Identity Server 4 - How to Define Supported Grant Types etc












0















In a current ASP.NET Core project (v2.1.6) Identity Server 4 (v2.2.0) was implemented for user and API authentication and it works like a charm. The only grant_type that is set to the clients is client-credentials and the scopes are set to a few custom scopes where offline_access is not allowed.



After visiting the .well-known/openid-configuration it was found that more grant_types are supported than specified and offline_access is a supported scope even though it was disabled (shortened for brevity):



{

  "scopes_supported": [

    "custom_scope_1",

    "custom_scope_2",

    "offline_access"

  ],

  "grant_types_supported": [

    "authorization_code",

    "client_credentials",

    "refresh_token",

    "implicit",

    "password"

  ],

}


The documentation of both IdentityServer4 but could not find a clue how to set such an option. I stumbled upon an possibly older documentation but this seems not to be part of the current version.



Is there any possibility to explicitly define the supported grant types during configuration which I just missed? Or is it generated automatically and cannot be set at all?






asp.net-core identityserver4 openid-connect







share|improve this question



























    0















    In a current ASP.NET Core project (v2.1.6) Identity Server 4 (v2.2.0) was implemented for user and API authentication and it works like a charm. The only grant_type that is set to the clients is client-credentials and the scopes are set to a few custom scopes where offline_access is not allowed.



    After visiting the .well-known/openid-configuration it was found that more grant_types are supported than specified and offline_access is a supported scope even though it was disabled (shortened for brevity):



    {
    
  "scopes_supported": [
    
    "custom_scope_1",
    
    "custom_scope_2",
    
    "offline_access"
    
  ],
    
  "grant_types_supported": [
    
    "authorization_code",
    
    "client_credentials",
    
    "refresh_token",
    
    "implicit",
    
    "password"
    
  ],
    
}


    The documentation of both IdentityServer4 but could not find a clue how to set such an option. I stumbled upon an possibly older documentation but this seems not to be part of the current version.



    Is there any possibility to explicitly define the supported grant types during configuration which I just missed? Or is it generated automatically and cannot be set at all?






    asp.net-core identityserver4 openid-connect







    share|improve this question

























      0












      0








      0








      In a current ASP.NET Core project (v2.1.6) Identity Server 4 (v2.2.0) was implemented for user and API authentication and it works like a charm. The only grant_type that is set to the clients is client-credentials and the scopes are set to a few custom scopes where offline_access is not allowed.



      After visiting the .well-known/openid-configuration it was found that more grant_types are supported than specified and offline_access is a supported scope even though it was disabled (shortened for brevity):



      {
      
  "scopes_supported": [
      
    "custom_scope_1",
      
    "custom_scope_2",
      
    "offline_access"
      
  ],
      
  "grant_types_supported": [
      
    "authorization_code",
      
    "client_credentials",
      
    "refresh_token",
      
    "implicit",
      
    "password"
      
  ],
      
}


      The documentation of both IdentityServer4 but could not find a clue how to set such an option. I stumbled upon an possibly older documentation but this seems not to be part of the current version.



      Is there any possibility to explicitly define the supported grant types during configuration which I just missed? Or is it generated automatically and cannot be set at all?






      asp.net-core identityserver4 openid-connect







      share|improve this question














      In a current ASP.NET Core project (v2.1.6) Identity Server 4 (v2.2.0) was implemented for user and API authentication and it works like a charm. The only grant_type that is set to the clients is client-credentials and the scopes are set to a few custom scopes where offline_access is not allowed.



      After visiting the .well-known/openid-configuration it was found that more grant_types are supported than specified and offline_access is a supported scope even though it was disabled (shortened for brevity):



      {
      
  "scopes_supported": [
      
    "custom_scope_1",
      
    "custom_scope_2",
      
    "offline_access"
      
  ],
      
  "grant_types_supported": [
      
    "authorization_code",
      
    "client_credentials",
      
    "refresh_token",
      
    "implicit",
      
    "password"
      
  ],
      
}


      The documentation of both IdentityServer4 but could not find a clue how to set such an option. I stumbled upon an possibly older documentation but this seems not to be part of the current version.



