Another small thing people have been asking for.
The scope parameter is optional in OAuth 2 – but we made the decision that clients always have to explicitly ask for the scopes they want to access.
We relaxed this requirement a bit in IdentityServer4. At the token endpoint, scope is now optional (in other words, for client credentials, resource owner and extension grant requests). If no scope is specified, the client automatically gets a token that contains all explicitly allowed scopes (that’s a per-client setting).
This makes it easier, especially for server-to-server communication, to provision new APIs without having to change the token requests in the clients.
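An added example, not code from this post or from the IdentityServer4 project: a client-credentials client whose `AllowedScopes` list determines what a scopeless request receives, and a token request that omits `scope` and prints the scope claim of the returned token so the effective grant can be reviewed. The client id, secret, scope names and the `https://localhost:5001` address are assumptions, as is the access token being a JWT.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;
using IdentityServer4.Models;

public static class ScopelessTokenDemo
{
    // Server side: AllowedScopes is the per-client setting. A request without a
    // scope parameter receives every scope listed here, so keep the list minimal.
    public static readonly Client BillingWorker = new Client
    {
        ClientId = "billing-worker",                                   // assumed name
        AllowedGrantTypes = GrantTypes.ClientCredentials,
        ClientSecrets = { new Secret("constructed-secret".Sha256()) }, // constructed value
        AllowedScopes = { "invoices.read", "invoices.write" }          // assumed scopes
    };

    // Client side: token request with no "scope" form field.
    public static async Task<string> RequestTokenAsync(HttpClient http, string tokenEndpoint)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "client_credentials",
            ["client_id"] = "billing-worker",
            ["client_secret"] = "constructed-secret"
        });
        var response = await http.PostAsync(tokenEndpoint, form);
        response.EnsureSuccessStatusCode();
        using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        return doc.RootElement.GetProperty("access_token").GetString();
    }

    // Decode the JWT payload for inspection only (no signature validation here).
    public static string ReadScopeClaim(string jwt)
    {
        var payload = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Convert.FromBase64String(payload));
        return doc.RootElement.GetProperty("scope").ToString();
    }
    public static async Task Main()
    {
        using var http = new HttpClient();
        var jwt = await RequestTokenAsync(http, "https://localhost:5001/connect/token");
        Console.WriteLine(ReadScopeClaim(jwt)); // compare against AllowedScopes
    }
}
```

Adding a scope to `AllowedScopes` later widens every token this client obtains without a `scope` parameter, so a change to that list deserves the same review as a change to the client's permissions.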
Endpoint documentation here – Client settings here.