Reputation: 2410
API is authorized without the Authorization Headers in Request using Identity Server 4 and .net core Identity
I am making the API call after the successfully login through Identity server from my vue application (SPA).
Firstly i was adding the Access token in the Header and it was Authorize but i was not getting the claim. Which i have the separate Question on SO, and now i tried by removing the access token from the header during API call the application is still being Authorized.
I don't understand how i should solve the problem.
service.interceptors.request.use(config => {
return authService
.getToken()
.then(tokenResponse => {
app.$Progress.start();
//config.headers.Authorization = `Bearer ${tokenResponse}`; removed Token
return Promise.resolve(config);
})
.catch(error => {
app.prototype.$Progress.fail();
alert("error");
});
});
Oidc Client Manager
export default {
authority: "https://localhost:44305",
client_id: "js",
redirect_uri: `${domain}/authredirect`,
response_type: "id_token token",
scope:"openid profile email api1 role",
post_logout_redirect_uri : `${domain}`,
silent_redirect_uri: `${domain}/silent`,
}
Identity Server Client Configuration
new Client
{
ClientId = "js",
ClientName = "JavaScript Client",
AllowedGrantTypes = GrantTypes.Implicit,
AllowAccessTokensViaBrowser = true,
AlwaysIncludeUserClaimsInIdToken = true,
RedirectUris = new List<string> {"http://localhost:8080/silent","http://localhost:8080/authredirect"},
PostLogoutRedirectUris = { "http://localhost:8080" },
AllowedCorsOrigins = { "http://localhost:8080" },
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"api1",
"role"
}
}
API Configure Services
public void ConfigureServices(IServiceCollection services)
{
services.AddMvcCore().AddJsonFormatters();
services.AddAuthorization();
services.AddCors(options =>
{
// this defines a CORS policy called "default"
options.AddPolicy("default", policy =>
{
policy.WithOrigins("http://localhost:8080")
.AllowAnyHeader()
.AllowAnyMethod();
});
});
var connectionString = Configuration.GetConnectionString("DefaultConnection");
services.AddDbContext<MyContext>(o => o.UseSqlServer(connectionString));
services.AddIdentity<User, IdentityRole<Guid>>().AddEntityFrameworkStores<MyContext>().AddDefaultTokenProviders();
// register the repository
services.AddScoped(typeof(IRepository<>), typeof(EfRepository<>));
services.AddMvcCore().AddJsonFormatters();
}
I have added the Project on Github. Please suggest me something. Link for Project not available currently, i will add again
![Image showing my Controller with [Authorize] attribute and debugging on the value for User.Identity](https://i.sstatic.net/W3uzM.png)
Upvotes: 1
Views: 974
Answers (1)
Reputation: 2410
I was able to solved the problems on this.
I was missing the DefaultChallengeScheme on my API ConfigureServices
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = IdentityServerAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = "oidc";
})
.AddIdentityServerAuthentication(options =>
{
options.Authority = "https://localhost:44305";
options.RequireHttpsMetadata = false;
options.ApiName = "api1";
});
Upvotes: 1
Related Questions
- IdentityServer4 always return 401 Unauthorized or 403 Forbidden
- .net 4.6 web api2 401 Unauthorized with identity server 4
- identity server 4 Getting 401 Unauthorized with valid access token
- Identity server: Authorization api returning 401
- Getting 401 Unauthorized with valid access token using identity server 4 with Asp.net Core API
- API access unauthorized unless AuthenticationScheme is specified
- IdentityServer4 - ASP .Net core 2 - getting unauthorized even using a valid token
- API Authorization with Identity Server 4 keeps returning 401 Unauthorized
- Authorization with Asp.Net Core WebAPI
- IdentityServer4 on Core 2.0 Getting 401 (Unauthorized) from the API