Zoe

Reputation: 876

Simple IdentityServer3/OpenIdConnect solution not working - HTTP 401.0 - Unauthorized

I am new to IdentityServer and OpenId Connect. I am working with .NET Framework 6 and IdentityServer3 and OpenId Connect. I have been through the three walkthroughs in the Overview section of the IdentityServer3 documentation - with console client, MVC client, and JavaScript client - and have those working solutions as a model. I am now trying to build my own authentication service with a simple MVC client for test purposes. It's not working. The symptom of its not working is that the MVC client About page, which is secured with the [Authorize] attribute in the Home controller, reports HTTP 401.0 - Unauthorized without ever redirecting the user to the login page. I've reviewed the network traffic in the Chrome developer tools and see the initial requests for /Home/About returning HTTP 401, never the expected HTTP 302 Redirect.

My IdentityServer3 configuration looks like this:

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // TODO: Replace use of InMemoryUsers with custom Orvis UserService
        app.UseIdentityServer(new IdentityServerOptions
        {
            SiteName = "MyClient Authentication Service",
            SigningCertificate = LoadCertificate(),
            Factory = new IdentityServerServiceFactory()
            .UseInMemoryClients(Clients.Get())
            .UseInMemoryScopes(Scopes.Get())
            .UseInMemoryUsers(Users.Get().ToList()),
            RequireSsl = true
        });
    }

    X509Certificate2 LoadCertificate()
    {
        // TODO: Get real signing certificate?
        return new X509Certificate2(string.Format(@"{0}\bin\idsrv3test.pfx", AppDomain.CurrentDomain.BaseDirectory), "idsrv3test");
    }
}

The GetClients and GetScopes code looks like this:

public static IEnumerable<Client> Get()
{
    // TODO: Replace hard-coded implementation of Clients.Get() with a configuration-driven implementation
    return new List<Client>
    {
        new Client
        {
            Enabled = true,
            ClientId = "mvc-sample",
            ClientName = "MVC Sample Client",
            RequireConsent = false,
            Flow = Flows.Implicit,
            RedirectUris = new List<string> { "http:/localhost:37320" },
            AllowedCorsOrigins = new List<string> { "http://localhost:37320/" },
            AllowedScopes = new List<string> { "orvis-services", "orvis-shopper-service" }
        }
    };
}

public static IEnumerable<Scope> Get()
{
    return new List<Scope>
    {
        new Scope
        {
            Name = "all-services",
            DisplayName = "All Services", 
            Description = "Access to all microservices",
            Type = ScopeType.Resource
        }, 
        new Scope
        {
            Name = "shopper-service",
            DisplayName = "Shopper Service",
            Description = "Access to the Shopper microservice", 
            Type = ScopeType.Resource
        }
    };
}

And my client configuration looks like this:

public void Configuration(IAppBuilder app)
{
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = "Cookies"
    });

    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        Authority = "https://localhost:44332",
        ClientId = "mvc-sample",
        RedirectUri = "http://localhost:37320",
        ResponseType = "id_token",
        SignInAsAuthenticationType = "Cookies"
    });
}

So, very similar to the IdentityServer3 "Getting Started: MVC Authentication and Web APIs" walkthrough. One difference is that the walkthrough has the client and server code in the same project and I've split them out into separate projects.

Since the dev tools network tab shows the request to /Home/About with a 401.0 response instead of the expected 302 response, I suspect there's something wrong with the client setup. But, beyond the browser dev tools, I'm not sure where to look to get at the underlying details.

Any suggestions appreciated.

Upvotes: 0

Views: 315

Answers (1)

Zoe

Reputation: 876

The problem was that the IdentityServer3 walkthrough that I was using as a model had the IdentityServer and the MVC client in one project. When I created them separately, I added the Microsoft.Owin.Host.SystemWeb and IdentityServer3 packages to the IdentityServer project and the Microsoft.Owin.Security.Cookies and Microsoft.Owin.Security.OpenIdConnect packages to the MVC client project. It turns out that the MVC client project also requires the Microsoft.Owin.Host.SystemWeb package. Without it, the Startup.Configuration() method is never called.

Upvotes: 2
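
An added example, not part of the original answer and not IdentityServer3 or Katana code: a check over a project's packages.config that flags OWIN security middleware referenced without the Microsoft.Owin.Host.SystemWeb host, the condition the answer describes. It assumes an IIS/System.Web-hosted project that uses packages.config; the function names, the sample documents and their version numbers are constructed for illustration.

```python
import xml.etree.ElementTree as ET

HOST = "microsoft.owin.host.systemweb"         # NuGet ids are case-insensitive
MIDDLEWARE_PREFIX = "microsoft.owin.security"  # Cookies, OpenIdConnect, ...


def installed_packages(packages_config_xml):
    """Return the lower-cased package ids listed in a packages.config document."""
    root = ET.fromstring(packages_config_xml)
    return {p.get("id", "").lower() for p in root.iter("package")} - {""}


def missing_owin_host(packages_config_xml):
    """Return the OWIN security packages that have no System.Web host to run them.

    An empty list means either the host package is present or the project
    references no OWIN security middleware at all.
    """
    ids = installed_packages(packages_config_xml)
    middleware = sorted(i for i in ids if i.startswith(MIDDLEWARE_PREFIX))
    return [] if HOST in ids else middleware


# Constructed sample: the MVC client as the answer describes it before the fix.
# Version numbers are placeholders, not real package versions.
CLIENT_BEFORE = """<packages>
  <package id="Microsoft.Owin" version="0.0.0" />
  <package id="Microsoft.Owin.Security.Cookies" version="0.0.0" />
  <package id="Microsoft.Owin.Security.OpenIdConnect" version="0.0.0" />
</packages>"""

# Constructed sample: the same project after adding the host package.
# The id is written with different casing on purpose; the check must still match.
CLIENT_AFTER = CLIENT_BEFORE.replace(
    "</packages>",
    '  <package id="Microsoft.Owin.Host.Systemweb" version="0.0.0" />\n</packages>')

if __name__ == "__main__":
    for name, doc in (("before", CLIENT_BEFORE), ("after", CLIENT_AFTER)):
        orphaned = missing_owin_host(doc)
        status = "OK" if not orphaned else "no host for: " + ", ".join(orphaned)
        print(name + ": " + status)
```

A non-empty result for a System.Web-hosted project means the Startup class that registers the cookie and OpenID Connect middleware will not be invoked, so [Authorize] produces a bare 401 rather than a redirect to the login page.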
