invalid_scope error in access token for client credential flow

Question

I am getting invalid_scope error in access token request for client credential flow. The error log states that "cannot request OpenID scopes in client credentials flow". I haven't requested for the open id scope. I don't know from where it came from. I need to generate access token using client credential flow.

Issue / Steps to reproduce the problem

API Resource definition.

public IEnumerable GetApiResources()
{
    return new List {
        new ApiResource
        {
            Name = "WidgetApi",
            DisplayName = "Widget Management API",
            Description = "Widget Management API Resource Access",
            ApiSecrets = new List { new Secret("scopeSecret".Sha256()) },
            Scopes = new List {
                new Scope("WidgetApi.Read"),
                new Scope("WidgetApi.Write")
            }
        }
     };
}

Client Definition;

return new List
{
    new Client
    {
        ClientId = "WidgetApi Client Id",
        ClientName = "WidgetApi Client credential",
        RequireConsent = false,
        AllowedGrantTypes = GrantTypes.ClientCredentials,
        ClientSecrets =
        {
            new Secret( clientSecret.Sha256())
        },
       // scopes that client has access to
       AllowedScopes = { "WidgetApi.Read", "WidgetApi.Write"},
       AccessTokenLifetime = 3600
   };
}

Access token request body (key - value) using postman

grant_type  client_credentials
response_type  id_token
scope  WidgetApi.Read WidgetApi.Write
client_secret  xxxxxxxxxxxxxxxxxxxxxx
client_id  WidgetApiClientId

Relevant parts of the log file

dbug: Microsoft.EntityFrameworkCore.Storage.Internal.SqlServerConnection[4]
Closing connection to database 'IdentityServer4Db' on server 'localhost\SQLEXPRESS'.
dbug: IdentityServer4.EntityFramework.Stores.ResourceStore[0]
Found PssUserMgtApi.Read, PssUserMgtApi.Write API scopes in database
fail: IdentityServer4.Validation.TokenRequestValidator[0]
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx cannot request OpenID scopes in client credentials flow
fail: IdentityServer4.Validation.TokenRequestValidator[0]

{
        "ClientId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
        "ClientName": "xxxxxxxxxxxxxxxxxxxxxxxxx",
        "GrantType": "client_credentials",
        "Scopes": "xxxxxxxxxx.Read xxxxxxxxxxxxx.Write",
        "Raw": {
            "grant_type": "client_credentials",
            "response_type": "id_token",
            "scope": "xxxxxxxxxxxx.Read xxxxxxxxxxxxx.Write",
            "client_secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
            "client_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
        }
 }

info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 5292.2873ms 400 application/json
dbug: Microsoft.AspNetCore.Server.Kestrel[9]
Connection id "0HL51IVGKG792" completed keep alive response.

It looks like your client_id is "WidgetApi Client Id", but in the postman you have "WidgetApiClientId"... — Miguel Domingues
@MiguelDomingues That should have resulted in Invalid Client error. — naveddeshmukh
Could it be that you've registered WidgetApi.Read and WidgetApi.Write as IdentityResource instead of ApiResource? You will also still get an error asking for id_token for client_credentials flow. You should ask for "token" instead. — Espen Medbø

Abbin Varghese Abbin Varghese · Accepted Answer · 2018-12-04T09:04:00

Since there is no user tagged in a client credential flow, normally, client credential is not intended to have a scope tagged to it, and many frameworks doesnt support it.

https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/ says :

scope (optional) : Your service can support different scopes for the client credentials grant. In practice, not many services actually support this.

invalid_scope error in access token for client credential flow

5 Answers