Thinktecture error "insufficient_scope": single scope claim versus a list of scopes
I'm sure the answer is obvious, but it eludes me now.
I get a 403 when my code tries to call /connect/userinfo, and the message is "insufficient_scope".
Above is the line of code that checks the JWT scope claim, looking for the "openid" value needed for the /connect/userinfo endpoint to work.
In my JWT, if the claim looks like:
"scope": "openid"
... then the endpoint is fine. If instead I have:
"scope": ["openid", "email", "profile"]
... then it fails.
Should I never have a list / array of scope claims? Or am I missing a configuration setting somewhere?
Update with code
Apologies; of course the code will make the problem clearer.
Client store
public ClientStore()
{
    // Single in-memory client: the browser app served from localhost:8080
    _clients = new List<Client>
    {
        new Client
        {
            AlwaysSendClientClaims = true,
            RequireConsent = false,
            Enabled = true,
            ClientName = @"MVC Client",
            ClientId = @"mvc",
            PostLogoutRedirectUris = new List<string>
            {
                "http://localhost:8080/index.html"
            },
            RedirectUris = new List<string>
            {
                "http://localhost:8080/loginCallback.html"
            }
        }
    };
}
Scope store
public ScopeStore()
{
    // Standard OpenID Connect scopes served by this IdentityServer instance
    var scopes = new List<Scope>
    {
        StandardScopes.OpenId,
        StandardScopes.Profile,
        StandardScopes.Email,
        StandardScopes.Address,
        StandardScopes.AllClaims,
        StandardScopes.RolesAlwaysInclude
    };
    _scopes = scopes;
}
Startup.cs
var certFile = env.ApplicationBasePath + "/cert.pfx";
app.Map("/core", core =>
{
    var factory = new IdentityServerServiceFactory();
    var configuration = new Configuration();
    configuration.AddJsonFile("config.json");
    var userService = new EndUserService(configuration.Get("ConnectionString"));
    factory.UserService = new Registration<IUserService>(resolver => userService);
    var scopeStore = new ScopeStore();
    factory.ScopeStore = new Registration<IScopeStore>(resolver => scopeStore);
    var clientStore = new ClientStore();
    factory.ClientStore = new Registration<IClientStore>(resolver => clientStore);
    // Token signing certificate loaded from the PFX next to the app
    var cert = new X509Certificate2(certFile, "test");
    var idsrvOptions = new IdentityServerOptions
    {
        // Development-only settings: AllowAll CORS and RequireSsl = false must not ship to production
        CorsPolicy = CorsPolicy.AllowAll,
        Factory = factory,
        RequireSsl = false,
        SigningCertificate = cert,
        LoggingOptions = new LoggingOptions()
        {
            EnableWebApiDiagnostics = true,
            EnableHttpLogging = true
        }
    };
    core.UseIdentityServer(idsrvOptions);
});
login.html
var config = {
    client_id: "mvc",
    redirect_uri: "http://localhost:8080/loginCallback.html",
    response_type: "id_token token",
    // Three scopes requested, so the issued token carries more than just "openid"
    scope: "openid email profile",
    authority: "http://localhost:44319/core",
    post_logout_redirect_uri: "http://localhost:8080/index.html"
};
var mgr = new OidcTokenManager(config);
UPDATE #2
Shoot, it's Mono versus Windows. Works fine on Windows, broken on Mono. Known issue, apparently: https://github.com/IdentityServer/IdentityServer3/issues/1373#issuecomment-104756822
It turns out there is a bug in the way the Microsoft JWT library interprets the JWT claims. Described here: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/pull/153
Waiting for that pull request to be accepted, or for the problem to be fixed some other way.