Invalid redirect_uri IdentityServer4 and AppAuth

Question

I'm using the IdentityServer template that comes with asp.net core 3.1. So far so good, the SPA app works with the implicit flow. Now I have a mobile application that I want to use with the same identity server.

So in appsettings.json i added a new key charla-mobile, and set the Profile to NativeApp, assuming i can use my own configuration as per https://github.com/dotnet/aspnetcore/blob/62c098bc170f50feca15916e81cb7f321ffc52ff/src/Identity/ApiAuthorization.IdentityServer/src/Configuration/ConfigureClients.cs#L56:

   "IdentityServer": {
    "Key": {
      "Type": "Development"
    },     
    "Clients": {
        "Charla": {
            "Profile": "IdentityServerSPA"
        },
        "charla-mobile": {
          "Enabled": true,
          "Profile": "NativeApp",
          "ClientName": "Charla Mobile Client (Code with PKCE)",
          "RequireClientSecret" : false,  
          "RedirectUris": ["http://localhost:8100/implicit/authcallback", "com.appauth.demo://callback"],
          "AllowedGrantTypes": [ "code", "implicit" ],
          "RequirePkce": true,
          "AllowedScopes": ["converse-appAPI", "openid", "profile"]
          
        }
    }
    
  }

Problem is i keep getting Invalid redirect_uri although im calling it from the javascript library with the same url (http://localhost:8100/implicit/authcallback):

Invalid redirect_uri: http: //localhost:8100/implicit/authcallback
    {
        "ClientId": "charla-mobile",
        "ClientName": "charla-mobile",
        "RedirectUri": null,
        "AllowedRedirectUris": ["urn:ietf:wg:oauth:2.0:oob"],
        "SubjectId": "anonymous",
        "ResponseType": null,
        "ResponseMode": null,
        "GrantType": null,
        "RequestedScopes": "",
        "State": null,
        "UiLocales": null,
        "Nonce": null,
        "AuthenticationContextReferenceClasses": null,
        "DisplayMode": null,
        "PromptMode": null,
        "MaxAge": null,
        "LoginHint": null,
        "SessionId": null,
        "Raw": {
            "redirect_uri": "http://localhost:8100/implicit/authcallback",
            "client_id": "charla-mobile",
            "response_type": "code",
            "state": "4qtaYswLFK",
            "scope": "converse-appAPI openid profile",
            "code_challenge": "opKV8gSVV5X7pQ7eTvQ3Lp40A7BXplkz4RiGkEFgBcc",
            "code_challenge_method": "S256"
        },
        "$type": "AuthorizeRequestValidationLog"
    }

and from chrome network tab:

