
Any Client Can Access to The Registration Page

Open parlive opened this issue 2 years ago • 3 comments

In the skoruba project, any client can access the registration page. Shouldn't only the clients defined in the project or in the management section be able to send a request to this application?


```json
"Clients": [
    {
        "ClientId": "skoruba_identity_admin",
        "ClientName": "skoruba_identity_admin",
        "ClientUri": "https://localhost:44303",
        "AllowedGrantTypes": [
            "authorization_code"
        ],
        "RequirePkce": true,
        "ClientSecrets": [
            {
                "Value": "skoruba_admin_client_secret"
            }
        ],
        "RedirectUris": [
            "https://localhost:44303/signin-oidc"
        ],
        "FrontChannelLogoutUri": "https://localhost:44303/signout-oidc",
        "PostLogoutRedirectUris": [
            "https://localhost:44303/signout-callback-oidc"
        ],
        "AllowedCorsOrigins": [
            "https://localhost:44303"
        ],
        "AllowedScopes": [
            "openid",
            "email",
            "profile",
            "roles"
        ]
    },
    {
        "ClientId": "skoruba_identity_admin_api_swaggerui",
        "ClientName": "skoruba_identity_admin_api_swaggerui",
        "AllowedGrantTypes": [
            "authorization_code"
        ],
        "RequireClientSecret": false,
        "RequirePkce": true,
        "RedirectUris": [
            "https://localhost:44302/swagger/oauth2-redirect.html"
        ],
        "AllowedScopes": [
            "skoruba_identity_admin_api"
        ],
        "AllowedCorsOrigins": [
            "https://localhost:44302"
        ]
    }
]
```

parlive avatar Oct 24 '21 04:10 parlive

Registration is not client specific. It is how you register new users. You can adjust the registration configuration to allow registration or not. Consider the experience of going to https://demoids.vbjaysolutions.com/sts and logging in using a Google or GitHub account. In the demo site, I have prevented user registration except for 3rd-party logins.

vbjay avatar Oct 25 '21 02:10 vbjay

> Registration is not client specific. It is how you register new users. You can adjust the registration configuration to allow registration or not. Consider the experience of going to https://demoids.vbjaysolutions.com/sts and logging in using a Google or GitHub account. In the demo site, I have prevented user registration except for 3rd-party logins.

What is the correct and high-security way to access and route to the Login, Register and Password Recovery pages, etc. in the skoruba project from some client project (for example an MVC client)? If possible, refer to the project example.

parlive avatar Oct 25 '21 08:10 parlive

https://github.com/skoruba/IdentityServer4.Admin/discussions/920

On Mon, Oct 25, 2021, 4:58 AM parlive @.***> wrote:

> > Registration is not client specific. It is how you register new users. You can adjust the registration configuration to allow registration or not. Consider the experience of going to https://demoids.vbjaysolutions.com/sts and logging in using a Google or GitHub account. In the demo site, I have prevented user registration except for 3rd-party logins.
>
> What is the correct and high-security way to access and route to the Login, Register and Password Recovery pages, etc. in the skoruba project from some client project (for example an MVC client)? If possible, refer to the project example.

— You are receiving this because you commented. Reply to this email directly or view it on GitHub: https://github.com/skoruba/IdentityServer4.Admin/issues/918#issuecomment-950688073

vbjay avatar Oct 25 '21 14:10 vbjay
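The question parlive asks (how an MVC client should reach the STS login, register and password-recovery pages) is answered by the OpenID Connect flow itself: the client never links to those pages directly; it challenges the OIDC scheme, the STS renders its own UI, and the user is sent back to the registered redirect URI. Whether self-registration is offered is a setting of the STS as a whole, not of any client, as vbjay notes above. The following ASP.NET Core `Program.cs` is an added example written for this thread; it is not code from the skoruba project or from either participant. It mirrors the shape of the `skoruba_identity_admin` client quoted in the issue (authorization code, PKCE, client secret, `/signin-oidc` callback). The STS base URL `https://sts.example.invalid`, the `Oidc:ClientSecret` configuration key and the `AccountController` are assumptions for the example.

```csharp
// Added example: an ASP.NET Core MVC client that sends users to the STS through
// the OpenID Connect authorization-code flow. Not part of the skoruba project.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllersWithViews();

builder.Services.AddAuthentication(options =>
{
    // Local session lives in a cookie; sign-in is delegated to the STS.
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
    // Placeholder: base URL of the STS (the login/register host), not the Admin UI.
    options.Authority = "https://sts.example.invalid";

    // ClientId must match a client record the STS knows. "skoruba_identity_admin"
    // is the demo value from the issue; the secret is read from configuration
    // (assumed key "Oidc:ClientSecret") so it never lands in source control.
    options.ClientId = "skoruba_identity_admin";
    options.ClientSecret = builder.Configuration["Oidc:ClientSecret"];

    // Authorization code + PKCE, as the STS client record requires (RequirePkce = true).
    options.ResponseType = OpenIdConnectResponseType.Code;
    options.UsePkce = true;
    options.SaveTokens = true;
    options.GetClaimsFromUserInfoEndpoint = true;

    // Request only scopes listed in the client's AllowedScopes.
    options.Scope.Clear();
    foreach (var scope in new[] { "openid", "profile", "email", "roles" })
    {
        options.Scope.Add(scope);
    }

    // CallbackPath defaults to /signin-oidc and SignedOutCallbackPath to
    // /signout-callback-oidc, which is why the RedirectUris and
    // PostLogoutRedirectUris in the issue end that way. The STS rejects any
    // redirect URI that is not registered for the client.
});

builder.Services.AddAuthorization(options =>
{
    // Deny by default: every endpoint needs a signed-in user unless [AllowAnonymous].
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

// Assumed controller: "routing to the login page" is a Challenge, not a link.
public class AccountController : Controller
{
    [AllowAnonymous]
    public IActionResult Login(string? returnUrl = null)
    {
        // Only honour local return URLs so the client cannot be used as an open redirector.
        var target = !string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl) ? returnUrl : "/";
        return Challenge(new AuthenticationProperties { RedirectUri = target },
                         OpenIdConnectDefaults.AuthenticationScheme);
    }

    public IActionResult Logout()
    {
        // Clear the local cookie and end the STS session (front/post-logout URIs from the client record).
        return SignOut(new AuthenticationProperties { RedirectUri = "/" },
                       CookieAuthenticationDefaults.AuthenticationScheme,
                       OpenIdConnectDefaults.AuthenticationScheme);
    }
}
```

Two points worth checking when wiring this up: the `Authority` must point at the STS that hosts the account pages rather than the Admin UI, and the client record on the STS (`RedirectUris`, `PostLogoutRedirectUris`, `AllowedCorsOrigins`, `AllowedScopes`) is what restricts which applications can complete a sign-in; the registration page itself is either enabled or disabled for everyone by the STS configuration, which is the distinction vbjay draws above.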