IdentityServer4 always returning "error": "invalid_scope"

Solution 1:

Double-check that your client isn't requesting a scope that isn't defined in your ApiScopes configuration. In the example below, my client registration allows "THIS_IS_AN_INVALID_SCOPE", but I don't actually have this scope defined in my ApiScopes.

        /// <summary>
        /// Supplies the API scopes this IdentityServer instance knows about.
        /// A client may only request scopes listed here; requesting anything else
        /// produces the "invalid_scope" error this page is about.
        /// </summary>
        public static class Scopes
        {
            /// <summary>Returns the configured <see cref="ApiScope"/> definitions.</summary>
            /// <returns>The two ProtectedResource scopes, each with a display name.</returns>
            public static IEnumerable<ApiScope> Get()
            {
                ApiScope[] configuredScopes =
                {
                    new ApiScope("ProtectedResource.Scope1", "Access to ProtectedResource.Scope1"),
                    new ApiScope("ProtectedResource.Scope2", "Access to ProtectedResource.Scope2"),
                };
                return configuredScopes;
            }
        }
        /// <summary>
        /// Supplies the client registrations for this IdentityServer instance.
        /// </summary>
        public static class Clients
        {
            /// <summary>Returns the configured <see cref="Client"/> registrations.</summary>
            /// <returns>
            /// A single client-credentials client whose <c>AllowedScopes</c> deliberately
            /// names a scope that <c>Scopes.Get()</c> does not define, which is what
            /// reproduces the "invalid_scope" error.
            /// </returns>
            public static IEnumerable<Client> Get()
            {
                var registeredClients = new List<Client>();

                var integrationTestClient = new Client
                {
                    ClientId = "IntegrationTests",
                    ClientName = "Example client application using client credentials",
                    AllowedGrantTypes = GrantTypes.ClientCredentials,
                    // Placeholder secret for the example only. In real configuration, load the
                    // secret from a secret store or configuration provider instead of committing
                    // it in source.
                    ClientSecrets = new List<Secret> { new Secret("not_the_actual_password".Sha256()) },
                    // Intentionally NOT defined in Scopes.Get(): this mismatch is the
                    // misconfiguration that triggers "invalid_scope".
                    AllowedScopes = new List<string> { "THIS_IS_AN_INVALID_SCOPE" },
                    AccessTokenLifetime = 300, // 5 minutes, expressed in seconds
                };
                registeredClients.Add(integrationTestClient);

                return registeredClients;
            }
        }
 

Solution 2:

You have to add ApiScope to the config. This was changed in the latest IdentityServer4, so it looks like this:

        /// <summary>
        /// Returns the API scopes registered with IdentityServer. Every scope a client is
        /// allowed to request must appear here; otherwise the token request fails with
        /// "invalid_scope".
        /// </summary>
        /// <returns>
        /// The read, write, delete and identityserverapi scopes, each with its display name.
        /// </returns>
        public static IEnumerable<ApiScope> GetApiScopes()
        {
            // Name/display-name pairs kept together so a scope cannot be added without a label.
            (string Name, string DisplayName)[] scopeDefinitions =
            {
                ("read", "Read your data."),
                ("write", "Write your data."),
                ("delete", "Delete your data."),
                ("identityserverapi", "manage identityserver api endpoints."),
            };

            var apiScopes = new List<ApiScope>(scopeDefinitions.Length);
            foreach (var (name, displayName) in scopeDefinitions)
            {
                apiScopes.Add(new ApiScope(name: name, displayName: displayName));
            }

            return apiScopes;
        }

Solution 3:

As mentioned by @DES PRO, you need to add ApiScope to the config file as below.

    /// <summary>
    /// Returns the API scopes registered with IdentityServer. A client may only be
    /// granted scopes that appear in this list.
    /// </summary>
    /// <returns>A single scope named "ApiOne".</returns>
    public static IEnumerable<ApiScope> GetApiScopes()
    {
        var apiOne = new ApiScope(name: "ApiOne");
        var apiScopes = new List<ApiScope>(1) { apiOne };
        return apiScopes;
    }

Then you register the scopes in ConfigureServices in the Startup.cs class. This answers @raphael's question "Where is the Scopes class being used?"

/// <summary>
/// Registers IdentityServer (backed by the in-memory stores built from the
/// <c>Configuration</c> class) and MVC controllers/views with the DI container.
/// </summary>
/// <param name="services">The application's service collection.</param>
public void ConfigureServices(IServiceCollection services)
{
    // Each Add* call returns the same builder, so they can be applied one at a time.
    var identityServerBuilder = services.AddIdentityServer();
    identityServerBuilder.AddInMemoryApiResources(Configuration.GetApis());
    identityServerBuilder.AddInMemoryClients(Configuration.GetClients());
    // Without this registration every requested scope is unknown and the token
    // endpoint answers "invalid_scope".
    identityServerBuilder.AddInMemoryApiScopes(Configuration.GetApiScopes());
    // Intended for development: the signing key is generated locally. Outside
    // development, register a persisted, managed signing credential instead.
    identityServerBuilder.AddDeveloperSigningCredential();

    services.AddControllersWithViews();
}