
I am using IdentityServer4 in my ASP.NET Core API application. Against the local server, https://localhost:[port]/connect/token returns an access token successfully, and when I use that bearer token to call an [Authorize] method it works fine.
But on the server, https://example.com/connect/token also returns a token successfully, yet when I use this token to call an [Authorize] method I get a 401 Unauthorized error.

  "Authority": "https://example.com",
  "Audience": "https://example.com/resources",
  "RequireHttpsMetadata": "true"


 // Register IdentityServer (the token issuer). Every event category is switched on
 // so that successful and failed token requests both reach the log sink, which is
 // the first place to look when tokens validate locally but not on the server.
 var identityServerBuilder = services.AddIdentityServer(options =>
        {
            options.Events.RaiseErrorEvents = true;
            options.Events.RaiseInformationEvents = true;
            options.Events.RaiseFailureEvents = true;
            options.Events.RaiseSuccessEvents = true;
        });

        // NOTE(review): AddDeveloperSigningCredential() is the development-only signing key.
        // It persists a temporary key file in the content root on first start, so a fresh
        // deployment (or a second instance behind a load balancer) can sign with a key that
        // differs from the one the API cached from the discovery document; tokens signed
        // with the other key then fail validation with 401. A deployed issuer should use
        // AddSigningCredential() with a persisted certificate or key instead.
        // All grants, resources and clients are held in memory and are lost on restart.
        identityServerBuilder
            .AddDeveloperSigningCredential()
            .AddInMemoryPersistedGrants()
            .AddInMemoryIdentityResources(GetIdentityResources())
            .AddInMemoryApiResources(GetApiResources())
            .AddInMemoryClients(GetClients())
            .AddAspNetIdentity<User>();

        // API-side validation of incoming bearer tokens.
        services.AddAuthentication(options =>
        {
            // Both the authenticate and the challenge scheme are JWT bearer, so an
            // [Authorize] endpoint answers a missing or invalid token with 401 rather
            // than redirecting to a login page.
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(options =>
        {
            // Authority is the issuer this API trusts; the handler fetches that issuer's
            // discovery document and signing keys from it. If the identity server does not
            // set IssuerUri it derives its issuer name from the request's scheme and host,
            // so a token obtained through a different hostname or scheme (e.g. via a reverse
            // proxy) than the one configured here carries a different "iss" and is rejected
            // with 401 — worth confirming against the decoded token.
            var authority = configuration["AppSettings:Authority"];
            // Audience must be one of the values in the token's "aud" claim; with the
            // "{authority}/resources" style value used in AppSettings, the authority part
            // has to be the same issuer string as above.
            var audience = configuration["AppSettings:Audience"];
            // Convert.ToBoolean(string) returns false for a null input, so a missing
            // RequireHttpsMetadata key silently allows plain-HTTP discovery; an
            // unparseable value throws FormatException when the options are built.
            var requireHttpsMetadata = Convert.ToBoolean(configuration["AppSettings:RequireHttpsMetadata"]);

            options.Authority = authority;
            options.Audience = audience;
            options.RequireHttpsMetadata = requireHttpsMetadata;
        });

        // Custom profile service that supplies the claims placed into issued tokens.
        services.AddTransient<IProfileService, IdentityClaimsProfileService>();



    /// <summary>
    /// Identity resources (identity scopes) this server can issue claims for:
    /// openid, email and profile.
    /// </summary>
    /// <returns>The in-memory identity resource definitions.</returns>
    public static IEnumerable<IdentityResource> GetIdentityResources()
    {
        var resources = new List<IdentityResource>();
        resources.Add(new IdentityResources.OpenId());
        resources.Add(new IdentityResources.Email());
        resources.Add(new IdentityResources.Profile());
        // NOTE(review): no Address resource is registered here, although the client
        // in GetClients() lists the address scope as allowed; a token request that
        // asks for it would not find a matching resource in this configuration.
        return resources;
    }
    /// <summary>
    /// API resources protected by this server. The resource name "api1" is also the
    /// scope value a client must request for the access token to be usable at that API,
    /// and it must appear in the client's AllowedScopes (see GetClients()).
    /// </summary>
    /// <returns>The in-memory API resource definitions.</returns>
    public static IEnumerable<ApiResource> GetApiResources()
    {
        var api = new ApiResource("api1", "My API");
        return new List<ApiResource> { api };
    }
    /// <summary>
    /// Client registrations. Only one client is defined: a resource-owner-password
    /// (ROPC) client for the Angular front end.
    /// </summary>
    /// <returns>The in-memory client definitions.</returns>
    public static IEnumerable<Client> GetClients()
    {
        // NOTE(review): the client secret is a literal committed with the source and is
        // the same in every environment; it should be loaded from configuration or a
        // secret store, and rotated if this value has ever been deployed.
        var clientSecret = new Secret("secret".Sha256());

        // ROPC hands the user's password to the client application, which is why the
        // grant is discouraged for new deployments; it is kept here as configured.
        var resourceOwnerClient = new Client
        {
            ClientId = "ro.angular",
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
            ClientSecrets = { clientSecret },
            // A scope is only placed into the access token when the token request asks for
            // it: a token requested without "api1" carries no api1 scope and is rejected by
            // an API that validates against that resource. The address scope is allowed but
            // no matching identity resource is registered in GetIdentityResources().
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                IdentityServerConstants.StandardScopes.Email,
                IdentityServerConstants.StandardScopes.Address,
                "api1"
            },
            // Refresh tokens are issued (offline_access), may be presented repeatedly and
            // slide their expiry on use; TokenUsage.OneTimeOnly would rotate them so a
            // leaked refresh token can be detected on reuse.
            AllowOfflineAccess = true,
            RefreshTokenUsage = TokenUsage.ReUse,
            RefreshTokenExpiration = TokenExpiration.Sliding
        };

        return new List<Client> { resourceOwnerClient };
    }
Here is my identity server setting in "AppSettings": { "Authority": "example.com", "Audience": "example.com/resources", "RequireHttpsMetadata": "true" } — kuldeep chopra
Only one, which was tested locally and then deployed on the server (example.com). — kuldeep chopra
There may be a configuration error. Can you verify the value of Authority in your API, which is probably read from your settings, e.g. `options.Authority = configuration["AppSettings:Authority"];`? — Ruard van Elburg
In Authority the value is the identity server domain link, e.g. example.com — kuldeep chopra
It's working; I needed to send the correct scope the user is registered for, e.g. scope: api1, when generating the token. prnt.sc/q3cqao — kuldeep chopra



This might be because of the scope parameter in the token request.

Follow these steps to check the scope:

  1. Copy your token.
  2. Paste it into jwt.io to decode it (the payload is only Base64url-encoded, so it can also be decoded locally — a bearer token is a credential, so avoid pasting production tokens into a third-party site).
  3. After decoding, check the scope claim, then request a new token with the right scope (here: api1).