Full log as requested

Application started. Press Ctrl+C to shut down.
[18:38:49 DBG] CORS request made for path: /.well-known/openid-configuration from origin: http://localhost:8100
[18:38:49 DBG] CorsPolicyService allowed origin: http://localhost:8100
[18:38:49 DBG] Login Url: /auth/login
[18:38:49 DBG] Login Return Url Parameter: ReturnUrl
[18:38:49 DBG] Logout Url: /Identity/Account/Logout
[18:38:49 DBG] ConsentUrl Url: /consent
[18:38:49 DBG] Consent Return Url Parameter: returnUrl
[18:38:49 DBG] Error Url: /home/error
[18:38:49 DBG] Error Id Parameter: errorId
[18:38:49 DBG] Request path /.well-known/openid-configuration matched to endpoint type Discovery
[18:38:49 DBG] Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryEndpoint
[18:38:49 INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryEndpoint for /.well-known/openid-configuration
[18:38:49 DBG] Start discovery request
[18:38:49 DBG] Request path /connect/authorize matched to endpoint type Authorize
[18:38:49 DBG] Endpoint enabled: Authorize, successfully created handler: IdentityServer4.Endpoints.AuthorizeEndpoint
[18:38:49 INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
[18:38:49 DBG] Start authorize request
[18:38:49 DBG] No user present in authorize request
[18:38:49 DBG] Start authorize request protocol validation
[18:38:49 DBG] client configuration validation for client charla-mobile succeeded.
[18:38:49 ERR] Invalid redirect_uri: http://localhost:8100/implicit/authcallback
{"ClientId": "charla-mobile", "ClientName": "charla-mobile", "RedirectUri": null, "AllowedRedirectUris": ["urn:ietf:wg:oauth:2.0:oob"], "SubjectId": "anonymous", "ResponseType": null, "ResponseMode": null, "GrantType": null, "RequestedScopes": "", "State": null, "UiLocales": null, "Nonce": null, "AuthenticationContextReferenceClasses": null, "DisplayMode": null, "PromptMode": null, "MaxAge": null, "LoginHint": null, "SessionId": null, "Raw": {"redirect_uri": "http://localhost:8100/implicit/authcallback", "client_id": "charla-mobile", "response_type": "code", "state": "G0Zn5uV8K4", "scope": "converse-appAPI openid profile", "code_challenge": "7vnsRsZRIzgf7Ti_gH-k1LY6fErlLZNrbfZlbQYCz7U", "code_challenge_method": "S256"}, "$type": "AuthorizeRequestValidationLog"}
[18:38:49 ERR] Request validation failed
[18:38:49 INF] {"ClientId": "charla-mobile", "ClientName": "charla-mobile", "RedirectUri": null, "AllowedRedirectUris": ["urn:ietf:wg:oauth:2.0:oob"], "SubjectId": "anonymous", "ResponseType": null, "ResponseMode": null, "GrantType": null, "RequestedScopes": "", "State": null, "UiLocales": null, "Nonce": null, "AuthenticationContextReferenceClasses": null, "DisplayMode": null, "PromptMode": null, "MaxAge": null, "LoginHint": null, "SessionId":
null, "Raw": {"redirect_uri": "http://localhost:8100/implicit/authcallback", "client_id": "charla-mobile", "response_type": "code", "state": "G0Zn5uV8K4", "scope": "converse-appAPI openid profile", "code_challenge": "7vnsRsZRIzgf7Ti_gH-k1LY6fErlLZNrbfZlbQYCz7U", "code_challenge_method": "S256"}, "$type": "AuthorizeRequestValidationLog"}
[18:38:49 INF] {"ClientId": "charla-mobile", "ClientName": "charla-mobile", "RedirectUri": null, "Endpoint": "Authorize", "SubjectId": null, "Scopes": "", "GrantType": null, "Error": "unauthorized_client", "ErrorDescription": "Invalid redirect_uri", "Category": "Token", "Name": "Token Issued Failure", "EventType": "Failure", "Id": 2001, "Message": null, "ActivityId": "0HM1T9FDQAMOT:00000001", "TimeStamp": "2020-08-10T16:38:49.0000000Z", "ProcessId": 13112, "LocalIpAddress": "::1:5000", "RemoteIpAddress": "::1", "$type": "TokenIssuedFailureEvent"}

Answer 1

I ran into the same problem, the solution for me was to set it up manually through code (like really manually) otherwise the redirectUri was set to a completely different value:

services.AddIdentityServer()
            .AddApiAuthorization<ApplicationUser, AuthorizationDbContext>(options =>
            {
                options.Clients.AddNativeApp(
                    "MyApp", 
                    app => app
                        .WithScopes("MyServerAPI", "openid", "profile", "offline_access")
                );
                var client = options.Clients.Single(c => c.ClientId == "MyApp");
                client.AllowOfflineAccess = true;
                client.RedirectUris.Clear();
                client.RedirectUris.Add("http://localhost:4000/");
                client.PostLogoutRedirectUris.Clear();
                client.PostLogoutRedirectUris.Add("http://localhost:4000/");
                
            });

Answer 2

This might not be the answer i was looking for, but I had to ditch the ApiAuthorizaion extension provided by asp.net core, and start configuring identity server using their standard documentation and configuration files.

Answer 3

I think its easier to configure clients in code to make sure you get it all correct. What I am thinking about is if you have missed the ClientID and if the clientID is wrong then IS can't find the correct redirectURL?

I found this example here

"IdentityServer": {
  "IssuerUri": "urn:sso.company.com",
  "Clients": [
    {
      "Enabled": true,
      "ClientId": "local-dev",
      "ClientName": "Local Development",
      "ClientSecrets": [ { "Value": "<Insert Sha256 hash of the secret encoded as Base64 string>" } ],
      "AllowedGrantTypes": [ "implicit" ],
      "AllowedScopes": [ "openid", "profile" ],
      "RedirectUris": [ "https://localhost:5001/signin-oidc" ],
      "RequireConsent": false
    }
  ]