Re: [Dev] Getting Invalid Scope Error While requesting IDToken With OIDC Scopes When Role Based Scope Validator Enabled

2020-02-17 Thread Isura Karunaratne
Hi Darshana,

On Mon, Feb 17, 2020 at 4:44 PM Darshana Gunawardana 
wrote:

> Hi Isura\Sarubi,
>
> Why do we need to remove OIDC scopes from being validated?
>
> How can we do role-based scope validation for an OIDC scope, if we need
> it in some case?
>

The current behavior is that scope binding is only supported for OAuth scopes.
If we need role-based scope validation for OIDC scopes, we have to register
the OIDC scopes as OAuth scopes as well.

Currently, we do not support registering OAuth and OIDC scopes with the
same name.

Cheers,
Isura.


> Thanks,
>
> On Mon, Feb 17, 2020 at 4:29 PM Isura Karunaratne  wrote:
>
>>
>>
>> On Mon, Feb 17, 2020 at 2:59 PM Sarubi Thillainathan 
>> wrote:
>>
>>> Hi All,
>>>
>>> When the role-based scope validator is enabled, we grant the access
>>> token based on the validated scopes. In the OpenID flow, when we are requesting
>>> an ID token we can try the following as an example, where 'scope1' is bound
>>> to the role 'login-sp'.
>>>
>>> curl -u anKvtUmgg88qghLz5_AdzDMzIFAa:cQX5r6nDncXSaytrgVlZUx51teUa -k \
>>>   -d "grant_type=password&username=kim&password=12345&scope=openid scope1" \
>>>   -H "Content-Type:application/x-www-form-urlencoded" \
>>>   https://localhost:9443/oauth2/token
>>>
>>> This will respond with an ID token if the user Kim is a member of the
>>> role 'login-sp'.
>>>
>>> But when we try to obtain a custom claim value via the ID token, we can pass
>>> the OIDC scopes which are mapped to the corresponding user claims, for
>>> example the profile and email scopes.
>>>
>>> curl -u anKvtUmgg88qghLz5_AdzDMzIFAa:cQX5r6nDncXSaytrgVlZUx51teUa -k \
>>>   -d "grant_type=password&username=kim&password=12345&scope=openid scope1 email" \
>>>   -H "Content-Type:application/x-www-form-urlencoded" \
>>>   https://localhost:9443/oauth2/token -v
>>>
>>> When we pass those OIDC scopes with the role-based scope
>>> validator enabled, we get an error message as follows,
>>>
>>> {"error_description":"Invalid Scope!","error":"invalid_scope"}
>>>
>>> for the OIDC scopes except the scope named 'openid'.
>>>
>>> The reason is that we have only removed the 'openid' scope from the list [1].
>>> Then we try to validate whether each scope is registered by only calling the
>>> OAuth2 scope binding service. Since the OIDC scopes are not visible
>>> via the OAuth2 scope binding service, we end up with an invalid scope
>>> error.
>>>
>>> To resolve this issue, we may need to remove the OIDC scopes from the
>>> scope list before validating the OAuth2 scopes.
>>>
>>> Appreciate your thoughts to tackle this issue with a better solution.
>>>
>> +1 to remove all the OIDC scopes since we can't register OAuth scopes
>> with the same name.
>>
>> Cheers,
>> Isura.
>>
>>>
>>> [1]
>>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/c4a33c5cb4914d5b803878c8962a6d4a6f35995d/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/JDBCScopeValidator.java#L206-L220
>>>
>>>
>>> Thanks,
>>> Sarubi.
>>> --
>>> *Sarubi Thillainathan* | Senior Software Engineer | WSO2 Inc.
>>> (m) +94 (0) 76 684 9101 | (e) sar...@wso2.com,stsa...@gmail.com
>>>
>>>
>>
>>
>> --
>>
>> *Isura Dilhara Karunaratne*
>> Technical Lead | WSO2 
>> *lean.enterprise.middleware*
>> Email: is...@wso2.com
>> Mob : +94 772 254 810
>> Blog : https://medium.com/@isurakarunaratne
>>
>>
>>
>>
>
> --
> Regards,
>
>
> *Darshana Gunawardana*Technical Lead
> WSO2 Inc.; http://wso2.com
>
> *E-mail: darsh...@wso2.com *
> *Mobile: +94718566859*Lean . Enterprise . Middleware
>


-- 

*Isura Dilhara Karunaratne*
Technical Lead | WSO2 
*lean.enterprise.middleware*
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : https://medium.com/@isurakarunaratne
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Getting Invalid Scope Error While requesting IDToken With OIDC Scopes When Role Based Scope Validator Enabled

2020-02-17 Thread Darshana Gunawardana
Hi Isura\Sarubi,

Why do we need to remove OIDC scopes from being validated?

How can we do role-based scope validation for an OIDC scope, if we need
it in some case?

Thanks,

On Mon, Feb 17, 2020 at 4:29 PM Isura Karunaratne  wrote:

>
>
> On Mon, Feb 17, 2020 at 2:59 PM Sarubi Thillainathan 
> wrote:
>
>> Hi All,
>>
>> When the role-based scope validator is enabled, we grant the access
>> token based on the validated scopes. In the OpenID flow, when we are requesting
>> an ID token we can try the following as an example, where 'scope1' is bound
>> to the role 'login-sp'.
>>
>> curl -u anKvtUmgg88qghLz5_AdzDMzIFAa:cQX5r6nDncXSaytrgVlZUx51teUa -k \
>>   -d "grant_type=password&username=kim&password=12345&scope=openid scope1" \
>>   -H "Content-Type:application/x-www-form-urlencoded" \
>>   https://localhost:9443/oauth2/token
>>
>> This will respond with an ID token if the user Kim is a member of the
>> role 'login-sp'.
>>
>> But when we try to obtain a custom claim value via the ID token, we can pass
>> the OIDC scopes which are mapped to the corresponding user claims, for
>> example the profile and email scopes.
>>
>> curl -u anKvtUmgg88qghLz5_AdzDMzIFAa:cQX5r6nDncXSaytrgVlZUx51teUa -k \
>>   -d "grant_type=password&username=kim&password=12345&scope=openid scope1 email" \
>>   -H "Content-Type:application/x-www-form-urlencoded" \
>>   https://localhost:9443/oauth2/token -v
>>
>> When we pass those OIDC scopes with the role-based scope validator
>> enabled, we get an error message as follows,
>>
>> {"error_description":"Invalid Scope!","error":"invalid_scope"}
>>
>> for the OIDC scopes except the scope named 'openid'.
>>
>> The reason is that we have only removed the 'openid' scope from the list [1].
>> Then we try to validate whether each scope is registered by only calling the
>> OAuth2 scope binding service. Since the OIDC scopes are not visible
>> via the OAuth2 scope binding service, we end up with an invalid scope
>> error.
>>
>> To resolve this issue, we may need to remove the OIDC scopes from the
>> scope list before validating the OAuth2 scopes.
>>
>> Appreciate your thoughts to tackle this issue with a better solution.
>>
> +1 to remove all the OIDC scopes since we can't register OAuth scopes with
> the same name.
>
> Cheers,
> Isura.
>
>>
>> [1]
>> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/c4a33c5cb4914d5b803878c8962a6d4a6f35995d/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/JDBCScopeValidator.java#L206-L220
>>
>>
>> Thanks,
>> Sarubi.
>> --
>> *Sarubi Thillainathan* | Senior Software Engineer | WSO2 Inc.
>> (m) +94 (0) 76 684 9101 | (e) sar...@wso2.com,stsa...@gmail.com
>>
>>
>
>
> --
>
> *Isura Dilhara Karunaratne*
> Technical Lead | WSO2 
> *lean.enterprise.middleware*
> Email: is...@wso2.com
> Mob : +94 772 254 810
> Blog : https://medium.com/@isurakarunaratne
>
>
>
>

-- 
Regards,


*Darshana Gunawardana*Technical Lead
WSO2 Inc.; http://wso2.com

*E-mail: darsh...@wso2.com *
*Mobile: +94718566859*Lean . Enterprise . Middleware


Re: [Dev] Getting Invalid Scope Error While requesting IDToken With OIDC Scopes When Role Based Scope Validator Enabled

2020-02-17 Thread Isura Karunaratne
On Mon, Feb 17, 2020 at 2:59 PM Sarubi Thillainathan 
wrote:

> Hi All,
>
> When the role-based scope validator is enabled, we grant the access
> token based on the validated scopes. In the OpenID flow, when we are requesting
> an ID token we can try the following as an example, where 'scope1' is bound
> to the role 'login-sp'.
>
> curl -u anKvtUmgg88qghLz5_AdzDMzIFAa:cQX5r6nDncXSaytrgVlZUx51teUa -k \
>   -d "grant_type=password&username=kim&password=12345&scope=openid scope1" \
>   -H "Content-Type:application/x-www-form-urlencoded" \
>   https://localhost:9443/oauth2/token
>
> This will respond with an ID token if the user Kim is a member of the role
> 'login-sp'.
>
> But when we try to obtain a custom claim value via the ID token, we can pass
> the OIDC scopes which are mapped to the corresponding user claims, for
> example the profile and email scopes.
>
> curl -u anKvtUmgg88qghLz5_AdzDMzIFAa:cQX5r6nDncXSaytrgVlZUx51teUa -k \
>   -d "grant_type=password&username=kim&password=12345&scope=openid scope1 email" \
>   -H "Content-Type:application/x-www-form-urlencoded" \
>   https://localhost:9443/oauth2/token -v
>
> When we pass those OIDC scopes with the role-based scope validator
> enabled, we get an error message as follows,
>
> {"error_description":"Invalid Scope!","error":"invalid_scope"}
>
> for the OIDC scopes except the scope named 'openid'.
>
> The reason is that we have only removed the 'openid' scope from the list [1].
> Then we try to validate whether each scope is registered by only calling the
> OAuth2 scope binding service. Since the OIDC scopes are not visible
> via the OAuth2 scope binding service, we end up with an invalid scope
> error.
>
> To resolve this issue, we may need to remove the OIDC scopes from the
> scope list before validating the OAuth2 scopes.
>
> Appreciate your thoughts to tackle this issue with a better solution.
>
+1 to remove all the OIDC scopes since we can't register OAuth scopes with
the same name.

Cheers,
Isura.

>
> [1]
> https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/c4a33c5cb4914d5b803878c8962a6d4a6f35995d/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/JDBCScopeValidator.java#L206-L220
>
>
> Thanks,
> Sarubi.
> --
> *Sarubi Thillainathan* | Senior Software Engineer | WSO2 Inc.
> (m) +94 (0) 76 684 9101 | (e) sar...@wso2.com,stsa...@gmail.com
>
>


-- 

*Isura Dilhara Karunaratne*
Technical Lead | WSO2 
*lean.enterprise.middleware*
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : https://medium.com/@isurakarunaratne


[Dev] Getting Invalid Scope Error While requesting IDToken With OIDC Scopes When Role Based Scope Validator Enabled

2020-02-17 Thread Sarubi Thillainathan
Hi All,

When the role-based scope validator is enabled, we grant the access
token based on the validated scopes. In the OpenID flow, when we are requesting
an ID token we can try the following as an example, where 'scope1' is bound
to the role 'login-sp'.

curl -u anKvtUmgg88qghLz5_AdzDMzIFAa:cQX5r6nDncXSaytrgVlZUx51teUa -k \
  -d "grant_type=password&username=kim&password=12345&scope=openid scope1" \
  -H "Content-Type:application/x-www-form-urlencoded" \
  https://localhost:9443/oauth2/token

This will respond with an ID token if the user Kim is a member of the role
'login-sp'.

But when we try to obtain a custom claim value via the ID token, we can pass
the OIDC scopes which are mapped to the corresponding user claims, for
example the profile and email scopes.

curl -u anKvtUmgg88qghLz5_AdzDMzIFAa:cQX5r6nDncXSaytrgVlZUx51teUa -k \
  -d "grant_type=password&username=kim&password=12345&scope=openid scope1 email" \
  -H "Content-Type:application/x-www-form-urlencoded" \
  https://localhost:9443/oauth2/token -v

When we pass those OIDC scopes with the role-based scope validator
enabled, we get an error message as follows,

{"error_description":"Invalid Scope!","error":"invalid_scope"}

for the OIDC scopes except the scope named 'openid'.

The reason is that we have only removed the 'openid' scope from the list [1].
Then we try to validate whether each scope is registered by only calling the
OAuth2 scope binding service. Since the OIDC scopes are not visible
via the OAuth2 scope binding service, we end up with an invalid scope
error.

To resolve this issue, we may need to remove the OIDC scopes from the scope
list before validating the OAuth2 scopes.

Appreciate your thoughts to tackle this issue with a better solution.

[1]
https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/c4a33c5cb4914d5b803878c8962a6d4a6f35995d/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/validators/JDBCScopeValidator.java#L206-L220


Thanks,
Sarubi.
-- 
*Sarubi Thillainathan* | Senior Software Engineer | WSO2 Inc.
(m) +94 (0) 76 684 9101 | (e) sar...@wso2.com,stsa...@gmail.com

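The validation path Sarubi describes in the original post, and the naming constraint Isura gives in the top reply, modelled together as an added example. This is not WSO2 code and not the JDBCScopeValidator linked at [1]; it is a small stand-in that shows why stripping only 'openid' produces invalid_scope for 'email'/'profile', why stripping every OIDC scope before the binding check fixes it, and why that is safe given that an OAuth2 scope cannot reuse an OIDC scope name. Only 'scope1' bound to 'login-sp', the user 'kim', and the OIDC scopes 'profile' and 'email' come from the thread; the OIDC scope set, the second scope 'scope2', the user 'bob', the role tables and the rejection of a user who holds none of the bound roles are all constructed assumptions.

```python
# Added example: a model of role-based scope validation as discussed in the
# thread. NOT WSO2's JDBCScopeValidator; every table below is a constructed
# fixture. Only 'scope1' -> 'login-sp', user 'kim', and the OIDC scopes
# 'profile'/'email' are from the thread; everything else is assumed.

OPENID_SCOPE = "openid"

# Constructed fixture: scopes registered on the OIDC side (scope -> claims).
OIDC_SCOPES = {"profile", "email", "address", "phone"}

# Constructed fixture: OAuth2 scopes and the roles bound to them.
OAUTH_SCOPE_BINDINGS = {
    "scope1": {"login-sp"},   # from the thread
    "scope2": {"admin"},      # assumed
}

# Constructed fixture: user -> roles.
USER_ROLES = {
    "kim": {"login-sp", "everyone"},  # kim is in login-sp, as in the thread
    "bob": {"everyone"},              # assumed second user, not in login-sp
}


class InvalidScope(Exception):
    """Raised where the token endpoint would answer
    {"error":"invalid_scope","error_description":"Invalid Scope!"}."""


def register_oauth_scope(name, roles):
    """Isura's constraint: an OAuth2 scope cannot reuse an OIDC scope name.
    Because of this no OIDC scope can ever carry a role binding, which is
    what makes dropping all OIDC scopes before binding validation safe."""
    if name == OPENID_SCOPE or name in OIDC_SCOPES:
        raise ValueError(f"{name!r} is an OIDC scope and cannot be an OAuth2 scope")
    OAUTH_SCOPE_BINDINGS[name] = set(roles)


def _check_bindings(scopes, user):
    """Role-based check over a list that is expected to hold OAuth2 scopes only."""
    user_roles = USER_ROLES.get(user, set())
    for scope in scopes:
        bound = OAUTH_SCOPE_BINDINGS.get(scope)
        if bound is None:
            # Not visible through the OAuth2 scope binding table: the error
            # the thread reports for 'email' and 'profile'.
            raise InvalidScope(f"Invalid Scope! ({scope!r} is not a registered OAuth2 scope)")
        if not bound & user_roles:
            # Assumption: a user holding none of the bound roles is rejected too.
            raise InvalidScope(f"Invalid Scope! ({user!r} holds no role bound to {scope!r})")
    return True


def validate_openid_only(requested, user):
    """Current behaviour: only 'openid' is removed before the binding check,
    so OIDC scopes such as 'email' reach the OAuth2 table and fail."""
    return _check_bindings([s for s in requested if s != OPENID_SCOPE], user)


def validate_drop_oidc(requested, user):
    """Proposed behaviour: remove 'openid' and every OIDC scope, then check
    the remaining (OAuth2) scopes against their role bindings."""
    remaining = [s for s in requested if s != OPENID_SCOPE and s not in OIDC_SCOPES]
    return _check_bindings(remaining, user)


def token_request_outcome(validator, scope_param, user):
    """Run a validator over the space-separated 'scope' parameter exactly as
    the curl commands send it; return the error body or the granted scopes."""
    requested = scope_param.split()
    try:
        validator(requested, user)
    except InvalidScope as exc:
        return {"error": "invalid_scope", "error_description": str(exc)}
    return {"scope": " ".join(requested)}


if __name__ == "__main__":
    for label, validator in (("openid-only", validate_openid_only),
                             ("drop-oidc", validate_drop_oidc)):
        for scope_param in ("openid scope1", "openid scope1 email"):
            print(f"{label:12} {scope_param!r:24} -> "
                  f"{token_request_outcome(validator, scope_param, 'kim')}")
```

Run as a script, the 'openid-only' validator accepts "openid scope1" for kim and rejects "openid scope1 email" with invalid_scope, reproducing the thread; the 'drop-oidc' validator accepts both while still rejecting an unregistered scope or a user outside 'login-sp', so the role check on OAuth2 scopes is preserved.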