connectionslong.blogg.se

Mtty not decoding has scope

Now coming to why both the app roles API.READER and API.WRITER are added to the roles property of your JWT.

If you need the scp property to fetch the permissions, you need to use the Auth-Code grant flow of OAuth 2.0, as that's the flow used to fetch access tokens in users' context, and the set of permissions used are delegated permissions. Hence in your case, you can see the roles property with the corresponding values. These application permissions, when added to the JWT, get added under the role property. The Client_Credentials flow of OAuth 2.0 is used to fetch access tokens in the application's context, and the permissions required for client_credentials to work are called application permissions (found in the API permissions section in the app registration). You are not seeing any scp (scope) property in your JWT just because you are using the Client_Credentials flow of OAuth 2.0.

This will help us and others in the community as well. Please "Accept the answer" if the information helped you.

In short, the behavior you have mentioned in both the issues is as per design and cannot be changed. When a scope with /.default is added to the authentication request, all application permissions added and consented under the API permissions blade of the application are included in the roles claim within the access token. You can NOT specify api:///API.READER as scope in this case, as this is possible only when the access token is acquired under user context. When acquiring a token under application context, we can only use /.default in the scope parameter.

Mtty not decoding has scope code

The SCP (scope) claim is available only when the token is acquired under user context using OAuth flows such as Authorization Code grant, Implicit Grant, ROPC etc. In case of which, the permissions are included in the roles claim. Since you are using Grant Type: Client Credentials, the token is acquired under application context.

See there is no value for the scope in the token and also roles contains both the roles. This is the token received after decoding it in jwt.io. This is how I use to generate the token from POSTMAN. Client Authentication: Send Client credentials in the body. In the roles claim I see both API.READER and API.WRITER roles even though I expected only the assigned API.READER role. Now when I generate the token, the token doesn't contain the scp (scope) element or any other element denoting the scope. Now I have registered the client APP assigning it the permission of and API.READER

Mtty not decoding has scope registration

I have configured App registration exposing two scopes something like and Also I have added two APP Roles API.READER and API.WRITER. I am facing a few issues with respect to OAuth2 in Azure.









