Skip to content

Switching between a scope's matching strategies #1066

Description

@papugamichal
Old description outdated after January 2, 2025

Expected Behavior / New Feature

Allowed Scopes documentation says:

If you add scopes to AllowedScopes Ocelot will get all the user claims (from the token) of the type scope and make sure that the user has all of the scopes in the list.

This is a way to restrict access to a Route on a per scope basis.

ScopesAuthoriser.Authorize method:

var matchesScopes = routeAllowedScopes.Intersect(userScopes);

Example:

Token contains Scope: "A"
Defined route AllowedScopes: "A", "B"

Ocelot should reject request to be fair with documentation.

Actual Behavior / Motivation for New Feature

Example

Token contains Scope: "A".
Defined route AllowedScopes: "A", "B"

Ocelot allow to pass request, even when token do not contains all required scopes!

Change proposal

Change:
var matchesScopes = routeAllowedScopes.Intersect(userScopes).ToList();
To:
var matchesScopes = routeAllowedScopes.All(e => userScopes.Contains(e));

Or, change misleading information in documentation.

New Feature

To be written...

Metadata

Metadata

Assignees

No one assigned

    Labels

    AuthenticationOcelot feature: AuthenticationAuthorizationOcelot feature: AuthorizationSummer'26Summer 2026 releasefeatureA new featureproposalProposal for a new functionality in Ocelot

    Fields

    No fields configured for Feature.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions