Hi All,

When the role-based scope validator is enabled, we grant the access token upon validated scope. In the OpenID flow, when we request an ID token we can try the following as an example, where 'scope1' is bound to the role 'login-sp':

curl -u anKvtUmgg88qghLz5_AdzDMzIFAa:cQX5r6nDncXSaytrgVlZUx51teUa -k -d "grant_type=password&username=kim&password=12345&scope=openid scope1" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token

This will respond with an ID token if the user Kim is a member of the role 'login-sp'.

But when we try to obtain a custom claim value via the ID token, we can pass the OIDC scopes which are mapped to the corresponding user claims, for example the profile and email scopes:

curl -u anKvtUmgg88qghLz5_AdzDMzIFAa:cQX5r6nDncXSaytrgVlZUx51teUa -k -d "grant_type=password&username=kim&password=12345&scope=openid scope1 email" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2/token -v

When we pass those OIDC scopes with the role-based scope validator enabled, we get an error message,

{"error_description":"Invalid Scope!","error":"invalid_scope"}

for the OIDC scopes except the scope named 'openid'. The reason is that we only remove the 'openid' scope from the list [1]. Then we try to validate whether the scope is registered or not by only calling the OAuth2 scope binding service. Since we can't see the OIDC scopes via the OAuth2 scope binding service, we end up with an invalid scope error.

To resolve this issue, we may need to remove the OIDC scopes from the scope list before validating the OAuth2 scopes. Appreciate your thoughts on tackling this issue with a better solution.

[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/c4a33c5cb4914d5b803878c8962a6d4a6f35995d/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/JDBCScopeValidator.java#L206-L220

Thanks,
Sarubi.

--
Sarubi Thillainathan | Senior Software Engineer | WSO2 Inc.
(m) +94 (0) 76 684 9101 | (e) [email protected], [email protected]
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
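The scope handling discussed in the message above, as an added example that is not part of the original post and not code from identity-inbound-auth-oauth. It places the behaviour described on the list (only "openid" is stripped before the role-based OAuth2 check, so "email" is rejected as an unregistered OAuth2 scope) beside the proposed fix (registered OIDC scopes are set aside first and only the remaining scopes are checked against role bindings). The ScopeRegistry interface, the role sets, the scope binding for 'scope1' and the rule that a user lacking every bound role is rejected are all constructed assumptions standing in for the OIDC scope store and the OAuth2 scope binding service.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Added illustration, not WSO2 code. Compares stripping only "openid" before the
 * role-based OAuth2 scope check with stripping every registered OIDC scope first.
 * ScopeRegistry is a hypothetical stand-in for the OIDC scope store and the OAuth2
 * scope binding service; the sample data in main() is constructed.
 */
public class ScopeFilterExample {

    /** Hypothetical stand-in for the two stores a validator would consult. */
    public interface ScopeRegistry {
        /** OIDC scopes that map to user claims (profile, email, ...). */
        Set<String> oidcScopes();
        /** Roles bound to an OAuth2 scope, or null when the scope is not registered. */
        Set<String> rolesBoundTo(String oauth2Scope);
    }

    /** Outcome of validation: the granted scopes, or an OAuth2 error code. */
    public static final class Result {
        public final List<String> granted;
        public final String error; // null on success, "invalid_scope" otherwise

        Result(List<String> granted, String error) {
            this.granted = granted;
            this.error = error;
        }

        @Override
        public String toString() {
            return error == null ? "granted " + granted : "error " + error;
        }
    }

    /** Behaviour described on the list: only "openid" bypasses the OAuth2 check. */
    public static Result validateStrippingOpenidOnly(String requested, Set<String> userRoles, ScopeRegistry reg) {
        return validate(requested, userRoles, reg, Collections.singleton("openid"));
    }

    /** Proposed behaviour: "openid" and every registered OIDC scope bypass the OAuth2 check. */
    public static Result validateStrippingOidcScopes(String requested, Set<String> userRoles, ScopeRegistry reg) {
        Set<String> passthrough = new HashSet<>(reg.oidcScopes());
        passthrough.add("openid");
        return validate(requested, userRoles, reg, passthrough);
    }

    private static Result validate(String requested, Set<String> userRoles, ScopeRegistry reg, Set<String> passthrough) {
        List<String> granted = new ArrayList<>();
        for (String scope : requested.trim().split("\\s+")) {
            if (scope.isEmpty()) {
                continue;
            }
            if (passthrough.contains(scope)) {
                granted.add(scope); // resolved to ID-token claims later, not by role bindings
                continue;
            }
            Set<String> roles = reg.rolesBoundTo(scope);
            if (roles == null) {
                return new Result(Collections.emptyList(), "invalid_scope"); // not a registered OAuth2 scope
            }
            if (Collections.disjoint(roles, userRoles)) {
                return new Result(Collections.emptyList(), "invalid_scope"); // assumed: user holds none of the bound roles
            }
            granted.add(scope);
        }
        return new Result(granted, null);
    }

    public static void main(String[] args) {
        // Constructed sample data: scope1 is bound to role login-sp; email is an OIDC claim scope.
        Map<String, Set<String>> bindings = new HashMap<>();
        bindings.put("scope1", new HashSet<>(Arrays.asList("login-sp")));
        Set<String> oidc = new HashSet<>(Arrays.asList("profile", "email", "address", "phone"));
        ScopeRegistry reg = new ScopeRegistry() {
            public Set<String> oidcScopes() { return oidc; }
            public Set<String> rolesBoundTo(String s) { return bindings.get(s); }
        };
        Set<String> kim = new HashSet<>(Arrays.asList("login-sp"));

        System.out.println(validateStrippingOpenidOnly("openid scope1", kim, reg));
        System.out.println(validateStrippingOpenidOnly("openid scope1 email", kim, reg));
        System.out.println(validateStrippingOidcScopes("openid scope1 email", kim, reg));
        System.out.println(validateStrippingOidcScopes("openid bogus", kim, reg));
    }
}
```

The second call reproduces the invalid_scope failure from the post, because "email" falls through to the role-binding lookup where it is unknown; the third call grants it once OIDC scopes are set aside, while a scope that is registered nowhere ("bogus") is still rejected in both variants. Separately from the validator: the -k flag in the posted curl commands disables certificate verification and is only appropriate against the local development instance at localhost:9443.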
