Andrew Duffy

Reputation: 583

Code flow not working for Identity Server 4

I'm trying to update my .NET Core 3.0 React SPA to use code flow as opposed to implicit.

It is failing with "Invalid authorization code" in the logs of Identity Server.

Can anyone tell what is going wrong or what to check / try?

Do I need to do anything for PKCE, or just set it to true? (RequirePkce = true)

Seems to get a fair way before erroring.

I'm using oidc-client NPM package on the front end.

[13:14:44 Information] Invoking IdentityServer endpoint: "IdentityServer4.Endpoints.DiscoveryEndpoint" for "/.well-known/openid-configuration" (IdentityServer4.Hosting.IdentityServerMiddleware)

[13:14:44 Information] Invoking IdentityServer endpoint: "IdentityServer4.Endpoints.TokenEndpoint" for "/connect/token" (IdentityServer4.Hosting.IdentityServerMiddleware)

[13:14:44 Information] ClientAuthenticationSuccessEvent { ClientId: "MyProject.web", AuthenticationMethod: "NoSecret", Category: "Authentication", Name: "Client Authentication Success", EventType: Success, Id: 1010, Message: null, ActivityId: "80000050-0007-fe00-b63f-84710c7967bb", TimeStamp: 09/13/2019 03:14:44, ProcessId: 19196, LocalIpAddress: "::1:44343", RemoteIpAddress: "::1" } (IdentityServer4.Events.DefaultEventService)

[13:14:44 Information] Token request validation success TokenRequestValidationLog { ClientId: "MyProject.web", ClientName: "MyProject.web", GrantType: "authorization_code", Scopes: null, AuthorizationCode: "d473eae4ba0ca70d14ac02b1907466067ae97847cdba5f46ba78ce6a51d4c171", RefreshToken: null, UserName: null, AuthenticationContextReferenceClasses: null, Tenant: null, IdP: null, Raw: [("client_id": "MyProject.web"), ("code": "d473eae4ba0ca70d14ac02b1907466067ae97847cdba5f46ba78ce6a51d4c171"), ("redirect_uri": "https://localhost:44343/authentication/login-callback"), ("code_verifier": "7103488868084ec4aa94a62bcb9b422eac6fc24203eb4b14a8fdc9f3cad9839c358780cc40c546ecb8d58ac5e118b63e"), ("grant_type": "authorization_code")] } (IdentityServer4.Validation.TokenRequestValidator)

[13:14:44 Information] TokenIssuedSuccessEvent { ClientId: "MyProject.web", ClientName: "MyProject.web", RedirectUri: null, Endpoint: "Token", SubjectId: null, Scopes: "openid profile MyProject.webAPI", GrantType: "authorization_code", Tokens: [Token { TokenType: "id_token", TokenValue: "****gPHA" }, Token { TokenType: "access_token", TokenValue: "****YH5A" }], Category: "Token", Name: "Token Issued Success", EventType: Success, Id: 2000, Message: null, ActivityId: "80000050-0007-fe00-b63f-84710c7967bb", TimeStamp: 09/13/2019 03:14:44, ProcessId: 19196, LocalIpAddress: "::1:44343", RemoteIpAddress: "::1" } (IdentityServer4.Events.DefaultEventService)

[13:14:44 Information] Invoking IdentityServer endpoint: "IdentityServer4.Endpoints.UserInfoEndpoint" for "/connect/userinfo" (IdentityServer4.Hosting.IdentityServerMiddleware)

[13:14:44 Information] Profile service returned the following claim types: "given_name family_name" (IdentityServer4.ResponseHandling.UserInfoResponseGenerator)

[13:14:44 Information] Invoking IdentityServer endpoint: "IdentityServer4.Endpoints.TokenEndpoint" for "/connect/token" (IdentityServer4.Hosting.IdentityServerMiddleware)

[13:14:44 Information] ClientAuthenticationSuccessEvent { ClientId: "MyProject.web", AuthenticationMethod: "NoSecret", Category: "Authentication", Name: "Client Authentication Success", EventType: Success, Id: 1010, Message: null, ActivityId: "8000000c-0002-fc00-b63f-84710c7967bb", TimeStamp: 09/13/2019 03:14:44, ProcessId: 19196, LocalIpAddress: "::1:44343", RemoteIpAddress: "::1" } (IdentityServer4.Events.DefaultEventService)

[13:14:44 Error] Invalid authorization code{ code: "d473eae4ba0ca70d14ac02b1907466067ae97847cdba5f46ba78ce6a51d4c171" }, details: TokenRequestValidationLog { ClientId: "MyProject.web", ClientName: "MyProject.web", GrantType: "authorization_code", Scopes: null, AuthorizationCode: "d473eae4ba0ca70d14ac02b1907466067ae97847cdba5f46ba78ce6a51d4c171", RefreshToken: null, UserName: null, AuthenticationContextReferenceClasses: null, Tenant: null, IdP: null, Raw: [("client_id": "MyProject.web"), ("code": "d473eae4ba0ca70d14ac02b1907466067ae97847cdba5f46ba78ce6a51d4c171"), ("redirect_uri": "https://localhost:44343/authentication/login-callback"), ("code_verifier": "7103488868084ec4aa94a62bcb9b422eac6fc24203eb4b14a8fdc9f3cad9839c358780cc40c546ecb8d58ac5e118b63e"), ("grant_type": "authorization_code")] } (IdentityServer4.Validation.TokenRequestValidator)

[13:14:44 Information] TokenIssuedFailureEvent { ClientId: "MyProject.web", ClientName: "MyProject.web", RedirectUri: null, Endpoint: "Token", SubjectId: null, Scopes: null, GrantType: "authorization_code", Error: "invalid_grant", ErrorDescription: null, Category: "Token", Name: "Token Issued Failure", EventType: Failure, Id: 2001, Message: null, ActivityId: "8000000c-0002-fc00-b63f-84710c7967bb", TimeStamp: 09/13/2019 03:14:44, ProcessId: 19196, LocalIpAddress: "::1:44343", RemoteIpAddress: "::1" } (IdentityServer4.Events.DefaultEventService)

Upvotes: 5

Views: 3764

Answers (1)

Sreeram Nair

Reputation: 2397

Below is an implementation of Authorization Code Flow with Identity Server 4

using System.Collections.Generic;
using IdentityServer4.Models;

public class Example
{
    // Client registration for the authorization code grant, using the
    // IdentityServer4 Client model (ClientId, ClientName, ClientSecrets).
    public static IEnumerable<Client> Get()
    {
        // Sha512() is the IdentityServer4 hashing extension for stored secrets.
        var shakey = new Secret { Value = "mysecret".Sha512() };

        return new List<Client> {
            new Client {
                ClientId = "authorizationCodeTest2",
                ClientName = "Authorization Code Test",
                ClientSecrets = new List<Secret> { shakey },
                Enabled = true,
                // Equivalent to new List<string> { "authorization_code" }
                AllowedGrantTypes = GrantTypes.Code,
                AllowRememberConsent = false,
                RequireConsent = true,
                RedirectUris =
                  new List<string> {
                       "http://localhost:<<port>>/account/oAuth2"
                  },
                PostLogoutRedirectUris =
                  new List<string> {"http://localhost:<<port>>"},
                AllowedScopes = new List<string> {
                    "api"
                },
                AccessTokenType = AccessTokenType.Jwt
            }
        };
    }
}

Check if you are missing something on the Authentication Token and retry.

Upvotes: 3
