Cannot understand the AllowedScopes options

[andreuwz]

Hello.

I have the following access token, which includes scopes (), issued by Identity Server 4, like this:
"scope": [ "Cart.API", "Catalogue.API", "Identity.API", "offline_access" ]
Also, in my ocelot configuration, for certain re-routings I have the following configuration:
"AllowedScopes": [ "Cart.API", "Catalogue.API", "Identity.API", "offline_access" ]

I want to ask, are the scopes created by IS4 the ones Ocelot looks for?
Because I tested the scopes in the token against 2 examples:
"AllowedScopes": [ "Cart.API", "Catalogue.API", "Identity.API", "offline_access", "test" ]
"AllowedScopes": [ "test" ]
In the first example where test is included in the list of scopes, using the token from above - I get forbidden. If I use only "test" scope I get Unauthorized. Is this expected behavior?

[ggnaegi]

@andreuwz As far as I understand it, the second example is giving you the expected result, since the test scope isn't included in the token's scopes.
https://github.com/ThreeMammals/Ocelot/blob/develop/src/Ocelot/Authorization/ScopesAuthorizer.cs

 if (!matchesScopes.Any())
            {
                return new ErrorResponse<bool>(
                    new ScopeNotAuthorizedError($"no one user scope: '{string.Join(',', userScopes)}' match with some allowed scope: '{string.Join(',', routeAllowedScopes)}'"));
            }

as for the first example, the error must be somewhere else, since you have some matching scopes (by the way it's an interesting debate: #231)