Reputation: 15
I have an Identity Server using OpenIddict 3.1. We have added a resource API with .NET 4.6. In the startup class, we are setting up the token validation so that it is used by the [Authorize] attribute, like this:
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Jwt;
using Microsoft.Owin.Security.OAuth;

// signingCertificate: the X509Certificate2 that OpenIddict signs its JWTs with.
// The original had a placeholder here; the variable name is illustrative.
var options = new JwtBearerAuthenticationOptions
{
    Provider = new OAuthBearerAuthenticationProvider(),
    AuthenticationMode = AuthenticationMode.Active,
    AllowedAudiences = new[] { audience },
    TokenValidationParameters = new TokenValidationParameters
    {
        ValidateAudience = true,
        ValidateIssuer = false, // issuer is not checked; set ValidIssuer and enable this outside local testing
        IssuerSigningKey = new X509SecurityKey(signingCertificate),
        ValidateLifetime = true,
        ValidAudience = audience,
        RequireSignedTokens = true
    }
};
app.UseJwtBearerAuthentication(options);
We always get the unauthorized message.
We also have tried to use:
var options = new JwtBearerAuthenticationOptions
{
    Provider = new OAuthBearerAuthenticationProvider(),
    AuthenticationMode = AuthenticationMode.Active,
    AllowedAudiences = new[] { audience },
    TokenValidationParameters = new TokenValidationParameters
    {
        ValidateAudience = true,
        ValidateIssuer = false,
        // IEnumerable<SecurityKey> fetched from the OpenIddict server's JWKS endpoint
        IssuerSigningKeys = issuerSigningKeys,
        ValidateLifetime = true,
        ValidAudience = audience,
        RequireSignedTokens = true
    }
};
Here issuerSigningKeys holds the keys discovered from the OpenIddict server's JWT signing keys.
Our server configuration looks like this:
.AddValidation(options =>
{
    // the validation handler runs in the same process as the OpenIddict server
    options.UseLocalServer();
    options.UseSystemNetHttp();
    options.UseAspNetCore();
});
and
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.IdentityModel.Tokens;
using OpenIddict.Validation.AspNetCore;

services
    .AddAuthentication(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "http://localhost:49424/";
        // If MetadataAddress is set at all it must point at the discovery document itself;
        // with only Authority set, the handler derives this URL on its own.
        options.MetadataAddress = "http://localhost:49424/.well-known/openid-configuration";
        options.Audience = "resource1";
        options.RequireHttpsMetadata = false; // plain http is acceptable only for local development
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = false,
            ValidateIssuerSigningKey = true,
            ValidAudiences = new List<string> { "resource1" },
            // public RSA key of the certificate OpenIddict signs with
            // (original note: can still login with or without this key)
            IssuerSigningKey = new RsaSecurityKey(
                AuthenticationExtensionMethods.TokenSigningCertificate().GetRSAPublicKey())
        };
    })
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
    {
        options.LoginPath = "/Account/Logon";
    });
Any suggestions? Is it possible to validate the tokens this way between different frameworks—such as .NET Core and .NET Framework 4.6—using OpenIddict?
Upvotes: 0
Views: 657
Reputation: 19921
OpenIddict supports two types of tokens: reference tokens (just a binary blob) and JWT tokens (which contain the user details and claims). The AddJwtBearer() method does not support the reference token format.
What you need to do is to remove the following line from your setup:
options.UseReferenceTokens();
Upvotes: 1
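Added example, not part of the question or the answer above: a small Python triage script that looks at a bearer token the way the JWT bearer handlers do. It classifies the token as a compact JWT, a five-part JWE, or an opaque reference token, and for a JWT runs the audience and lifetime checks that TokenValidationParameters performs, so you can see which check is behind a blanket 401 and why an opaque reference token fails before any claim is read. It does not verify the signature (that needs the issuer's public key or JWKS). The sample tokens are constructed inline with a random, invalid signature segment; the issuer URL and the audience resource1 are taken from the question, while the at+jwt header type and the demo key id are assumptions. Python is used so the check runs anywhere, independent of the .NET hosting stack.

```python
"""Bearer-token triage: is this a JWT a JwtBearer handler can even parse?

Added example. Classifies a token as a compact JWS ("jwt"), a five-part JWE
("jwe") or an opaque reference token ("opaque"), and for a JWS runs the
audience and lifetime checks that TokenValidationParameters performs.
Signature verification is intentionally left out: it needs the issuer's
RSA public key or JWKS, and an opaque token is rejected before that step.
"""
import base64
import json
import secrets
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def classify_token(token: str) -> str:
    """'jwt' for a three-part JWS with a JSON header carrying 'alg',
    'jwe' for the five-part encrypted form, otherwise 'opaque'."""
    parts = token.split(".")
    if len(parts) not in (3, 5):
        return "opaque"
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # bad base64, non-UTF-8 bytes or a non-JSON header
        return "opaque"
    if not isinstance(header, dict) or "alg" not in header:
        return "opaque"
    return "jwe" if len(parts) == 5 else "jwt"


def check_claims(token: str, expected_audience: str, now: Optional[float] = None,
                 clock_skew_seconds: int = 300) -> dict:
    """Mirror ValidateAudience / ValidateLifetime and report each result.

    Returns {"kind", "audience_ok", "lifetime_ok", "claims", "header"} so the
    caller can see which check a blanket 401 actually comes from. The default
    clock skew matches the 5 minutes the .NET handlers allow.
    """
    result = {"kind": classify_token(token), "audience_ok": False,
              "lifetime_ok": False, "claims": None, "header": None}
    if result["kind"] != "jwt":
        return result  # the handler cannot read claims, so it fails before any check
    header_b64, payload_b64, _signature = token.split(".")
    result["header"] = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    result["claims"] = claims
    # 'aud' may be a string or a list; ValidAudience must match one entry.
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    result["audience_ok"] = expected_audience in audiences
    # RequireExpirationTime is true by default, so a missing 'exp' fails.
    now = time.time() if now is None else now
    exp, nbf = claims.get("exp"), claims.get("nbf", 0)
    result["lifetime_ok"] = (exp is not None
                             and now <= exp + clock_skew_seconds
                             and now >= nbf - clock_skew_seconds)
    return result


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed test data: a JWT-shaped token with a random, invalid
    signature segment. The header values (alg, typ, kid) are assumptions."""
    header = {"alg": "RS256", "typ": "at+jwt", "kid": "demo-key"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     _b64url_encode(secrets.token_bytes(32))])


def demo() -> dict:
    """Run the checks over constructed tokens; issuer and audience from the question."""
    now = 1_700_000_000
    issuer = "http://localhost:49424/"
    tokens = {
        "good": make_unsigned_jwt({"iss": issuer, "aud": "resource1", "sub": "alice", "exp": now + 3600}),
        "wrong_aud": make_unsigned_jwt({"iss": issuer, "aud": ["api2"], "sub": "alice", "exp": now + 3600}),
        "expired": make_unsigned_jwt({"iss": issuer, "aud": "resource1", "sub": "alice", "exp": now - 3600}),
        "reference": secrets.token_urlsafe(32),  # an opaque reference token: no dots, no JSON
    }
    return {name: check_claims(tok, "resource1", now=now) for name, tok in tokens.items()}


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:10} kind={r['kind']:7} audience_ok={r['audience_ok']} lifetime_ok={r['lifetime_ok']}")
```

Run it against the actual Authorization header your resource API receives: if classify_token reports "opaque", no JwtBearer configuration on either framework will accept the token, which is the situation the answer describes; if it reports "jwt" but audience_ok or lifetime_ok is false, the fix is in the ValidAudience or clock settings rather than in the signing key.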