      Is there any possibility to explicitly define the supported grant types during configuration which I just missed? Or is it generated automatically and cannot be set at all?






      asp.net-core identityserver4 openid-connect




      asp.net-core identityserver4 openid-connect






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 22 '18 at 14:53









      mmrmmr

      886




      886
























          1 Answer
          1






          active

          oldest

          votes


















          2














          I believe those are all the ones that IdentityServer4 supports; i.e. its capabilities.



          You can see how they are added here (line 223); the short answer is they are based on the server capabilities/configuration, and not individual Clients.




          You configure each Client individually with the grant type(s) you want it to have enabled with the ClientGrantTypes collection.



          If you're using the in-memory Client collection, these are called AllowedGrantTypes there.




          Addition: as .well-known/openid-configuration is an open standards concept, not an IdentityServer one, you can see confirmation of the above here.




          grant_types_supported



          OPTIONAL. JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports.







          share|improve this answer


























          • Alright - so the document is generated based on what the server supports in total no matter what the actual clients support?! If the authentication is successful depends then on the actual setting for the client (which works as wanted).

            – mmr
            Nov 22 '18 at 15:04











          • I'll check the first part, but certainly the second part is true (although clearly you can only add Client grant types that fall within the server's capabilities).

            – sellotape
            Nov 22 '18 at 15:08











          • @mmr - I updated the answer with a bit more info.

            – sellotape
            Nov 22 '18 at 15:16











          • Thanks a lot @sellotape! I understand now how it works. The grant types are as supported by the auth server / OP, in this case IDS4, and can be extended by custom grants if required - see the docs.

            – mmr
            Nov 22 '18 at 15:42











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53433528%2fidentity-server-4-how-to-define-supported-grant-types-etc%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          2














          I believe those are all the ones that IdentityServer4 supports; i.e. its capabilities.



          You can see how they are added here (line 223); the short answer is they are based on the server capabilities/configuration, and not individual Clients.




          You configure each Client individually with the grant type(s) you want it to have enabled with the ClientGrantTypes collection.



          If you're using the in-memory Client collection, these are called AllowedGrantTypes there.




          Addition: as .well-known/openid-configuration is an open standards concept, not an IdentityServer one, you can see confirmation of the above here.




          grant_types_supported



          OPTIONAL. JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports.







          share|improve this answer


























          • Alright - so the document is generated based on what the server supports in total no matter what the actual clients support?! If the authentication is successful depends then on the actual setting for the client (which works as wanted).

            – mmr
            Nov 22 '18 at 15:04











          • I'll check the first part, but certainly the second part is true (although clearly you can only add Client grant types that fall within the server's capabilities).

            – sellotape
            Nov 22 '18 at 15:08











          • @mmr - I updated the answer with a bit more info.

            – sellotape
            Nov 22 '18 at 15:16











          • Thanks a lot @sellotape! I understand now how it works. The grant types are as supported by the auth server / OP, in this case IDS4, and can be extended by custom grants if required - see the docs.

            – mmr
            Nov 22 '18 at 15:42
















          2














          I believe those are all the ones that IdentityServer4 supports; i.e. its capabilities.



          You can see how they are added here (line 223); the short answer is they are based on the server capabilities/configuration, and not individual Clients.




          You configure each Client individually with the grant type(s) you want it to have enabled with the ClientGrantTypes collection.



          If you're using the in-memory Client collection, these are called AllowedGrantTypes there.




          Addition: as .well-known/openid-configuration is an open standards concept, not an IdentityServer one, you can see confirmation of the above here.




          grant_types_supported



          OPTIONAL. JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports.







          share|improve this answer


























          • Alright - so the document is generated based on what the server supports in total no matter what the actual clients support?! If the authentication is successful depends then on the actual setting for the client (which works as wanted).

            – mmr
            Nov 22 '18 at 15:04











          • I'll check the first part, but certainly the second part is true (although clearly you can only add Client grant types that fall within the server's capabilities).

