Fix scopes, strange effects with Openiddict

damienbod · damienbod · commit 7b3c9e322b2d · 2025-11-29T20:13:14.000+01:00
diff --git a/ResourceServer/HostingExtensions.cs b/ResourceServer/HostingExtensions.cs
@@ -1,6 +1,7 @@
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.EntityFrameworkCore;
+using Microsoft.IdentityModel.Logging;
 using NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
 using ResourceServer.Model;
 using ResourceServer.Repositories;
@@ -99,11 +100,13 @@ public static WebApplication ConfigureServices(this WebApplicationBuilder builde
         {
             options.AddPolicy("dataEventRecordsAdmin", policyAdmin =>
             {
-                policyAdmin.RequireClaim("role", "dataEventRecords.admin");
+                //policyAdmin.RequireClaim("role", "dataEventRecords.admin");
+                policyAdmin.Requirements.Add(new RequireScope());
             });
             options.AddPolicy("dataEventRecordsUser", policyUser =>
             {
-                policyUser.RequireClaim("role", "dataEventRecords.user");
+                //policyUser.RequireClaim("role", "dataEventRecords.user");
+                policyUser.Requirements.Add(new RequireScope());
             });
             options.AddPolicy("dataEventRecordsPolicy", policyUser =>
             {
@@ -120,6 +123,8 @@ public static WebApplication ConfigureServices(this WebApplicationBuilder builde
 
     public static WebApplication ConfigurePipeline(this WebApplication app)
     {
+        IdentityModelEventSource.ShowPII = true;
+
         var deploySwaggerUI = app.Configuration.GetValue<bool>("DeploySwaggerUI");
         app.UseCors("AllowAllOrigins");
 
diff --git a/ResourceServer/Properties/launchSettings.json b/ResourceServer/Properties/launchSettings.json
@@ -1,21 +1,5 @@
 {
-  "iisSettings": {
-    "windowsAuthentication": false,
-    "anonymousAuthentication": true,
-    "iisExpress": {
-      "applicationUrl": "https://localhost:44390/",
-      "sslPort": 44390
-    }
-  },
   "profiles": {
-    "IIS Express": {
-      "commandName": "IISExpress",
-      "launchBrowser": true,
-      "launchUrl": "https://localhost:44390/swagger",
-      "environmentVariables": {
-        "ASPNETCORE_ENVIRONMENT": "Development"
-      }
-    },
     "ResourceServer": {
       "commandName": "Project",
       "launchUrl": "https://localhost:44390/swagger",
diff --git a/ResourceServer/RequireScopeHandler.cs b/ResourceServer/RequireScopeHandler.cs
@@ -12,8 +12,6 @@ protected override Task HandleRequirementAsync(
         {
             throw new ArgumentNullException(nameof(context));
         }
-            
-
         if (requirement == null)
         {
             throw new ArgumentNullException(nameof(requirement));
@@ -22,7 +20,7 @@ protected override Task HandleRequirementAsync(
         var scopeClaim = context.User.Claims.FirstOrDefault(t => t.Type == "scope");
 
 
-        if (scopeClaim != null && (context.User.HasScope("dataEventRecords")))
+        if (scopeClaim != null && (scopeClaim.Value.Contains("dataEventRecords")))
         {
             context.Succeed(requirement);
         }
diff --git a/ResourceServer/appsettings.json b/ResourceServer/appsettings.json
@@ -3,8 +3,8 @@
     "DefaultConnection": "Data Source=dataeventrecords.sqlite"
   },
   "ProfileApiConfigurations": {
-    "Authority": "https://localhost:44337",
-    "Audience": "dataEventRecordsApi"
+    "Authority": "https://localhost:44395/",
+    "Audience": "rs_dataEventRecordsApi"
   },
   "DeploySwaggerUI": true,
   "Serilog": {

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`using Microsoft.AspNetCore.Authentication.JwtBearer;`
`2`	`2`	`using Microsoft.AspNetCore.Authorization;`
`3`	`3`	`using Microsoft.EntityFrameworkCore;`
	`4`	`+using Microsoft.IdentityModel.Logging;`
`4`	`5`	`using NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;`
`5`	`6`	`using ResourceServer.Model;`
`6`	`7`	`using ResourceServer.Repositories;`
`@@ -99,11 +100,13 @@ public static WebApplication ConfigureServices(this WebApplicationBuilder builde`
`99`	`100`	`{`
`100`	`101`	`options.AddPolicy("dataEventRecordsAdmin", policyAdmin =>`
`101`	`102`	`{`
`102`		`- policyAdmin.RequireClaim("role", "dataEventRecords.admin");`
	`103`	`+ //policyAdmin.RequireClaim("role", "dataEventRecords.admin");`
	`104`	`+ policyAdmin.Requirements.Add(new RequireScope());`
`103`	`105`	`});`
`104`	`106`	`options.AddPolicy("dataEventRecordsUser", policyUser =>`
`105`	`107`	`{`
`106`		`- policyUser.RequireClaim("role", "dataEventRecords.user");`
	`108`	`+ //policyUser.RequireClaim("role", "dataEventRecords.user");`
	`109`	`+ policyUser.Requirements.Add(new RequireScope());`
`107`	`110`	`});`
`108`	`111`	`options.AddPolicy("dataEventRecordsPolicy", policyUser =>`
`109`	`112`	`{`
`@@ -120,6 +123,8 @@ public static WebApplication ConfigureServices(this WebApplicationBuilder builde`
`120`	`123`
`121`	`124`	`public static WebApplication ConfigurePipeline(this WebApplication app)`
`122`	`125`	`{`
	`126`	`+ IdentityModelEventSource.ShowPII = true;`
	`127`	`+`
`123`	`128`	`var deploySwaggerUI = app.Configuration.GetValue<bool>("DeploySwaggerUI");`
`124`	`129`	`app.UseCors("AllowAllOrigins");`
`125`	`130`
Original file line number	Diff line number	Diff line change
`@@ -12,8 +12,6 @@ protected override Task HandleRequirementAsync(`
`12`	`12`	`{`
`13`	`13`	`throw new ArgumentNullException(nameof(context));`
`14`	`14`	`}`
`15`		`-`
`16`		`-`
`17`	`15`	`if (requirement == null)`
`18`	`16`	`{`
`19`	`17`	`throw new ArgumentNullException(nameof(requirement));`
`@@ -22,7 +20,7 @@ protected override Task HandleRequirementAsync(`
`22`	`20`	`var scopeClaim = context.User.Claims.FirstOrDefault(t => t.Type == "scope");`
`23`	`21`
`24`	`22`
`25`		`- if (scopeClaim != null && (context.User.HasScope("dataEventRecords")))`
	`23`	`+ if (scopeClaim != null && (scopeClaim.Value.Contains("dataEventRecords")))`
`26`	`24`	`{`
`27`	`25`	`context.Succeed(requirement);`
`28`	`26`	`}`