Reputation: 23
I'm trying to validate a token generated from IDS4 using IdentityServer3.AccessTokenValidation, but I receive 401 every time.
I had followed the suggestion I saw in different articles:
using System.Configuration;
using System.Reflection;
using System.Web.Http;
using Autofac;
using Autofac.Integration.WebApi;
using IdentityServer3.AccessTokenValidation;
using Microsoft.Owin.Cors;
using Microsoft.Owin.Security.Cookies;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        var config = new HttpConfiguration();

        // Autofac container for Web API controllers, filters and modules
        var builder = new ContainerBuilder();
        builder.RegisterApiControllers(Assembly.GetExecutingAssembly());
        var executingAssembly = Assembly.GetExecutingAssembly();
        Api.Register(builder, executingAssembly);
        builder.RegisterWebApiFilterProvider(GlobalConfiguration.Configuration);
        builder.RegisterAssemblyModules(executingAssembly);
        var container = builder.Build();
        config.DependencyResolver = new AutofacWebApiDependencyResolver(container);
        var webApiResolver = new AutofacWebApiDependencyResolver(container);
        GlobalConfiguration.Configuration.DependencyResolver = webApiResolver;

        app.UseCors(CorsOptions.AllowAll);
        app.UseAutofacWebApi(config);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        // Bearer token validation against the IdentityServer authority from web.config
        var options = new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = ConfigurationManager.AppSettings["IdentityServer:Authority"],
            AuthenticationType = "Bearer",
            RequiredScopes = new[] { ConfigurationManager.AppSettings["IdentityServer:ApiScope"] },
        };
        app.UseIdentityServerBearerTokenAuthentication(options);

        WebApiConfig.Register(config);
        // Require an authenticated caller on every controller
        config.Filters.Add(new AuthorizeAttribute());
        app.UseWebApi(config);
    }
}
This should authorize the token I send from the app. The authorization is applied to all the controllers, and I see the controller's constructor being hit, but the action isn't getting called. Does that mean the validation of the token is working fine? I also see that the Authority I'm sending is correct.
I get the following error after I turned on Katana logging:
IdentityServer3.AccessTokenValidation.ValidationEndpointTokenProvider Information: 0 : Error returned from token validation endpoint: Not Found
Microsoft.Owin.Security.OAuth.OAuthBearerAuthenticationMiddleware Warning: 0 : invalid bearer token received
Upvotes: 1
Views: 1996
Reputation: 1900
I spent many hours on this issue. The solution listed above was in many other articles, however it did not work for me.
I added tracing for Katana and it helped a lot. I added:
<!-- web.config -->
<system.diagnostics>
  <trace autoflush="true" />
  <sources>
    <source name="Microsoft.Owin">
      <listeners>
        <add name="KatanaListener" />
      </listeners>
    </source>
  </sources>
  <sharedListeners>
    <add name="KatanaListener" type="System.Diagnostics.TextWriterTraceListener" initializeData="katana.trace.log" traceOutputOptions="ProcessId, DateTime" />
  </sharedListeners>
  <switches>
    <add name="Microsoft.Owin" value="Verbose" />
  </switches>
</system.diagnostics>
Searching these errors, I found this article which solved my issues: https://github.com/IdentityServer/IdentityServer4/issues/3705
I had to change my IdServer4 so that it would use JWT tokens instead of at+jwt. I also enabled EmitLegacyResourceAudienceClaim.
Later I added IdentityServer3.Contrib.AccessTokenValidation to my webapi so that it accepted explicit typing of JWT (at+jwt).
Upvotes: 0
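Added diagnostic, not code from either answer: a small Python script that decodes a bearer token (without verifying its signature) and reports the things the answer above had to change on the IdentityServer4 side, the JWT `typ` header (IdentityServer4's `AccessTokenJwtType` option, `at+jwt` by default) and the legacy `{authority}/resources` audience that `EmitLegacyResourceAudienceClaim` restores, plus the scope the middleware's `RequiredScopes` asks for. The authority URL and both sample tokens are constructed, not taken from the question.

```python
import base64
import json

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_jwt(header: dict, payload: dict) -> str:
    """Build a constructed test token; 'sig' stands in for a real signature."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc(header), enc(payload), "sig"])

def decode_jwt(token: str):
    """Split a compact JWT and decode header and payload; no signature check is done."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a 3-part JWS compact token")
    header, payload = (json.loads(b64url_decode(p)) for p in parts[:2])
    return header, payload

def check_token(token: str, authority: str, required_scope: str) -> dict:
    """Report the header/claim values IdentityServer3.AccessTokenValidation relies on."""
    header, payload = decode_jwt(token)
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    scope = payload.get("scope", [])
    scope = scope.split() if isinstance(scope, str) else list(scope)
    legacy_aud = authority.rstrip("/") + "/resources"
    return {
        "typ": header.get("typ"),
        "typ_ok": header.get("typ") == "JWT",  # "at+jwt" is not accepted by the old handler
        "aud": aud,
        "aud_ok": legacy_aud in aud,           # needs EmitLegacyResourceAudienceClaim on IS4
        "scope_ok": required_scope in scope,   # must match RequiredScopes in the middleware
    }

AUTHORITY = "https://idsrv.example.test"  # assumed value of IdentityServer:Authority
# Constructed token shaped like IdentityServer4's default output: typ at+jwt, no legacy audience.
DEFAULT_IS4_TOKEN = make_unsigned_jwt(
    {"alg": "RS256", "typ": "at+jwt", "kid": "k1"},
    {"iss": AUTHORITY, "aud": ["api1"], "scope": ["api1"], "client_id": "app"},
)
# Constructed token after AccessTokenJwtType = "JWT" and EmitLegacyResourceAudienceClaim = true.
FIXED_TOKEN = make_unsigned_jwt(
    {"alg": "RS256", "typ": "JWT", "kid": "k1"},
    {"iss": AUTHORITY, "aud": ["api1", AUTHORITY + "/resources"], "scope": ["api1"], "client_id": "app"},
)
```

Run `check_token` against a token captured from your own app's Authorization header to see which of the three checks fails before changing the server configuration.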
Reputation: 1651
You'll need ClientId and Client Secret - the Api is a resource, but since you're using Reference tokens, you'll need something like this:
// The options are passed to the middleware; the API's own ClientId/ClientSecret are
// what it presents to the validation endpoint when checking reference tokens
app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
    Authority = "https://idsrvurl:44333/core",
    RequiredScopes = new[] { "api1" },
    ClientId = "api1",
    ClientSecret = "secret"
});
Upvotes: 0