I have an Angular client that can log in to IdentityServer (implicit flow) with a username and password. See the screenshots below:
After logging in I get the following info:
When I click on the API button the following code is executed:
Answer Posted Below (Thanks to m3n7alsnak3 - see comments below):
API Startup class:
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Constants;
using Microsoft.AspNetCore.Authentication.JwtBearer;
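namespace Api
{
    /// <summary>
    /// Startup for the protected API. Incoming requests must carry a JWT bearer token issued by
    /// the IdentityServer at <c>Constants.Constant.AuthServer</c>; the "JsClient" policy further
    /// restricts endpoints to tokens that were issued to the "js" client.
    /// </summary>
    public class Startup
    {
        #region "Startup"
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }
        #endregion

        #region "ConfigureServices"
        /// <summary>
        /// Registers MVC, the authorization policies, the bearer-token authentication handler
        /// and the CORS policy. Authentication (is this token genuine and from our authority?)
        /// and authorization (does this caller satisfy the endpoint's policy?) are both the
        /// API's job; IdentityServer only issues the tokens.
        /// </summary>
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddMvcCore()
                .AddAuthorization(options =>
                {
                    // Only tokens issued to the "js" client satisfy this policy. It applies
                    // where [Authorize(Policy = "JsClient")] is used; a bare [Authorize] only
                    // checks that the token is valid.
                    options.AddPolicy("JsClient", config =>
                    {
                        config.RequireClaim("client_id", "js");
                    });
                })
                .AddJsonFormatters();

            #region "services.AddAuthentication"
            // "Bearer" becomes the default scheme. Scheme names are case-sensitive.
            services.AddAuthentication("Bearer")
                .AddIdentityServerAuthentication(options =>
                {
                    options.Authority = Constants.Constant.AuthServer;

                    // Audience check. Without ApiName the handler does not validate the "aud"
                    // claim, so a token minted for any other API behind the same authority would
                    // be accepted here. The value must equal the ApiResource name registered in
                    // IdentityServer (the log on this page shows "api1" in the token's "aud").
                    options.ApiName = "api1";

                    // DEVELOPMENT ONLY: allows discovery/JWKS over plain http. Leave at the
                    // default (true) in production, otherwise an on-path attacker can serve
                    // substitute signing keys.
                    options.RequireHttpsMetadata = false;
                });
            #endregion

            #region "services.AddCors"
            // Browser clients: only the SPA origin may call the API cross-site. Keep this list
            // exact (no wildcard origins); it is the API-side counterpart of the client's
            // allowed CORS origins in IdentityServer.
            services.AddCors(options =>
            {
                options.AddPolicy("default", policy =>
                {
                    policy.WithOrigins("http://localhost:5003")
                        .AllowAnyHeader()
                        .AllowAnyMethod();
                });
            });
            #endregion
        }
        #endregion

        #region "Configure"
        /// <summary>
        /// Builds the pipeline. Order matters: CORS runs before authentication so that preflight
        /// (OPTIONS) requests, which carry no token, are answered; authentication runs before
        /// MVC so that [Authorize] sees the authenticated principal.
        /// </summary>
        public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
        {
            loggerFactory.AddConsole(Configuration.GetSection("Logging"));
            loggerFactory.AddDebug();

            app.UseCors("default");
            app.UseAuthentication();
            app.UseMvc();
        }
        #endregion
    }
}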
IDS Startup Code:
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using AuthServer.Data;
using AuthServer.Models;
using AuthServer.Services;
using System.Reflection;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Extensions.Logging;
using Constants;
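namespace AuthServer
{
    /// <summary>
    /// Startup for the IdentityServer host. Users live in ASP.NET Identity (SQL Server);
    /// IdentityServer's client/resource configuration and its operational data (codes, tokens,
    /// consents) are persisted in the same database; Google is wired up as an external login
    /// provider.
    /// </summary>
    public class Startup
    {
        #region "Startup"
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }
        #endregion

        #region "ConfigureServices"
        /// <summary>
        /// Registers EF Core, ASP.NET Identity, MVC, IdentityServer (with EF-backed stores) and
        /// the Google external authentication handler.
        /// </summary>
        public void ConfigureServices(IServiceCollection services)
        {
            // Read the connection string once; the Identity context and both IdentityServer
            // stores share the same database.
            string connectionString = Configuration.GetConnectionString("DefaultConnection");
            var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;

            services.AddDbContext<ApplicationDbContext>(options =>
                options.UseSqlServer(connectionString));

            services.AddIdentity<ApplicationUser, IdentityRole>()
                .AddEntityFrameworkStores<ApplicationDbContext>()
                .AddDefaultTokenProviders();

            // Application services.
            services.AddTransient<IEmailSender, EmailSender>();

            services.AddMvc();

            // IdentityServer: clients, resources and operational data come from the database
            // via the two EF store registrations below (not from in-memory stores).
            services.AddIdentityServer()
                // DEVELOPMENT ONLY. A temporary signing key is generated per host, so it is
                // neither shared across instances nor managed/rotated. Replace with
                // AddSigningCredential(...) backed by a real certificate or key before deployment.
                .AddDeveloperSigningCredential()
                .AddAspNetIdentity<ApplicationUser>()
                // Client and resource configuration (clients, identity/API resources) from the DB.
                .AddConfigurationStore(options =>
                {
                    options.ConfigureDbContext = builder =>
                        builder.UseSqlServer(connectionString,
                            sql => sql.MigrationsAssembly(migrationsAssembly));
                })
                // Operational data (authorization codes, tokens, consents) from the DB.
                .AddOperationalStore(options =>
                {
                    options.ConfigureDbContext = builder =>
                        builder.UseSqlServer(connectionString,
                            sql => sql.MigrationsAssembly(migrationsAssembly));

                    // Automatic cleanup of expired grants is optional and left off here, as in
                    // the original; without it the persisted-grants table grows unbounded.
                    //options.EnableTokenCleanup = true;
                    //options.TokenCleanupInterval = 15; // interval in seconds. 15 seconds useful for debugging
                });

            services.AddAuthentication()
                .AddGoogle("Google", options =>
                {
                    // OAuth client credentials are loaded from configuration (user-secrets in
                    // development, environment variables or a secret store in production) and
                    // are never committed to source. The client ID/secret that used to be
                    // hard-coded here were published with this file and must be treated as
                    // compromised: revoke them in the Google API console and issue new ones.
                    options.ClientId = Configuration["Authentication:Google:ClientId"];
                    options.ClientSecret = Configuration["Authentication:Google:ClientSecret"];
                });
        }
        #endregion

        #region "Configure"
        /// <summary>
        /// Builds the HTTP pipeline: logging, error pages, static files, IdentityServer (which
        /// also installs the authentication middleware) and MVC routing.
        /// </summary>
        public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
        {
            loggerFactory.AddConsole(Configuration.GetSection("Logging"));
            loggerFactory.AddDebug();

            if (env.IsDevelopment())
            {
                // Detailed exception and database error pages can expose stack traces and
                // schema details; they must stay behind the IsDevelopment() check.
                app.UseDeveloperExceptionPage();
                app.UseBrowserLink();
                app.UseDatabaseErrorPage();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
            }

            app.UseStaticFiles();

            // app.UseAuthentication(); // not needed, since UseIdentityServer adds the authentication middleware
            app.UseIdentityServer();

            app.UseMvc(routes =>
            {
                routes.MapRoute(
                    name: "default",
                    template: "{controller=Home}/{action=Index}/{id?}");
            });
        }
        #endregion
    }
}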
API Log:
Hosting environment: Development
Content root path: C:\Users\Paul\Documents\Visual Studio 2017\Projects\AuthServer\Api
Now listening on: http://localhost:5001
Application started. Press Ctrl+C to shut down.
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 OPTIONS http://localhost:5001/identity
info: Microsoft.AspNetCore.Cors.Infrastructure.CorsService[4]
Policy execution successful.
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 84.7188ms 204
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 GET http://localhost:5001/identity
info: Microsoft.AspNetCore.Cors.Infrastructure.CorsService[4]
Policy execution successful.
[13:39:14 Information] Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler
Successfully validated the token.
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[2]
Successfully validated the token.
[13:39:14 Information] Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler
AuthenticationScheme: BearerIdentityServerAuthenticationJwt was successfully authenticated.
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[8]
AuthenticationScheme: BearerIdentityServerAuthenticationJwt was successfully authenticated.
[13:39:14 Information] IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler
AuthenticationScheme: Bearer was successfully authenticated.
info: IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler[8]
AuthenticationScheme: Bearer was successfully authenticated.
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[1]
Authorization was successful for user: prdiet.
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[1]
Executing action method Api.Controllers.IdentityController.Get (Api) with arguments ((null)) - ModelState is Valid
info: Microsoft.AspNetCore.Mvc.Formatters.Json.Internal.JsonResultExecutor[1]
Executing JsonResult, writing value System.Linq.Enumerable+SelectEnumerableIterator`2[System.Security.Claims.Claim,<>f__AnonymousType0`2[System.String,System.String]].
info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2]
Executed action Api.Controllers.IdentityController.Get (Api) in 224.2595ms
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 2045.1953ms 200 application/json; charset=utf-8
IDS Log:
2018-02-09 13:37:41.253 -05:00 [DBG] Using Identity.Application as default scheme for authentication
2018-02-09 13:37:41.338 -05:00 [DBG] Using Identity.External as default scheme for sign-in
2018-02-09 13:37:41.342 -05:00 [DBG] Using Identity.External as default scheme for sign-out
2018-02-09 13:37:41.346 -05:00 [DBG] Using Identity.Application as default scheme for challenge
2018-02-09 13:37:41.349 -05:00 [DBG] Using Identity.Application as default scheme for forbid
2018-02-09 13:38:20.503 -05:00 [DBG] CORS request made for path: /.well-known/openid-configuration from origin: http://localhost:5003
2018-02-09 13:38:21.589 -05:00 [DBG] Origin http://localhost:5003 is allowed: true
2018-02-09 13:38:21.604 -05:00 [DBG] CorsPolicyService allowed origin: http://localhost:5003
2018-02-09 13:38:21.729 -05:00 [DBG] Request path /.well-known/openid-configuration matched to endpoint type Discovery
2018-02-09 13:38:21.778 -05:00 [DBG] Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryEndpoint
2018-02-09 13:38:21.785 -05:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryEndpoint for /.well-known/openid-configuration
2018-02-09 13:38:21.801 -05:00 [DBG] Start discovery request
2018-02-09 13:38:23.306 -05:00 [DBG] Found ["openid","email","profile","api1.IdentityScope","admin","user","api1.APIScope","api1"] as all scopes in database
2018-02-09 13:38:23.535 -05:00 [DBG] Request path /connect/authorize matched to endpoint type Authorize
2018-02-09 13:38:23.635 -05:00 [DBG] Endpoint enabled: Authorize, successfully created handler: IdentityServer4.Endpoints.AuthorizeEndpoint
2018-02-09 13:38:23.640 -05:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
2018-02-09 13:38:23.658 -05:00 [DBG] Start authorize request
2018-02-09 13:38:23.687 -05:00 [DBG] No user present in authorize request
2018-02-09 13:38:23.714 -05:00 [DBG] Start authorize request protocol validation
2018-02-09 13:38:24.970 -05:00 [DBG] js found in database: true
2018-02-09 13:38:25.192 -05:00 [DBG] Found ["openid","profile"] identity scopes in database
2018-02-09 13:38:25.629 -05:00 [DBG] Found ["admin","user","api1.APIScope","api1"] API scopes in database
2018-02-09 13:38:25.797 -05:00 [DBG] Found ["openid","profile"] identity scopes in database
2018-02-09 13:38:26.099 -05:00 [DBG] Found ["admin","user","api1.APIScope","api1"] API scopes in database
2018-02-09 13:38:26.136 -05:00 [DBG] Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
2018-02-09 13:38:26.200 -05:00 [INF] ValidatedAuthorizeRequest
{
"ClientId": "js",
"ClientName": "js.client",
"RedirectUri": "http://localhost:5003/callback.html",
"AllowedRedirectUris": [
"http://localhost:5003/callback.html"
],
"SubjectId": "anonymous",
"ResponseType": "id_token token",
"ResponseMode": "fragment",
"GrantType": "implicit",
"RequestedScopes": "openid profile api1",
"State": "2e1163f138514b2ab6d9b3da5cca4a03",
"Nonce": "d5a791d91e664b28a021b589307cc6a9",
"Raw": {
"client_id": "js",
"redirect_uri": "http://localhost:5003/callback.html",
"response_type": "id_token token",
"scope": "openid profile api1",
"state": "2e1163f138514b2ab6d9b3da5cca4a03",
"nonce": "d5a791d91e664b28a021b589307cc6a9"
}
}
2018-02-09 13:38:26.232 -05:00 [INF] Showing login: User is not authenticated
2018-02-09 13:38:26.881 -05:00 [INF] AuthenticationScheme: Identity.External signed out.
2018-02-09 13:38:26.913 -05:00 [DBG] Start authorize request protocol validation
2018-02-09 13:38:27.728 -05:00 [DBG] js found in database: true
2018-02-09 13:38:27.883 -05:00 [DBG] Found ["openid","profile"] identity scopes in database
2018-02-09 13:38:28.250 -05:00 [DBG] Found ["admin","user","api1.APIScope","api1"] API scopes in database
2018-02-09 13:38:28.408 -05:00 [DBG] Found ["openid","profile"] identity scopes in database
2018-02-09 13:38:28.788 -05:00 [DBG] Found ["admin","user","api1.APIScope","api1"] API scopes in database
2018-02-09 13:38:28.796 -05:00 [DBG] Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
2018-02-09 13:38:57.996 -05:00 [DBG] Augmenting SignInContext
2018-02-09 13:38:58.004 -05:00 [DBG] Adding idp claim with value: local
2018-02-09 13:38:58.008 -05:00 [DBG] Adding amr claim with value: pwd
2018-02-09 13:38:58.016 -05:00 [DBG] Adding auth_time claim with value: 1518201538
2018-02-09 13:38:58.040 -05:00 [INF] AuthenticationScheme: Identity.Application signed in.
2018-02-09 13:38:58.049 -05:00 [INF] User logged in.
2018-02-09 13:38:58.109 -05:00 [INF] AuthenticationScheme: Identity.Application was successfully authenticated.
2018-02-09 13:38:58.119 -05:00 [INF] AuthenticationScheme: Identity.Application was successfully authenticated.
2018-02-09 13:38:58.129 -05:00 [DBG] Request path /connect/authorize/callback matched to endpoint type Authorize
2018-02-09 13:38:58.136 -05:00 [DBG] Endpoint enabled: Authorize, successfully created handler: IdentityServer4.Endpoints.AuthorizeCallbackEndpoint
2018-02-09 13:38:58.143 -05:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeCallbackEndpoint for /connect/authorize/callback
2018-02-09 13:38:58.163 -05:00 [DBG] Start authorize callback request
2018-02-09 13:38:58.179 -05:00 [DBG] User in authorize request: 8ae24a28-59f5-48a6-92c6-c6cac551341b
2018-02-09 13:38:58.184 -05:00 [DBG] Start authorize request protocol validation
2018-02-09 13:38:59.378 -05:00 [DBG] js found in database: true
2018-02-09 13:38:59.598 -05:00 [DBG] Found ["openid","profile"] identity scopes in database
2018-02-09 13:39:00.165 -05:00 [DBG] Found ["admin","user","api1.APIScope","api1"] API scopes in database
2018-02-09 13:39:00.406 -05:00 [DBG] Found ["openid","profile"] identity scopes in database
2018-02-09 13:39:01.020 -05:00 [DBG] Found ["admin","user","api1.APIScope","api1"] API scopes in database
2018-02-09 13:39:01.032 -05:00 [DBG] Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
2018-02-09 13:39:01.037 -05:00 [INF] ValidatedAuthorizeRequest
{
"ClientId": "js",
"ClientName": "js.client",
"RedirectUri": "http://localhost:5003/callback.html",
"AllowedRedirectUris": [
"http://localhost:5003/callback.html"
],
"SubjectId": "8ae24a28-59f5-48a6-92c6-c6cac551341b",
"ResponseType": "id_token token",
"ResponseMode": "fragment",
"GrantType": "implicit",
"RequestedScopes": "openid profile api1",
"State": "2e1163f138514b2ab6d9b3da5cca4a03",
"Nonce": "d5a791d91e664b28a021b589307cc6a9",
"SessionId": "f80b09fa34fe67f90117912fb01ee854",
"Raw": {
"client_id": "js",
"redirect_uri": "http://localhost:5003/callback.html",
"response_type": "id_token token",
"scope": "openid profile api1",
"state": "2e1163f138514b2ab6d9b3da5cca4a03",
"nonce": "d5a791d91e664b28a021b589307cc6a9"
}
}
2018-02-09 13:39:01.263 -05:00 [DBG] Client is configured to not require consent, no consent is required
2018-02-09 13:39:01.284 -05:00 [DBG] Creating Implicit Flow response.
2018-02-09 13:39:01.311 -05:00 [DBG] Getting claims for access token for client: js
2018-02-09 13:39:01.317 -05:00 [DBG] Getting claims for access token for subject: 8ae24a28-59f5-48a6-92c6-c6cac551341b
2018-02-09 13:39:01.722 -05:00 [DBG] Getting claims for identity token for subject: 8ae24a28-59f5-48a6-92c6-c6cac551341b and client: js
2018-02-09 13:39:01.729 -05:00 [DBG] In addition to an id_token, an access_token was requested. No claims other than sub are included in the id_token. To obtain more user claims, either use the user info endpoint or set AlwaysIncludeUserClaimsInIdToken on the client configuration.
2018-02-09 13:39:01.775 -05:00 [INF] Authorize endpoint response
{
"SubjectId": "8ae24a28-59f5-48a6-92c6-c6cac551341b",
"ClientId": "js",
"RedirectUri": "http://localhost:5003/callback.html",
"State": "2e1163f138514b2ab6d9b3da5cca4a03",
"Scope": "openid profile api1"
}
2018-02-09 13:39:01.824 -05:00 [DBG] Augmenting SignInContext
2018-02-09 13:39:01.829 -05:00 [INF] AuthenticationScheme: Identity.Application signed in.
2018-02-09 13:39:02.256 -05:00 [DBG] CORS request made for path: /.well-known/openid-configuration from origin: http://localhost:5003
2018-02-09 13:39:02.334 -05:00 [DBG] Origin http://localhost:5003 is allowed: true
2018-02-09 13:39:02.340 -05:00 [DBG] CorsPolicyService allowed origin: http://localhost:5003
2018-02-09 13:39:02.362 -05:00 [DBG] Request path /.well-known/openid-configuration matched to endpoint type Discovery
2018-02-09 13:39:02.372 -05:00 [DBG] Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryEndpoint
2018-02-09 13:39:02.392 -05:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryEndpoint for /.well-known/openid-configuration
2018-02-09 13:39:02.416 -05:00 [DBG] Start discovery request
2018-02-09 13:39:02.852 -05:00 [DBG] Found ["openid","email","profile","api1.IdentityScope","admin","user","api1.APIScope","api1"] as all scopes in database
2018-02-09 13:39:02.879 -05:00 [DBG] CORS request made for path: /.well-known/openid-configuration/jwks from origin: http://localhost:5003
2018-02-09 13:39:02.934 -05:00 [DBG] Origin http://localhost:5003 is allowed: true
2018-02-09 13:39:02.940 -05:00 [DBG] CorsPolicyService allowed origin: http://localhost:5003
2018-02-09 13:39:02.950 -05:00 [DBG] Request path /.well-known/openid-configuration/jwks matched to endpoint type Discovery
2018-02-09 13:39:02.957 -05:00 [DBG] Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryKeyEndpoint
2018-02-09 13:39:02.962 -05:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryKeyEndpoint for /.well-known/openid-configuration/jwks
2018-02-09 13:39:02.980 -05:00 [DBG] Start key discovery request
2018-02-09 13:39:03.093 -05:00 [DBG] CORS request made for path: /connect/userinfo from origin: http://localhost:5003
2018-02-09 13:39:03.148 -05:00 [DBG] Origin http://localhost:5003 is allowed: true
2018-02-09 13:39:03.154 -05:00 [DBG] CorsPolicyService allowed origin: http://localhost:5003
2018-02-09 13:39:03.192 -05:00 [DBG] CORS request made for path: /connect/userinfo from origin: http://localhost:5003
2018-02-09 13:39:03.250 -05:00 [DBG] Origin http://localhost:5003 is allowed: true
2018-02-09 13:39:03.257 -05:00 [DBG] CorsPolicyService allowed origin: http://localhost:5003
2018-02-09 13:39:03.273 -05:00 [DBG] Request path /connect/userinfo matched to endpoint type Userinfo
2018-02-09 13:39:03.289 -05:00 [DBG] Endpoint enabled: Userinfo, successfully created handler: IdentityServer4.Endpoints.UserInfoEndpoint
2018-02-09 13:39:03.296 -05:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.UserInfoEndpoint for /connect/userinfo
2018-02-09 13:39:03.318 -05:00 [DBG] Start userinfo request
2018-02-09 13:39:03.330 -05:00 [DBG] Bearer token found in header
2018-02-09 13:39:04.059 -05:00 [DBG] js found in database: true
2018-02-09 13:39:04.621 -05:00 [DBG] js found in database: true
2018-02-09 13:39:04.702 -05:00 [DBG] Calling into custom token validator: IdentityServer4.Validation.DefaultCustomTokenValidator
2018-02-09 13:39:04.722 -05:00 [DBG] Token validation success
{
"ValidateLifetime": true,
"AccessTokenType": "Jwt",
"ExpectedScope": "openid",
"Claims": {
"nbf": 1518201541,
"exp": 1518205141,
"iss": "http://localhost:5000",
"aud": [
"http://localhost:5000/resources",
"api1"
],
"client_id": "js",
"sub": "8ae24a28-59f5-48a6-92c6-c6cac551341b",
"auth_time": 1518201538,
"idp": "local",
"name": "prdiet",
"email": "[email protected]",
"scope": [
"openid",
"profile",
"api1"
],
"amr": "pwd"
}
}
2018-02-09 13:39:04.745 -05:00 [DBG] Creating userinfo response
2018-02-09 13:39:04.761 -05:00 [DBG] Scopes in access token: openid profile api1
2018-02-09 13:39:04.773 -05:00 [DBG] Scopes in access token: openid profile api1
2018-02-09 13:39:04.896 -05:00 [DBG] Found ["openid","profile"] identity scopes in database
2018-02-09 13:39:04.905 -05:00 [DBG] Requested claim types: sub zoneinfo birthdate gender website picture profile locale preferred_username middle_name given_name family_name name nickname updated_at
2018-02-09 13:39:04.911 -05:00 [DBG] Scopes in access token: openid profile api1
2018-02-09 13:39:05.006 -05:00 [DBG] Found ["openid","profile"] identity scopes in database
2018-02-09 13:39:05.139 -05:00 [INF] Profile service returned to the following claim types: sub preferred_username name
2018-02-09 13:39:05.149 -05:00 [DBG] End userinfo request
2018-02-09 13:39:05.200 -05:00 [INF] AuthenticationScheme: Identity.Application was successfully authenticated.
2018-02-09 13:39:05.217 -05:00 [INF] AuthenticationScheme: Identity.Application was successfully authenticated.
2018-02-09 13:39:05.228 -05:00 [DBG] Request path /connect/checksession matched to endpoint type Checksession
2018-02-09 13:39:05.237 -05:00 [DBG] Endpoint enabled: Checksession, successfully created handler: IdentityServer4.Endpoints.CheckSessionEndpoint
2018-02-09 13:39:05.244 -05:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.CheckSessionEndpoint for /connect/checksession
2018-02-09 13:39:05.255 -05:00 [DBG] Rendering check session result
2018-02-09 13:39:05.538 -05:00 [DBG] CORS request made for path: /.well-known/openid-configuration from origin: http://localhost:5003
2018-02-09 13:39:05.608 -05:00 [DBG] Origin http://localhost:5003 is allowed: true
2018-02-09 13:39:05.613 -05:00 [DBG] CorsPolicyService allowed origin: http://localhost:5003
2018-02-09 13:39:05.624 -05:00 [DBG] Request path /.well-known/openid-configuration matched to endpoint type Discovery
2018-02-09 13:39:05.632 -05:00 [DBG] Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryEndpoint
2018-02-09 13:39:05.637 -05:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryEndpoint for /.well-known/openid-configuration
2018-02-09 13:39:05.646 -05:00 [DBG] Start discovery request
2018-02-09 13:39:06.042 -05:00 [DBG] Found ["openid","email","profile","api1.IdentityScope","admin","user","api1.APIScope","api1"] as all scopes in database
2018-02-09 13:39:06.082 -05:00 [INF] AuthenticationScheme: Identity.Application was successfully authenticated.
2018-02-09 13:39:06.092 -05:00 [INF] AuthenticationScheme: Identity.Application was successfully authenticated.
2018-02-09 13:39:06.102 -05:00 [DBG] Request path /connect/checksession matched to endpoint type Checksession
2018-02-09 13:39:06.108 -05:00 [DBG] Endpoint enabled: Checksession, successfully created handler: IdentityServer4.Endpoints.CheckSessionEndpoint
2018-02-09 13:39:06.114 -05:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.CheckSessionEndpoint for /connect/checksession
2018-02-09 13:39:06.125 -05:00 [DBG] Rendering check session result
2018-02-09 13:39:13.278 -05:00 [DBG] Request path /.well-known/openid-configuration matched to endpoint type Discovery
2018-02-09 13:39:13.284 -05:00 [DBG] Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryEndpoint
2018-02-09 13:39:13.290 -05:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryEndpoint for /.well-known/openid-configuration
2018-02-09 13:39:13.298 -05:00 [DBG] Start discovery request
2018-02-09 13:39:13.703 -05:00 [DBG] Found ["openid","email","profile","api1.IdentityScope","admin","user","api1.APIScope","api1"] as all scopes in database
2018-02-09 13:39:14.217 -05:00 [DBG] Request path /.well-known/openid-configuration/jwks matched to endpoint type Discovery
2018-02-09 13:39:14.223 -05:00 [DBG] Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryKeyEndpoint
2018-02-09 13:39:14.229 -05:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryKeyEndpoint for /.well-known/openid-configuration/jwks
2018-02-09 13:39:14.238 -05:00 [DBG] Start key discovery request
Finally the API response:
The two calls that you mentioned — .AddJwtBearer on services.AddAuthentication() and services.AddAuthorization() — belong in your API's Startup.cs, not in the IdentityServer one.
And likewise the policy is specified in the API, not in IDS.
Why is that? By calling services.AddAuthentication() (with whatever handler — JwtBearer in your case) the API is saying: "These resources are protected; authenticate against this authority to access them." It is the API that validates each incoming token (signature, issuer, lifetime) before trusting any claim in it.
Then comes the authorization part, which is again the API's responsibility, not IdentityServer's. The policy that you specify is API-specific, which means:
Hey, you are authenticated against that authority, but I have some more requirements/rules to let you in.
And there you specify the rules. You can treat policy-based authorization as a more flexible form of role-based authorization, or as a custom authorization attribute — but the important part is that it is the API's responsibility, because only the API knows which claims a caller needs for each endpoint.
Start from there, and see what happens then.
EDIT
Based on our discussion, I'm updating the answer. Now try switching your API startup to the following:
public void ConfigureServices(IServiceCollection services)
{
    // Clear the legacy inbound claim-type map so the JWT's claim names ("sub", "client_id",
    // "scope", ...) reach the ClaimsPrincipal unchanged (otherwise e.g. "sub" is mapped to
    // ClaimTypes.NameIdentifier). Do this before any authentication handler is created.
    JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
    services
        .AddMvcCore()
        .AddAuthorization(options =>
        {
            // your policies
        })
    // more code
    // "Bearer" is the default scheme; the name is case-sensitive.
    services.AddAuthentication("Bearer")
        .AddIdentityServerAuthentication(options =>
        {
            options.Authority = <ids address>;
            // Development only; keep the default (true) outside of local testing so the
            // discovery document and signing keys are fetched over https.
            // NOTE(review): consider also setting options.ApiName so the audience is validated.
            options.RequireHttpsMetadata = false;
        });
    // more code
Keep the surrounding code. And be careful: in your test scenario 2 you called services.AddAuthorization() twice. Call it only once (as shown above). Give it a try.
EDIT 2
In services.AddAuthentication("Bearer") the scheme name "Bearer" has a capital (upper-case) B! Scheme names are case-sensitive, and the default scheme must match the one the handler registers under, otherwise the handler is not used for incoming requests.