Miguel Moura
Reputation: 39404
The specified token is invalid is Invalid when using Client Credentials in OpenIdDict
With Asp.Net Core 5 and OpenIdDict I have the configuration for Authorization Code and Client Credentials:
services.AddOpenIddict()
.AddCore(x => {
x.UseEntityFrameworkCore().UseDbContext<Context>().ReplaceDefaultEntities<Application, Authorization, Scope, Token, Int32>();
})
.AddServer(x => {
x.SetAuthorizationEndpointUris("/connect/authorize")
.SetLogoutEndpointUris("/connect/logout")
.SetTokenEndpointUris("/connect/token")
.SetUserinfoEndpointUris("/connect/userinfo")
.SetIntrospectionEndpointUris("/.well-known/openid-configuration");
x.RegisterScopes(OpenIddictConstants.Scopes.Profile, OpenIddictConstants.Scopes.Email, OpenIddictConstants.Scopes.OfflineAccess);
x.AllowAuthorizationCodeFlow()
.AllowRefreshTokenFlow()
.AllowClientCredentialsFlow();
x.AddDevelopmentEncryptionCertificate().AddDevelopmentSigningCertificate();
x.UseAspNetCore()
.EnableAuthorizationEndpointPassthrough()
.EnableLogoutEndpointPassthrough()
.EnableTokenEndpointPassthrough()
.EnableUserinfoEndpointPassthrough()
.EnableStatusCodePagesIntegration();
})
.AddValidation(x => {
x.UseLocalServer();
x.UseAspNetCore();
});
On the API I have:
services.AddOpenIddict()
.AddValidation(x => {
x.SetIssuer("https://localhost:5000");
x.AddAudiences("api");
x.UseIntrospection().SetClientId("api").SetClientSecret("SecretAPI");
x.UseSystemNetHttp();
x.UseAspNetCore();
});
Then I have the Client and the API applications:
OpenIddictApplicationDescriptor mvc = new OpenIddictApplicationDescriptor {
ClientId = "mvc",
ClientSecret = "SecretMVC",
ConsentType = OpenIddictConstants.ConsentTypes.Explicit,
Permissions = {
OpenIddictConstants.Permissions.Endpoints.Token,
OpenIddictConstants.Permissions.GrantTypes.ClientCredentials,
OpenIddictConstants.Permissions.Prefixes.Scope + "api"
}
};
OpenIddictApplicationDescriptor api = new OpenIddictApplicationDescriptor {
ClientId = "api",
ClientSecret = "SecretAPI",
Permissions = {
OpenIddictConstants.Permissions.Endpoints.Introspection
}
};
I am able to get an Access token using Insomnia Rest Client and Client Credentials.
But when I call the API with the given access token I get the following error:
Bearer error = "invalid_token", error_description = "The specified token is invalid."
Why does this happen?
Update
On the logs I have the following:
[12:09:52 Debug] OpenIddict.Validation.OpenIddictValidationDispatcher
The event OpenIddict.Validation.OpenIddictValidationEvents+HandleIntrospectionResponseContext was marked as rejected by OpenIddict.Validation.OpenIddictValidationHandlers+HandleErrorResponse`1[[OpenIddict.Validation.OpenIddictValidationEvents+HandleIntrospectionResponseContext, OpenIddict.Validation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
[12:09:52 Debug] OpenIddict.Validation.OpenIddictValidationDispatcher
An error occurred while introspecting the token.
OpenIddict.Abstractions.OpenIddictExceptions+GenericException: An error occurred while handling the introspection response.
Error: invalid_request
Error description: The specified HTTP method is not valid.
Error URI:
at OpenIddict.Validation.OpenIddictValidationService.<>c__DisplayClass5_0.<<IntrospectTokenAsync>g__HandleIntrospectionResponseAsync|3>d.MoveNext()
--- End of stack trace from previous location ---
at OpenIddict.Validation.OpenIddictValidationService.IntrospectTokenAsync(Uri address, String token, String type, CancellationToken cancellationToken)
at OpenIddict.Validation.OpenIddictValidationService.IntrospectTokenAsync(Uri address, String token, String type, CancellationToken cancellationToken)
at OpenIddict.Validation.OpenIddictValidationHandlers.IntrospectToken.HandleAsync(ProcessAuthenticationContext context)
[12:09:52 Debug] OpenIddict.Validation.OpenIddictValidationDispatcher
The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+IntrospectToken.
Upvotes: 2
Views: 5838
Answers (1)
Kévin Chalet
Reputation: 42030
You configured your introspection endpoint to share the same address as the OIDC provider configuration endpoint, which prevents introspection requests from being recognized as valid POST requests.
Fix SetIntrospectionEndpointUris("/.well-known/openid-configuration") to use a different address and it should work.
Upvotes: 3
Related Questions
- An unhandled exception occurred while processing the request in OpenIddict
- OpenIdDict: Interactive user consent is required. AuthenticationScheme: OpenIddict.Server.AspNetCore was forbidden
- The authentication demand was rejected because the token had no audience attached
- OpenIddict authorization request not handled
- Asp.NET Core OpenIddict invalid_grant
- .NET Core Openiddict invalid request
- openiddict password/refresh flow Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2] Authorization failed for user: (null)
- OpenIdDict and ASP.NET Core: 401 after successfully getting the token back (full repro)
- OpenIDDict in asp.net core error " The OpenID Connect request cannot be retrieved"
- MissingExceptionMethod error when calling token endpoint