Tags: asp.net-identity, claims-based-identity, identityserver4

Is "api1" in allowed scopes for client registration predefined in IdentityServer4?


I am using IdentityServer4.

I followed the QuickStarts and replicated a scenario where I have 3 web applications:

1. MVC web app
2. JS web app
3. API app

I also configured ASP.NET Identity to have a persistent user and client store.

Now, from the allowed scopes values for the JS web app, I removed the scope "api1", expecting that the generated token would not have this scope value.

But when I try to log in, I am not even able to view the page; instead I get an exception somewhere in the pipeline.

My previous understanding was that allowed scopes are a bunch of strings which can be used by resource apps for authorization purposes while serving the resources.

Can anyone explain why I am facing this issue, or am I missing some point?

If I add the "api1" scope to the JS web client again, I am able to view the login page.



Solution

  • Thanks for the logs. When you removed the api1 scope from the allowed scopes of the JavaScript client, you removed that client's access to that scope. The application itself is still requesting api1, but it has no permission to do so. So you need to edit the JavaScript client's configuration on the client side to also not request api1.

    I am going off what you said about following the quickstart guide, but where you defined your client and its configuration, it may look something like this:

    // oidc-client configuration for the "js" client from the quickstart
    var config = {
        authority: "http://localhost:5000",
        client_id: "js",
        redirect_uri: "http://localhost:5003/callback.html",
        response_type: "id_token token",
        scope: "openid profile api1", // <--- REMOVE api1 HERE
        post_logout_redirect_uri: "http://localhost:5003/index.html",
    };
    var mgr = new Oidc.UserManager(config);

    Remember, the clients have to explicitly (in most cases) express their scope requirements; if you fail any resource scope requirement, it will fail the request. So you disabled the JS client's allowed scope, yet it was still requesting a scope it had no access to.
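The mismatch the answer describes, as an added example that is not part of the question or the answer: the server-side registration below is a hypothetical object that mirrors the quickstart's "js" client with "api1" removed from AllowedScopes, the client config is the one quoted above, and the two functions model the requested-versus-allowed scope check that IdentityServer4 performs on an authorize request (the real server rejects the request with an "invalid_scope" error).

```javascript
// Hypothetical model of the IdentityServer4-side client registration
// (in the quickstart this is a C# Client object with AllowedScopes).
const serverClientRegistration = {
  ClientId: "js",
  AllowedScopes: ["openid", "profile"], // "api1" removed, as in the question
};

// The oidc-client config from the answer, still asking for api1.
const jsClientConfig = {
  authority: "http://localhost:5000",
  client_id: "js",
  redirect_uri: "http://localhost:5003/callback.html",
  response_type: "id_token token",
  scope: "openid profile api1",
  post_logout_redirect_uri: "http://localhost:5003/index.html",
};

// Returns the scopes the client requests that its server registration does
// not allow. A non-empty result is what makes IdentityServer4 reject the
// authorize request with "invalid_scope" instead of showing the login page.
function disallowedScopes(registration, config) {
  const requested = config.scope.split(/\s+/).filter(Boolean);
  const allowed = new Set(registration.AllowedScopes);
  return requested.filter((s) => !allowed.has(s));
}

// Builds the scope string the client should request instead: the requested
// scopes that the registration permits, in their original order.
function alignedScope(registration, config) {
  const allowed = new Set(registration.AllowedScopes);
  return config.scope
    .split(/\s+/)
    .filter((s) => s && allowed.has(s))
    .join(" ");
}

// Usage: check both sides agree before wiring up Oidc.UserManager.
const bad = disallowedScopes(serverClientRegistration, jsClientConfig);
if (bad.length > 0) {
  console.log(`Client "${jsClientConfig.client_id}" requests disallowed scopes: ${bad.join(", ")}`);
  console.log(`Use scope: "${alignedScope(serverClientRegistration, jsClientConfig)}"`);
}
```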