Which version of Duende IdentityServer are you using?
7.0.7
Which version of .NET are you using?
8.0
Describe the bug
We’ve noticed that the scope parameter is included in the callback URL after authentication in the authorization code flow, also when using PAR. This behavior seems unexpected, as scope is already handled during the authorization process and doesn’t appear to be required in the callback URL. In particular with PAR, where one of the benefits should be shorter URLs.
Wondering if this is an intentional design choice? If so, what purpose does it serve?
To Reproduce
Post the required parameters to the /connect/par endpoint.
Use the returned request_uri in the /connect/authorize URL.
Observe the callback URL after the user authenticates.
For example, during a PAR flow on your demo server, the callback URL is:

https://demo.duendesoftware.com/diagnostics?code=6CFBD7471D6755F314350B4A6A442EEE45EBB25B91F24B29B16355CF519AF346-1&scope=openid%20profile%20email%20api&session_state=VxipVTqEDrVw229tErqNMkP2Dsn6ZppQbPFb9ySN9Fg.A13E20C70771A4CD66F7A0487A5385CA&iss=https%3A%2F%2Fdemo.duendesoftware.com

Expected behavior
No scope query parameter in the callback URL.
I'm confused by the URL you have posted that seems to be a request to the diagnostics endpoint. Can you share the details around your setup including the configuration code so we can investigate what's going on?
Please keep in mind that when an access token is requested the client isn't supposed to read the token. So when it wants to check for granted scopes it has to rely on the information in the callback URL. This is especially relevant when the consent screen is enabled for that client. In that case users can opt out of certain scopes and when they do the client must be able to check the scopes that were allowed.
The granted scopes are available to the client as the scope response parameter from the token endpoint, right?
Sorry about the URL confusion, was just trying to demonstrate that this is not specific to our configuration, since your demo site also includes the scope query parameter in the callback.
You are right. After further investigation we came to the conclusion that this indeed isn't the correct behavior for this flow.
Thank you for reporting and investigating this. I'm transferring this issue to the IdentityServer repository to be triaged and fixed.
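The point settled in the thread above is that a client never needs the scope parameter on the callback: the granted scopes come back from the token endpoint (RFC 6749 section 5.1, where `scope` is required in the token response whenever it differs from what was requested). The following is an added example, not code from the issue reporter or from Duende IdentityServer. It reuses the sample callback URL quoted in the report and ignores its `scope` parameter, builds the short PAR authorize URL, and derives the granted and denied scopes from a constructed token response. The client id, request_uri value and token response JSON are assumptions for illustration.

```python
"""Client-side handling of an authorization-code + PAR callback (added example).

Demonstrates that the callback only needs `code` (plus `iss`/`state` checks);
the scopes the user actually consented to are read from the token response.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

ISSUER = "https://demo.duendesoftware.com"

# Callback URL quoted in the issue report above (demo server, PAR flow).
SAMPLE_CALLBACK = (
    "https://demo.duendesoftware.com/diagnostics?code=6CFBD7471D6755F314350B4A6A442EEE"
    "45EBB25B91F24B29B16355CF519AF346-1&scope=openid%20profile%20email%20api"
    "&session_state=VxipVTqEDrVw229tErqNMkP2Dsn6ZppQbPFb9ySN9Fg.A13E20C70771A4CD66F7A0487A5385CA"
    "&iss=https%3A%2F%2Fdemo.duendesoftware.com"
)

REQUESTED_SCOPE = "openid profile email api"  # what the client put in its PAR request

# Constructed token response: the user declined "email" and "api" on the consent screen,
# so the server reports the narrower scope, as RFC 6749 section 5.1 requires.
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "constructed.access.token",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "openid profile",
}


def build_authorize_url(issuer, client_id, request_uri):
    """After a successful POST to /connect/par, only client_id and the returned
    request_uri travel on the front channel (RFC 9126 section 4). No scope here."""
    return f"{issuer}/connect/authorize?" + urlencode(
        {"client_id": client_id, "request_uri": request_uri}
    )


def parse_callback(callback_url, expected_issuer, expected_state=None):
    """Return the authorization code from the redirect after validating it.

    `scope` and `session_state`, if present, are simply ignored: the client
    does not need them to complete the flow.
    """
    q = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error']}")
    # RFC 9207 issuer identification: reject responses from the wrong server (mix-up).
    if q.get("iss") != expected_issuer:
        raise ValueError("iss mismatch")
    # state is bound to the session when the client sent one in its PAR request.
    if expected_state is not None and q.get("state") != expected_state:
        raise ValueError("state mismatch")
    if "code" not in q:
        raise ValueError("callback carries no code")
    return q["code"]


def granted_scopes(requested_scope, token_response):
    """Scopes actually granted, taken from the token response.

    RFC 6749 section 5.1: `scope` is OPTIONAL when identical to the request and
    REQUIRED otherwise, so a missing parameter means "everything requested".
    """
    return set(token_response.get("scope", requested_scope).split())


def denied_scopes(requested_scope, token_response):
    """Requested scopes the user (or server policy) withheld."""
    return set(requested_scope.split()) - granted_scopes(requested_scope, token_response)


def run_demo(client_id="interactive.confidential",          # assumed client id
             request_uri="urn:ietf:params:oauth:request_uri:example"):  # assumed PAR result
    """Walk the flow with the constructed messages and return the outcome."""
    authorize_url = build_authorize_url(ISSUER, client_id, request_uri)
    code = parse_callback(SAMPLE_CALLBACK, ISSUER)
    return {
        "authorize_url": authorize_url,
        "code": code,
        "granted": granted_scopes(REQUESTED_SCOPE, SAMPLE_TOKEN_RESPONSE),
        "denied": denied_scopes(REQUESTED_SCOPE, SAMPLE_TOKEN_RESPONSE),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The `granted_scopes` fallback matters: a token response without `scope` is not an error, it is the server saying nothing was narrowed, so a client that insists on the parameter will break against conforming servers while one that reads it from the callback instead will miss consent-screen downgrades whenever a deployment stops echoing it there.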