Why doesn't ScopesAuthorizer find my scope?

[bednart]

Hi,
I'm trying to use AllowedScopes array in Ocelot config with only one value:
"AllowedScopes": [ "access_as_user" ]

I'm using Azure AD App Registration with specified scope at "Expose an API" tab and there is scp claim in JWT access token once requested:
"scp": "access_as_user"

Problem is that ScopeAuthorizer uses build in "scope" as claim type, but access_as_user is in claim with "http://schemas.microsoft.com/identity/claims/scope" type so it is not found and ScopesAuthorizer throws error "no one user scope: '' match with some allowed scope: 'access_as_user'"

Question is. Am I doing something wrong or AllowedScopes array is not usable for this use case?

Thanks,
beda

[vitorelli]

Hello @bednart ,

I faced a similar issue. Please check if you are using the Authentication midleware app.UseAuthentication() or\and JwtSecurityTokenHandler.DefaultInboundClaimTypeMap to map your scopes.

You may find more information here: https://ocelot.readthedocs.io/en/latest/features/authentication.html

[raman-m]

• References from Authentication docs could do with a note around .NET 8 changes #1876

[raman-m]

@bednart wrote on Mar 7, 2022

Hi Tomáš!
In addition to the message above from @vitorelli, please look into this issue:

• Authentication docs could do with a note around .NET 8 changes #1876