When I see OAuth samples for ASP.NET Identity it looks like they always grant some kind of privileges to the client application:
I don't want any privileges to be granted. I just want a user to be authenticated.
How can I set this to happen?
Asked
Active
Viewed 36 times
1 Answers
1
Using OAuth 2.0 without any privileges (or: scopes) does not make sense (unless a default scope is always assumed by the Authorization Server). It seems that you're looking for user authentication, which is not a function of OAuth 2.0 per se. You need an extension such as OpenID Connect, in which case you would provide only the "openid" scope in the authentication request.
Hans Z.
- 50,496
- 12
- 102
- 115
-
Thank you for enlightening me! -- NB: Your answer lead me to this web page: (http://leastprivilege.com/2015/07/22/the-state-of-security-in-asp-net-5-and-mvc-6-oauth-2-0-openid-connect-and-identityserver/) which adds some more detail. – AxD Sep 29 '15 at 19:01