C#•3y ago

Asp.Net Core OAuth2 Strip token of claims or Request new token

I am trying to prevent sending unnecessary tokens to WebApi however I find it hard to do. I am using Duende.IdentityServer package These are approaches i am considering. -To either strip a token of unnecessary claims if it's possible -or ask for a new token however I do not believe i have access to the code from authorizationcodeflow to request a new token. Having tried to use ClientCredentials Flow I've failed whenever ive asked for user specific information like "role" or even their id using "openid" scope

7 Replies

IndeedOP•3y ago

Having tried Implicit Flow I get

IndeedOP•3y ago

IndeedOP•3y ago

for "APIScope roles"

IndeedOP•3y ago

IndeedOP•3y ago

for "APIScope roles openid"

      new() {
        ClientId = "POSTMAN",
        ClientSecrets = {new Secret("POSTMAN".Sha256())},

        AllowedGrantTypes = GrantTypes.Implicit,

        // where to redirect to after login
        RedirectUris = {"https://oauth.pstmn.io/v1/browser-callback"},

        // where to redirect to after logout
        PostLogoutRedirectUris = {$"{IpAddresses.MVCServer}/signout-callback-oidc"},

        AllowedScopes = new List<string> {
          Scopes.ApiScope.Name,
          Scopes.Roles.Name,
          IdentityServerConstants.StandardScopes.OpenId,
          IdentityServerConstants.StandardScopes.Profile
        },
        RequirePkce = false,
        AllowPlainTextPkce = false,
        AllowAccessTokensViaBrowser = true
      }

      new() {
        ClientId = "POSTMAN",
        ClientSecrets = {new Secret("POSTMAN".Sha256())},

        AllowedGrantTypes = GrantTypes.Implicit,

        // where to redirect to after login
        RedirectUris = {"https://oauth.pstmn.io/v1/browser-callback"},

        // where to redirect to after logout
        PostLogoutRedirectUris = {$"{IpAddresses.MVCServer}/signout-callback-oidc"},

        AllowedScopes = new List<string> {
          Scopes.ApiScope.Name,
          Scopes.Roles.Name,
          IdentityServerConstants.StandardScopes.OpenId,
          IdentityServerConstants.StandardScopes.Profile
        },
        RequirePkce = false,
        AllowPlainTextPkce = false,
        AllowAccessTokensViaBrowser = true
      }

  public static IEnumerable<IdentityResource> IdentityResources =>
    new IdentityResource[] {
      new IdentityResources.OpenId(),
      new IdentityResources.Profile(),
      Scopes.Roles
    };

  public static IEnumerable<ApiScope> ApiScopes =>
    new[] {Scopes.ApiScope};

  public static IEnumerable<IdentityResource> IdentityResources =>
    new IdentityResource[] {
      new IdentityResources.OpenId(),
      new IdentityResources.Profile(),
      Scopes.Roles
    };

  public static IEnumerable<ApiScope> ApiScopes =>
    new[] {Scopes.ApiScope};

IndeedOP•3y ago

IndeedOP•3y ago

ClientCredentials Scope is for Machine-Machine call so it can't transfer user information

Gaming

Programming

Asp.Net Core OAuth2 Strip token of claims or Request new token

Did you find this page helpful?