I am getting invalid_scope error in access token request for client credential flow. The error log states that "cannot request OpenID scopes in client credentials flow". I haven't requested for the open id scope. I don't know from where it came from. I need to generate access token using client credential flow.
Issue / Steps to reproduce the problem
API Resource definition.
public IEnumerable GetApiResources()
{
    return new List {
        new ApiResource
        {
            Name = "WidgetApi",
            DisplayName = "Widget Management API",
            Description = "Widget Management API Resource Access",
            ApiSecrets = new List { new Secret("scopeSecret".Sha256()) },
            Scopes = new List {
                new Scope("WidgetApi.Read"),
                new Scope("WidgetApi.Write")
            }
        }
     };
}
Client Definition;
return new List
{
    new Client
    {
        ClientId = "WidgetApi Client Id",
        ClientName = "WidgetApi Client credential",
        RequireConsent = false,
        AllowedGrantTypes = GrantTypes.ClientCredentials,
        ClientSecrets =
        {
            new Secret( clientSecret.Sha256())
        },
       // scopes that client has access to
       AllowedScopes = { "WidgetApi.Read", "WidgetApi.Write"},
       AccessTokenLifetime = 3600
   };
}
Access token request body (key - value) using postman
grant_type  client_credentials
response_type  id_token
scope  WidgetApi.Read WidgetApi.Write
client_secret  xxxxxxxxxxxxxxxxxxxxxx
client_id  WidgetApiClientId
Relevant parts of the log file
dbug: Microsoft.EntityFrameworkCore.Storage.Internal.SqlServerConnection[4]
Closing connection to database 'IdentityServer4Db' on server 'localhost\SQLEXPRESS'.
dbug: IdentityServer4.EntityFramework.Stores.ResourceStore[0]
Found PssUserMgtApi.Read, PssUserMgtApi.Write API scopes in database
fail: IdentityServer4.Validation.TokenRequestValidator[0]
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx cannot request OpenID scopes in client credentials flow
fail: IdentityServer4.Validation.TokenRequestValidator[0]
{
        "ClientId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "ClientName": "xxxxxxxxxxxxxxxxxxxxxxxxx",
        "GrantType": "client_credentials",
        "Scopes": "xxxxxxxxxx.Read xxxxxxxxxxxxx.Write",
        "Raw": {
            "grant_type": "client_credentials",
            "response_type": "id_token",
            "scope": "xxxxxxxxxxxx.Read xxxxxxxxxxxxx.Write",
            "client_secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
            "client_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        }
 }
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 5292.2873ms 400 application/json
dbug: Microsoft.AspNetCore.Server.Kestrel[9]
Connection id "0HL51IVGKG792" completed keep alive response.
You can use the OAuth 2.0 client credentials grant specified in RFC 6749, sometimes called two-legged OAuth, to access web-hosted resources by using the identity of an application.
The token endpoint does not issue a refresh token as refresh tokens are not supported by the client credentials grant. The client credentials grant type is less secure than the authorization code grant type.
Since there is no user tagged in a client credential flow, normally, client credential is not intended to have a scope tagged to it, and many frameworks doesnt support it.
https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/ says :
scope (optional) : Your service can support different scopes for the client credentials grant. In practice, not many services actually support this.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With