
Unable to authorize "invalid_scope"

Open AndyBraham opened this issue 5 years ago • 6 comments

Unable to authorize user connect/token returns "invalid_scope".

    fail: IdentityServer4.Validation.DefaultResourceValidator[0]
          Scope quickapp_api not found in store.
    fail: IdentityServer4.Validation.TokenRequestValidator[0]
          Invalid scopes requested, {
            "ClientId": "quickapp_spa",
            "GrantType": "password",
            "Raw": {
              "username": "admin",
              "password": "REDACTED",
              "client_id": "quickapp_spa",
              "grant_type": "password",
              "scope": "openid email phone profile offline_access roles quickapp_api"
            }
          }

AndyBraham avatar Jun 23 '20 02:06 AndyBraham

When this happens to me it's almost always my DB is out of sync for IDserver (had it this weekend). Ensure the Migrations are up to date on IdentityServer4 (I see you upgraded to ID4 from ID3, so you need to Add-Migrations for the 2 contexts, and then apply them - and there are LOTS of changes, but my test worked).

tonydrake avatar Jun 23 '20 10:06 tonydrake

I removed the migrations and added again still getting invalid_scope. The only way I can get away from it is to remove the quickapp_api from the OidcHelperService scope but then I don't get any of the user info.

AndyBraham avatar Jul 01 '20 16:07 AndyBraham

I'm having the same issue. I get the same error Unable to login 'invalid_scope'. The only change I've made is to update IdentityServer4 to version 4.0.4. Here is the console log when I try to login:

dbug: IdentityServer4.Hosting.EndpointRouter[0]
      Request path /.well-known/openid-configuration matched to endpoint type Discovery
dbug: IdentityServer4.Hosting.EndpointRouter[0]
      Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryEndpoint
info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
      Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryEndpoint for /.well-known/openid-configuration
dbug: IdentityServer4.Endpoints.DiscoveryEndpoint[0]
      Start discovery request
dbug: IdentityServer4.Hosting.EndpointRouter[0]
      Request path /.well-known/openid-configuration/jwks matched to endpoint type Discovery
dbug: IdentityServer4.Hosting.EndpointRouter[0]
      Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryKeyEndpoint
info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
      Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryKeyEndpoint for /.well-known/openid-configuration/jwks
dbug: IdentityServer4.Endpoints.DiscoveryKeyEndpoint[0]
      Start key discovery request
dbug: IdentityServer4.Hosting.EndpointRouter[0]
      Request path /connect/token matched to endpoint type Token
dbug: IdentityServer4.Hosting.EndpointRouter[0]
      Endpoint enabled: Token, successfully created handler: IdentityServer4.Endpoints.TokenEndpoint
info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
      Invoking IdentityServer endpoint: IdentityServer4.Endpoints.TokenEndpoint for /connect/token
dbug: IdentityServer4.Endpoints.TokenEndpoint[0]
      Start token request.
dbug: IdentityServer4.Validation.ClientSecretValidator[0]
      Start client validation
dbug: IdentityServer4.Validation.BasicAuthenticationSecretParser[0]
      Start parsing Basic Authentication secret
dbug: IdentityServer4.Validation.PostBodySecretParser[0]
      Start parsing for secret in post body
dbug: IdentityServer4.Validation.ISecretsListParser[0]
      Parser found secret: PostBodySecretParser
dbug: IdentityServer4.Validation.ISecretsListParser[0]
      Secret id found: quickapp_spa
dbug: IdentityServer4.Stores.ValidatingClientStore[0]
      client configuration validation for client quickapp_spa succeeded.
dbug: IdentityServer4.Validation.ClientSecretValidator[0]
      Public Client - skipping secret validation success
dbug: IdentityServer4.Validation.ClientSecretValidator[0]
      Client validation success
dbug: IdentityServer4.Validation.TokenRequestValidator[0]
      Start token request validation
dbug: IdentityServer4.Validation.TokenRequestValidator[0]
      Start resource owner password token request validation
fail: IdentityServer4.Validation.DefaultResourceValidator[0]
      Scope quickapp_api not found in store.
fail: IdentityServer4.Validation.TokenRequestValidator[0]
      Invalid scopes requested, {
        "ClientId": "quickapp_spa",
        "GrantType": "password",
        "Raw": {
          "grant_type": "password",
          "scope": "openid email phone profile offline_access roles quickapp_api",
          "username": "admin",
          "password": "***REDACTED***",
          "client_id": "quickapp_spa",
          "client_secret": "***REDACTED***"
        }
      }

MosesMachua avatar Jul 27 '20 04:07 MosesMachua

After much debugging and reading the IdentityServer4 docs, I've come up with a solution. This invalid_scope error only occurs if you upgrade from IdentityServer4 v3 to v4. It turns out there are breaking changes in how scopes are defined. While in v3 they were implicit, in v4 they have to be declared in a separate function. See the migration steps to v4 and this stackoverflow answer.

Here is the solution. STEP 1: Open IdentityServerConfig.cs and add the following method.

        // v4: API scopes must be registered explicitly; ApiName is the scope name
        // the client requests (quickapp_api).
        public static IEnumerable<ApiScope> GetApiScopes()
        {
            return new List<ApiScope>
            {
                new ApiScope(ApiName)
            };
        }

STEP 2: Add scopes to resource in GetApiResources() like below

        public static IEnumerable<ApiResource> GetApiResources()
        {
            return new List<ApiResource>
            {
                new ApiResource(ApiName)
                {
                    // Claims included in access tokens issued for this API.
                    UserClaims =
                    {
                        IdentityServerConstants.StandardScopes.Profile,
                        JwtClaimTypes.Name,
                        JwtClaimTypes.Email,
                        JwtClaimTypes.PhoneNumber,
                        JwtClaimTypes.Role,
                        ClaimConstants.Permission
                    },
                    // Scope names that grant access to this resource.
                    Scopes =
                    {
                        IdentityServerConstants.StandardScopes.OpenId, // For UserInfo endpoint.
                        IdentityServerConstants.StandardScopes.Profile,
                        IdentityServerConstants.StandardScopes.Phone,
                        IdentityServerConstants.StandardScopes.Email,
                        ScopeConstants.Roles,
                        ApiName
                    }
                }
            };
        }

STEP 3: Open Startup.cs and add .AddInMemoryApiScopes(IdentityServerConfig.GetApiScopes()) to services.AddIdentityServer() like below

    public void ConfigureServices(IServiceCollection services)
    {
        //other code omitted for brevity

        // IdentityServer config section
        services.AddIdentityServer()
            .AddDeveloperSigningCredential()
            .AddInMemoryPersistedGrants()
            .AddInMemoryApiScopes(IdentityServerConfig.GetApiScopes()) //scopes added here
            .AddInMemoryIdentityResources(IdentityServerConfig.GetIdentityResources())
            .AddInMemoryApiResources(IdentityServerConfig.GetApiResources())
            .AddInMemoryClients(IdentityServerConfig.GetClients())
            .AddAspNetIdentity<ApplicationUser>()
            .AddProfileService<ProfileService>();

        //other code omitted for brevity
    }

With those changes, the "invalid_scope" error should be gone and you should be able to login and get all your user data in the access_token.

MosesMachua avatar Jul 29 '20 06:07 MosesMachua
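The following is an added example, not code from QuickApp, IdentityServer4 or anyone in this thread. It shows the v4 configuration shape that the fix above produces (ApiScope registered separately, ApiResource referring to it by name) together with a startup self-check that reports any scope a client may request that neither the identity-resource store nor the ApiScope store would resolve, which is exactly the condition behind "Scope quickapp_api not found in store". It assumes the IdentityServer4 4.x NuGet package; the names quickapp_api, quickapp_spa and roles come from the thread, and the helper names (ScopeConfig, FindUnregisteredScopes, ThrowIfMisconfigured) are hypothetical.

```csharp
// Added example, not QuickApp's or IdentityServer4's own code.
// Assumes IdentityServer4 4.x; names other than quickapp_api/quickapp_spa/roles are illustrative.
using System;
using System.Collections.Generic;
using System.Linq;
using IdentityServer4;
using IdentityServer4.Models;

public static class ScopeConfig
{
    public const string ApiName = "quickapp_api";

    // v4: API scopes are first-class objects and must be registered on their own.
    public static IEnumerable<ApiScope> GetApiScopes() =>
        new[] { new ApiScope(ApiName, "QuickApp API") };

    public static IEnumerable<IdentityResource> GetIdentityResources() =>
        new IdentityResource[]
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile(),
            new IdentityResources.Email(),
            new IdentityResources.Phone(),
            // Custom identity resource that carries the role claim.
            new IdentityResource("roles", "User roles", new[] { "role" }),
        };

    public static IEnumerable<ApiResource> GetApiResources() =>
        new[]
        {
            new ApiResource(ApiName, "QuickApp API")
            {
                // Scopes holds scope *names*; each must exist in the ApiScope store.
                Scopes = { ApiName },
                UserClaims = { "name", "email", "role" },
            },
        };

    public static IEnumerable<Client> GetClients() =>
        new[]
        {
            new Client
            {
                ClientId = "quickapp_spa",
                AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
                RequireClientSecret = false,      // public client, as in the thread's log
                AllowOfflineAccess = true,        // enables the offline_access scope
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    IdentityServerConstants.StandardScopes.Email,
                    IdentityServerConstants.StandardScopes.Phone,
                    "roles",
                    ApiName,
                },
            },
        };

    // Returns "clientId: scope" for every allowed scope that no store would resolve.
    public static IReadOnlyList<string> FindUnregisteredScopes(
        IEnumerable<Client> clients,
        IEnumerable<IdentityResource> identityResources,
        IEnumerable<ApiScope> apiScopes)
    {
        var known = new HashSet<string>(StringComparer.Ordinal);
        known.UnionWith(identityResources.Select(r => r.Name));
        known.UnionWith(apiScopes.Select(s => s.Name));
        // offline_access is governed by Client.AllowOfflineAccess, not by a scope store.
        known.Add(IdentityServerConstants.StandardScopes.OfflineAccess);

        return clients
            .SelectMany(c => c.AllowedScopes.Select(s => (c.ClientId, Scope: s)))
            .Where(t => !known.Contains(t.Scope))
            .Select(t => $"{t.ClientId}: {t.Scope}")
            .ToList();
    }

    // Call from ConfigureServices (or a unit test) so a v3 -> v4 upgrade that forgot
    // AddInMemoryApiScopes fails at startup rather than as invalid_scope at /connect/token.
    public static void ThrowIfMisconfigured()
    {
        var missing = FindUnregisteredScopes(GetClients(), GetIdentityResources(), GetApiScopes());
        if (missing.Count > 0)
            throw new InvalidOperationException("Unregistered scopes: " + string.Join(", ", missing));
    }
}
```

With GetApiScopes() left empty, ThrowIfMisconfigured() throws with "quickapp_spa: quickapp_api", which is the same gap the DefaultResourceValidator log line reports; with the ApiScope registered it returns silently. Wire the three collections into AddInMemoryApiScopes, AddInMemoryIdentityResources and AddInMemoryApiResources exactly as in STEP 3 above.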

I suggest closing this issue.

MosesMachua avatar Aug 01 '20 18:08 MosesMachua

Yes. This solution worked so wonderfully well for me. Thank you so much MosesMachua

deoraashish avatar Apr 06 '21 10:04 deoraashish