ThreeMammals · raman-m · Dec 7, 2025 · May 31, 2021 · May 31, 2021 · Aug 11, 2023
diff --git a/src/Ocelot/Authorization/ScopesAuthorizer.cs b/src/Ocelot/Authorization/ScopesAuthorizer.cs
@@ -1,14 +1,15 @@
-using Ocelot.Infrastructure.Claims.Parser;
-using Ocelot.Responses;
+using Ocelot.Infrastructure.Claims.Parser;
+using Ocelot.Responses;
 using System.Security.Claims;
 
 namespace Ocelot.Authorization;
 
 public class ScopesAuthorizer : IScopesAuthorizer
 {
-    private readonly IClaimsParser _claimsParser;
     public const string Scope = "scope";
 
+    private readonly IClaimsParser _claimsParser;
+
     public ScopesAuthorizer(IClaimsParser claimsParser)
     {
         _claimsParser = claimsParser;
@@ -28,7 +29,17 @@ public Response<bool> Authorize(ClaimsPrincipal claimsPrincipal, List<string> ro
             return new ErrorResponse<bool>(values.Errors);
         }
 
-        var userScopes = values.Data;
+        IList<string> userScopes = values.Data;
+
+        if (userScopes.Count == 1)
+        {
+            var scope = userScopes[0];
+
+            if (scope.Contains(' '))
+            {
+                userScopes = scope.Split(' ', StringSplitOptions.RemoveEmptyEntries);
+            }
+        }
 
         var matchesScopes = routeAllowedScopes.Intersect(userScopes);
 

diff --git a/test/Ocelot.AcceptanceTests/AuthorizationTests.cs b/test/Ocelot.AcceptanceTests/AuthorizationTests.cs
@@ -308,6 +308,115 @@ public async Task Should_return_200_OK_with_global_allowed_scopes()
         await ThenTheResponseBodyAsync();
     }
 
