Combining OpenId and OfflineAccess scope (#16220)

* Combining OpenId and OfflineAccess scope When the client scope is set to "openid offline_access", the returned scope only has the "offline_access" scope. The "openid" scope and the "id_token" are missing. By combining the OpenId and OfflineAccess as return scope, the refresh_token and id_token are returned. * Update MemberController.cs Cleaner way, provided by @kjac, to check if the scope has openid and/or offiline_access set.
2024-07-30 08:38:06 +02:00
parent b14ac811ef
commit 55f9b09ab7
1 changed files with 6 additions and 5 deletions
--- a/src/Umbraco.Cms.Api.Delivery/Controllers/Security/MemberController.cs
+++ b/src/Umbraco.Cms.Api.Delivery/Controllers/Security/MemberController.cs
@@ -159,11 +159,12 @@ public class MemberController : DeliveryApiControllerBase
            claim.SetDestinations(OpenIddictConstants.Destinations.AccessToken);
        }

-        if (request.GetScopes().Contains(OpenIddictConstants.Scopes.OfflineAccess))
-        {
-            // "offline_access" scope is required to use refresh tokens
-            memberPrincipal.SetScopes(OpenIddictConstants.Scopes.OfflineAccess);
-        }
+        // "openid" and "offline_access" are the only scopes allowed for members; explicitly ensure we only add those
+        // NOTE: the "offline_access" scope is required to use refresh tokens
+        IEnumerable<string> allowedScopes = request
+            .GetScopes()
+            .Intersect(new[] { OpenIddictConstants.Scopes.OpenId, OpenIddictConstants.Scopes.OfflineAccess });
+        memberPrincipal.SetScopes(allowedScopes);

        return new SignInResult(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme, memberPrincipal);
    }