Reputation: 85
I'm using the code flow for a vuejs client with IdentityServer4.
I added RequirePkce, and I can get the access token and ID token from oidc-client,
but the access token's aud claim is pointing back to the IdentityServer4 base address, not my API resource.
Can something be wrong?
Client:
new Client
{
    ClientId = "js.admin",
    ClientName = "admin dashboard vuejs client.",
    // Public browser client: PKCE instead of a client secret.
    RequirePkce = true,
    RequireClientSecret = false,
    RequireConsent = false,
    AllowedGrantTypes = GrantTypes.Code,
    AllowAccessTokensViaBrowser = true,
    RedirectUris = new List<string>
    {
        "http://localhost:8080",
        "http://localhost:8080/logincb.html",
        "http://localhost:8080/silent-renew.html"
    },
    PostLogoutRedirectUris = new List<string>
    {
        "http://localhost:8080/",
        "http://localhost:8080"
    },
    AllowedCorsOrigins = new List<string>
    {
        "http://localhost:8080"
    },
    // Identity scopes plus the API scope "api1.rw" the client may request.
    AllowedScopes = new List<string>
    {
        "openid",
        "role",
        "profile",
        "api1.rw",
        "email",
        "phone"
    }
}
oidc client setting:
const clientSettings = {
    userStore: new WebStorageStateStore({ store: window.localStorage }),
    authority: STS_DOMAIN,
    client_id: "js.admin",
    redirect_uri: "http://localhost:8080/logincb.html",
    automaticSilentRenew: true,
    silent_redirect_uri: "http://localhost:8080/silent-renew.html",
    // Authorization code flow; oidc-client adds PKCE automatically for "code".
    response_type: "code",
    scope: "openid profile api1.rw role email phone",
    post_logout_redirect_uri: "http://localhost:8080/",
    filterProtocolClaims: true
};
Access token decoded:
"iss": "http://localhost:5001",
"aud": "http://localhost:5001/resources",
As you can see, both the issuer and audience claims are the same, which is wrong,
but even the scopes are correct. I really appreciate any help.
Bearer was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'http://localhost:5001/resources'. Did not match: validationParameters.ValidAudience: 'api1' or validationParameters.ValidAudiences: 'null'.
This is the last error I got.
Upvotes: 3
Views: 2107
Reputation: 19921
The value http://localhost:5001/resources is a generic resource that is added when you have not defined or associated any ApiResource with the requested ApiScope.
From the documentation here, it says:
When using the scope-only model, no aud (audience) claim will be added to the token since this concept does not apply. If you need an aud claim, you can enable the EmitStaticAudienceClaim setting on the options. This will emit an aud claim in the issuer_name/resources format. If you need more control of the aud claim, use API resources.
To get api1.rw as your audience, you need to add an ApiResource to your IdentityServer configuration. You can name the ApiResource and ApiScope api1.rw.
To complement this answer, I wrote a blog post that goes into more detail about this topic: IdentityServer – IdentityResource vs. ApiResource vs. ApiScope
Upvotes: 4
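The following is an added example, not code from the question or the answer above, showing the resource model the answer recommends next to the scope-only model the question is running, together with the JwtBearer settings the API needs so the aud check in the IDX10214 error passes. It assumes IdentityServer4 v4 at http://localhost:5001 (the iss in the decoded token) and an API named "api1" (the ValidAudience in the error message); the display names and the policy name "ApiReadWrite" are made up for the example.

```csharp
// Added example (not from the original post). Assumes IdentityServer4 v4,
// authority http://localhost:5001 and an API resource named "api1".
using System.Collections.Generic;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;

public static class Config
{
    // Scope-only model (what the question has): "api1.rw" exists as an ApiScope
    // that belongs to no ApiResource. IS4 then emits no aud at all, or the generic
    // "http://localhost:5001/resources" if EmitStaticAudienceClaim is enabled.
    public static IEnumerable<ApiScope> ApiScopes => new[]
    {
        new ApiScope("api1.rw", "Read/write access to api1"),
    };

    // Resource model (the fix): an ApiResource named "api1" that owns api1.rw.
    // A token that carries the api1.rw scope now gets aud = "api1", which is
    // exactly the ValidAudience the API in the question is configured with.
    public static IEnumerable<ApiResource> ApiResources => new[]
    {
        new ApiResource("api1", "Sample API")
        {
            Scopes = { "api1.rw" },
            // User claims copied into access tokens issued for this API.
            UserClaims = { "role" },
        },
    };
}

public static class IdentityServerSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddIdentityServer(options =>
        {
            // Only relevant in the scope-only model: would emit
            // aud = "http://localhost:5001/resources" on every token.
            // Unnecessary once ApiResources are defined, so left off here.
            options.EmitStaticAudienceClaim = false;
        })
        .AddInMemoryApiScopes(Config.ApiScopes)
        .AddInMemoryApiResources(Config.ApiResources)
        // Clients and IdentityResources from the question are registered the same way.
        .AddDeveloperSigningCredential();
    }
}

public static class ApiSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "http://localhost:5001";
                options.RequireHttpsMetadata = false; // local development only
                // Must equal the ApiResource name. "api1.rw" is a scope, not an
                // audience, so setting it here would reproduce the IDX10214 error.
                options.Audience = "api1";
            });

        // aud only says which API the token is for; it does not prove the caller
        // was granted api1.rw. Enforce the scope separately.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("ApiReadWrite", policy =>
            {
                policy.RequireAuthenticatedUser();
                policy.RequireClaim("scope", "api1.rw");
            });
        });
    }
}
```

With the ApiResource in place and the client still requesting api1.rw (already in the client's AllowedScopes and in the oidc-client scope string), the decoded access token shows "aud": "api1" instead of the issuer-based placeholder, and the API's audience validation succeeds. Keeping the scope check as a separate policy matters because a token issued to another client for the same API would also pass the audience check.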