-
Hello. I have the following access token, which includes scopes (), issued by Identity Server 4, like this: I want to ask, are the scopes created by IS4 the ones Ocelot looks for?
-
@andreuwz As far as I understand it, the second example is giving you the expected result, since the test scope isn't included in the token's scopes.

```csharp
if (!matchesScopes.Any())
{
    return new ErrorResponse<bool>(
        new ScopeNotAuthorizedError($"no one user scope: '{string.Join(',', userScopes)}' match with some allowed scope: '{string.Join(',', routeAllowedScopes)}'"));
}
```

As for the first example, the error must be somewhere else, since you have some matching scopes (by the way, it's an interesting debate: #231)
-
@andreuwz Andrey, allow me to clarify the "forbidden issue" in the first case. The issue stems from the `IScopesAuthorizer` implementation, which is utilized during the authentication phase in Ocelot. More details about the root cause can be found in issue #…

Ultimately, it appears that the "AllowedScopes" feature may not function correctly due to the character-separated In the second case, an unauthorized status indicates that the roles derived from the So, all these issues will be addressed in
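
The scope-matching behaviour discussed in this thread, as an added example that is not part of any reply and is not Ocelot's own code. It assumes the token carries its scopes in a single space-delimited `scope` claim (the scope syntax of RFC 6749, section 3.3); the class name, method names and sample claims are hypothetical and constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class ScopeMatchDemo
{
    // Exact-match intersection over raw claim values: the same shape of check
    // as the matchesScopes.Any() test quoted in the thread.
    public static bool MatchesRaw(IEnumerable<Claim> claims, IEnumerable<string> routeAllowedScopes)
    {
        var userScopes = claims.Where(c => c.Type == "scope").Select(c => c.Value);
        var matchesScopes = routeAllowedScopes.Intersect(userScopes);
        return matchesScopes.Any();
    }

    // Same check after splitting every claim value on spaces, so one
    // space-delimited claim and one-claim-per-scope tokens behave alike.
    // Scope names are case-sensitive, hence the ordinal comparer.
    public static bool MatchesNormalized(IEnumerable<Claim> claims, IEnumerable<string> routeAllowedScopes)
    {
        var userScopes = claims
            .Where(c => c.Type == "scope")
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries));
        return routeAllowedScopes.Intersect(userScopes, StringComparer.Ordinal).Any();
    }

    public static void Main()
    {
        var routeAllowedScopes = new[] { "api1" }; // constructed route setting

        // Constructed token shapes (assumptions, not taken from the thread).
        var perScopeClaims = new[] { new Claim("scope", "openid"), new Claim("scope", "api1") };
        var delimitedClaim = new[] { new Claim("scope", "openid api1") };

        Console.WriteLine($"raw, one claim per scope:     {MatchesRaw(perScopeClaims, routeAllowedScopes)}");
        Console.WriteLine($"raw, space-delimited claim:   {MatchesRaw(delimitedClaim, routeAllowedScopes)}");
        Console.WriteLine($"normalized, delimited claim:  {MatchesNormalized(delimitedClaim, routeAllowedScopes)}");
        Console.WriteLine($"normalized, scope not in token: {MatchesNormalized(delimitedClaim, new[] { "test" })}");
    }
}
```

With the raw check, the space-delimited claim is compared as the single string `openid api1`, so a route that allows `api1` is rejected even though the token was granted that scope; the normalized check still rejects a scope the token does not contain.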