Reputation: 503
I am trying to test my API with Postman in a Blazor WebAssembly ASP.NET Core hosted app with IdentityServer4 individual accounts. Unfortunately, despite having tried many different configuration options to get a new token, I have been unable to get one. Here is what I've tried.
This one results in the Postman browser emulator popping up and never finishing.
This one fails, but I get the more informative error:
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2] Authorization failed. These requirements were not met: DenyAnonymousAuthorizationRequirement: Requires an authenticated user.
However, when I then try to use the default testing username and password, I get Error: unauthorized_client.
I followed the setup step by step in this article using the API authorization options instead of the profile service option (and I'm developing locally, not using Azure). What do I need to do to get a token? I appreciate the help, thanks.
EDIT: I attempted adding a new Client in ConfigureServices, but the same behavior happens: the Postman browser emulator pops up and never finishes.
// Server project, Startup.ConfigureServices
// Needs: using IdentityServer4; using IdentityServer4.Models;
services.AddIdentityServer()
    .AddApiAuthorization<ApplicationUser, ApplicationDbContext>(options =>
    {
        // expose name/role claims in the identity token and the API access token
        options.IdentityResources["openid"].UserClaims.Add("name");
        options.ApiResources.Single().UserClaims.Add("name");
        options.IdentityResources["openid"].UserClaims.Add("role");
        options.ApiResources.Single().UserClaims.Add("role");

        // extra confidential client for Postman, using the authorization code flow
        options.Clients.Add(new IdentityServer4.Models.Client()
        {
            ClientId = "postman",
            AllowedGrantTypes = GrantTypes.Code,
            AllowOfflineAccess = true,                          // permits the offline_access scope (refresh tokens)
            ClientSecrets = { new Secret("secret".Sha256()) },  // stored hashed; Postman sends the plaintext "secret"
            // the callback Postman uses must be listed here, or the authorize request is rejected
            RedirectUris = { "http://localhost:21402/signin-oidc", "https://oauth.pstmn.io/v1/browser-callback" },
            PostLogoutRedirectUris = { "http://localhost:21402/" },
            FrontChannelLogoutUri = "http://localhost:21402/signout-oidc",
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                IdentityServerConstants.StandardScopes.Email,
                "Onero.ServerAPI"
            },
        });
    });
Upvotes: 4
Views: 1327
Reputation: 503
After days of reading the docs and blogs to get an overall picture, I finally was able to do it! What I did was the following:
I looked closely at the output from starting up my Server project, which is where I saw this:
That made me realize that I had been using the wrong endpoint for the Auth URL in Postman. So I changed it to https://localhost:5001/connect/authorize. I then used this configuration in Postman
combined with adding the Postman client like so in the Server's Startup.cs file:
// Server project, Startup.ConfigureServices
// Needs: using IdentityServer4.Models;
services.AddIdentityServer()
    .AddApiAuthorization<ApplicationUser, ApplicationDbContext>(options =>
    {
        ...
        options.Clients.Add(new IdentityServer4.Models.Client()
        {
            ClientId = "Postman",
            AllowedGrantTypes = GrantTypes.Code,
            AllowOfflineAccess = true,
            ClientSecrets = { new Secret("secret".Sha256()) },
            // Postman's callback URL must be registered here
            RedirectUris = { "http://localhost:21402/signin-oidc", "https://oauth.pstmn.io/v1/browser-callback" },
            PostLogoutRedirectUris = { "http://localhost:21402/" },
            FrontChannelLogoutUri = "http://localhost:21402/signout-oidc",
            AllowedScopes =
            {
                "Onero.ServerAPI"
            },
        });
    });
And that finally got that little Postman page to pop up, brought me to the default IdentityServer AuthUI page, let me log in with my default user, and there we go: I finally got the darn token.
Biggest takeaway: make sure to read the server output to verify your endpoints are correct, so you can fill out the parameters in Postman correctly.
Thanks for the help!
Upvotes: 1
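The configuration above is what Postman drives behind its "Get New Access Token" button: an authorization-code request to /connect/authorize, a redirect back to the registered callback, and a code exchange at /connect/token. The following script is an added example (not code from the question, the answer, or the Blazor template) that performs the same flow by hand against the client registered above, so each parameter Postman asks for can be seen and checked. It assumes the issuer https://localhost:5001, the ClientId "Postman", the plaintext secret "secret", the oauth.pstmn.io callback and the scope "Onero.ServerAPI" from the answer, and that the client keeps IdentityServer4 v4's default of RequirePkce = true for code clients; endpoints are read from the discovery document rather than typed in, which is the mistake the answer describes.

```python
import base64
import hashlib
import json
import secrets
import urllib.parse
import urllib.request

# Values taken from the answer above. Everything else in this file is an
# added example and an assumption about the local setup, not project code.
ISSUER = "https://localhost:5001"
CLIENT_ID = "Postman"
CLIENT_SECRET = "secret"          # plaintext behind new Secret("secret".Sha256())
REDIRECT_URI = "https://oauth.pstmn.io/v1/browser-callback"
SCOPES = ["Onero.ServerAPI"]      # the only scope the answer's client allows


def discover(issuer: str = ISSUER) -> dict:
    """Read authorization/token endpoints from the discovery document
    instead of guessing them (the question's first problem was a wrong Auth URL)."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge: BASE64URL(SHA256(verifier)) with padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Fresh verifier/challenge; IdentityServer4 v4 requires PKCE for code clients by default."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_authorize_url(authorize_endpoint, state, code_challenge,
                        client_id=CLIENT_ID, redirect_uri=REDIRECT_URI, scopes=SCOPES):
    """Step 1: the URL the browser (or Postman's popup) is sent to."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,   # must match a registered RedirectUris entry exactly
        "scope": " ".join(scopes),
        "state": state,                 # bound to this attempt, checked on return
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return authorize_endpoint + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: pull the code out of the redirect; refuse error responses and state mismatches."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"{query['error'][0]}: {query.get('error_description', [''])[0]}")
    if query.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: redirect did not come from our authorize request")
    return query["code"][0]


def build_token_request(code, code_verifier, client_id=CLIENT_ID,
                        client_secret=CLIENT_SECRET, redirect_uri=REDIRECT_URI):
    """Step 3: form body for /connect/token (a dict so it can be inspected before sending)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,   # same value as in step 1
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": code_verifier, # proves we started the flow that produced this code
    }


def exchange_code(token_endpoint, form):
    """POST the form and return the parsed token response (network call)."""
    req = urllib.request.Request(
        token_endpoint,
        data=urllib.parse.urlencode(form).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    meta = discover()
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print("Open this in a browser and log in:")
    print(build_authorize_url(meta["authorization_endpoint"], state, challenge))
    returned = input("Paste the full callback URL from the address bar: ").strip()
    code = parse_callback(returned, state)
    tokens = exchange_code(meta["token_endpoint"], build_token_request(code, verifier))
    print("token_type:", tokens["token_type"], "expires_in:", tokens["expires_in"])
    print("access_token (truncated):", tokens["access_token"][:40] + "...")
```

Running it against a local Server project needs the ASP.NET Core dev certificate trusted (dotnet dev-certs https --trust), otherwise urllib rejects the TLS handshake to localhost:5001. Two failure modes from the question map onto this script: a redirect_uri that is not in RedirectUris fails at step 1 before any login page appears, and sending a grant the client is not registered for (for example a password grant against a GrantTypes.Code client) is answered at /connect/token with unauthorized_client.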
Reputation: 11091
If you're using the authorization code grant, use this URL as the callback URL and leave "Authorize using browser" unchecked. You also need to add the URL to the list of RedirectUris for your app.
https://oauth.pstmn.io/v1/browser-callback
This page just posts a message to the parent of the auth popup (i.e. the Postman window):
<script>
    // relay the redirect's query string (code, state) and fragment to the window that opened the popup
    let data = {
        isAuthCallback: true,
        queryString: window.location.search || '',
        hash: window.location.hash || ''
    };
    window.opener.postMessage(data, '*');
</script>
If you don't want to allow this URL (you probably want to protect tokens from third parties), you can host this page in your app:
// action on an MVC controller; needs: using Microsoft.AspNetCore.Mvc;
// register its full route (e.g. https://localhost:5001/<controller>/postman-callback) in RedirectUris
[HttpGet("postman-callback")]
public IActionResult PostmanCallback()
{
    return new ContentResult {
        ContentType = "text/html",
        StatusCode = 200,
        Content = @"
<html><body><script>
    let data = {
        isAuthCallback: true,
        queryString: window.location.search || '',
        hash: window.location.hash || ''
    };
    window.opener.postMessage(data, '*');
</script></body></html>"
    };
}
Upvotes: 1