问题
I am doing sso sample(travelocity.com) example. When I am trying to access user info with oauth access token using this command,
curl -k -H "Authorization: Bearer b68ba941c9da3d2644d8a63154d28" https://localhost:9443/oauth2/userinfo?schema=openid
I am getting follwing error
{"error":"insufficient_scope","error_description":"Access token does not have the openid scope"}
please help, thank you
回答1:
When you make the first request to the authorization endpoint, you have to include openid in the scope request parameter. OpenID Connect Core 1.0, 3.1.2.1. Authentication Request says as follows.
scope
REQUIRED. OpenID Connect requests MUST contain the
openidscope value. If theopenidscope value is not present, the behavior is entirely unspecified. Other scope values MAY be present. Scope values used that are not understood by an implementation SHOULD be ignored. See Sections 5.4 and 11 for additional scope values defined by this specification.
回答2:
By default the travelocity.com sso sample web app doesn't sent the openid scope in it's access token request. That is the cause for the error you have encountered.
In order to send the openid scope along with the access token request in the travelocity sample you can try the following,
- Open travelocity.properties[1] file in the sample web app (You can find it in travelocity.com/WEB-INF/classe)
Uncomment and edit the QueryParams property in the file[1] as shown below
QueryParams=scope=openid
Save the properties file and redeploy the web app and try the access token generated on the userinfo endpoint now :)
[1] https://github.com/wso2/product-is/blob/master/modules/samples/sso/sso-agent-sample/src/main/resources/travelocity.properties
Update
Looks like the setting the scope in QueryParams isn't working, There's a workaround
Can you change OAuth2.TokenURL in travelocity.propeties as below and try out? I tested this locally and should work.
#OAuth2 token endpoint URL
OAuth2.TokenURL=https://localhost:9443/oauth2/token?scope=openid
来源:https://stackoverflow.com/questions/37354555/access-token-does-not-have-the-openid-scope