            – sellotape
            Nov 22 '18 at 15:08











          • @mmr - I updated the answer with a bit more info.

            – sellotape
            Nov 22 '18 at 15:16











          • Thanks a lot @sellotape! I understand now how it works. The grant types are as supported by the auth server / OP, in this case IDS4, and can be extended by custom grants if required - see the docs.

            – mmr
            Nov 22 '18 at 15:42














          2












          2








          2







          I believe those are all the ones that IdentityServer4 supports; i.e. its capabilities.



          You can see how they are added here (line 223); the short answer is they are based on the server capabilities/configuration, and not individual Clients.




          You configure each Client individually with the grant type(s) you want it to have enabled with the ClientGrantTypes collection.



          If you're using the in-memory Client collection, these are called AllowedGrantTypes there.




          Addition: as .well-known/openid-configuration is an open standards concept, not an IdentityServer one, you can see confirmation of the above here.




          grant_types_supported



          OPTIONAL. JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports.







          share|improve this answer















          I believe those are all the ones that IdentityServer4 supports; i.e. its capabilities.



          You can see how they are added here (line 223); the short answer is they are based on the server capabilities/configuration, and not individual Clients.




          You configure each Client individually with the grant type(s) you want it to have enabled with the ClientGrantTypes collection.



          If you're using the in-memory Client collection, these are called AllowedGrantTypes there.




          Addition: as .well-known/openid-configuration is an open standards concept, not an IdentityServer one, you can see confirmation of the above here.




          grant_types_supported



          OPTIONAL. JSON array containing a list of the OAuth 2.0 Grant Type values that this OP supports.








          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Nov 22 '18 at 16:03

























          answered Nov 22 '18 at 15:00









          sellotapesellotape

          5,65821619




          5,65821619













          • Alright - so the document is generated based on what the server supports in total no matter what the actual clients support?! If the authentication is successful depends then on the actual setting for the client (which works as wanted).

            – mmr
            Nov 22 '18 at 15:04











          • I'll check the first part, but certainly the second part is true (although clearly you can only add Client grant types that fall within the server's capabilities).

            – sellotape
            Nov 22 '18 at 15:08











          • @mmr - I updated the answer with a bit more info.

            – sellotape
            Nov 22 '18 at 15:16











          • Thanks a lot @sellotape! I understand now how it works. The grant types are as supported by the auth server / OP, in this case IDS4, and can be extended by custom grants if required - see the docs.

            – mmr
            Nov 22 '18 at 15:42



















          • Alright - so the document is generated based on what the server supports in total no matter what the actual clients support?! If the authentication is successful depends then on the actual setting for the client (which works as wanted).

            – mmr
            Nov 22 '18 at 15:04











          • I'll check the first part, but certainly the second part is true (although clearly you can only add Client grant types that fall within the server's capabilities).

            – sellotape
            Nov 22 '18 at 15:08











          • @mmr - I updated the answer with a bit more info.

            – sellotape
            Nov 22 '18 at 15:16











          • Thanks a lot @sellotape! I understand now how it works. The grant types are as supported by the auth server / OP, in this case IDS4, and can be extended by custom grants if required - see the docs.

            – mmr
            Nov 22 '18 at 15:42

















          Alright - so the document is generated based on what the server supports in total no matter what the actual clients support?! If the authentication is successful depends then on the actual setting for the client (which works as wanted).

          – mmr
          Nov 22 '18 at 15:04





          Alright - so the document is generated based on what the server supports in total no matter what the actual clients support?! If the authentication is successful depends then on the actual setting for the client (which works as wanted).

          – mmr
          Nov 22 '18 at 15:04













          I'll check the first part, but certainly the second part is true (although clearly you can only add Client grant types that fall within the server's capabilities).

          – sellotape
          Nov 22 '18 at 15:08





          I'll check the first part, but certainly the second part is true (although clearly you can only add Client grant types that fall within the server's capabilities).

          – sellotape
          Nov 22 '18 at 15:08













          @mmr - I updated the answer with a bit more info.

