diff --git a/src/Logto.AspNetCore.Authentication/LogtoOptions.cs b/src/Logto.AspNetCore.Authentication/LogtoOptions.cs
index 079b770..3ee2e3b 100644
--- a/src/Logto.AspNetCore.Authentication/LogtoOptions.cs
+++ b/src/Logto.AspNetCore.Authentication/LogtoOptions.cs
@@ -32,6 +32,8 @@ public class LogtoOptions
///
/// The API resource that your application needs to access.
/// See RBAC to learn more about how to use role-based access control (RBAC) to protect API resources.
+ ///
+ /// If is specified in , this value must not be set.
///
public string? Resource { get; set; } = null;
///
@@ -63,6 +65,10 @@ public class LogtoOptions
/// set this value to `true` since they are not included in the ID token.
///
public bool GetClaimsFromUserInfoEndpoint { get; set; } = false;
+ ///
+ /// Get if `Scopes` contains `LogtoParameters.Scopes.Organizations`.
+ ///
+ public bool IsOrganizationsScopeRequested => Scopes.Contains(LogtoParameters.Scopes.Organizations);
}
///
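Review bot: `IsOrganizationsScopeRequested` dereferences `Scopes` unconditionally; the declaration of `Scopes` is outside this hunk, so if it is nullable or can be set to null by the consumer, the property throws NullReferenceException from the options-configuration path instead of surfacing a configuration error. Either guard it, `public bool IsOrganizationsScopeRequested => Scopes?.Contains(LogtoParameters.Scopes.Organizations) ?? false;`, or make sure `Scopes` is validated non-null before this property is read. The summary `Get if ...` also reads oddly for a boolean getter; suggest `/// Gets a value indicating whether <see cref="Scopes"/> contains <see cref="LogtoParameters.Scopes.Organizations"/>.` The enclosing `LogtoOptions` class starts outside the hunk.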
diff --git a/src/Logto.AspNetCore.Authentication/LogtoParameters.cs b/src/Logto.AspNetCore.Authentication/LogtoParameters.cs
index 86a4cca..8ba1b65 100644
--- a/src/Logto.AspNetCore.Authentication/LogtoParameters.cs
+++ b/src/Logto.AspNetCore.Authentication/LogtoParameters.cs
@@ -51,6 +51,18 @@ public static class Scopes
/// Note that when requesting this scope, you must set to true.
///
public const string Identities = "identities";
+ ///
+ /// The scope for user's organization IDs and perform organization token grant per RFC 0001.
+ ///
+ /// To learn more about Logto Organizations, see .
+ ///
+ public const string Organizations = "urn:logto:scope:organizations";
+ ///
+ /// Scope for user's organization roles per RFC 0001.
+ ///
+ /// To learn more about Logto Organizations, see .
+ ///
+ public const string OrganizationRoles = "urn:logto:scope:organization_roles";
}
///
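Review bot: The summary for `Organizations` is ungrammatical ("The scope for user's organization IDs and perform organization token grant"); suggest `/// The scope for the user's organization IDs and for performing the organization token grant per RFC 0001.` and, for symmetry, `/// The scope for the user's organization roles per RFC 0001.` on `OrganizationRoles`. The "see ." sentences in both summaries show no visible link target in this rendering; if the `<see>` element in the source has no `cref`/`href`, the reference will render empty, so confirm it resolves. The enclosing `Scopes` class starts outside the hunk.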
@@ -114,5 +126,24 @@ public static class Claims
/// The claim name for user's identities.
///
public const string Identities = "identities";
+ ///
+ /// The claim name for user's organization IDs.
+ ///
+ public const string Organizations = "organizations";
+ ///
+ /// The claim name for user's organization roles. Each role is in the format of `:`.
+ ///
+ public const string OrganizationRoles = "organization_roles";
+ }
+
+ ///
+ /// Resources that reserved by Logto, which cannot be defined by users.
+ ///
+ public static class ReservedResource
+ {
+ ///
+ /// The resource for organization template per RFC 0001.
+ ///
+ public const string Organizations = "urn:logto:resource:organizations";
}
}
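Review bot: The `OrganizationRoles` claim summary states the role format as "`:`" with nothing either side of the colon; if the source uses angle-bracket placeholders such as organization id and role name, XML doc comments parse them as tags and the renderer drops them, so they need to be escaped (`&lt;organization_id&gt;:&lt;role_name&gt;`) or written with a different delimiter, and a consumer parsing that claim needs to know which side is which. The `ReservedResource` summary should read `/// Resources reserved by Logto that cannot be defined by users.` The `Claims` class starts outside the hunk; `ReservedResource` is complete within it.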
diff --git a/src/Logto.AspNetCore.Authentication/extensions/AuthenticationBuilderExtensions.cs b/src/Logto.AspNetCore.Authentication/extensions/AuthenticationBuilderExtensions.cs
index cc3f76e..3b67d4b 100644
--- a/src/Logto.AspNetCore.Authentication/extensions/AuthenticationBuilderExtensions.cs
+++ b/src/Logto.AspNetCore.Authentication/extensions/AuthenticationBuilderExtensions.cs
@@ -137,7 +137,13 @@ private static void ConfigureOpenIdConnectOptions(OpenIdConnectOptions options,
}
// Handle resource
- if (!string.IsNullOrEmpty(logtoOptions.Resource))
+ if (logtoOptions.IsOrganizationsScopeRequested) {
+ if (!string.IsNullOrEmpty(logtoOptions.Resource)) {
+ throw new ArgumentException($"The {nameof(LogtoOptions.Resource)} must be null when requesting the {LogtoParameters.Scopes.Organizations} scope.");
+ }
+
+ options.Resource = LogtoParameters.ReservedResource.Organizations;
+ } else if (!string.IsNullOrEmpty(logtoOptions.Resource))
{
options.Resource = logtoOptions.Resource;
}
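Review bot: The new branch uses K&R braces (`if (logtoOptions.IsOrganizationsScopeRequested) {` and the nested `if`), while the file's surrounding code uses Allman braces, as seen on the `else if` block immediately below; match the file and put each `{` on its own line. The `ArgumentException` would be more useful with the parameter name attached, `throw new ArgumentException($"...", nameof(logtoOptions));`, assuming `logtoOptions` is the method parameter (its name is cut off in the hunk header). Note the guard rejects via `string.IsNullOrEmpty` while the message says the value "must be null", so an empty string is accepted; that is consistent with the `else if` below but the message could say "must not be set". `ConfigureOpenIdConnectOptions` starts before and continues after this hunk.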