
I have a microservice system with an OpenId connect Identity Provider, implemented with IdentityServer4.

I have one special (very generic) service which needs to be able to communicate with all other services, even with services which will be developed in future. This is server to server communication without user interaction, so my special service requests tokens via Client Credentials Flow. I would like to grant this service "all scopes registered at this IdentityProvider". As a developer, I don't know which scopes will be there. So I can't specify them as AllowedScopes in my client registration.

My questions are:

  1. Is it OIDC conform to register a client without explicitly specifying allowed scopes, but rather saying "all existing (and future) scopes"? I checked the OIDC spec, but didn't find a rule saying you must (or should) specify allowed scopes. I found some posts suggesting that scopes are not that relevant in Client Credentials Flow, e.g. here.
  2. If it is OIDC conform, does IdentityServer4 offer such a possibility or an extension point?
  • Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. – Community Oct 28 '21 at 17:10

2 Answers


OIDC does not define scopes or the client credentials grant. Both are defined by OAuth 2.0 in RFC 6749.

Providing scopes at all is optional:

If the client omits the scope parameter when requesting authorization, the authorization server MUST either process the request using a pre-defined default value or fail the request indicating an invalid scope. The authorization server SHOULD document its scope requirements and default value (if defined).

(RFC 6749, Section 3.3)

Also this is optional in the client credentials grant:

scope
OPTIONAL. The scope of the access request as described by Section 3.3.

(RFC 6749, Section 4.4.2)

Testing with the Demo of IdentityServer4, omitting the scope parameter results in a token with multiple scopes. IS4 seems to use a default in this case (maybe all scopes granted to the application).

JuliusPC
  1. Yes, there is an extension point. IdentityServer4 (and the other versions as well) has the possibility of creating custom grants: https://identityserver4.readthedocs.io/en/latest/topics/extension_grants.html

You can create your own custom grant that gives all existing scopes in your application at runtime.
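As an added illustration (written for this page; it is not code from either answer nor from the IdentityServer4 project) of the "resolve the scope list at runtime" idea in the second answer, combined with the first answer's observation that IS4 falls back to the client's AllowedScopes when the scope parameter is omitted: rather than a custom grant, a custom IClientStore wrapping the standard in-memory store can expand one designated client's AllowedScopes to every registered ApiScope at lookup time. It assumes the IdentityServer4 v4 API (Resources.ApiScopes, AddClientStore<T>, in-memory clients registered as IEnumerable<Client>), that the last IClientStore registration is the one resolved, and the made-up client id platform-orchestrator and property name grant_all_api_scopes.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Stores;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical client store that wraps the standard in-memory store. For a client
// whose registration carries the (made-up) property "grant_all_api_scopes", it
// replaces AllowedScopes with the names of every enabled ApiScope currently known
// to the IResourceStore, so scopes added later are picked up without touching the
// client registration. Because IS4 falls back to AllowedScopes when the token
// request omits the scope parameter, such a client simply omits it.
public class AllApiScopesClientStore : IClientStore
{
    public const string MarkerProperty = "grant_all_api_scopes"; // assumption, not an IS4 name

    private readonly IClientStore _inner;
    private readonly IResourceStore _resources;

    // IEnumerable<Client> is what AddInMemoryClients() registers in DI.
    public AllApiScopesClientStore(IEnumerable<Client> clients, IResourceStore resources)
    {
        _inner = new InMemoryClientStore(clients);
        _resources = resources;
    }

    public async Task<Client> FindClientByIdAsync(string clientId)
    {
        var client = await _inner.FindClientByIdAsync(clientId);
        if (client == null) return null;

        if (!client.Properties.TryGetValue(MarkerProperty, out var flag) || flag != "true")
            return client; // ordinary client: AllowedScopes stay as configured

        // Widen only pure machine clients. A client that can also run an
        // interactive grant would carry these scopes into user-facing tokens.
        if (client.AllowedGrantTypes.Any(g => g != GrantType.ClientCredentials))
            return client;

        var all = await _resources.GetAllResourcesAsync();

        // IS4 v4: API scopes live in Resources.ApiScopes. Identity scopes
        // (openid, profile, ...) are left out: they describe a user, and a
        // client_credentials token has none. The in-memory store hands back a
        // shared Client instance; assigning a fresh list is an atomic reference
        // write and idempotent, so concurrent lookups do not interfere.
        client.AllowedScopes = all.ApiScopes
            .Where(s => s.Enabled)
            .Select(s => s.Name)
            .Distinct()
            .ToList();
        return client;
    }
}

// Sample configuration, constructed for this example.
public static class Config
{
    public static IEnumerable<ApiScope> ApiScopes => new[]
    {
        new ApiScope("orders.read"),
        new ApiScope("inventory.read")
        // a scope registered here months later is granted automatically
    };

    public static IEnumerable<Client> Clients => new[]
    {
        new Client
        {
            ClientId = "platform-orchestrator",          // hypothetical client id
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            ClientSecrets = { new Secret("<replace-with-real-secret>".Sha256()) },
            // AllowedScopes deliberately left empty: filled in at lookup time.
            Properties = { [AllApiScopesClientStore.MarkerProperty] = "true" }
        },
        new Client
        {
            ClientId = "orders-ui",                       // ordinary client, untouched
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            ClientSecrets = { new Secret("<replace-with-real-secret>".Sha256()) },
            AllowedScopes = { "orders.read" }
        }
    };
}

// Startup.ConfigureServices: register resources and clients first, then
// override the client store so the wrapper above is what IS4 resolves.
public static class IdentityServerSetup
{
    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddDeveloperSigningCredential()
            .AddInMemoryApiScopes(Config.ApiScopes)
            .AddInMemoryClients(Config.Clients)
            .AddClientStore<AllApiScopesClientStore>(); // last IClientStore registration wins
    }
}
```

With this in place, a client_credentials request from platform-orchestrator that omits the scope parameter receives a token carrying orders.read and inventory.read, while orders-ui stays limited to what its own registration lists. The grant-type check and the exclusion of identity scopes are the two places where the widening is deliberately narrower than "everything", and because the marker is evaluated on every lookup, removing the property from the registration withdraws the privilege without a code change.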