skyrunner

Reputation: 500

Missing "aud" claim in access token

For a reason unknown to me, the "aud" claim is not present in the access token (it is present in the ID token, though).

Once the access token is sent to the API, I get the following error:

Bearer was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'empty'. Did not match: validationParameters.ValidAudience: 'productconfigurationapi' or validationParameters.ValidAudiences: 'null'.

I know I can turn off audience validation and everything works then, but I don't get why "aud" is not part of the access token.

Here's my IS4 configuration:

the client:

    new Client
    {
        ClientId = "Spa",
        AllowedGrantTypes = GrantTypes.Implicit,
        AllowAccessTokensViaBrowser = true,
        AlwaysSendClientClaims = true,
        AlwaysIncludeUserClaimsInIdToken = true,
        AccessTokenType = AccessTokenType.Jwt,
        AllowedScopes =
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
            "productconfigurationapi"
        },
        RequireConsent = false
    }

the api resource:

    new ApiResource("productconfigurationapi")
    {
        UserClaims =
        {
            JwtClaimTypes.Audience
        }
    }

the API Scope:

    return new List<ApiScope>
    {
        new ApiScope("productconfigurationapi")
    };

and here's how IS4 is configured within its host application:

    services.AddIdentityServer()
        .AddDeveloperSigningCredential()
        .AddConfigurationStore(options =>
        {
        })
        .AddOperationalStore(options =>
        {
        })
        .AddAspNetIdentity<IdentityUser>()
        .AddJwtBearerClientAuthentication();

Upvotes: 12

Views: 8177

Answers (1)

Tore Nestenius

Reputation: 19991

You should tie the ApiScope to the ApiResource by setting the Scopes property:

var api = new ApiResource("productconfigurationapi")
{
    UserClaims =
    {
       //...optional user claims...
    },
    Scopes = new List<string>
    {
        "productconfigurationapi"
    },
};

To complement this answer, I wrote a blog post that goes into more detail about this topic: IdentityServer – IdentityResource vs. ApiResource vs. ApiScope

Upvotes: 18
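The following is an added example, not code from the asker or the answerer, showing the complete IdentityServer4 v4 configuration with the ApiScope tied to the ApiResource, the protected API keeping audience validation switched on, and a small helper for inspecting the "aud" claim of a token before anyone is tempted to disable the check. In-memory stores, the authority URL and the helper name are assumptions; the question's EF-based AddConfigurationStore/AddOperationalStore setup would seed the same objects into its database instead.

```csharp
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public static class Config
{
    // The scope the SPA asks for in its authorize request.
    public static IEnumerable<ApiScope> ApiScopes =>
        new List<ApiScope> { new ApiScope("productconfigurationapi") };

    // The resource that owns that scope. In IdentityServer4 v4 the ApiResource
    // constructor no longer creates a scope of the same name, so listing the
    // scope in Scopes is what makes the resource name appear in "aud".
    public static IEnumerable<ApiResource> ApiResources =>
        new List<ApiResource>
        {
            new ApiResource("productconfigurationapi")
            {
                Scopes = { "productconfigurationapi" }
            }
        };

    public static IEnumerable<Client> Clients =>
        new List<Client>
        {
            new Client
            {
                ClientId = "Spa",
                AllowedGrantTypes = GrantTypes.Implicit,
                AllowAccessTokensViaBrowser = true,
                AccessTokenType = AccessTokenType.Jwt,
                RequireConsent = false,
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "productconfigurationapi"
                }
            }
        };
}

public static class Startup
{
    // IdentityServer host (assumed: in-memory stores instead of EF stores).
    public static void ConfigureIdentityServer(IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddDeveloperSigningCredential()
            .AddInMemoryApiScopes(Config.ApiScopes)
            .AddInMemoryApiResources(Config.ApiResources)
            .AddInMemoryClients(Config.Clients)
            .AddAspNetIdentity<IdentityUser>();
    }

    // Protected API: audience validation stays on and names the resource,
    // so a token minted for some other API is rejected with IDX10214.
    public static void ConfigureApi(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "https://localhost:5001"; // assumed IdentityServer URL
                options.Audience = "productconfigurationapi";
            });
    }

    // Diagnostic helper (assumed name): read the "aud" values of a JWT without
    // validating it, to confirm the resource name is present before blaming
    // the API's validation settings. Never use this in place of validation.
    public static IEnumerable<string> ReadAudiences(string accessToken) =>
        new JwtSecurityTokenHandler().ReadJwtToken(accessToken).Audiences;
}
```

With the Scopes link in place, a token obtained with scope "productconfigurationapi" carries aud "productconfigurationapi" and the API's default audience check passes; without it, ReadAudiences returns an empty sequence, which is exactly the "Audiences: 'empty'" the error message reports.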
