I wanted to test WSO2 scopes and how they can be used to allow my ASP.NET web app clients to access a resource. I ended up with an exception:
OpenIdConnectProtocolException: Message contains error: 'invalid_scope', error_description: 'Scope validation failed.', error_uri: 'error_uri is null'.
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler.HandleRequestAsync()
I don't know what went wrong. I followed this WSO2 blog: https://gdrdabarera.medium.com/rbac-role-based-access-control-via-oauth2-0-scopes-with-wso2-identity-server-dd6dcb0b737b
As soon as I disable the scope validator option in the service provider configuration, it works (of course). Any thoughts?
[Update]
The answer to the error above is clear: invalid scope. It is caused by WSO2, which doesn't seem to find that particular scope in its configuration. And that is a big deal because:
- the blog says it is necessary to enable scope validation in WSO2; otherwise, any client could ask for any scope and it would be included in the token, which should not happen from a security perspective
- it doesn't work the way it's supposed to. I logged in with a user who has a role bound/mapped to that scope I created, and it doesn't work.
- finally, I have no way to debug it
[Update2]
Also, when I created a new role and assigned it to a user, that role ended up in the Group field when I view the user profile. Why doesn't it get appended to the other role? Maybe that's why scope validation is failing?