Server

Using IdentityServer3 for client/application authorization.

Using IdentityAdmin to edit clients/scopes via GUI.

Created a new Client for the API, added a SharedSecret and api scope.

API / Client

Has 2 GET endpoints.

Uses the IdentityServer4.AccessTokenValidation NuGet package.

Configuration should be simple:

Startup.cs

using IdentityServer4.AccessTokenValidation;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.OpenApi.Models;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Require the "api" scope on every controller action (global authorize filter)
        services.AddControllers(c => {
            var policy = ScopePolicy.Create("api");
            c.Filters.Add(new AuthorizeFilter(policy));
        });

        // Bearer authentication against the IdentityServer3 authority;
        // reference tokens are validated by calling its introspection endpoint
        services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
            .AddIdentityServerAuthentication(options => {
                options.Authority = "{base url of identity server}";
                options.ApiName = ""; // not sure what this is? client id from identity server?
                options.ApiSecret = ""; // should this be the hashed password?
                options.LegacyAudienceValidation = true;
            });

        services.AddSwaggerGen(c => {
            c.SwaggerDoc("v1", new OpenApiInfo { Title = "MarvalAPI", Version = "v1" });
        });

        RegisterServices(services); // defined elsewhere in the project
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment()) {
            app.UseDeveloperExceptionPage();
            app.UseSwagger();
            app.UseSwaggerUI(c => c.SwaggerEndpoint("/swagger/v1/swagger.json", "MarvalAPI v1"));
        }

        app.UseHttpsRedirection();

        app.UseRouting();

        app.UseAuthentication(); // this is added, everything else is by default
        app.UseAuthorization();

        app.UseEndpoints(endpoints => {
            endpoints.MapControllers();
        });
    }
}

Testing:

  1. GET client reference token from identity "/connect/token" endpoint
  2. GET API's endpoint with added header "Authorization: Bearer {token}"
  3. Receive 401 Unauthorized

Things I have tried:

  • Different Startup.cs configurations
  • Tried validating token via identity "/connect/accesstokenvalidation" endpoint, token is valid.
  • Different apiname/apisecret values, because not 100% sure what they have to be.
  • Googled to no avail

I am at a loss here, am I doing something totally wrong? Is this just a compatibility issue? Or am I just not understanding anything at all? Seems like clear documentation is scarce and users have to draw out information.

Sources used

https://github.com/IdentityServer/CrossVersionIntegrationTests/blob/main/src/CoreApiIdSrv3/Startup.cs

https://github.com/IdentityServer/IdentityServer4.AccessTokenValidation

IdentityServer3 documentation

SO / github/identityserver3 threads.

1 Answer

Well, some time after making this post I figured it out.

options.ApiName = "";
options.ApiSecret = "";

ApiName is the name of the scope which the client uses, so in this case the value should be api.

ApiSecret is the PRE-HASHED value of the scope secret.

e.g. if the secret value is "test" and its SHA256 value is 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08, then the ApiSecret value should be test

So, after figuring this out, the above options config should look like this:

options.ApiName = "api";
options.ApiSecret = "test";

Note: SHA512 works as well.

To me this seems like a major naming issue.

I solved this after analysing this VS solution:

https://github.com/IdentityServer/CrossVersionIntegrationTests
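The exchange behind the fix above, as an added example (it is not code from the question, the answer, or the IdentityServer projects): the API middleware sends ApiName:ApiSecret as HTTP Basic credentials to the introspection endpoint, IdentityServer3 hashes the presented secret and compares it with the hash it stored, and only an active token carrying the "api" scope passes the ScopePolicy filter. The stores, token handles, client ids and the hash-selection-by-length rule are assumptions constructed for illustration, not IdentityServer3's exact validator code.

```python
import base64
import hashlib
import hmac
from typing import Dict, List, Tuple

# --- Constructed sample data (not real credentials) -------------------------
# What IdentityAdmin would have stored for the "api" scope after entering the
# SharedSecret "test": IdentityServer3 keeps only the Base64 SHA-256 of it.
SCOPE_NAME = "api"
SCOPE_SECRET_PLAINTEXT = "test"


def hash_secret(secret: str, algo: str = "sha256") -> str:
    """Hash a shared secret the way IdentityServer3 stores it: Base64 of the
    SHA-256 (or SHA-512) digest of the UTF-8 bytes."""
    digest = hashlib.new(algo, secret.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


# scope name -> list of stored (hashed) secrets
SCOPE_STORE: Dict[str, List[str]] = {SCOPE_NAME: [hash_secret(SCOPE_SECRET_PLAINTEXT)]}
# opaque reference-token handle -> data the server persisted when /connect/token issued it
TOKEN_STORE: Dict[str, Dict] = {
    "opaque-ref-token-1": {"client_id": "marval-client", "scope": ["api"]},
    "opaque-ref-token-2": {"client_id": "other-client", "scope": ["openid"]},
}


def build_introspection_request(api_name: str, api_secret: str, token: str) -> dict:
    """What the AccessTokenValidation middleware sends for a reference token:
    HTTP Basic credentials ApiName:ApiSecret (the PLAINTEXT secret; hashing
    happens only on the server) plus the token in the form body."""
    creds = base64.b64encode(f"{api_name}:{api_secret}".encode("utf-8")).decode("ascii")
    return {"headers": {"Authorization": f"Basic {creds}"}, "form": {"token": token}}


def verify_secret(presented: str, stored_hashes: List[str]) -> bool:
    """Simplified model (an assumption, not the library's code) of the hashed
    secret check: pick the digest by the length of the stored Base64 hash
    (44 chars = SHA-256, 88 chars = SHA-512) and compare in constant time."""
    for stored in stored_hashes:
        if len(stored) == 44:
            candidate = hash_secret(presented, "sha256")
        elif len(stored) == 88:
            candidate = hash_secret(presented, "sha512")
        else:
            continue
        if hmac.compare_digest(candidate, stored):
            return True
    return False


def introspect(request: dict, scope_store: Dict[str, List[str]],
               token_store: Dict[str, Dict]) -> Tuple[int, dict]:
    """Server side of the introspection call, returning (http_status, json_body).
    Bad API credentials -> 401; unknown or revoked token -> 200 {"active": false}."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "missing_credentials"}
    try:
        api_name, _, api_secret = base64.b64decode(auth[6:]).decode("utf-8").partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return 401, {"error": "malformed_credentials"}
    if api_name not in scope_store or not verify_secret(api_secret, scope_store[api_name]):
        return 401, {"error": "invalid_api_credentials"}
    token = token_store.get(request["form"].get("token", ""))
    if token is None:
        return 200, {"active": False}
    return 200, {"active": True, "client_id": token["client_id"], "scope": " ".join(token["scope"])}


def call_api(api_name: str, api_secret: str, bearer_token: str, required_scope: str = SCOPE_NAME) -> int:
    """Status the API returns to a caller sending 'Authorization: Bearer <token>':
    401 when the token cannot be validated (including when the API's own
    ApiName/ApiSecret are rejected by introspection), 403 when the token is
    valid but lacks the scope ScopePolicy requires, otherwise 200."""
    req = build_introspection_request(api_name, api_secret, bearer_token)
    status, body = introspect(req, SCOPE_STORE, TOKEN_STORE)
    if status != 200 or not body.get("active"):
        return 401
    if required_scope not in body["scope"].split():
        return 403
    return 200


if __name__ == "__main__":
    # The answer's configuration: ApiName = scope name, ApiSecret = plaintext secret.
    print(call_api("api", "test", "opaque-ref-token-1"))  # 200
    # The hex SHA-256 of "test" from the answer used as ApiSecret: the caller sees 401.
    print(call_api("api", hashlib.sha256(b"test").hexdigest(), "opaque-ref-token-1"))  # 401
    # Client id instead of scope name as ApiName: also 401.
    print(call_api("marval-client", "test", "opaque-ref-token-1"))  # 401
    # Valid token without the "api" scope: 403 from ScopePolicy.
    print(call_api("api", "test", "opaque-ref-token-2"))  # 403
```

The middle two calls reproduce the question's symptom: any mistake in ApiName or ApiSecret surfaces to the API caller as a plain 401, identical to an invalid token, which is why the token validating fine at the server did not narrow the problem down.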