2018-02-12 07:54:40 +08:00
# Application permissions
2021-01-13 12:14:05 +08:00
OpenIddict includes a built-in feature codenamed "application permissions" that
**allows controlling and limiting the OAuth 2.0/OpenID Connect features each registered client application is able to use**.
2018-02-12 07:54:40 +08:00
2021-01-13 12:14:05 +08:00
4 categories of permissions are currently supported:
- Endpoint permissions.
- Grant type permissions.
2018-02-12 07:54:40 +08:00
- Scope permissions.
2021-01-13 12:14:05 +08:00
- Response type permissions (*introduced in OpenIddict 3.0*).
2018-02-12 07:54:40 +08:00
## Endpoint permissions
### Definition
Endpoint permissions limit the endpoints a client application can use.
### Supported permissions
2021-01-13 12:14:05 +08:00
| Endpoint | Constant |
|:------------------:|:---------------------------------------------------------:|
| Authorization | `OpenIddictConstants.Permissions.Endpoints.Authorization` |
| Introspection | `OpenIddictConstants.Permissions.Endpoints.Introspection` |
| Logout/end session | `OpenIddictConstants.Permissions.Endpoints.Logout` |
| Revocation | `OpenIddictConstants.Permissions.Endpoints.Revocation` |
| Token | `OpenIddictConstants.Permissions.Endpoints.Token` |
2018-02-12 07:54:40 +08:00
### Example
In the following example, the `mvc` application is allowed to use the authorization, logout and
token endpoints but will get an error when trying to send an introspection or revocation request:
```csharp
2021-01-13 12:14:05 +08:00
if (await manager.FindByClientIdAsync("mvc") is null)
2018-02-12 07:54:40 +08:00
{
await manager.CreateAsync(new OpenIddictApplicationDescriptor
{
ClientId = "mvc",
ClientSecret = "901564A5-E7FE-42CB-B10D-61EF6A8F3654",
DisplayName = "MVC client application",
PostLogoutRedirectUris = { new Uri("http://localhost:53507/signout-callback-oidc") },
RedirectUris = { new Uri("http://localhost:53507/signin-oidc") },
Permissions =
{
OpenIddictConstants.Permissions.Endpoints.Authorization,
OpenIddictConstants.Permissions.Endpoints.Logout,
OpenIddictConstants.Permissions.Endpoints.Token
}
});
}
```
2018-07-04 19:12:29 +08:00
### Disabling endpoint permissions
If you don't want to use endpoint permissions, call `options.IgnoreEndpointPermissions()` to ignore them:
```csharp
services.AddOpenIddict()
.AddServer(options =>
{
options.IgnoreEndpointPermissions();
});
```
2018-02-12 07:54:40 +08:00
## Grant type permissions
### Definition
2021-01-13 12:14:05 +08:00
Grant type permissions limit the grant types a client application is allowed to use.
2018-02-12 07:54:40 +08:00
### Supported permissions
2021-01-13 12:14:05 +08:00
| Grant type | Constant |
|:------------------:|:--------------------------------------------------------------:|
| Authorization code | `OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode` |
| Client credentials | `OpenIddictConstants.Permissions.GrantTypes.ClientCredentials` |
| Implicit | `OpenIddictConstants.Permissions.GrantTypes.Implicit` |
| Password | `OpenIddictConstants.Permissions.GrantTypes.Password` |
| Refresh token | `OpenIddictConstants.Permissions.GrantTypes.RefreshToken` |
2018-02-12 07:54:40 +08:00
2021-01-13 12:14:05 +08:00
To add a custom grant type permission, you can use the following pattern:
2021-01-26 00:27:19 +08:00
2018-02-12 07:54:40 +08:00
```csharp
OpenIddictConstants.Permissions.Prefixes.GrantType + "custom_flow_name"
```
### Example
2021-01-13 12:14:05 +08:00
In the following example, the `postman` application can only use the authorization code grant
while `console` is restricted to the `password` and `refresh_token` grants:
2018-02-12 07:54:40 +08:00
```csharp
2021-01-13 12:14:05 +08:00
if (await manager.FindByClientIdAsync("postman") is null)
2018-02-12 07:54:40 +08:00
{
await manager.CreateAsync(new OpenIddictApplicationDescriptor
{
ClientId = "postman",
DisplayName = "Postman",
RedirectUris = { new Uri("https://www.getpostman.com/oauth2/callback") },
Permissions =
{
2018-07-04 19:12:29 +08:00
OpenIddictConstants.Permissions.Endpoints.Authorization,
OpenIddictConstants.Permissions.Endpoints.Token,
2018-02-12 07:54:40 +08:00
OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode
}
});
}
2021-01-13 12:14:05 +08:00
if (await manager.FindByClientIdAsync("console") is null)
2018-02-12 07:54:40 +08:00
{
await manager.CreateAsync(new OpenIddictApplicationDescriptor
{
ClientId = "console",
DisplayName = "Console",
Permissions =
{
2018-07-04 19:12:29 +08:00
OpenIddictConstants.Permissions.Endpoints.Token,
2018-02-12 07:54:40 +08:00
OpenIddictConstants.Permissions.GrantTypes.Password,
OpenIddictConstants.Permissions.GrantTypes.RefreshToken
}
});
}
```
2018-07-04 19:12:29 +08:00
### Disabling grant type permissions
If you don't want to use grant type permissions, call `options.IgnoreGrantTypePermissions()` to ignore them:
```csharp
services.AddOpenIddict()
.AddServer(options =>
{
options.IgnoreGrantTypePermissions();
});
```
2018-02-12 07:54:40 +08:00
## Scope permissions
### Definition
Scope permissions limit the scopes (standard or custom) a client application is allowed to use.
