Identity Server 4 - How to Define Supported Grant Types etc



























In a current ASP.NET Core project (v2.1.6) Identity Server 4 (v2.2.0) was implemented for user and API authentication and it works like a charm. The only grant_type that is set to the clients is client-credentials and the scopes are set to a few custom scopes where offline_access is not allowed.



After visiting the .well-known/openid-configuration it was found that more grant_types are supported than specified and offline_access is a supported scope even though it was disabled (shortened for brevity):



    {
        "scopes_supported": [
            "custom_scope_1",
            "custom_scope_2",
            "offline_access"
        ],
        "grant_types_supported": [
            "authorization_code",
            "client_credentials",
            "refresh_token",
            "implicit",
            "password"
        ]
    }


The documentation of both IdentityServer4 but could not find a clue how to set such an option. I stumbled upon a possibly older documentation but this seems not to be part of the current version.



Is there any possibility to explicitly define the supported grant types during configuration which I just missed? Or is it generated automatically and cannot be set at all?










      asp.net-core identityserver4 openid-connect
















      asked Nov 22 '18 at 14:53









      mmr
























          1 Answer
          I believe those are all the ones that IdentityServer4 supports; i.e. its capabilities.



          You can see how they are added here (line 223); the short answer is they are based on the server capabilities/configuration, and not individual Clients.





          You configure each Client individually with the grant type(s) you want it to have enabled with the ClientGrantTypes collection.



          If you're using the in-memory Client collection, these are called AllowedGrantTypes there.





          Addition: as .well-known/openid-configuration is an open standards concept, not an IdentityServer one, you can see confirmation of the above here.




          grant_types_supported



          OPTIONAL. JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports.
















          edited Nov 22 '18 at 16:03

























          answered Nov 22 '18 at 15:00









          sellotape













          • Alright - so the document is generated based on what the server supports in total no matter what the actual clients support?! Whether the authentication is successful then depends on the actual setting for the client (which works as wanted).

            – mmr
            Nov 22 '18 at 15:04











          • I'll check the first part, but certainly the second part is true (although clearly you can only add Client grant types that fall within the server's capabilities).

            – sellotape
            Nov 22 '18 at 15:08











          • @mmr - I updated the answer with a bit more info.

            – sellotape
            Nov 22 '18 at 15:16











          • Thanks a lot @sellotape! I understand now how it works. The grant types are as supported by the auth server / OP, in this case IDS4, and can be extended by custom grants if required - see the docs.

            – mmr
            Nov 22 '18 at 15:42
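
The split the answer and comments describe, server-wide capabilities in the discovery document versus per-client enforcement at the token endpoint, as an added example that is not part of the original thread and is not IdentityServer4's own code. It is a small Python model; the client id `api_client` and the function names are hypothetical, and the error codes are the ones defined in RFC 6749 section 5.2.

```python
# Added illustration: discovery metadata vs. per-client enforcement.
# Models the behaviour described in the thread; it is not IdentityServer4 code.

# Discovery document values as quoted in the question.
DISCOVERY = {
    "scopes_supported": ["custom_scope_1", "custom_scope_2", "offline_access"],
    "grant_types_supported": [
        "authorization_code", "client_credentials",
        "refresh_token", "implicit", "password",
    ],
}

# Hypothetical client registry (constructed): one client limited to the
# client credentials grant and two custom scopes, as in the question.
CLIENTS = {
    "api_client": {
        "allowed_grant_types": {"client_credentials"},
        "allowed_scopes": {"custom_scope_1", "custom_scope_2"},
    },
}


def validate_token_request(client_id, grant_type, scopes):
    """Return "ok" or an RFC 6749 section 5.2 error code."""
    client = CLIENTS.get(client_id)
    if client is None:
        return "invalid_client"
    # Server-wide capability: what the discovery document advertises.
    if grant_type not in DISCOVERY["grant_types_supported"]:
        return "unsupported_grant_type"
    # Per-client restriction: advertised is not the same as permitted.
    if grant_type not in client["allowed_grant_types"]:
        return "unauthorized_client"
    if not set(scopes) <= client["allowed_scopes"]:
        return "invalid_scope"
    return "ok"


def effective_grants(client_id):
    """Grant types a client can actually use: its own list, capped by the server."""
    allowed = CLIENTS[client_id]["allowed_grant_types"]
    return sorted(allowed & set(DISCOVERY["grant_types_supported"]))


def advertised_but_unassigned():
    """Advertised grant types that no registered client is allowed to use."""
    assigned = set()
    for client in CLIENTS.values():
        assigned |= client["allowed_grant_types"]
    return sorted(set(DISCOVERY["grant_types_supported"]) - assigned)


if __name__ == "__main__":
    for grant, scopes in [
        ("client_credentials", ["custom_scope_1"]),
        ("password", ["custom_scope_1"]),
        ("client_credentials", ["offline_access"]),
        ("urn:example:custom", ["custom_scope_1"]),
    ]:
        print(grant, scopes, "->", validate_token_request("api_client", grant, scopes))
    print("usable:", effective_grants("api_client"))
    print("advertised only:", advertised_but_unassigned())
```
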


















