Tags: asp.net-core, identityserver4, openid-connect

Identity Server 4 - How to Define Supported Grant Types etc


In a current ASP.NET Core project (v2.1.6), Identity Server 4 (v2.2.0) was implemented for user and API authentication and it works like a charm. The only grant_type set for the clients is client_credentials, and the scopes are set to a few custom scopes; offline_access is not allowed.

After visiting the .well-known/openid-configuration it was found that more grant_types are supported than specified and offline_access is a supported scope even though it was disabled (shortened for brevity):

{
  "scopes_supported": [
    "custom_scope_1",
    "custom_scope_2",
    "offline_access"
  ],
  "grant_types_supported": [
    "authorization_code",
    "client_credentials",
    "refresh_token",
    "implicit",
    "password"
  ],
}

I have searched the documentation of IdentityServer4 but could not find a clue how to set such an option. I stumbled upon a possibly older documentation, but this seems not to be part of the current version.

Is there any possibility to explicitly define the supported grant types during configuration which I just missed? Or is it generated automatically and cannot be set at all?


Solution

  • I believe those are all the ones that IdentityServer4 supports; i.e. its capabilities.

    You can see how they are added here (line 223); the short answer is they are based on the server capabilities/configuration, and not individual Clients.


    You configure each Client individually with the grant type(s) you want it to have enabled with the ClientGrantTypes collection.

    If you're using the in-memory Client collection, these are called AllowedGrantTypes there.


    Addition: as .well-known/openid-configuration is an open standards concept, not an IdentityServer one, you can see confirmation of the above here.

    grant_types_supported

    OPTIONAL. JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports.
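To make the distinction concrete, here is an added example (not code from the question, the answer, or the IdentityServer4 project) of an IdentityServer4 2.x in-memory configuration that locks a client to client_credentials. The client id `api-client`, the secret, the scope names and the Startup wiring are assumptions for illustration; only the `Client` properties and the `AddIdentityServer()` builder calls are the library's own API.

```csharp
// Added example, not from the original page: an IdentityServer4 2.x client
// restricted to the client_credentials grant. Client id, secret, scope names
// and the Startup wiring are assumed for illustration.
using System.Collections.Generic;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public static class IdentityServerConfig
{
    // API resources the client may request. offline_access is not an
    // ApiResource; IdentityServer advertises it in scopes_supported on its
    // own and only honours it for clients that opt in via AllowOfflineAccess.
    public static IEnumerable<ApiResource> GetApiResources() =>
        new List<ApiResource>
        {
            new ApiResource("custom_scope_1", "Custom scope 1"),
            new ApiResource("custom_scope_2", "Custom scope 2")
        };

    public static IEnumerable<Client> GetClients() =>
        new List<Client>
        {
            new Client
            {
                ClientId = "api-client",                              // assumed
                ClientSecrets = { new Secret("replace-me".Sha256()) }, // assumed
                // Per-client allow list: this is what the token endpoint
                // enforces. grant_types_supported in the discovery document
                // is NOT derived from it.
                AllowedGrantTypes = GrantTypes.ClientCredentials,
                AllowedScopes = { "custom_scope_1", "custom_scope_2" },
                // No refresh tokens for this client, whatever the discovery
                // document advertises server-wide.
                AllowOfflineAccess = false
            }
        };
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer()
            // Development-only key material; use AddSigningCredential in production.
            .AddDeveloperSigningCredential()
            .AddInMemoryApiResources(IdentityServerConfig.GetApiResources())
            .AddInMemoryClients(IdentityServerConfig.GetClients());
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseIdentityServer();
    }
}
```

The practical check is at the token endpoint, not in the discovery document: with this configuration, a POST to /connect/token for `api-client` with grant_type=password or grant_type=refresh_token is rejected with an OAuth error response instead of a token, while grant_type=client_credentials succeeds. The discovery document will still list every grant type the server itself implements, so it cannot be used as evidence of what any particular client is permitted to do.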