On Mon, Feb 17, 2020 at 2:59 PM Sarubi Thillainathan <[email protected]> wrote:
> Hi All,
>
> When the role-based scope validator is enabled we are granting the access
> token upon validated scope. In the OpenID flow, when we are requesting an
> ID token we can try the following as an example, where 'scope1' is bound
> to the role 'login-sp'.
>
> curl -u anKvtUmgg88qghLz5_AdzDMzIFAa:cQX5r6nDncXSaytrgVlZUx51teUa -k -d
> "grant_type=password&username=kim&password=12345&scope=openid scope1"
> -H "Content-Type:application/x-www-form-urlencoded"
> https://localhost:9443/oauth2/token
>
> This will respond with an ID token if the user Kim is a member of the role
> 'login-sp'.
>
> But when we try to obtain a custom claim value via the ID token, we can pass
> the OIDC scopes which are mapped to the corresponding user claims, for
> example the profile and email scopes.
>
> curl -u anKvtUmgg88qghLz5_AdzDMzIFAa:cQX5r6nDncXSaytrgVlZUx51teUa -k -d
> "grant_type=password&username=kim&password=12345&scope=openid scope1 email"
> -H "Content-Type:application/x-www-form-urlencoded"
> https://localhost:9443/oauth2/token -v
>
> When we are passing those OIDC scopes with the role-based scope validator
> enabled, we are getting an error message as,
>
> {"error_description":"Invalid Scope!","error":"invalid_scope"}
>
> for the OIDC scopes except the scope named 'openid'.
>
> The reason is we have only removed the 'openid' scope from the list [1].
> Then we try to validate whether the scope is registered or not by only
> calling the OAuth2 scopes binding service. Since we can't view the OIDC
> scopes via the OAuth2 scopes binding service we end up with an Invalid
> scope error.
>
> To resolve this issue, we may need to remove the OIDC scopes from the
> scope list before validating the OAuth2 scopes.
>
> Appreciate your thoughts to tackle this issue with a better solution.

+1 to remove all the OIDC scopes since we can't register OAuth scopes with the same name.

Cheers,
Isura.
>
> [1]
> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/c4a33c5cb4914d5b803878c8962a6d4a6f35995d/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/JDBCScopeValidator.java#L206-L220
>
> Thanks,
> Sarubi.
> --
> Sarubi Thillainathan | Senior Software Engineer | WSO2 Inc.
> (m) +94 (0) 76 684 9101 | (e) [email protected],[email protected]
> https://wso2.com/signature

--
Isura Dilhara Karunaratne
Technical Lead | WSO2 <http://wso2.com/>
lean.enterprise.middleware
Email: [email protected]
Mob : +94 772 254 810
Blog : https://medium.com/@isurakarunaratne
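The validator behaviour described in the thread, as an added stand-alone model (not WSO2's code and not the JDBCScopeValidator itself): with `strip_all_oidc=False` only `openid` is set aside before the role-based check, so `email` reaches the scope-binding lookup and is rejected as `invalid_scope`; with `strip_all_oidc=True` every OIDC scope is set aside first, which is the fix proposed above. `SCOPE_ROLE_BINDINGS`, `USER_ROLES`, `OIDC_SCOPES` and the function names are constructed sample data and hypothetical names, and the rule that a registered scope the user holds no role for is also rejected is an assumption of this example.

```python
"""Role-based scope validation with OIDC scopes excluded from the OAuth2 check.

Added example, not WSO2 code. SCOPE_ROLE_BINDINGS, USER_ROLES and
OIDC_SCOPES are constructed sample data; validate_requested_scopes() is a
hypothetical stand-in for the validator discussed in the thread, not its API.
"""
from __future__ import annotations

# Constructed sample data: OAuth2 scopes registered through the scope-binding
# service, each mapped to the roles that may obtain it.
SCOPE_ROLE_BINDINGS: dict[str, frozenset[str]] = {
    "scope1": frozenset({"login-sp"}),
    "scope2": frozenset({"admin"}),
}

# Constructed user directory: username -> roles.
USER_ROLES: dict[str, frozenset[str]] = {
    "kim": frozenset({"login-sp"}),
    "bob": frozenset(),
}

# Scopes owned by the OIDC claim-mapping layer, not by the scope-binding
# service. Skipping them is only safe under the thread's premise that an
# OAuth2 scope can never be registered under one of these names.
OIDC_SCOPES: frozenset[str] = frozenset({"openid", "profile", "email", "address", "phone"})


class InvalidScope(Exception):
    """Raised where the token endpoint would answer with error=invalid_scope."""

    def __init__(self, scope: str, reason: str) -> None:
        super().__init__(f"{reason}: {scope}")
        self.scope = scope
        self.reason = reason

    def to_error_response(self) -> dict[str, str]:
        # Same shape as the error body quoted in the thread.
        return {"error": "invalid_scope", "error_description": "Invalid Scope!"}


def check_role_bindings(username: str, scopes: list[str]) -> None:
    """Role-based check applied to the scopes that reach the OAuth2 validator.

    Assumption for this example: an unregistered scope and a registered scope
    whose bound roles the user lacks are both rejected as invalid_scope.
    """
    roles = USER_ROLES.get(username, frozenset())
    for scope in scopes:
        bound_roles = SCOPE_ROLE_BINDINGS.get(scope)
        if bound_roles is None:
            raise InvalidScope(scope, "not registered with the scope-binding service")
        if not roles & bound_roles:
            raise InvalidScope(scope, f"user {username!r} holds none of {sorted(bound_roles)}")


def validate_requested_scopes(username: str, requested: str, strip_all_oidc: bool) -> list[str]:
    """Return the scopes to grant, in request order, or raise InvalidScope.

    strip_all_oidc=False reproduces the reported behaviour: only 'openid' is
    removed before the OAuth2 check, so 'email' or 'profile' hits the
    scope-binding lookup and fails. strip_all_oidc=True is the proposed fix:
    every OIDC scope is set aside and only the remainder is role-checked.
    """
    scopes = requested.split()
    skipped = OIDC_SCOPES if strip_all_oidc else frozenset({"openid"})
    check_role_bindings(username, [s for s in scopes if s not in skipped])
    return scopes


def token_endpoint_scope_check(username: str, requested: str, strip_all_oidc: bool) -> dict[str, str]:
    """Shape the outcome the way /oauth2/token would: a scope string or an error body."""
    try:
        granted = validate_requested_scopes(username, requested, strip_all_oidc)
    except InvalidScope as exc:
        return exc.to_error_response()
    return {"scope": " ".join(granted)}


if __name__ == "__main__":
    requests = [
        ("kim", "openid scope1"),
        ("kim", "openid scope1 email"),
        ("kim", "openid scope1 nosuchscope"),
        ("bob", "openid scope1 email"),
    ]
    for strip_all in (False, True):
        print(f"--- strip_all_oidc={strip_all} ---")
        for user, req in requests:
            print(f"{user:4} {req!r:32} -> {token_endpoint_scope_check(user, req, strip_all)}")
```

Two things the model makes visible: stripping the OIDC scopes does not weaken the role check for the remaining OAuth2 scopes (an unknown scope or a user without the bound role is still refused), and the whole approach rests on the point Isura makes above, that OIDC scope names cannot also be registered as OAuth2 scopes. If that reservation were ever relaxed, any scope skipped as "OIDC" would bypass the role binding, so the skipped set should be read from the server's OIDC scope configuration rather than hard-coded as it is in this example.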
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
