User Info endpoint not finding openid scope


November 2018


358 time


I am configuring my implementation of IdentityServer3 to be an Identity Provider to a new client application (Salesforce Communities) using the AuthorizationCode flow. Everything is working as expected until the client hits the userinfo endpoint, at which point the following errors occur:

ERROR IdentityServer3.Core.Validation.TokenValidator Checking for expected scope openid failed


ERROR IdentityServer3.Core.Endpoints.UserInfoEndpointController insufficient_scope

This obviously leads one to believe that the client did not request the openid scope in the authorize request, which is required when using OpenId Connect. However, I can confirm that the client does indeed request a scope of openid in the authorize request:

INFO  IdentityServer3.Core.Validation.AuthorizeRequestValidator Authorize request validation success
  "ClientId": "{client_id}",
  "ClientName": "{client_name",
  "RedirectUri": "{redirect_uri}",
  "AllowedRedirectUris": [
  "SubjectId": "{subject_id}",
  "ResponseType": "code",
  "ResponseMode": "query",
  "Flow": "AuthorizationCode",
  "RequestedScopes": "openid",
  "State": "{state_value}",
  "SessionId": "402a2356f0bd91a350dfd1f8779ea229",
  "Raw": {
    "response_type": "code",
    "client_id": "{client_id}",
    "redirect_uri": "{redirect_uri}",
    "scope": "openid",
    "state": "{state_value}"

I can also confirm that openid is an allowed scope for my client, and that openid is in the ScopeStore.

Furthermore, when I look at the tokens being generated in the database, they all correctly have the openid scope. There is just something in that userinfo endpoint that is causing the check to fail.

I am utterly perplexed by this issue as the implementation of this client is almost entirely standard and out of the box. If it will help, I can provide the complete logs of all three requests: authorize, token, and userinfo.

Thank you!

1 answers


Ответ закончился тем, что в пользовательском переопределении в DefaultClaimsProvider, в частности, в методе GetAccessTokenClaimsAsync. Метод был вручную сборки списка требований, чтобы добавить к маркеру, и удобно игнорируя требование возможности для OpenID. Как наши предыдущие реализации когда-либо работали без этого требования, вне меня, но после добавления его обратно все работало гладко.