invalid_scope - After Upgrading to 7.0 Scope x.api not found in store or not supported by requested resource indicators (.netcore 9.0)

[szein-prego]

IdentityServer version

Duende IdentityServer 7.2.0

.NET version

.NET 9.0

Description

Hallo Everyone,

We are testing our Idp server after upgrade to v7.2 and we are stuck at the moment in the error mentioned above and can not get arround it.

I do not know what are the data that i should provide to clearfiy the issue but i will try:

/.well-known/openid-configuration

{
    "issuer": "https://x.dev.local",
    "jwks_uri": "https://x.dev.local/.well-known/openid-configuration/jwks",
    "authorization_endpoint": "https://x.dev.local/connect/authorize",
    "token_endpoint": "https://x.dev.local/connect/token",
    "userinfo_endpoint": "https://x.dev.local/connect/userinfo",
    "end_session_endpoint": "https://x.dev.local/connect/endsession",
    "check_session_iframe": "https://x.dev.local/connect/checksession",
    "revocation_endpoint": "https://x.dev.local/connect/revocation",
    "introspection_endpoint": "https://x.dev.local/connect/introspect",
    "device_authorization_endpoint": "https://x.dev.local/connect/deviceauthorization",
    "backchannel_authentication_endpoint": "https://x.dev.local/connect/ciba",
    "pushed_authorization_request_endpoint": "https://x.dev.local/connect/par",
    "require_pushed_authorization_requests": false,
    "frontchannel_logout_supported": true,
    "frontchannel_logout_session_supported": true,
    "backchannel_logout_supported": true,
    "backchannel_logout_session_supported": true,
    "scopes_supported": [
        "openid",
        "profile",
        "x.profile",
        "offline_access"
    ],
    "claims_supported": [],
    "grant_types_supported": [
        "authorization_code",
        "client_credentials",
        "refresh_token",
        "implicit",
        "password",
        "urn:ietf:params:oauth:grant-type:device_code",
        "urn:openid:params:grant-type:ciba"
    ],
    "response_types_supported": [
        "code",
        "token",
        "id_token",
        "id_token token",
        "code id_token",
        "code token",
        "code id_token token"
    ],
    "response_modes_supported": [
        "form_post",
        "query",
        "fragment"
    ],
    "token_endpoint_auth_methods_supported": [
        "client_secret_basic",
        "client_secret_post"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "subject_types_supported": [
        "public"
    ],
    "code_challenge_methods_supported": [
        "plain",
        "S256"
    ],
    "request_parameter_supported": true,
    "request_object_signing_alg_values_supported": [
        "RS256",
        "RS384",
        "RS512",
        "PS256",
        "PS384",
        "PS512",
        "ES256",
        "ES384",
        "ES512",
        "HS256",
        "HS384",
        "HS512"
    ],
    "prompt_values_supported": [
        "none",
        "login",
        "consent",
        "select_account"
    ],
    "authorization_response_iss_parameter_supported": true,
    "backchannel_token_delivery_modes_supported": [
        "poll"
    ],
    "backchannel_user_code_parameter_supported": true,
    "dpop_signing_alg_values_supported": [
        "RS256",
        "RS384",
        "RS512",
        "PS256",
        "PS384",
        "PS512",
        "ES256",
        "ES384",
        "ES512"
    ]
}

Authorize request:

GET https://x.dev.local/connect/authorize?response_type=code&client_id=x-clientId&scope=openid profile x.profile x.api&redirect_uri=https://jsclient-x.dev.local/callback.html

Log:

[DBG] Request path /connect/authorize matched to endpoint type Authorize
[DBG] Endpoint enabled: Authorize, successfully created handler: Duende.IdentityServer.Endpoints.AuthorizeEndpoint
[INF] Invoking IdentityServer endpoint: Duende.IdentityServer.Endpoints.AuthorizeEndpoint for /connect/authorize
[DBG] Start authorize request
[DBG] No user present in authorize request
[DBG] Start authorize request protocol validation
[DBG] x-clientId found in database: true
[DBG] client configuration validation for client x-clientId succeeded.
[DBG] Checking for PKCE parameters
[DBG] No PKCE used.
[DBG] Found ["openid","profile","x.profile"] identity scopes in database
[DBG] Found ["x.api.resource","https://x.api"] API resources in database
[DBG] Found ["x.api"] scopes in database
[ERR] Scope x.api not found in store or not supported by requested resource indicators.
[ERR] Request validation failed

[maartenba]

Can you share the resource configuration and x.api configuration?

[szein-prego]

I use those functions to seed my Db:

public static IEnumerable<IdentityResource> GetIdentityResources()
{
    return new List<IdentityResource>
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile(),
        new CustomIdentityResources.CustomID()
    };
}
public static IEnumerable<ApiResource> GetApis()
{
    return new List<ApiResource>
    {
        // local API
        new ApiResource(IdentityServerConstants.LocalApi.ScopeName),
        new ApiResource("Https://x.api", " X API resource") {Scopes = {"x.api"}},
    };
}

public static IEnumerable<ApiScope> GetApiScopes()
{
    return new List<ApiScope>
        {
                // local API
                new ApiScope(IdentityServerConstants.LocalApi.ScopeName),
                new ApiScope("x.api", "X API"),
        };
}

[szein-prego]

After long time of research....
It turns out that the ApiScope was Disabled in Database.
That upgrade from v4.0 to v7.2 made some test be broken, and the reason was the after migration all scopes were disabled!

Scope my.api not found in store or not supported by requested resource indicators.
Enabling the Scope my.api has solve one of the problems!

I hope that could help someone!
Cheers