4 votes

I have an Identity server that was developed on Identity server 4 (v3.1.2) and a .NET Web API that was developed on .NET Framework 4.6. In the web API, I am using the Identity Server 3 Access Token Validation library (v2.14.0) to validate the Incoming request's tokens.

When I try to access a resource on the .NET web API using a JWT token which was generated by the identity server, I always get a 401 Unauthorized response. I have set up the Owin middleware as below in the .NET web API.

using IdentityServer3.AccessTokenValidation;
using Owin;
using System.Web.Http;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Validate incoming bearer tokens using the discovery document
        // (issuer, signing keys) published under the configured Authority.
        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = "http://localhost:9080/IdentityServer"
        });

        // Attribute-routed Web API hosted in the same OWIN pipeline; it is
        // registered after the token middleware so requests are authenticated first.
        var config = new HttpConfiguration();
        config.MapHttpAttributeRoutes();

        app.UseWebApi(config);
    }
}

However, in order to find out whether this is an issue between Identity server 4 tokens and Identity server 3 access token validation library, I have created a separate Identity server with Identity server 3 library (v2.6.3) and provided a token generated from it to the same web API I used previously (same Startup.cs as above).

This request was authorized successfully and all were working as expected.

My question is:

Is it possible to validate a token from Identity Server 4 using the Identity Server 3 access token validation library? Or is there something I am doing wrong?

Do you get any error message? You can also trace the log on the IDS4 server side. - Nan Yu
No, I don't get any errors. I enabled the Identity Server logs as well, but nothing hits there once a request comes to the web API. One thing I noticed was that once I started the web API (only when started), a log entry on the ID server is printed mentioning the discovery endpoint and jwks uri. Other than that, nothing. - diyath.nelaka
Sorry, try to trace the log on the web API side, not the IDS side. Or you can use Fiddler to trace the request/response, and check whether any inner error message is included with the 401 error. - Nan Yu
I have enabled the trace log for the Owin context in the web API. Found out that there is an exception caused by an audience mismatch. Apparently, the Identity Server 3 access token validation library checks my token's audience against an audience (<issuer>/resources) it creates based on the issuer within the library. The token generated from my IDS 4 has a different audience than this (<issuer>/resources). Is there a possibility for me to set the audience on my own rather than letting it be set by the library? - diyath.nelaka
This may be an issue with the changed token header (explicit type + removed /resources audience). Take a look at this question + answer for more information. - Ruard van Elburg
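The audience check described in the comments above, as an added diagnostic that is not code from the question, the answer, or either IdentityServer project: it decodes a token without verifying the signature and reports whether its `aud` and `iss` match what the IdentityServer3 validation middleware expects for a given Authority, and also reports the header `typ`, since the comment notes that IdentityServer4 v3 changed it. The function names, the two sample tokens and their dummy signature segment are constructed for this example; treating the Authority URL as the expected issuer is an assumption of the script, not something the page states.

```python
import base64
import json

# Authority the web API's middleware is configured with (value from the question).
AUTHORITY = "http://localhost:9080/IdentityServer"


def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token):
    """Return (header, payload) of a compact JWT without checking its signature.
    Diagnostic use only: never authorize a request on the result of this call."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_is3_compat(token, authority):
    """Compare a token with what IdentityServer3.AccessTokenValidation expects
    for the given Authority (as found in the question's trace log):
      - 'aud' must contain "<authority>/resources"
      - 'iss' is assumed here to equal the Authority URL
    The header 'typ' is reported as well, because IdentityServer4 v3 emits
    "at+jwt" instead of "JWT"; it is informational and does not decide 'compatible'."""
    header, payload = decode_jwt_unverified(token)
    expected_aud = authority.rstrip("/") + "/resources"
    aud = payload.get("aud", [])
    if isinstance(aud, str):  # 'aud' may be a single string or a list of strings
        aud = [aud]
    result = {
        "expected_audience": expected_aud,
        "token_audience": aud,
        "audience_ok": expected_aud in aud,
        "issuer_ok": payload.get("iss", "").rstrip("/") == authority.rstrip("/"),
        "typ": header.get("typ"),
    }
    result["compatible"] = result["audience_ok"] and result["issuer_ok"]
    return result


def make_sample_token(header, payload):
    """Build a constructed, UNSIGNED sample token for the demo; the third segment
    is a dummy so the value can never pass a real signature check."""
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"constructed-dummy-signature"),
    ])


# Constructed sample resembling an IdentityServer4 v3 access token:
# typ "at+jwt" and only the API resource name as audience.
IS4_STYLE_TOKEN = make_sample_token(
    {"alg": "RS256", "typ": "at+jwt", "kid": "constructed-kid"},
    {"iss": AUTHORITY, "aud": ["api1"], "scope": ["api1"], "client_id": "client"},
)

# Constructed sample resembling an IdentityServer3 access token:
# typ "JWT" and the legacy "<issuer>/resources" audience.
IS3_STYLE_TOKEN = make_sample_token(
    {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"},
    {"iss": AUTHORITY, "aud": AUTHORITY + "/resources", "scope": ["api1"], "client_id": "client"},
)

if __name__ == "__main__":
    for name, tok in (("IS4-style", IS4_STYLE_TOKEN), ("IS3-style", IS3_STYLE_TOKEN)):
        print(name, json.dumps(check_is3_compat(tok, AUTHORITY), indent=2))
```

Running it against a real token copied from the failing request (with the Authority string from Startup.cs) shows directly whether the 401 comes from the `<issuer>/resources` audience the library expects; the script only reads claims and must not be used as a replacement for signature validation.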

1 Answer

0 votes

I am not sure, but I think your Authority URL is incorrect. I had a similar scenario to yours and I resolved it using the IdentityServer3.AccessTokenValidation NuGet package, and it's working perfectly fine. So I am sure that your issue is not related to the middleware.

Try replacing the code in your Startup.cs file with the below and everything will work.

using IdentityServer3.AccessTokenValidation;
using Owin;
using System.Web.Http;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Authority is the base URL of the identity server; the middleware
        // appends the discovery path itself to fetch issuer and signing keys.
        IdentityServerBearerTokenAuthenticationOptions options = new IdentityServerBearerTokenAuthenticationOptions
            {
                Authority = "http://localhost:9080",
                // Name of the OWIN authentication type assigned to the validated identity.
                AuthenticationType = "Bearer"
            };

        app.UseIdentityServerBearerTokenAuthentication(options);

        // Web API is registered after the token middleware so it sees the authenticated principal.
        var config = new HttpConfiguration();
        config.MapHttpAttributeRoutes();

        app.UseWebApi(config);
    }
}

I hope this will resolve your issue!