diff --git a/sandbox/OpenIddict.Sandbox.Console.Client/InteractiveService.cs b/sandbox/OpenIddict.Sandbox.Console.Client/InteractiveService.cs
index e19c9ccf..bf18e8f3 100644
--- a/sandbox/OpenIddict.Sandbox.Console.Client/InteractiveService.cs
+++ b/sandbox/OpenIddict.Sandbox.Console.Client/InteractiveService.cs
@@ -58,16 +58,22 @@ public class InteractiveService : BackgroundService
if (result.VerificationUriComplete is not null)
{
- AnsiConsole.MarkupLineInterpolated(
- $"[yellow]Please visit [link]{result.VerificationUriComplete}[/] and confirm the displayed code is '{result.UserCode}' to complete the authentication demand.[/]");
+ AnsiConsole.MarkupLineInterpolated($"""
+ [yellow]Please visit [link]{result.VerificationUriComplete}[/] and confirm the
+ displayed code is '{result.UserCode}' to complete the authentication demand.[/]
+ """);
}
else
{
- AnsiConsole.MarkupLineInterpolated(
- $"[yellow]Please visit [link]{result.VerificationUri}[/] and enter '{result.UserCode}' to complete the authentication demand.[/]");
+ AnsiConsole.MarkupLineInterpolated($"""
+ [yellow]Please visit [link]{result.VerificationUri}[/] and enter
+ '{result.UserCode}' to complete the authentication demand.[/]
+ """);
}
+ AnsiConsole.MarkupLine("[cyan]Waiting for the user to approve the authorization demand.[/]");
+
// Wait for the user to complete the demand on the other device.
principal = (await _service.AuthenticateWithDeviceAsync(new()
{
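Review bot: The raw string literals that replace the two MarkupLineInterpolated calls embed a hard line break in the printed message (after `confirm the` and after `enter`), so a sentence that was previously emitted on one line now wraps mid-phrase regardless of terminal width. If the intent was only to wrap the source, keep the output intact by splitting the literal instead, e.g. `$"[yellow]Please visit [link]{result.VerificationUriComplete}[/] and confirm the " + $"displayed code is '{result.UserCode}' to complete the authentication demand.[/]"`, or place the break between sentences rather than inside one. The enclosing method starts and ends outside the hunk.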
@@ -90,6 +96,8 @@ public class InteractiveService : BackgroundService
ProviderName = provider
});
+ AnsiConsole.MarkupLine("[cyan]Waiting for the user to approve the authorization demand.[/]");
+
// Wait for the user to complete the authorization process.
principal = (await _service.AuthenticateInteractivelyAsync(new()
{
diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
index 3cb6b3ce..c67c24ec 100644
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationHandlers.cs
@@ -706,6 +706,21 @@ public static partial class OpenIddictClientWebIntegrationHandlers
_ => context.SendUserinfoRequest
},
+ // Note: some providers don't allow querying the userinfo endpoint when the "openid" scope
+ // is not requested or granted. To work around that, userinfo is disabled when the "openid"
+ // scope wasn't requested during the initial authorization request or during the token request.
+ ProviderTypes.Okta => context.GrantType switch
+ {
+ GrantTypes.AuthorizationCode or GrantTypes.Implicit when
+ context.StateTokenPrincipal is ClaimsPrincipal principal && !principal.HasScope(Scopes.OpenId)
+ => false,
+
+ GrantTypes.DeviceCode or GrantTypes.RefreshToken when !context.Scopes.Contains(Scopes.OpenId)
+ => false,
+
+ _ => context.SendUserinfoRequest
+ },
+
_ => context.SendUserinfoRequest
};
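Review bot: The comment added above the Okta arm says userinfo is disabled when the "openid" scope wasn't "requested or granted", but both guards test only request-side values — the scopes recorded in the state token principal for the code/implicit grants and `context.Scopes` for the device-code/refresh-token grants — and never the scopes the token response actually granted. Either narrow the comment to match the code (`// ... userinfo is disabled when the "openid" scope wasn't requested during the initial authorization request or during the token request.`), or, if the context exposes the granted scopes from the token response, check those too so a provider that silently drops "openid" does not still trigger a userinfo call. For the refresh-token grant, `context.Scopes` presumably reflects the scope parameter of the refresh request; if a refresh is issued without re-specifying scopes, that set may be empty even though the original grant included "openid", which would disable userinfo unexpectedly — worth confirming against how refresh requests are built. The `_ => context.SendUserinfoRequest },` at the top of the hunk suggests the same two-guard pattern already exists for another provider just above; if so, a small static helper shared by both arms would keep them from drifting. The enclosing switch expression and its method begin outside the hunk.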
diff --git a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
index 6bb70c38..1c68f286 100644
--- a/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
+++ b/src/OpenIddict.Client.WebIntegration/OpenIddictClientWebIntegrationProviders.xml
@@ -711,6 +711,27 @@
+
+
+
+
+
+
+
+
+
+
-
+