It looks like the same issue is there with the .NET SDK as it's also supplying scopes in the body. (Which was the original reason I was trying to use Postman). I'm going to see if I can circumvent Kinde's auth in some way without just forking the library to see if I can get it to work if I supply scope in the header.
Also, I'll log a GitHub issue but I also think the current approach that Kinde has towards exception management in that SDK could do with some improvement. Here's Kinde's code when authentication fails.
if (!response.IsSuccessStatusCode || string.IsNullOrEmpty(content))
{
    throw new ApplicationException("Invalid response from server: No token received");
}
There are two issues with this:
- There is no way for a developer to understand why authentication failed unless they attach a debugger before the ApplicationException is thrown, as the actual error is never reported, just a generic "no token received". This is going to be problematic when troubleshooting issues outside of a developer's local machine (e.g. production). If data sensitivity is a concern, at least allow for a config value to allow for sensitive exceptions to be thrown (just like with the .NET OIDC libraries, where you can have a config setting to allow for PII data to be output).
- Kinde is throwing ApplicationException. Both Microsoft and JetBrains state in their best practices and code analytics: do not throw ApplicationException (https://learn.microsoft.com/en-us/dotnet/standard/design-guidelines/using-standard-exception-types). The problem with throwing just the base Exception and ApplicationException types is that they are so general they give very little indication of what went wrong. I would suggest throwing a custom Kinde exception or using one of the .NET security or HTTP exception types.