2021-01-26 00:27:19 +08:00
> [!NOTE]
2018-02-12 07:54:40 +08:00
> The `openid` and `offline_access` scopes are special-cased by OpenIddict and don't require explicit permissions.
2018-09-13 20:46:53 +08:00
### Supported permissions
| Scope | Constant |
|:-------:|:------------------------------------------------:|
| address | `OpenIddictConstants.Permissions.Scopes.Address` |
| email | `OpenIddictConstants.Permissions.Scopes.Email` |
| phone | `OpenIddictConstants.Permissions.Scopes.Phone` |
| profile | `OpenIddictConstants.Permissions.Scopes.Profile` |
| roles | `OpenIddictConstants.Permissions.Scopes.Roles` |
To add a custom scope permission, you can use the following pattern:
2021-01-26 00:27:19 +08:00
2018-09-13 20:46:53 +08:00
```csharp
OpenIddictConstants.Permissions.Prefixes.Scope + "custom_scope_name"
```
2018-02-12 07:54:40 +08:00
### Example
In the following sample, the `angular` client is allowed to request the `address` ,
2018-07-04 19:12:29 +08:00
`profile` and `marketing_api` scopes: any other scope will result in an error being returned.
2018-02-12 07:54:40 +08:00
```csharp
2021-01-13 12:14:05 +08:00
if (await manager.FindByClientIdAsync("angular") is null)
2018-02-12 07:54:40 +08:00
{
await manager.CreateAsync(new OpenIddictApplicationDescriptor
{
ClientId = "angular",
DisplayName = "Angular",
RedirectUris = { new Uri("https://localhost:34422/callback") },
Permissions =
{
2018-07-04 19:12:29 +08:00
OpenIddictConstants.Permissions.Endpoints.Authorization,
OpenIddictConstants.Permissions.GrantTypes.Implicit,
2018-02-12 07:54:40 +08:00
2018-07-04 19:12:29 +08:00
OpenIddictConstants.Permissions.Scopes.Address,
OpenIddictConstants.Permissions.Scopes.Profile,
OpenIddictConstants.Permissions.Prefixes.Scope + "marketing_api"
2018-02-12 07:54:40 +08:00
}
});
}
2018-07-04 19:12:29 +08:00
```
### Disabling scope permissions
If you don't want to use scope permissions, call `options.IgnoreScopePermissions()` to ignore them:
```csharp
services.AddOpenIddict()
.AddServer(options =>
{
options.IgnoreScopePermissions();
});
2021-01-13 12:14:05 +08:00
```
2021-01-13 12:19:06 +08:00
## Response type permissions
2021-01-13 12:48:11 +08:00
> [!NOTE]
2021-01-13 12:19:06 +08:00
> Response type permissions were introduced in OpenIddict 3.0.
2021-01-13 12:14:05 +08:00
### Definition
Response type permissions limit the response types a client application is allowed to use when implementing an interactive flow like code, implicit or hybrid.
### Supported permissions
| Response type | Constant |
2021-01-13 12:19:06 +08:00
|:-------------------:|:----------------------------------------------------------------:|
2021-01-13 12:14:05 +08:00
| code | `OpenIddictConstants.Permissions.ResponseTypes.Code` |
| code id_token | `OpenIddictConstants.Permissions.ResponseTypes.CodeIdToken` |
| code id_token token | `OpenIddictConstants.Permissions.ResponseTypes.CodeIdTokenToken` |
| code token | `OpenIddictConstants.Permissions.ResponseTypes.CodeToken` |
| id_token | `OpenIddictConstants.Permissions.ResponseTypes.IdToken` |
| id_token token | `OpenIddictConstants.Permissions.ResponseTypes.IdTokenToken` |
| none | `OpenIddictConstants.Permissions.ResponseTypes.None` |
| token | `OpenIddictConstants.Permissions.ResponseTypes.Token` |
### Example
In the following example, the `postman` application can only use the `code id_token` response type:
```csharp
if (await manager.FindByClientIdAsync("postman") is null)
{
await manager.CreateAsync(new OpenIddictApplicationDescriptor
{
ClientId = "postman",
DisplayName = "Postman",
RedirectUris = { new Uri("https://www.getpostman.com/oauth2/callback") },
Permissions =
{
OpenIddictConstants.Permissions.Endpoints.Authorization,
OpenIddictConstants.Permissions.Endpoints.Token,
OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
OpenIddictConstants.Permissions.ResponseTypes.CodeIdToken
}
});
}
```
### Disabling response type permissions
If you don't want to use response type permissions, call `options.IgnoreResponseTypePermissions()` to ignore them:
```csharp
services.AddOpenIddict()
.AddServer(options =>
{
options.IgnoreResponseTypePermissions();
});
2018-02-12 07:54:40 +08:00
```