+    [Fact]
+    [Trait("Feature", "Space-separated scopes")]
+    public async Task Should_return_200_OK_with_space_separated_scope_single_match()
+    {
+        var port = PortFinder.GetRandomPort();
+        var route = GivenAuthRoute(port);
+        route.AuthenticationOptions.AllowedScopes = ["api", "api.read", "api.write"];
+        var configuration = GivenConfiguration(route);
+        await GivenThereIsAnIdentityServer();
+        GivenThereIsAServiceRunningOn(port, HttpStatusCode.OK, "Hello from space-separated test");
+
+        GivenThereIsAConfiguration(configuration);
+        GivenOcelotIsRunning(WithAspNetIdentityAuthentication);
+
+        // Generate token with space-separated scopes
+        await GivenIHaveAToken(scope: "api.read api.write openid");
+        GivenIHaveAddedATokenToMyRequest();
+        await WhenIGetUrlOnTheApiGateway("/");
+        ThenTheStatusCodeShouldBe(HttpStatusCode.OK);
+        await ThenTheResponseBodyShouldBeAsync("Hello from space-separated test");
+    }
+
+    [Fact]
+    [Trait("Feature", "Space-separated scopes")]
+    public async Task Should_return_200_OK_with_space_separated_scope_multiple_matches()
+    {
+        var port = PortFinder.GetRandomPort();
+        var route = GivenAuthRoute(port);
+        route.AuthenticationOptions.AllowedScopes = ["api.read", "api.write"];
+        var configuration = GivenConfiguration(route);
+        await GivenThereIsAnIdentityServer();
+        GivenThereIsAServiceRunningOn(port, HttpStatusCode.OK, "Multiple scopes matched");
+
+        GivenThereIsAConfiguration(configuration);
+        GivenOcelotIsRunning(WithAspNetIdentityAuthentication);
+
+        // Generate token with space-separated scopes that includes both allowed scopes
+        await GivenIHaveAToken(scope: "api.read api.write openid offline_access");
+        GivenIHaveAddedATokenToMyRequest();
+        await WhenIGetUrlOnTheApiGateway("/");
+        ThenTheStatusCodeShouldBe(HttpStatusCode.OK);
+        await ThenTheResponseBodyShouldBeAsync("Multiple scopes matched");
+    }
+
+    [Fact]
+    [Trait("Feature", "Space-separated scopes")]
+    public async Task Should_return_403_with_space_separated_scope_no_match()
+    {
+        var port = PortFinder.GetRandomPort();
+        var route = GivenAuthRoute(port);
+        route.AuthenticationOptions.AllowedScopes = ["admin", "superuser"];
+        var configuration = GivenConfiguration(route);
+        await GivenThereIsAnIdentityServer();
+        GivenThereIsAServiceRunningOn(port, HttpStatusCode.OK, "Should not reach here");
+
+        GivenThereIsAConfiguration(configuration);
+        GivenOcelotIsRunning(WithAspNetIdentityAuthentication);
+
+        // Generate token with space-separated scopes that don't match allowed scopes
+        await GivenIHaveAToken(scope: "api.read api.write openid");
+        GivenIHaveAddedATokenToMyRequest();
+        await WhenIGetUrlOnTheApiGateway("/");
+        ThenTheStatusCodeShouldBe(HttpStatusCode.Forbidden);
+    }
+
+    [Fact]
+    [Trait("Feature", "Space-separated scopes")]
+    public async Task Should_return_200_OK_with_space_separated_scope_with_extra_spaces()
+    {
+        var port = PortFinder.GetRandomPort();
+        var route = GivenAuthRoute(port);
+        route.AuthenticationOptions.AllowedScopes = ["api", "api.read"];
+        var configuration = GivenConfiguration(route);
+        await GivenThereIsAnIdentityServer();
+        GivenThereIsAServiceRunningOn(port, HttpStatusCode.OK, "Extra spaces handled");
+
+        GivenThereIsAConfiguration(configuration);
+        GivenOcelotIsRunning(WithAspNetIdentityAuthentication);
+
+        // Generate token with space-separated scopes that have extra spaces
+        await GivenIHaveAToken(scope: "  api.read   api.write  ");
+        GivenIHaveAddedATokenToMyRequest();
+        await WhenIGetUrlOnTheApiGateway("/");
+        ThenTheStatusCodeShouldBe(HttpStatusCode.OK);
+        await ThenTheResponseBodyShouldBeAsync("Extra spaces handled");
+    }
+
+    [Fact]
+    [Trait("Feature", "Space-separated scopes")]
+    public async Task Should_return_200_OK_with_single_scope_without_spaces()
+    {
+        var port = PortFinder.GetRandomPort();
+        var route = GivenAuthRoute(port);
+        route.AuthenticationOptions.AllowedScopes = ["api", "api.read"];
+        var configuration = GivenConfiguration(route);
+        await GivenThereIsAnIdentityServer();
+        GivenThereIsAServiceRunningOn(port, HttpStatusCode.OK, "Single scope no spaces");
+
+        GivenThereIsAConfiguration(configuration);
+        GivenOcelotIsRunning(WithAspNetIdentityAuthentication);
+
+        // Generate token with single scope (no spaces) - should not be affected
+        await GivenIHaveAToken(scope: "api.read");
+        GivenIHaveAddedATokenToMyRequest();
+        await WhenIGetUrlOnTheApiGateway("/");
+        ThenTheStatusCodeShouldBe(HttpStatusCode.OK);
+        await ThenTheResponseBodyShouldBeAsync("Single scope no spaces");
+    }
+
     private static void Void() { }
 
     //private async Task GivenThereIsAnIdentityServerOn(string url, string apiName, AccessTokenType tokenType)

diff --git a/test/Ocelot.UnitTests/Infrastructure/ScopesAuthorizerTests.cs b/test/Ocelot.UnitTests/Infrastructure/ScopesAuthorizerTests.cs
@@ -90,7 +90,104 @@ public void Should_not_match_scopes_and_return_error_result()
         var result = _authorizer.Authorize(principal, allowedScopes);
 
