From 2761f5cd20622a1e8c1d2f20a9b161582573244d Mon Sep 17 00:00:00 2001
From: mcl-sz
Date: Tue, 30 Jul 2024 08:38:06 +0200
Subject: [PATCH] Combining OpenId and OfflineAccess scope (#16220)
* Combining OpenId and OfflineAccess scope
When the client scope is set to "openid offline_access", the returned scope only has the "offline_access" scope. The "openid" scope and the "id_token" are missing. By combining the OpenId and OfflineAccess as return scope, the refresh_token and id_token are returned.
* Update MemberController.cs
Cleaner way, provided by @kjac, to check if the scope has openid and/or offiline_access set.
(cherry picked from commit 55f9b09ab754702ceaabdbb57d4f532f5fbabca5)
---
 .../Controllers/Security/MemberController.cs | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/Umbraco.Cms.Api.Delivery/Controllers/Security/MemberController.cs b/src/Umbraco.Cms.Api.Delivery/Controllers/Security/MemberController.cs
index a9c670b7ad..102bf16224 100644
--- a/src/Umbraco.Cms.Api.Delivery/Controllers/Security/MemberController.cs
+++ b/src/Umbraco.Cms.Api.Delivery/Controllers/Security/MemberController.cs
@@ -160,11 +160,12 @@ public class MemberController : DeliveryApiControllerBase
 claim.SetDestinations(OpenIddictConstants.Destinations.AccessToken);
 }
- if (request.GetScopes().Contains(OpenIddictConstants.Scopes.OfflineAccess))
- {
- // "offline_access" scope is required to use refresh tokens
- memberPrincipal.SetScopes(OpenIddictConstants.Scopes.OfflineAccess);
- }
+ // "openid" and "offline_access" are the only scopes allowed for members; explicitly ensure we only add those
+ // NOTE: the "offline_access" scope is required to use refresh tokens
+ IEnumerable allowedScopes = request
+ .GetScopes()
+ .Intersect(new[] { OpenIddictConstants.Scopes.OpenId, OpenIddictConstants.Scopes.OfflineAccess });
+ memberPrincipal.SetScopes(allowedScopes);
 return new SignInResult(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme, memberPrincipal);
 }
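Review bot: `memberPrincipal.SetScopes(allowedScopes)` now runs unconditionally, so a request carrying neither `openid` nor `offline_access` sets an empty scope list on the principal where the removed code left the principal's scopes untouched; if anything earlier in this method (whose start lies outside the hunk) assigns scopes to `memberPrincipal`, they are now cleared, so either confirm nothing does or guard the call with `if (allowedScopes.Any())`. The allow-list is also rebuilt on every sign-in; hoist it to `private static readonly string[] AllowedMemberScopes = { OpenIddictConstants.Scopes.OpenId, OpenIddictConstants.Scopes.OfflineAccess };` and pass that to `Intersect`. Because `openid` is now granted, an identity token can be issued for members, while the context line above sets only `OpenIddictConstants.Destinations.AccessToken` as the claim destination; that is presumably deliberate, but the new comment should state which member claims are meant to reach the identity token so that exposure there is an explicit decision rather than a side effect. Scopes the client requested beyond these two are dropped silently, which the protocol permits, but a one-line comment noting that clients must read the granted `scope` back from the token response would make the narrowing visible to the next maintainer.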