28Eki
OpenId connect: Grant all available scopes in ClientCredentials flow
I have a microservice system with an OpenId connect Identity Provider, implemented with IdentityServer4.
I have one special (very generic) service which needs to be able to communicate with all other services, even with services which will be developed in future. This is server to server communication without user interaction, so my special service requests tokens vial Client Credentials Flow. I would like to grant this service "all scopes registered at this IdentityProvider". As a developer, I don't know which scopes will be there. So I can't specify them as AllowedScopes in my client registration.
My questions are:
- Is it OIDC conform to register a client without explicitly specifying allowed scopes, but rather saying "all existing (and future) scopes"? I checked the OIDC spec, but didn't find a rule saying you must (or should) specify allowed scopes. I found some posts suggesting that scopes are not that relevant in Client Credentials Flow, e.g. here.
- If it is OIDC conform, does IdentityServer4 offer such a possibilty or an extension point?
