So I have a solution with the following projects: - MVC for my Authorization Server (Identity Server with Identity) - MVC client - MVC API
What I try to achieve is to have a user connecting in the MVC client with the help of the authorization server and then using the access token delivered to call my API.
So I have the following configuration:
Authorization server :
In the Startup.cs :
// Add Identity Server 4
services.AddIdentityServer()
.AddSigningCredential(cert)
.AddInMemoryPersistedGrants()
.AddClientStore<ClientStore>()
.AddResourceStore<ResourceStore>()
.AddAspNetIdentity<User>();
services.AddAuthentication().AddMicrosoftAccount(microsoftOptions =>
{
microsoftOptions.ClientId = Configuration["Authentication:Microsoft:ApplicationId"];
microsoftOptions.ClientSecret = Configuration["Authentication:Microsoft:Password"];
});
Configuration of the client :
new Client
{
ClientId = "EchinoManagerMVC",
ClientName = "MVC for Echino Manager",
AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
ClientSecrets =
{
new Secret("EchinoManagerMVCSecret".Sha256())
},
// where to redirect to after login
RedirectUris = { "https://localhost:44380/signin-oidc" },
// where to redirect to after logout
PostLogoutRedirectUris = { "https://localhost:44380/signout-callback-oidc" },
AllowedScopes = new List<string>
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
"echinomanagerapi"
},
AllowOfflineAccess = true,
AlwaysIncludeUserClaimsInIdToken = true,
AlwaysSendClientClaims = true,
RequireConsent = false
}
My APIResource :
new ApiResource
{
Name = "EchinoManagerAPI",
ApiSecrets =
{
new Secret("EchinoManagerAPISecret".Sha256())
},
UserClaims =
{
JwtClaimTypes.Email
},
Scopes =
{
new Scope()
{
Name = "echinomanagerapi",
DisplayName = "Access to the API of Echino Manager"
}
}
}
In my MVC client:
Startup.cs :
public void ConfigureServices(IServiceCollection services)
{
services.Configure<CookiePolicyOptions>(options =>
{
// This lambda determines whether user consent for non-essential cookies is needed for a given request.
options.CheckConsentNeeded = context => true;
options.MinimumSameSitePolicy = SameSiteMode.None;
});
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
services.AddAuthentication(options =>
{
options.DefaultScheme = "Cookies";
options.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies")
.AddOpenIdConnect("oidc", options =>
{
options.SignInScheme = "Cookies";
options.Authority = Configuration["ApplicationOptions:AuthorizeServer"];
options.ClientId = Configuration["ApplicationOptions:ClientId"];
options.ClientSecret = Configuration["ApplicationOptions:ClientSecret"];
options.ResponseType = "code id_token";
options.SaveTokens = true;
options.GetClaimsFromUserInfoEndpoint = true;
options.Scope.Add("echinomanagerapi");
options.Scope.Add("offline_access");
});
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
}
In my controller calling the API:
[Authorize]
public class TenantController : Controller
{
public async Task<IActionResult> Index()
{
var accessToken = await HttpContext.GetTokenAsync("access_token");
var client = new HttpClient();
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
//var content = await client.GetStringAsync("https://loginservices.echino2.p.azurewebsites.net/echinoapi/tenant");
//var content = await client.GetStringAsync("https://localhost:44366/echinoapi/tenant");
var content = await client.GetStringAsync("https://localhost:44300/api/values");
ViewBag.Json = JArray.Parse(content).ToString();
return View();
}
}
In my MVC API:
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
services.AddAuthorization();
services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
.AddIdentityServerAuthentication(options =>
{
options.Authority = Configuration["ApplicationOptions:AuthorizeServer"];
options.ApiName = Configuration["ApplicationOptions:ApiName"];
options.ApiSecret = Configuration["ApplicationOptions:ApiSecret"];
});
}
The controller :
[Route("api/[controller]")]
[ApiController]
[Authorize(AuthenticationSchemes = "Bearer")]
public class ValuesController : ControllerBase
{
// GET api/values
[HttpGet]
public ActionResult<IEnumerable<string>> Get()
{
return new string[] { "value1", "value2" };
}
// GET api/values/5
[HttpGet("{id}")]
public ActionResult<string> Get(int id)
{
return "value";
}
}
So when I launch my solution and i access the /tenant in my MVC client it's redirect me to the authorization server where I have to log in, and then I get back in the MVC client. This part is working fine.
