IBM App ID-无法在OAuth 2.0授权代码流中的访问令牌中获得定制范围 [英] IBM App ID - Cannot get custom scopes in access token in OAuth 2.0 Authorization Code Flow
问题描述
我正在使用App ID作为身份提供者和授权服务器来保护某些后端spring-boot应用程序.我设法设置了整个OAuth 2.0授权码流程,但无法将自定义范围包含在访问令牌中.访问令牌中显示的唯一范围是应用程序ID默认范围:"openid appid_default appid_readuserattr appid_readprofile appid_writeuserattr appid_authenticated"
I am using App ID as an Identity Provider and Authorization Server to protect some back-end spring-boot applications. I have managed to set up the whole OAuth 2.0 Authorization Code flow to work but cannot manage to include custom scopes into the access token. The only scopes that appear in the access token are the App ID default ones: "openid appid_default appid_readuserattr appid_readprofile appid_writeuserattr appid_authenticated"
我已经使用所需的自定义范围配置了适当的角色,并将该角色与用户配置文件相关联.此外,我已将这些自定义范围与客户端应用程序相关联.App ID仪表板中的一切似乎都很好.但是,当我以编程方式或通过curl调用令牌端点时,总是在访问令牌中获得相同的默认范围.
I have configured an appropriate role with the desired custom scopes and associated this role to the user profile. Furthermore I have associated these custom scopes to the client application. Everything seems fine in the App ID dashboard. However when I call the token endpoint either programmatically or via curl I always get the same default scopes in the access token.
Reading the Swagger , I should be able to specify the scopes for the password flow and bearer token but I am in an OAuth 2.0 Authorization Code flow. Furthermore, even with password credentials flow, I do not manage to get these custom scopes although I specify them in the request.
有人遇到过这些问题吗?任何帮助将不胜感激.
Has anyone encountered these problems? Any help would be much appreciated.
非常感谢,克里斯
推荐答案
为了查看令牌中应用程序配置的作用域,您需要向配置了作用域的应用程序以及为其分配角色的用户进行身份验证
In order to see the application configured scopes in the token, you need to authenticate with the application that you configured scopes to and with the user you assigned the role to.
这意味着您应该在请求授权标头中使用应用程序的 username:client ID 和 password:secret ,并向您分配了匹配角色的用户进行身份验证(包含所需的范围.
Meaning you should use username : client ID and password : secret of the application in the request authorization header, and authenticate with the user you assigned the matching role (which contains the scopes wanted).
向应用程序添加访问控制的步骤:
The steps to add access control to your application:
- 转到应用程序",然后通过添加范围来定义要保护的应用程序.
- 通过转到角色和个人资料">角色">创建角色"来创建角色.
- 通过转到角色和个人资料",将角色分配给特定用户>用户个人资料.然后,选择您要分配的用户角色,然后单击更多选项"菜单>分配角色".
有关更多信息,请参阅AppID访问控制文档: https://cloud.ibm.com/docs/services/appid?topic=appid-access-control
For more information see AppID Access control docs: https://cloud.ibm.com/docs/services/appid?topic=appid-access-control
这篇关于IBM App ID-无法在OAuth 2.0授权代码流中的访问令牌中获得定制范围的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
