I am using Identity Server 4 .Net Core 3, my API endpoint does not validate access token if I use standard configuration in startup, I keep getting 401 Unauthorized, however when I set the authentication scheme in the controller with the authorize property, I can successfully access my endpoint with the same token...
[Route("api/[controller]")]
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
[ApiController]
public class MyWebAPiControllerController : ControllerBase
{
.......
Here is my Identity Server Config:
//API resource
public IEnumerable<ApiResource> Apis()
{
var resources = new List<ApiResource>();
resources.Add(new ApiResource("identity", "My API", new[] { JwtClaimTypes.Subject, JwtClaimTypes.Email, JwtClaimTypes.Role, JwtClaimTypes.Profile }));
return resources;
}
My Client configuration:
public IEnumerable<Client> Clients()
{
var Clients = new List<Client>();
Clients.Add(new Client
{
ClientId = "client",
ClientSecrets = { new Secret(_securityConfig.Secret.Sha256()) },
AllowedGrantTypes = GrantTypes.ClientCredentials,
// scopes that client has access to
AllowedScopes = { "identity" }
});
Clients.Add(new Client
{
ClientId = "mvc",
ClientName = "MVC Client",
AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
//RequirePkce = true,
ClientSecrets = { new Secret(_securityConfig.Secret.Sha256()) },
RequireConsent = false,
RedirectUris = _securityConfig.RedirectURIs,
FrontChannelLogoutUri = _securityConfig.SignoutUris,
PostLogoutRedirectUris = _securityConfig.PostLogoutUris,
AllowOfflineAccess = true,
AllowAccessTokensViaBrowser = true,
AllowedScopes = new List<string>
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
IdentityServerConstants.StandardScopes.OfflineAccess,
"identity"
}
});
return Clients;
}
My API Configuration
services.AddAuthentication("Bearer")
.AddJwtBearer("Bearer", options =>
{
options.Authority = _securityConfig.Authority;
options.RequireHttpsMetadata = false;
options.Audience = "identity";
});
and Finally my web app, OIDC configuration and how I get the access token:
services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = "oidc";
}).AddCookie(options =>
{
options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
options.Cookie.Name = "identity_cookie";
})
.AddOpenIdConnect("oidc", options =>
{
options.Events = new OpenIdConnectEvents
{
OnUserInformationReceived = async ctx =>
{
//Get Token here and assign to Cookie for use in Jquery
ctx.HttpContext.Response.Cookies.Append("bearer_config", ctx.ProtocolMessage.AccessToken);
}
};
options.Authority = _securityConfig.Authority;
options.RequireHttpsMetadata = false;
options.ClientId = "mvc";
options.ClientSecret = _securityConfig.Secret;
options.ResponseType = "code id_token";
options.SaveTokens = true;
options.Scope.Clear();
options.Scope.Add("openid");
options.Scope.Add("profile");
options.Scope.Add("email");
options.Scope.Add("identity");
options.Scope.Add("offline_access");
options.ClaimActions.MapAllExcept("iss", "nbf", "exp", "aud", "nonce", "iat", "c_hash");
options.GetClaimsFromUserInfoEndpoint = true;
//options.SaveTokens = true;
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = JwtClaimTypes.Name,
RoleClaimType = JwtClaimTypes.Role,
};
});
Any ideas as to why I keep getting 401 Unauthorized?
UseAuthorization
statement. – Ruard van Elburgapp.UseHttpsRedirection(); app.UseRouting(); app.UseAuthorization(); app.UseAuthentication();
– Jacques Bronkhorst