I implemented Identity server 4 and client angular every thing work as excepted I determined Scopes for client (openid,profile,email) but when try to remove openid from scope array from server and angular display error in request
but when remove profile or email work correctly why when remove openid display this error?
second question when remove profile from scope client still display user info in token why?
hint I am using implicitly grant flow
CodePudding user response:
When you are using a "user present" oauth2 flow such as "code flow", "implicit grant" or "resrource owner password" then the openid
scope is mandatory.
This is because this scope is the one that adds the subject sub
claim to your access_token and user-info.
Subject in the context of oauth is equivalent to the userid. Without it there is no way to identify the user/principal being logged in only the client (through client_id).
So for machine to machine scenarios such as client_credentials
flow the openid
scope is invalid but on the "user present" scenarios it is mandatory.
UPDATE
There are two things being configured when requesting access what information (claims) will be baked in the access_token and what will be available to the client via the normal http call to the /connect/user-info
endpoint.
- The information inside the access_token is meant for the server side (apis and services) to inspect
- while the information retrieved through the user-info endpoint is meant for your angular client.
If you are deserializing the access_token to figure out the profile information from within, they will not change by omitting the optional scopes such as email
and profile
. On the other hand if you make a call to the /connect/user-info endpoint with a "lesser" privileged token you will see the info in the response changing.
Try it out with postman. It all boils down on what is your angular client doing after the implicit grant flow is done. How is it materializing the user profile in order to show it (it should be using the user-info endpoint IMHO).