But my call to my API return me a 401 unauthorized.
I've checked I if have an access token in my tenant controller and I got one, for example :
eyJhbGciOiJSUzI1NiIsImtpZCI6IjJFMzdFNzQ5N0RCODI4QzRFNzdFQUI4NTE4MDU3OUZGQ0IwMDgwMTAiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJMamZuU1gyNEtNVG5mcXVGR0FWNV84c0FnQkEifQ.eyJuYmYiOjE1NDQ3MDQ1OTksImV4cCI6MTU0NDcwODE5OSwiaXNzIjoiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzMzQiLCJhdWQiOlsiaHR0cHM6Ly9sb2NhbGhvc3Q6NDQzMzQvcmVzb3VyY2VzIiwiRWNoaW5vTWFuYWdlckFQSSJdLCJjbGllbnRfaWQiOiJFY2hpbm9NYW5hZ2VyTVZDIiwic3ViIjoiNWMxMjMyZTIzYWExODE3MGVjYTJmMjdlIiwiYXV0aF90aW1lIjoxNTQ0NzA0NTk5LCJpZHAiOiJsb2NhbCIsImVtYWlsIjoic3RlcGhhbmUubWFydGlnbmllcjFAd2l0Y2hsYWtlLmNoIiwic2NvcGUiOlsib3BlbmlkIiwicHJvZmlsZSIsImVjaGlub21hbmFnZXJhcGkiLCJvZmZsaW5lX2FjY2VzcyJdLCJhbXIiOlsicHdkIl19.g61xKFcROTDuw_rmFWLHKSoJIIhyzzil-hPK44PvCioKVeeKB3ZrKtmNvw0aa240e_6Y6X2r3QZ2CR0V3T-lZmAJeIm0oN8MznUNjKB-h5FxxVvwwnbBU3_HYS5fNIl6XhKeOZGsIU-ZNBYBZ3FrDwrLPm3uHXVYyCQ5X1ZAldjV1HJ_th6T-PEdQozHZn37EXcqakU4uY1RpiT_ZEMFnllXWZVFBYCEy3OsOmAv5NlD5jkUp2XeuCoQ5vsT1XhO2Qkj5HS398MmJp0wObs-V1dUz2iKVjbQzo3eHZo3lsEiqKfg5lpTxrQHm07sGuyB84utuPYrKFCI_4nkeHF9tM9SEF1Au0DbD2O2nWYUoxa7RjFlMLxOu1uH6FNLYzBlbhbPsB9rhLK0byySmZM5bAaVHC4e71iyI2ZHJJx_K7VuHkAmqoraJ5KtcJB-zAdkKserdUc7xcPI9scIQpGf28EdrWG_xKUc1OjjtvZApJmKiDc7REFGiAIRA6xm20PSaySEyrQjb2nQxDer9f04bBhignb02NRC_n8sLciw7cOM4yVBW5FKHj_7jCTzU6U1XY65-UX0z_pKkvrxtqJpRl8JexEU7c6XQ6FcCwXB6TKxhZ7NzjgS6vmSMRXrEBEgtnWqrZv5A_sA7yhVeLHbSfx94nPUc4ru6POWbSzFja8
(use JWT.io to see the content).
Apparently I have an issue with the validate audience, because in my log I can find :
"Audience validation failed. Audiences: 'https://localhost:44334/resources, EchinoManagerAPI'. Did not match: validationParameters.ValidAudience: 'EchinoManagerMVC' or validationParameters.ValidAudiences: 'null'."
So my question is : What I am missing in my configuration so I can use the access_token delivered by the authorization server to call my API?
Thanks in advance
Configuration["ApplicationOptions:ApiName"]
is 'EchinoManagerAPI'? – Ruard van Elburg{ "ApplicationOptions": { "AuthorizeServer": "https://localhost:44334", "ApiSecret": "EchinoManagerAPI", "ApiName": "EchinoManagerAPISecret" },
– S.Martignier