
I am following the example provided by damienbod (Ang2 Id Serv 4 OIDC), where I have the following: an Identity Server (modified implementation), a Resource API and an ng-2 application.

After getting authenticated from the Identity Server and trying to access my protected API, it always gives me a 401 (Unauthorized) error.

I have changed the Client on the Identity Server to use a token type of JWT instead of reference, and then it worked.

Client configuration on the identity server:

            new Client
            {
                ClientName = "angular2client",
                ClientId = "angular2client",
                AccessTokenType = AccessTokenType.Jwt,
                AllowedGrantTypes = GrantTypes.Implicit,
                AllowAccessTokensViaBrowser = true,
                // redirect URIs are omitted
                AllowedScopes = new List<string>
                {
                    "openid",
                    "resourceAPIs",
                    "role",
                }
            }

Resource API: Identity Validation

    app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
    {
        Authority = "http://localhost:44311",
        ScopeName = "resourceAPIs",
        RequireHttpsMetadata = false
    });

I need to know why the JWT token type made it work, and what code to modify to make the reference token type work.


1 Answer


To use a reference token you need to provide a scope secret. See the docs:

The introspection endpoint requires authentication using a scope secret.

Identity Server:

        new Client
        {
            ClientName = "angular2client",
            ClientId = "angular2client",
            ClientSecrets = new List<Secret>
            {
                // must match the ScopeSecret configured on the resource API
                new Secret("secret".Sha256())
            },
            // issue reference tokens; the resource API validates them via introspection
            AccessTokenType = AccessTokenType.Reference,
            AllowedGrantTypes = GrantTypes.Implicit,
            AllowAccessTokensViaBrowser = true,
            // redirect URIs are omitted
            AllowedScopes = new List<string>
            {
                "openid",
                "resourceAPIs",
                "role",
            }
        }

Resource Server:

    app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
    {
        Authority = "http://localhost:44311",
        ScopeName = "resourceAPIs",
        ScopeSecret = "secret",
        RequireHttpsMetadata = false
    });
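As an added illustration (not code from the answer or from the damienbod sample), here is a simplified Python model of the resource API's two validation paths: a JWT is self-contained and is verified locally from its signature and claims, whereas a reference token is opaque and must be sent to the introspection endpoint authenticated with the scope name and scope secret, which is why it is rejected with 401 when no ScopeSecret is configured. The signing key, the reference-token store and the introspection function are constructed stand-ins (HS256 in place of IdentityServer's RS256).

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed demo values standing in for the page's IdentityServer setup.
SCOPE_NAME = "resourceAPIs"
SCOPE_SECRET = "secret"
JWT_SIGNING_KEY = b"demo-signing-key"   # HS256 stand-in; IdentityServer really uses RS256

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(payload: dict) -> str:
    """Mint a compact JWT (header.payload.signature) the way the identity server would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(JWT_SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

# Constructed stand-in for the identity server's reference-token table.
REFERENCE_TOKENS = {"ref-abc123": {"active": True, "scope": "openid resourceAPIs role"}}

def introspect(token: str, scope_name: str, scope_secret: Optional[str]) -> dict:
    """Stand-in for POST /connect/introspect: the caller must authenticate with the scope secret."""
    if scope_name != SCOPE_NAME or scope_secret != SCOPE_SECRET:
        raise PermissionError("introspection endpoint rejected caller (missing/wrong scope secret)")
    return REFERENCE_TOKENS.get(token, {"active": False})

def validate_access_token(token: str, scope_name: str, scope_secret: Optional[str]) -> int:
    """Return the HTTP status the resource API would answer with: 200 on success, 401 otherwise."""
    parts = token.split(".")
    if len(parts) == 3:
        # JWT: signature and claims are checked locally, no secret towards the issuer is needed.
        header, body, sig = parts
        expected = hmac.new(JWT_SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return 401
        claims = json.loads(_b64url_decode(body))
        return 200 if scope_name in claims.get("scope", "").split() else 401
    # Reference token: opaque to the API, so it must be introspected at the identity server.
    try:
        result = introspect(token, scope_name, scope_secret)
    except PermissionError:
        return 401          # this is the failure mode the question describes
    if not result.get("active"):
        return 401
    return 200 if scope_name in result.get("scope", "").split() else 401
```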