<!DOCTYPE html>
<!-- [if IE]><![endif] -->
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>Application permissions</title>
<meta name="viewport" content="width=device-width">
<meta name="title" content="Application permissions">
<meta name="generator" content="docfx 2.56.6.0">
<link rel="shortcut icon" href="../images/favicon.ico">
<link rel="stylesheet" href="../styles/docfx.vendor.css">
<link rel="stylesheet" href="../styles/docfx.css">
<link rel="stylesheet" href="../styles/main.css">
<link href="https://fonts.googleapis.com/css?family=Roboto" rel="stylesheet">
<meta property="docfx:navrel" content="../toc.html">
<meta property="docfx:tocrel" content="toc.html">
</head>
<body data-spy="scroll" data-target="#affix" data-offset="120">
<div id="wrapper">
<header>
<nav id="autocollapse" class="navbar navbar-inverse ng-scope" role="navigation">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#navbar">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="../index.html">
<img id="logo" class="svg" src="../images/logo.png" alt="">
</a>
</div>
<div class="collapse navbar-collapse" id="navbar">
<form class="navbar-form navbar-right" role="search" id="search">
<div class="form-group">
<input type="text" class="form-control" id="search-query" placeholder="Search" autocomplete="off">
</div>
</form>
</div>
</div>
</nav>
</header>
<div role="main" class="container body-content hide-when-search">
<div class="sidenav hide-when-search">
<a class="btn toc-toggle collapse" data-toggle="collapse" href="#sidetoggle" aria-expanded="false" aria-controls="sidetoggle">Show / Hide Table of Contents</a>
<div class="sidetoggle collapse" id="sidetoggle">
<div id="sidetoc"></div>
</div>
</div>
<div class="article row grid-right">
<div class="col-md-10">
<article class="content wrap" id="_content" data-uid="">
<h1 id="application-permissions">Application permissions</h1>
<p>OpenIddict includes a built-in feature codenamed "application permissions" that
<strong>allows controlling and limiting the OAuth 2.0/OpenID Connect features each registered client application is able to use</strong>.</p>
<p>4 categories of permissions are currently supported:</p>
<ul>
<li>Endpoint permissions.</li>
<li>Grant type permissions.</li>
<li>Scope permissions.</li>
<li>Response type permissions (<em>introduced in OpenIddict 3.0</em>).</li>
</ul>
<h2 id="endpoint-permissions">Endpoint permissions</h2>
<h3 id="definition">Definition</h3>
<p>Endpoint permissions limit the endpoints a client application can use.</p>
<h3 id="supported-permissions">Supported permissions</h3>
<table>
<thead>
<tr>
<th style="text-align:center">Endpoint</th>
<th style="text-align:center">Constant</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:center">Authorization</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.Endpoints.Authorization</code></td>
</tr>
<tr>
<td style="text-align:center">Introspection</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.Endpoints.Introspection</code></td>
</tr>
<tr>
<td style="text-align:center">Logout/end session</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.Endpoints.Logout</code></td>
</tr>
<tr>
<td style="text-align:center">Revocation</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.Endpoints.Revocation</code></td>
</tr>
<tr>
<td style="text-align:center">Token</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.Endpoints.Token</code></td>
</tr>
</tbody>
</table>
<h3 id="example">Example</h3>
<p>In the following example, the <code>mvc</code> application is allowed to use the authorization, logout and
token endpoints but will get an error when trying to send an introspection or revocation request:</p>
<pre><code class="lang-csharp">if (await manager.FindByClientIdAsync("mvc") is null)
{
    await manager.CreateAsync(new OpenIddictApplicationDescriptor
    {
        ClientId = "mvc",
        ClientSecret = "901564A5-E7FE-42CB-B10D-61EF6A8F3654",
        DisplayName = "MVC client application",
        PostLogoutRedirectUris = { new Uri("http://localhost:53507/signout-callback-oidc") },
        RedirectUris = { new Uri("http://localhost:53507/signin-oidc") },
        Permissions =
        {
            OpenIddictConstants.Permissions.Endpoints.Authorization,
            OpenIddictConstants.Permissions.Endpoints.Logout,
            OpenIddictConstants.Permissions.Endpoints.Token
        }
    });
}
</code></pre>
<h3 id="disabling-endpoint-permissions">Disabling endpoint permissions</h3>
<p>If you don't want to use endpoint permissions, call <code>options.IgnoreEndpointPermissions()</code> to ignore them:</p>
<pre><code class="lang-csharp">services.AddOpenIddict()
    .AddServer(options =>
    {
        options.IgnoreEndpointPermissions();
    });
</code></pre>
<h2 id="grant-type-permissions">Grant type permissions</h2>
<h3 id="definition-1">Definition</h3>
<p>Grant type permissions limit the grant types a client application is allowed to use.</p>
<h3 id="supported-permissions-1">Supported permissions</h3>
<table>
<thead>
<tr>
<th style="text-align:center">Grant type</th>
<th style="text-align:center">Constant</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:center">Authorization code</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode</code></td>
</tr>
<tr>
<td style="text-align:center">Client credentials</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.GrantTypes.ClientCredentials</code></td>
</tr>
<tr>
<td style="text-align:center">Implicit</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.GrantTypes.Implicit</code></td>
</tr>
<tr>
<td style="text-align:center">Password</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.GrantTypes.Password</code></td>
</tr>
<tr>
<td style="text-align:center">Refresh token</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.GrantTypes.RefreshToken</code></td>
</tr>
</tbody>
</table>
<p>To add a custom grant type permission, you can use the following pattern:</p>
<pre><code class="lang-csharp">OpenIddictConstants.Permissions.Prefixes.GrantType + "custom_flow_name"
</code></pre>
<h3 id="example-1">Example</h3>
<p>In the following example, the <code>postman</code> application can only use the authorization code grant
while <code>console</code> is restricted to the <code>password</code> and <code>refresh_token</code> grants:</p>
<pre><code class="lang-csharp">if (await manager.FindByClientIdAsync("postman") is null)
{
    await manager.CreateAsync(new OpenIddictApplicationDescriptor
    {
        ClientId = "postman",
        DisplayName = "Postman",
        RedirectUris = { new Uri("https://www.getpostman.com/oauth2/callback") },
        Permissions =
        {
            OpenIddictConstants.Permissions.Endpoints.Authorization,
            OpenIddictConstants.Permissions.Endpoints.Token,
            OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode
        }
    });
}

if (await manager.FindByClientIdAsync("console") is null)
{
    await manager.CreateAsync(new OpenIddictApplicationDescriptor
    {
        ClientId = "console",
        DisplayName = "Console",
        Permissions =
        {
            OpenIddictConstants.Permissions.Endpoints.Token,
            OpenIddictConstants.Permissions.GrantTypes.Password,
            OpenIddictConstants.Permissions.GrantTypes.RefreshToken
        }
    });
}
</code></pre>
<h3 id="disabling-grant-type-permissions">Disabling grant type permissions</h3>
<p>If you don't want to use grant type permissions, call <code>options.IgnoreGrantTypePermissions()</code> to ignore them:</p>
<pre><code class="lang-csharp">services.AddOpenIddict()
    .AddServer(options =>
    {
        options.IgnoreGrantTypePermissions();
    });
</code></pre>
<h2 id="scope-permissions">Scope permissions</h2>
<h3 id="definition-2">Definition</h3>
<p>Scope permissions limit the scopes (standard or custom) a client application is allowed to use.</p>
<blockquote><p>The <code>openid</code> and <code>offline_access</code> scopes are special-cased by OpenIddict and don't require explicit permissions.</p>
</blockquote>
<h3 id="supported-permissions-2">Supported permissions</h3>
<table>
<thead>
<tr>
<th style="text-align:center">Scope</th>
<th style="text-align:center">Constant</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:center">address</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.Scopes.Address</code></td>
</tr>
<tr>
<td style="text-align:center">email</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.Scopes.Email</code></td>
</tr>
<tr>
<td style="text-align:center">phone</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.Scopes.Phone</code></td>
</tr>
<tr>
<td style="text-align:center">profile</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.Scopes.Profile</code></td>
</tr>
<tr>
<td style="text-align:center">roles</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.Scopes.Roles</code></td>
</tr>
</tbody>
</table>
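<p>Custom permissions follow one pattern for both categories: the grant type section above builds them from <code>OpenIddictConstants.Permissions.Prefixes.GrantType</code>, and custom scopes use <code>OpenIddictConstants.Permissions.Prefixes.Scope</code> the same way (the exact pattern is given just below). The following is an added example, not code from the OpenIddict documentation or project. It shows the two custom permissions together with the server-side enablement each one needs, and assumes that <code>IOpenIddictApplicationManager</code> and <code>IOpenIddictScopeManager</code> are resolved from dependency injection and that <code>AllowCustomFlow</code> and <code>RegisterScopes</code> are available on the server builder as in OpenIddict 3.0. The names <code>custom_flow_name</code> and <code>marketing_api</code> are the page's own sample names; the client id <code>device</code> and the resource name <code>marketing_api_server</code> are constructed for the example.</p>

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
using OpenIddict.Abstractions;
using static OpenIddict.Abstractions.OpenIddictConstants;

// Added example, not from the OpenIddict documentation. A custom grant type and a
// custom scope each need two things: the server must know about them, and the
// client must be granted the matching prefixed permission.
public static class CustomPermissions
{
    public const string CustomFlow = "custom_flow_name"; // the page's sample flow name
    public const string CustomScope = "marketing_api";   // the page's sample scope name

    // Server side. A grant type the server has not been configured to allow is
    // rejected regardless of what the client was granted, so the flow is enabled
    // here; registering the scope lets the server advertise and validate it.
    // AllowCustomFlow and RegisterScopes are OpenIddictServerBuilder methods
    // (assumed to match the OpenIddict version in use).
    public static IServiceCollection AddServerOptions(IServiceCollection services)
    {
        services.AddOpenIddict()
            .AddServer(options =>
            {
                options.AllowCustomFlow(CustomFlow);
                options.RegisterScopes(CustomScope);
                // The event handler that actually processes the custom grant and
                // issues tokens is a separate piece of work and is not shown here.
            });

        return services;
    }

    // Client side. Grant exactly the token endpoint plus the two custom permissions.
    public static async Task EnsureDeviceClientAsync(
        IOpenIddictApplicationManager applications,
        IOpenIddictScopeManager scopes)
    {
        // Storing the scope as an entity gives it resources (the audience the
        // access token is issued for). The scope *permission* granted to the
        // client below is a separate, string-valued allow-list entry.
        if (await scopes.FindByNameAsync(CustomScope) is null)
        {
            await scopes.CreateAsync(new OpenIddictScopeDescriptor
            {
                Name = CustomScope,
                DisplayName = "Marketing API access",
                Resources = { "marketing_api_server" } // constructed resource name
            });
        }

        if (await applications.FindByClientIdAsync("device") is null)
        {
            await applications.CreateAsync(new OpenIddictApplicationDescriptor
            {
                ClientId = "device",      // constructed client id
                DisplayName = "Device client",
                Permissions =
                {
                    Permissions.Endpoints.Token,
                    Permissions.Prefixes.GrantType + CustomFlow,
                    Permissions.Prefixes.Scope + CustomScope
                }
            });
        }
    }
}
```

<p>The split matters for review: <code>AllowCustomFlow</code> and <code>RegisterScopes</code> widen what the server accepts for every client, while the prefixed permissions decide which individual client may use them. Leaving either side out produces a rejected request, which is the intended failure mode, so a client that only received the permission but whose flow was never allowed server-side is not silently granted anything.</p>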
<p>To add a custom scope permission, you can use the following pattern:</p>
<pre><code class="lang-csharp">OpenIddictConstants.Permissions.Prefixes.Scope + "custom_scope_name"
</code></pre>
<h3 id="example-2">Example</h3>
<p>In the following sample, the <code>angular</code> client is allowed to request the <code>address</code>,
<code>profile</code> and <code>marketing_api</code> scopes: any other scope will result in an error being returned.</p>
<pre><code class="lang-csharp">if (await manager.FindByClientIdAsync("angular") is null)
{
    await manager.CreateAsync(new OpenIddictApplicationDescriptor
    {
        ClientId = "angular",
        DisplayName = "Angular",
        RedirectUris = { new Uri("https://localhost:34422/callback") },
        Permissions =
        {
            OpenIddictConstants.Permissions.Endpoints.Authorization,
            OpenIddictConstants.Permissions.GrantTypes.Implicit,
            OpenIddictConstants.Permissions.Scopes.Address,
            OpenIddictConstants.Permissions.Scopes.Profile,
            OpenIddictConstants.Permissions.Prefixes.Scope + "marketing_api"
        }
    });
}
</code></pre>
<h3 id="disabling-scope-permissions">Disabling scope permissions</h3>
<p>If you don't want to use scope permissions, call <code>options.IgnoreScopePermissions()</code> to ignore them:</p>
<pre><code class="lang-csharp">services.AddOpenIddict()
    .AddServer(options =>
    {
        options.IgnoreScopePermissions();
    });
</code></pre>
<h2 id="response-type-permissions">Response type permissions</h2>
<div class="NOTE"><h5>Note</h5><p>Response type permissions were introduced in OpenIddict 3.0.</p>
</div>
<h3 id="definition-3">Definition</h3>
<p>Response type permissions limit the response types a client application is allowed to use when implementing an interactive flow like code, implicit or hybrid.</p>
<h3 id="supported-permissions-3">Supported permissions</h3>
<table>
<thead>
<tr>
<th style="text-align:center">Response type</th>
<th style="text-align:center">Constant</th>
</tr>
</thead>
<tbody>
<tr>
<td style="text-align:center">code</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.ResponseTypes.Code</code></td>
</tr>
<tr>
<td style="text-align:center">code id_token</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.ResponseTypes.CodeIdToken</code></td>
</tr>
<tr>
<td style="text-align:center">code id_token token</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.ResponseTypes.CodeIdTokenToken</code></td>
</tr>
<tr>
<td style="text-align:center">code token</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.ResponseTypes.CodeToken</code></td>
</tr>
<tr>
<td style="text-align:center">id_token</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.ResponseTypes.IdToken</code></td>
</tr>
<tr>
<td style="text-align:center">id_token token</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.ResponseTypes.IdTokenToken</code></td>
</tr>
<tr>
<td style="text-align:center">none</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.ResponseTypes.None</code></td>
</tr>
<tr>
<td style="text-align:center">token</td>
<td style="text-align:center"><code>OpenIddictConstants.Permissions.ResponseTypes.Token</code></td>
</tr>
</tbody>
</table>
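<p>With all four categories now listed, the following added example (not code from the OpenIddict documentation or project) registers one confidential client with an explicit allow-list drawn from every category, and, unlike the create-only pattern the examples on this page use, also brings the permissions of an already registered client back in line on later runs. It assumes <code>manager</code> is the <code>IOpenIddictApplicationManager</code> from dependency injection, that <code>PopulateAsync(descriptor, application)</code> and <code>UpdateAsync(application, descriptor)</code> are available on that manager, and that <code>using static OpenIddictConstants</code> is in effect so the constants can be written without the <code>OpenIddictConstants.</code> prefix. The client id <code>web</code>, the redirect URIs, the scope name <code>marketing_api</code> and the secret placeholder are constructed values.</p>

```csharp
using System;
using System.Threading.Tasks;
using OpenIddict.Abstractions;
using static OpenIddict.Abstractions.OpenIddictConstants;

// Added example, not from the OpenIddict documentation. Registers a confidential
// client with an explicit allow-list from all four permission categories and keeps
// an already registered client's permission list in sync.
public static class WebClientRegistration
{
    public const string ClientId = "web"; // constructed client id

    // The intended permission set lives in one place so create and update agree.
    public static OpenIddictApplicationDescriptor BuildDescriptor() => new OpenIddictApplicationDescriptor
    {
        ClientId = ClientId,
        DisplayName = "Web client application",
        RedirectUris = { new Uri("https://localhost:5001/signin-oidc") },                     // constructed
        PostLogoutRedirectUris = { new Uri("https://localhost:5001/signout-callback-oidc") }, // constructed
        Permissions =
        {
            // Endpoints: only what the code flow needs. Introspection and revocation
            // stay unavailable to this client.
            Permissions.Endpoints.Authorization,
            Permissions.Endpoints.Logout,
            Permissions.Endpoints.Token,

            // Grant types: code plus refresh_token. Password and implicit are not granted.
            Permissions.GrantTypes.AuthorizationCode,
            Permissions.GrantTypes.RefreshToken,

            // Response types: plain "code", so no token is returned from the
            // authorization endpoint.
            Permissions.ResponseTypes.Code,

            // Scopes: openid and offline_access need no permission; everything else does.
            Permissions.Scopes.Email,
            Permissions.Scopes.Profile,
            Permissions.Prefixes.Scope + "marketing_api"
        }
    };

    public static async Task EnsureAsync(IOpenIddictApplicationManager manager)
    {
        var descriptor = BuildDescriptor();
        var application = await manager.FindByClientIdAsync(ClientId);

        if (application is null)
        {
            // Placeholder only: generate a real secret and keep it in a secret store.
            descriptor.ClientSecret = "<generated-client-secret>";
            await manager.CreateAsync(descriptor);
            return;
        }

        // The "create only if missing" pattern never touches an existing row, so a
        // tightened permission list would silently fail to apply on redeploy. Copy the
        // stored state into a fresh descriptor first, so fields this code does not set
        // (the stored secret in particular) are preserved, then replace the permissions.
        // PopulateAsync(descriptor, application) and UpdateAsync(application, descriptor)
        // are assumed manager overloads; check them against the OpenIddict version in use.
        var current = new OpenIddictApplicationDescriptor();
        await manager.PopulateAsync(current, application);
        current.Permissions.Clear();
        current.Permissions.UnionWith(descriptor.Permissions);
        await manager.UpdateAsync(application, current);
    }
}
```

<p>Calling <code>EnsureAsync</code> from a startup hosted service makes the stored allow-list converge on the one in source control, which is what turns application permissions from a one-time seed into a reviewable control.</p>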
<h3 id="example-3">Example</h3>
<p>In the following example, the <code>postman</code> application can only use the <code>code id_token</code> response type:</p>
<pre><code class="lang-csharp">if (await manager.FindByClientIdAsync("postman") is null)
{
    await manager.CreateAsync(new OpenIddictApplicationDescriptor
    {
        ClientId = "postman",
        DisplayName = "Postman",
        RedirectUris = { new Uri("https://www.getpostman.com/oauth2/callback") },
        Permissions =
        {
            OpenIddictConstants.Permissions.Endpoints.Authorization,
            OpenIddictConstants.Permissions.Endpoints.Token,
            OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
            OpenIddictConstants.Permissions.ResponseTypes.CodeIdToken
        }
    });
}
</code></pre>
<h3 id="disabling-response-type-permissions">Disabling response type permissions</h3>
<p>If you don't want to use response type permissions, call <code>options.IgnoreResponseTypePermissions()</code> to ignore them:</p>
<pre><code class="lang-csharp">services.AddOpenIddict()
    .AddServer(options =>
    {
        options.IgnoreResponseTypePermissions();
    });
</code></pre>
</article>
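<p>Application permissions are data in the application store rather than code, so they drift as clients are added and sample registrations are copied. The following added example (not part of the OpenIddict documentation or project) walks every registered client through <code>IOpenIddictApplicationManager</code> and reports permission sets worth a second look: clients with no permissions at all, clients granted the password or implicit grant or any response type that returns an access token from the authorization endpoint, and clients that can reach a token-issuing endpoint without holding a single scope permission. <code>ListAsync</code>, <code>GetClientIdAsync</code> and <code>GetPermissionsAsync</code> are existing manager members; the rule set is the example's own choice and the <code>Finding</code> record is a constructed type.</p>

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Immutable;
using System.Linq;
using System.Threading.Tasks;
using OpenIddict.Abstractions;
using static OpenIddict.Abstractions.OpenIddictConstants;

// Added example, not from the OpenIddict documentation. Enumerates every registered
// client and reports permission sets that deserve review. The rules are this
// example's own choice; the manager calls are existing IOpenIddictApplicationManager members.
public static class PermissionAudit
{
    public sealed record Finding(string ClientId, string Reason); // constructed type, C# 9

    // Legitimate permissions that are easy to over-grant by copying a sample: the
    // password and implicit grants, and every response type that returns an access
    // token from the authorization endpoint.
    private static readonly string[] ReviewWorthy =
    {
        Permissions.GrantTypes.Password,
        Permissions.GrantTypes.Implicit,
        Permissions.ResponseTypes.Token,
        Permissions.ResponseTypes.IdTokenToken,
        Permissions.ResponseTypes.CodeToken,
        Permissions.ResponseTypes.CodeIdTokenToken
    };

    public static async Task<List<Finding>> RunAsync(IOpenIddictApplicationManager manager)
    {
        var findings = new List<Finding>();

        // ListAsync streams every stored application; the two getters read the
        // fields the rules need.
        await foreach (var application in manager.ListAsync())
        {
            var clientId = await manager.GetClientIdAsync(application) ?? "<no client_id>";
            var permissions = await manager.GetPermissionsAsync(application);
            findings.AddRange(Evaluate(clientId, permissions));
        }

        return findings;
    }

    // Pure function over one client's permission list, so the rules can be
    // unit-tested without a store behind them.
    public static IEnumerable<Finding> Evaluate(string clientId, ImmutableArray<string> permissions)
    {
        if (permissions.IsDefaultOrEmpty)
        {
            // Depending on which IgnoreXxxPermissions() calls are in place, this client
            // can use nothing at all or far more than intended; either way, look at it.
            yield return new Finding(clientId, "no permissions registered");
            yield break;
        }

        foreach (var permission in permissions.Intersect(ReviewWorthy, StringComparer.Ordinal))
        {
            yield return new Finding(clientId, $"grants {permission}");
        }

        // A client that can reach a token-issuing endpoint but holds no scope
        // permission can only ever request openid and offline_access, the two scopes
        // the page says are special-cased. Confirm that is what was intended.
        bool issuesTokens = permissions.Contains(Permissions.Endpoints.Authorization)
                         || permissions.Contains(Permissions.Endpoints.Token);
        bool hasScope = permissions.Any(p => p.StartsWith(Permissions.Prefixes.Scope, StringComparison.Ordinal));
        if (issuesTokens && !hasScope)
        {
            yield return new Finding(clientId, "can obtain tokens but holds no scope permission");
        }
    }
}
```

<p>Run against the registrations on this page, <code>console</code> is reported for the password grant and <code>angular</code> for the implicit grant; neither is wrong by itself, the point is that each such grant is an explicit, reviewed decision rather than an inherited default. Because the audit only reads the store, it is safe to schedule as a startup hosted service or a CI step against a seeded test database.</p>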
</div>
<div class="hidden-sm col-md-2" role="complementary">
<div class="sideaffix">
<nav class="bs-docs-sidebar hidden-print hidden-xs hidden-sm affix" id="affix">
<h5>In This Article</h5>
<div></div>
</nav>
</div>
</div>
</div>
</div>
<footer>
<div class="grad-bottom"></div>
<div class="footer">
<div class="container">
<span class="pull-right">
<a href="#top">Back to top</a>
</span>
<span>Generated by <strong>DocFX</strong></span>
</div>
</div>
</footer>
</div>
<script type="text/javascript" src="../styles/docfx.vendor.js"></script>
<script type="text/javascript" src="../styles/docfx.js"></script>
<script type="text/javascript" src="../styles/main.js"></script>
</body>
</html>