Access token does not have the openid scope

对着背影说爱祢 提交于 2020-12-31 09:54:40

问题


I am doing sso sample(travelocity.com) example. When I am trying to access user info with oauth access token using this command,

curl -k -H "Authorization: Bearer b68ba941c9da3d2644d8a63154d28" https://localhost:9443/oauth2/userinfo?schema=openid

I am getting follwing error

{"error":"insufficient_scope","error_description":"Access token does not have the openid scope"}

please help, thank you


回答1:


When you make the first request to the authorization endpoint, you have to include openid in the scope request parameter. OpenID Connect Core 1.0, 3.1.2.1. Authentication Request says as follows.

scope

REQUIRED. OpenID Connect requests MUST contain the openid scope value. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present. Scope values used that are not understood by an implementation SHOULD be ignored. See Sections 5.4 and 11 for additional scope values defined by this specification.




回答2:


By default the travelocity.com sso sample web app doesn't sent the openid scope in it's access token request. That is the cause for the error you have encountered.

In order to send the openid scope along with the access token request in the travelocity sample you can try the following,

  1. Open travelocity.properties[1] file in the sample web app (You can find it in travelocity.com/WEB-INF/classe)
  2. Uncomment and edit the QueryParams property in the file[1] as shown below

    QueryParams=scope=openid

  3. Save the properties file and redeploy the web app and try the access token generated on the userinfo endpoint now :)

[1] https://github.com/wso2/product-is/blob/master/modules/samples/sso/sso-agent-sample/src/main/resources/travelocity.properties


Update

Looks like the setting the scope in QueryParams isn't working, There's a workaround

Can you change OAuth2.TokenURL in travelocity.propeties as below and try out? I tested this locally and should work.

#OAuth2 token endpoint URL

OAuth2.TokenURL=https://localhost:9443/oauth2/token?scope=openid


来源:https://stackoverflow.com/questions/37354555/access-token-does-not-have-the-openid-scope

标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!