         // Assert
-        ThenTheFollowingIsReturned(result, new ErrorResponse<bool>(fakeError));        
+        ThenTheFollowingIsReturned(result, new ErrorResponse<bool>(fakeError));
+    }
+
+    [Fact]
+    public void Should_split_space_separated_scope_and_match()
+    {
+        // Arrange
+        var principal = new ClaimsPrincipal();
+        var allowedScopes = new List<string> { "api.read", "api.write" };
+        var userScopes = new List<string> { "api.read api.write openid" }; // Space-separated scope claim
+        GivenTheParserReturns(new OkResponse<List<string>>(userScopes));
+
+        // Act
+        var result = _authorizer.Authorize(principal, allowedScopes);
+
+        // Assert
+        ThenTheFollowingIsReturned(result, new OkResponse<bool>(true));
+    }
+
+    [Fact]
+    public void Should_split_space_separated_scope_and_match_single_scope()
+    {
+        // Arrange
+        var principal = new ClaimsPrincipal();
+        var allowedScopes = new List<string> { "api.write" };
+        var userScopes = new List<string> { "api.read api.write openid" }; // Space-separated scope claim
+        GivenTheParserReturns(new OkResponse<List<string>>(userScopes));
+
+        // Act
+        var result = _authorizer.Authorize(principal, allowedScopes);
+
+        // Assert
+        ThenTheFollowingIsReturned(result, new OkResponse<bool>(true));
+    }
+
+    [Fact]
+    public void Should_split_space_separated_scope_but_not_match()
+    {
+        // Arrange
+        var fakeError = new FakeError();
+        var principal = new ClaimsPrincipal();
+        var allowedScopes = new List<string> { "admin" };
+        var userScopes = new List<string> { "api.read api.write openid" }; // Space-separated scope claim
+        GivenTheParserReturns(new OkResponse<List<string>>(userScopes));
+
+        // Act
+        var result = _authorizer.Authorize(principal, allowedScopes);
+
+        // Assert
+        ThenTheFollowingIsReturned(result, new ErrorResponse<bool>(fakeError));
+    }
+
+    [Fact]
+    public void Should_handle_multiple_scope_claims_without_splitting()
+    {
+        // Arrange
+        var principal = new ClaimsPrincipal();
+        var allowedScopes = new List<string> { "api.read" };
+        var userScopes = new List<string> { "api.read", "api.write" }; // Multiple separate claims
+        GivenTheParserReturns(new OkResponse<List<string>>(userScopes));
+
+        // Act
+        var result = _authorizer.Authorize(principal, allowedScopes);
+
+        // Assert
+        ThenTheFollowingIsReturned(result, new OkResponse<bool>(true));
+    }
+
+    [Fact]
+    public void Should_not_split_single_scope_without_spaces()
+    {
+        // Arrange
+        var principal = new ClaimsPrincipal();
+        var allowedScopes = new List<string> { "api.read" };
+        var userScopes = new List<string> { "api.read" }; // Single scope without spaces
+        GivenTheParserReturns(new OkResponse<List<string>>(userScopes));
+
+        // Act
+        var result = _authorizer.Authorize(principal, allowedScopes);
+
+        // Assert
+        ThenTheFollowingIsReturned(result, new OkResponse<bool>(true));
+    }
+
+    [Fact]
+    public void Should_handle_empty_string_after_splitting()
+    {
+        // Arrange
+        var principal = new ClaimsPrincipal();
+        var allowedScopes = new List<string> { "api.read" };
+        var userScopes = new List<string> { "  api.read  api.write  " }; // Scope with extra spaces
+        GivenTheParserReturns(new OkResponse<List<string>>(userScopes));
+
+        // Act
+        var result = _authorizer.Authorize(principal, allowedScopes);
+
+        // Assert
+        ThenTheFollowingIsReturned(result, new OkResponse<bool>(true));
     }
 
     private void GivenTheParserReturns(Response<List<string>> response)