4
votes

I'm trying to update my .NET Core 3.0 React SPA to use code flow as opposed to implicit.

It is failing with "Invalid authorization code" in the logs of Identity Server.

Can anyone tell what is going wrong or what to check / try?

Do I need to do anything for PKCE? Or just set it to true? (RequirePkce = true)

Seems to get a fair way before erroring.

I'm using oidc-client NPM package on the front end.

[13:14:44 Information] Invoking IdentityServer endpoint: "IdentityServer4.Endpoints.DiscoveryEndpoint" for "/.well-known/openid-configuration" (IdentityServer4.Hosting.IdentityServerMiddleware)

[13:14:44 Information] Invoking IdentityServer endpoint: "IdentityServer4.Endpoints.TokenEndpoint" for "/connect/token" (IdentityServer4.Hosting.IdentityServerMiddleware)

[13:14:44 Information] ClientAuthenticationSuccessEvent { ClientId: "MyProject.web", AuthenticationMethod: "NoSecret", Category: "Authentication", Name: "Client Authentication Success", EventType: Success, Id: 1010, Message: null, ActivityId: "80000050-0007-fe00-b63f-84710c7967bb", TimeStamp: 09/13/2019 03:14:44, ProcessId: 19196, LocalIpAddress: "::1:44343", RemoteIpAddress: "::1" } (IdentityServer4.Events.DefaultEventService)

[13:14:44 Information] Token request validation success TokenRequestValidationLog { ClientId: "MyProject.web", ClientName: "MyProject.web", GrantType: "authorization_code", Scopes: null, AuthorizationCode: "d473eae4ba0ca70d14ac02b1907466067ae97847cdba5f46ba78ce6a51d4c171", RefreshToken: null, UserName: null, AuthenticationContextReferenceClasses: null, Tenant: null, IdP: null, Raw: [("client_id": "MyProject.web"), ("code": "d473eae4ba0ca70d14ac02b1907466067ae97847cdba5f46ba78ce6a51d4c171"), ("redirect_uri": "https://localhost:44343/authentication/login-callback"), ("code_verifier": "7103488868084ec4aa94a62bcb9b422eac6fc24203eb4b14a8fdc9f3cad9839c358780cc40c546ecb8d58ac5e118b63e"), ("grant_type": "authorization_code")] } (IdentityServer4.Validation.TokenRequestValidator)

[13:14:44 Information] TokenIssuedSuccessEvent { ClientId: "MyProject.web", ClientName: "MyProject.web", RedirectUri: null, Endpoint: "Token", SubjectId: null, Scopes: "openid profile MyProject.webAPI", GrantType: "authorization_code", Tokens: [Token { TokenType: "id_token", TokenValue: "****gPHA" }, Token { TokenType: "access_token", TokenValue: "****YH5A" }], Category: "Token", Name: "Token Issued Success", EventType: Success, Id: 2000, Message: null, ActivityId: "80000050-0007-fe00-b63f-84710c7967bb", TimeStamp: 09/13/2019 03:14:44, ProcessId: 19196, LocalIpAddress: "::1:44343", RemoteIpAddress: "::1" } (IdentityServer4.Events.DefaultEventService)

[13:14:44 Information] Invoking IdentityServer endpoint: "IdentityServer4.Endpoints.UserInfoEndpoint" for "/connect/userinfo" (IdentityServer4.Hosting.IdentityServerMiddleware)

[13:14:44 Information] Profile service returned the following claim types: "given_name family_name" (IdentityServer4.ResponseHandling.UserInfoResponseGenerator)

[13:14:44 Information] Invoking IdentityServer endpoint: "IdentityServer4.Endpoints.TokenEndpoint" for "/connect/token" (IdentityServer4.Hosting.IdentityServerMiddleware)

[13:14:44 Information] ClientAuthenticationSuccessEvent { ClientId: "MyProject.web", AuthenticationMethod: "NoSecret", Category: "Authentication", Name: "Client Authentication Success", EventType: Success, Id: 1010, Message: null, ActivityId: "8000000c-0002-fc00-b63f-84710c7967bb", TimeStamp: 09/13/2019 03:14:44, ProcessId: 19196, LocalIpAddress: "::1:44343", RemoteIpAddress: "::1" } (IdentityServer4.Events.DefaultEventService)

[13:14:44 Error] Invalid authorization code{ code: "d473eae4ba0ca70d14ac02b1907466067ae97847cdba5f46ba78ce6a51d4c171" }, details: TokenRequestValidationLog { ClientId: "MyProject.web", ClientName: "MyProject.web", GrantType: "authorization_code", Scopes: null, AuthorizationCode: "d473eae4ba0ca70d14ac02b1907466067ae97847cdba5f46ba78ce6a51d4c171", RefreshToken: null, UserName: null, AuthenticationContextReferenceClasses: null, Tenant: null, IdP: null, Raw: [("client_id": "MyProject.web"), ("code": "d473eae4ba0ca70d14ac02b1907466067ae97847cdba5f46ba78ce6a51d4c171"), ("redirect_uri": "https://localhost:44343/authentication/login-callback"), ("code_verifier": "7103488868084ec4aa94a62bcb9b422eac6fc24203eb4b14a8fdc9f3cad9839c358780cc40c546ecb8d58ac5e118b63e"), ("grant_type": "authorization_code")] } (IdentityServer4.Validation.TokenRequestValidator)

[13:14:44 Information] TokenIssuedFailureEvent { ClientId: "MyProject.web", ClientName: "MyProject.web", RedirectUri: null, Endpoint: "Token", SubjectId: null, Scopes: null, GrantType: "authorization_code", Error: "invalid_grant", ErrorDescription: null, Category: "Token", Name: "Token Issued Failure", EventType: Failure, Id: 2001, Message: null, ActivityId: "8000000c-0002-fc00-b63f-84710c7967bb", TimeStamp: 09/13/2019 03:14:44, ProcessId: 19196, LocalIpAddress: "::1:44343", RemoteIpAddress: "::1" } (IdentityServer4.Events.DefaultEventService)

1
It would be helpful if you actually provided some code. - johnny 5
Provide some code. In your logs you can see you've issued a token in the TokenIssuedSuccessEvent. But then for some reason you decide to make a request with the authorization code: Invalid authorization code{ code: "d473eae4ba0ca70d14ac02b1907466067ae97847cdba5f46ba78ce6a51d4c171" }. The authorization code should only be used to obtain the token. The token should be used for subsequent requests. - johnny 5
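The comment above points at the key evidence in the logs: the same authorization code reaches /connect/token twice, succeeds once and is then rejected with invalid_grant. The following script is an added example (not code from the question, the answer or IdentityServer4) that parses TokenRequestValidator log lines of the shape shown in the question and flags any authorization code presented more than once, which is how a defender would spot either a client double-exchanging its code or a replay of a stolen code. The sample lines are constructed, trimmed copies of the question's log with a shortened code value.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed lines from the question's IdentityServer4 log,
# with the authorization code shortened. The same code is exchanged twice.
SAMPLE_LOG = """
[13:14:44 Information] Token request validation success TokenRequestValidationLog { ClientId: "MyProject.web", GrantType: "authorization_code", AuthorizationCode: "d473eae4ba0c", Raw: [("client_id": "MyProject.web"), ("code": "d473eae4ba0c"), ("grant_type": "authorization_code")] } (IdentityServer4.Validation.TokenRequestValidator)
[13:14:44 Information] TokenIssuedSuccessEvent { ClientId: "MyProject.web", GrantType: "authorization_code" } (IdentityServer4.Events.DefaultEventService)
[13:14:44 Error] Invalid authorization code{ code: "d473eae4ba0c" }, details: TokenRequestValidationLog { ClientId: "MyProject.web", GrantType: "authorization_code", AuthorizationCode: "d473eae4ba0c", Raw: [("code": "d473eae4ba0c")] } (IdentityServer4.Validation.TokenRequestValidator)
[13:14:44 Information] TokenIssuedFailureEvent { ClientId: "MyProject.web", GrantType: "authorization_code", Error: "invalid_grant" } (IdentityServer4.Events.DefaultEventService)
"""

# "[<time> <level>] <message>" as Serilog renders IdentityServer4 output.
LINE_RE = re.compile(r'^\[(?P<time>[^\]]+) (?P<level>\w+)\] (?P<msg>.*)$')
CODE_RE = re.compile(r'AuthorizationCode: "(?P<code>[0-9a-f]+)"')
CLIENT_RE = re.compile(r'ClientId: "(?P<client>[^"]+)"')


def parse_token_requests(log_text):
    """Yield (time, client_id, code, outcome) for each authorization_code
    token request the TokenRequestValidator logged. An Information line is
    a validated exchange; an Error line is a rejected one."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "TokenRequestValidationLog" not in m["msg"]:
            continue
        code = CODE_RE.search(m["msg"])
        client = CLIENT_RE.search(m["msg"])
        if not code or not client:
            continue
        outcome = "success" if m["level"] == "Information" else "rejected"
        yield m["time"], client["client"], code["code"], outcome


def find_code_reuse(log_text):
    """Return {code: [(time, client, outcome), ...]} for every authorization
    code presented to the token endpoint more than once. Codes are single-use,
    so a second presentation is a client bug (as in the question) or a replay
    attempt that the server should reject with invalid_grant."""
    seen = defaultdict(list)
    for time, client, code, outcome in parse_token_requests(log_text):
        seen[code].append((time, client, outcome))
    return {code: uses for code, uses in seen.items() if len(uses) > 1}


if __name__ == "__main__":
    for code, uses in find_code_reuse(SAMPLE_LOG).items():
        print(f"code {code} presented {len(uses)} times:")
        for time, client, outcome in uses:
            print(f"  {time} client={client} {outcome}")
```

On the question's full log the script reports one code, exchanged successfully at 13:14:44 and rejected seconds later, which confirms the client is replaying its own code instead of using the issued tokens.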

1 Answer

1
votes

Below is an implementation of Authorization Code Flow with Identity Server 4.

using System.Collections.Generic;
using IdentityServer4;          // Sha512() secret-hashing extension
using IdentityServer4.Models;   // Client, Secret, AccessTokenType

public class Example
{
    // IdentityServer4 client definition for the authorization code grant.
    public static IEnumerable<Client> Get()
    {
        // Only the hash of the client secret is stored, never the plaintext.
        var shakey = new Secret { Value = "mysecret".Sha512() };

        return new List<Client> {
            new Client {
                ClientId = "authorizationCodeTest2",
                ClientName = "Authorization Code Test",
                ClientSecrets = new List<Secret> { shakey },
                Enabled = true,
                AllowedGrantTypes = new List<string> { "authorization_code" },
                AllowRememberConsent = false,
                RequireConsent = true,
                // Must match the redirect_uri the client sends exactly.
                RedirectUris =
                  new List<string> {
                       "http://localhost:<<port>>/account/oAuth2"
                  },
                PostLogoutRedirectUris =
                  new List<string> {"http://localhost:<<port>>"},
                AllowedScopes = new List<string> {
                    "api"
                },
                AccessTokenType = AccessTokenType.Jwt
            }
        };
    }
}

Check if you are missing something on the Authentication Token and retry.