Openiddict introspect not working (The access token is not valid.)

3
votes

I have 3 projects 1- SPA, 2- Web API Project, 3- Identity (setup using openiddict, ASP.NET Core 2.0 (OpenIddict.dll version 2.0.0.-rc2-0854) with EF Core.

API and Identity Server run successfully, can get the jwt token but, when I try to get value from API method which has Authorize Attribute I get an error:

WWW-Authenticate →Bearer error="invalid_token", error_description="The access token is not valid."

In Application Insights, could see POST /connect/introspect getting called, with result Dependency result code:500 and Dependency code: Http

Same code worked before, not sure which changes break introspect.

configuration in API project

 services.AddAuthentication(options =>
        {
            options.DefaultScheme = OAuthIntrospectionDefaults.AuthenticationScheme;
        })
          .AddOAuthIntrospection(options =>
          {
              options.Authority = new Uri("http://localhost:49888");
              options.ClientId = "my-resource-server";
              options.ClientSecret = "ClientSecret";
              options.RequireHttpsMetadata = false;
          });
        services.AddCors();           
        services.AddMvc()
            .AddJsonOptions(options =>
             {
                 options.SerializerSettings.Formatting = Formatting.None;
             });

Authorized Method

  [HttpGet("GetData/{Id}")]
    [Authorize(AuthenticationSchemes = OAuthIntrospectionDefaults.AuthenticationScheme)]
    [Authorize(Roles = "Admin")]
    public IActionResult GetData(int courseId)
    {
 }

connect/introspect in Identity Project

  private async Task<AuthenticationTicket> CreateTicketAsync(OpenIdConnectRequest request, UserInfo user)
    {
        UserInfo userInfo = await _userRepository.GetUserByCredentials(request.Username, request.Password);

        if (userInfo == null)
        {
            return null;
        }

        // Create a new ClaimsIdentity holding the user identity.
        var identity = new ClaimsIdentity(
            OpenIdConnectServerDefaults.AuthenticationScheme,
            OpenIdConnectConstants.Claims.Name,
             OpenIdConnectConstants.Claims.Role
           );

        // Add a "sub" claim containing the user identifier, and attach
        // the "access_token" destination to allow OpenIddict to store it
        // in the access token, so it can be retrieved from your controllers.
        identity.AddClaim(OpenIdConnectConstants.Claims.Subject,
            user.UserId.ToString(),
            OpenIdConnectConstants.Destinations.AccessToken);
        identity.AddClaim(OpenIdConnectConstants.Claims.Name, user.Name,
            OpenIdConnectConstants.Destinations.AccessToken);

        identity.AddClaim(OpenIdConnectConstants.Claims.Role, user.Role,
           OpenIdConnectConstants.Destinations.AccessToken);

        // ... add other claims, if necessary.
        var principal = new ClaimsPrincipal(identity);

        // Create a new authentication ticket holding the user identity.
        var ticket = new AuthenticationTicket(principal,
            new Microsoft.AspNetCore.Authentication.AuthenticationProperties(),
            OpenIdConnectServerDefaults.AuthenticationScheme);

. .

1
openiddict
Please share your authorization server logs. You're likely hitting openiddict.github.io/openiddict-documentation/guide/…. - Kévin Chalet
In AuthenticationTicket() added following line new AuthenticationProperties(), In permission field added ["ept:introspection"], still no luck. Not find any entry in System log, following entries from Application Insights Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'. Authorization failed for user: (null). The introspection response was successfully extracted: "active": false. Bearer was not authenticated. Failure message: Authentication failed because the authorization server rejected the access token. - Satish
These are the resource server logs. Update your question with the authorization server logs (you can find them in VS' output window in the debug menu). - Kévin Chalet
Oh yes, One of the entry as follows, OpenIddict.OpenIddictProvider:Error: The token 'c75afe3a-8915-45fe-b03e-b0165ad43f37' doesn't have any audience attached and cannot be introspected. To add an audience, use the 'ticket.SetResources(...)' extension when creating the ticket. - Satish
And have you tried calling the method suggested by the error message? In your case, it should be ticket.SetResources("my-resource-server") :P - Kévin Chalet

1 Answers

2
votes

Starting with RC2, OpenIddict can be officially used with third-party applications (i.e clients you don't own). As such, we can no longer assume that all the registered applications are legit and can freely introspect tokens.

To make things explicit, you now have to specify the list of client identifiers that are able to introspect a token. For that, add the following code when creating the ticket:

var ticket = new AuthenticationTicket(
    new ClaimsPrincipal(identity),
    new AuthenticationProperties(),
    OpenIdConnectServerDefaults.AuthenticationScheme);

ticket.SetResources("tracking_api", "marketing_api");

The resources must exactly match the client_id assigned to your resource servers using the introspection handler:

services.AddAuthentication()
    .AddOAuthIntrospection(options =>
    {
        options.Authority = new Uri("http://localhost:12345/");
        options.ClientId = "marketing_api";
        options.ClientSecret = "846B62D0-DEF9-4215-A99D-86E6B8DAB342";
        options.RequireHttpsMetadata = false;
    });

https://openiddict.github.io/openiddict-documentation/guide/migration.html#if-your-authorization-server-uses-introspection-make-sure-resources-are-set-in-the-authentication-ticket