          – sellotape
          Nov 22 '18 at 15:16





          @mmr - I updated the answer with a bit more info.

          – sellotape
          Nov 22 '18 at 15:16













          Thanks a lot @sellotape! I understand now how it works. The grant types are as supported by the auth server / OP, in this case IDS4, and can be extended by custom grants if required - see the docs.

          – mmr
          Nov 22 '18 at 15:42





          Thanks a lot @sellotape! I understand now how it works. The grant types are as supported by the auth server / OP, in this case IDS4, and can be extended by custom grants if required - see the docs.

          – mmr
          Nov 22 '18 at 15:42


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53433528%2fidentity-server-4-how-to-define-supported-grant-types-etc%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          -

          Popular posts from this blog

          Costa Masnaga

          Image
          .mw-parser-output .avviso .mbox-text-div>div,.mw-parser-output .avviso .mbox-text-full-div>div{font-size:90%}.mw-parser-output .avviso .mbox-image div{width:52px}.mw-parser-output .avviso .mbox-text-full-div .hide-when-compact{display:block} Questa voce o sezione sull'argomento Lombardia non cita le fonti necessarie o quelle presenti sono insufficienti . Puoi migliorare questa voce aggiungendo citazioni da fonti attendibili secondo le linee guida sull'uso delle fonti. Segui i suggerimenti del progetto di riferimento. Costa Masnaga comune Localizzazione Stato   Italia Regione Lombardia Provincia Lecco Amministrazione Sindaco Sabina Panzeri (Al centro il cittadino) dall'08/06/2009 Territorio Coordinate 45°46′N 9°17′E  /  45.766667°N 9.283333°E 45.766667; 9.283333  ( Costa Masnaga ) Coordinate: 45°46′N 9°17′E  /  45.766667°N 9.283333°E 45.766667; 9.283333  ( Costa Masnaga ) Altitudine 318 m s.l.m...
          Read more

          Fotorealismo

          Image
          Guerrino Boatto, Venice's St. Barnaba Church and canal Il fotorealismo è un genere di pittura basato sull'uso di una o più fotografie dalle quali l'artista prende le informazioni necessarie da utilizzare poi nel processo della creazione dell'opera, in genere ad olio o ad acrilico, al fine di avere un aspetto finale il più simile possibile alla fotografia. Indice 1 Storia 2 Lista dei fotorealisti 3 Note 4 Voci correlate 5 Altri progetti Storia | Il fotorealismo è un movimento che nasce negli Stati Uniti d'America alla fine degli anni sessanta [1] sulla scia della Pop Art [2] [3] [4] , e insieme condividono il carattere reazionario verso la travolgente ascesa dei media, che alla metà del ventesimo secolo si trasforma in un fenomeno di massa talmente imponente da minacciare il valore dell'immagine nell'arte. [5] [6] Ne consegue così che, colto il gesto d'inizio che fu della Pop Art, i fotorealisti aprono ad un ...
          Read more

          Sidney Franklin

          Image
          Questa voce sull'argomento registi statunitensi è solo un abbozzo . Contribuisci a migliorarla secondo le convenzioni di Wikipedia. Sidney Franklin, foto di Carl Van Vechten Oscar alla memoria Irving G. Thalberg 1943 Sidney Franklin , all'anagrafe Sidney Arnold Franklin , (San Francisco, 21 marzo 1893 – Santa Monica, 18 maggio 1972), è stato un regista, produttore cinematografico e attore statunitense. Il 20 giugno 1963, si sposò con l'attrice australiana Enid Bennett. Il matrimonio durò fino alla morte dell'attrice, il 14 maggio 1969 [1] Indice 1 Filmografia 1.1 Regista 1.2 Aiuto regia (parziale) 1.3 Produttore 1.4 Attore (parziale) 2 Note 3 Altri progetti 4 Collegamenti esterni Filmografia | Regista | The Baby , co-regia Chester M. Franklin (1915) The Rivals , co-regia Chester M. Franklin (1915) Little Dick's First Case , co-regia Chester M. Franklin (1915) Her Filmland Hero , co-...
          Read more