Embedded IdentityServer 4 with Aspnet Identity and resource owner

Question

I am trying to use IdentityServer4 with resource owner flow + aspnet identity and embed the api in the same project.

I tested the Sample here on github and it's working fine. I am able to retrieve a token for a registered user in the database and use this token to get protected resources from the api.

The sample the api is separated from the identity server, once both are merged into one project, im still able to get a token, BUT I get 401 Unauthorized while trying to access the protected resource. somehow the embedded api is no longer validating the token.

here's the Startup.cs code :

// This method gets called by the runtime. Use this method to add services to the container.
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDbContext<ApplicationDbContext>(options =>
            options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));

        //(1)
        services.AddIdentity<ApplicationUser, IdentityRole>()
            .AddEntityFrameworkStores<ApplicationDbContext>()
            .AddDefaultTokenProviders();

        services.AddMvc(config =>
        {
            var policy = new AuthorizationPolicyBuilder()
                         .RequireAuthenticatedUser()
                         .Build();
            config.Filters.Add(new AuthorizeFilter(policy));
        });

        services
            .AddIdentityServer()
            .AddDeveloperSigningCredential()
            .AddInMemoryPersistedGrants()
            .AddInMemoryIdentityResources(Config.GetIdentityResources())
            .AddInMemoryApiResources(Config.GetApiResources())
            .AddInMemoryClients(Config.GetClients())
        //(2)
        .AddAspNetIdentity<ApplicationUser>();
        //.AddTestUsers(Config.GetUsers());

        var corsBuilder = new CorsPolicyBuilder();
        corsBuilder.AllowAnyHeader();
        corsBuilder.AllowAnyMethod();
        corsBuilder.AllowAnyOrigin();
        corsBuilder.AllowCredentials();
        corsBuilder.WithExposedHeaders("Location");

        services.AddCors(options =>
        {
            options.AddPolicy("CorsPolicy", corsBuilder.Build());
        });

        services.AddMvcCore()
            .AddAuthorization()
            .AddJsonFormatters();

        services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "http://localhost:51318";
                options.RequireHttpsMetadata = false;

                options.ApiName = "api";
            });
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
            app.UseBrowserLink();
        }
        else
        {
            app.UseExceptionHandler("/Home/Error");
        }

        app.UseStaticFiles();

        app.UseCors("CorsPolicy");

        app.UseIdentityServer();

        app.UseAuthentication();

        app.UseMvc(routes =>
        {
            routes.MapRoute(
                name: "default",
                template: "{controller=Home}/{action=Index}/{id?}");
        });
    }

Note that if we swith to in memory TestUser instead of persisted ApplicationUser by commenting the code in (1) and changing the code in (2) to :

    //(2)
    //.AddAspNetIdentity<ApplicationUser>();
    .AddTestUsers(Config.GetUsers());

the whole system works and the embedded api is authenticating the user normally.

Is there something missing in this code ? In real life scenarios the api will almost always be embedded with the identity server because of cost efficiency, is there any example I can use to make it work ?

Thank you.

Answer 1

After digging into AspNet Identity source code, I realized that the AddIdentity extension was doing some extra work that prevents from validating the token, but without it and the AddEntityFrameworkStores method the identity managers were not set by dependency injection.

So we need to replace :

        services.AddIdentity<ApplicationUser, IdentityRole>()
        .AddEntityFrameworkStores<ApplicationDbContext>()
        .AddDefaultTokenProviders();

by a piece of code that does only dependency injection like that :

        services.TryAddScoped<IUserValidator<ApplicationUser>, UserValidator<ApplicationUser>>();
        services.TryAddScoped<IPasswordValidator<ApplicationUser>, PasswordValidator<ApplicationUser>>();
        services.TryAddScoped<IPasswordHasher<ApplicationUser>, PasswordHasher<ApplicationUser>>();
        services.TryAddScoped<ILookupNormalizer, UpperInvariantLookupNormalizer>();
        services.TryAddScoped<IRoleValidator<IdentityRole>, RoleValidator<IdentityRole>>();
        services.TryAddScoped<IdentityErrorDescriber>();
        services.TryAddScoped<ISecurityStampValidator, SecurityStampValidator<ApplicationUser>>();
        services.TryAddScoped<IUserClaimsPrincipalFactory<ApplicationUser>, UserClaimsPrincipalFactory<ApplicationUser, IdentityRole>>();
        services.TryAddScoped<UserManager<ApplicationUser>, AspNetUserManager<ApplicationUser>>();
        services.TryAddScoped<SignInManager<ApplicationUser>, SignInManager<ApplicationUser>>();
        services.TryAddScoped<RoleManager<IdentityRole>, AspNetRoleManager<IdentityRole>>();

        services.TryAddScoped<IRoleStore<IdentityRole>, RoleStore<IdentityRole>>();
        services.TryAddScoped<DbContext, ApplicationDbContext>();
        services.TryAddScoped<IUserStore<ApplicationUser>, UserStore<ApplicationUser>>();

by doing this, the final result is a working identity server embedded in the api with AspNet Identity.