Nicky B0T

Reputation: 157

Identity Server 4 ASP.NET Quickstart 'refused connection'

I'm following the Identity Server 4 Quickstart and I'm having a weird issue even though I followed it step by step.

It says (translated from German) connection denied by target computer. What's weird about this is that in the API project "we" (I) said ValidateAudience = false, which I thought meant that tokens aren't being validated at all.

// call api
var apiClient = new HttpClient();
apiClient.SetBearerToken(tokenResponse.AccessToken);

var response = await apiClient.GetAsync("https://localhost:6001/identity");
if (!response.IsSuccessStatusCode)
{
    Console.WriteLine(response.StatusCode);
}
else
{
    var content = await response.Content.ReadAsStringAsync();
    Console.WriteLine(JArray.Parse(content));
}

I am truly confused. The client does get an accessToken, so that's not the problem ... I hope.

Github-Repo

Invoking IdentityServer endpoint: IdentityServer4.Endpoints.TokenEndpoint for /connect/token

[16:15:42 Debug] IdentityServer4.Endpoints.TokenEndpoint
Start token request.

[16:15:42 Debug] IdentityServer4.Validation.ClientSecretValidator
Start client validation

[16:15:42 Debug] IdentityServer4.Validation.BasicAuthenticationSecretParser
Start parsing Basic Authentication secret

[16:15:42 Debug] IdentityServer4.Validation.PostBodySecretParser
Start parsing for secret in post body

[16:15:42 Debug] IdentityServer4.Validation.ISecretsListParser
Parser found secret: PostBodySecretParser

[16:15:42 Debug] IdentityServer4.Validation.ISecretsListParser
Secret id found: client

[16:15:42 Debug] IdentityServer4.Stores.ValidatingClientStore
client configuration validation for client client succeeded.

[16:15:42 Debug] IdentityServer4.Validation.ISecretsListValidator
Secret validator success: HashedSharedSecretValidator

[16:15:42 Debug] IdentityServer4.Validation.ClientSecretValidator
Client validation success

[16:15:42 Debug] IdentityServer4.Validation.TokenRequestValidator
Start token request validation

[16:15:42 Debug] IdentityServer4.Validation.TokenRequestValidator
Start client credentials token request validation

[16:15:42 Debug] IdentityServer4.Validation.TokenRequestValidator
client credentials token request validation success

[16:15:42 Information] IdentityServer4.Validation.TokenRequestValidator
Token request validation success, {"ClientId": "client", "ClientName": null, "GrantType": "client_credentials", "Scopes": "api1", "AuthorizationCode": null, "RefreshToken": null, "UserName": null, "AuthenticationContextReferenceClasses": null, "Tenant": null, "IdP": null, "Raw": {"grant_type": "client_credentials", "scope": "api1", "client_id": "client", "client_secret": "***REDACTED***"}, "$type": "TokenRequestValidationLog"}

[16:15:42 Debug] IdentityServer4.Services.DefaultClaimsService
Getting claims for access token for client: client

[16:15:42 Debug] IdentityServer4.Endpoints.TokenEndpoint
Token request success.

Upvotes: 0

Views: 1265

Answers (2)

Tore Nestenius

Reputation: 19941

I think setting ValidateAudience = false will just ignore the audience claim, but still validate the other things in the token.

You can set the IncludeErrorDetails property to true, like this:

        .AddJwtBearer(options =>
        {
            options.Audience = "payment";
            options.Authority = "https://localhost:6001/";

            // True if token validation errors should be returned to the caller.
            options.IncludeErrorDetails = true;
        });

When you set it to True, then you will get more details in the response header, like:

HTTP/1.1 401 Unauthorized
Date: Sun, 02 Aug 2020 11:19:06 GMT
WWW-Authenticate: Bearer error="invalid_token", error_description="The signature is invalid"

To further help you out, please post a sample access token and API configuration (Startup class).

See this article for further details.

To complement this answer, I wrote a blog post that goes into more detail about this topic: Troubleshooting JwtBearer authentication problems in ASP.NET Core.

Upvotes: 2

Nicky B0T

Reputation: 157

So in API/Properties/launchsettings .... when generating the project it used a default scheme, and in that scheme it sets a port of 43033 or something.

Upvotes: 1
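
The two failure modes discussed in this thread can be told apart from the client side: a refused connection never reaches the JwtBearer middleware, while a rejected token comes back as a 401 whose `WWW-Authenticate` header carries the reason. The following is an added example, not code from either answer or from the IdentityServer4 quickstart; `ApiProbe`, `ProbeAsync` and the placeholder token are hypothetical names, and it assumes .NET Core 3.1 or later, where a refused connection surfaces as an `HttpRequestException` wrapping a `SocketException`.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Sockets;
using System.Threading.Tasks;

public static class ApiProbe
{
    // Classifies a failed API call: transport failure vs. token rejection.
    public static async Task<string> ProbeAsync(HttpClient client, string url, string accessToken)
    {
        var request = new HttpRequestMessage(HttpMethod.Get, url);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        try
        {
            using var response = await client.SendAsync(request);

            if (response.StatusCode == HttpStatusCode.Unauthorized)
            {
                // With IncludeErrorDetails = true the JwtBearer handler explains the
                // rejection here, e.g. error="invalid_token", error_description="...".
                var challenge = string.Join("; ", response.Headers.WwwAuthenticate);
                return $"401 from API, token rejected: {challenge}";
            }

            return $"API answered with {(int)response.StatusCode} {response.StatusCode}";
        }
        catch (HttpRequestException ex)
        {
            // No HTTP response at all: the request never reached the JwtBearer
            // middleware, so ValidateAudience and the other checks are not involved.
            var refused = ex.InnerException is SocketException se
                          && se.SocketErrorCode == SocketError.ConnectionRefused;
            return refused
                ? $"Nothing is listening at {url}; compare the port with the API's launch settings"
                : $"Transport error before any token check: {ex.Message}";
        }
    }

    public static async Task Main()
    {
        using var client = new HttpClient();
        // URL from the question; PLACEHOLDER_TOKEN is a constructed value, not a real token.
        Console.WriteLine(await ProbeAsync(client, "https://localhost:6001/identity", "PLACEHOLDER_TOKEN"));
    }
}
```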
