OK, so I tried hosting the simplest OAuth sample and the identity server both on IIS, and I have enabled CORS on the simplest OAuth sample. When I test the API using the JavaScript implicit client on IIS Express it works flawlessly: it gets the token, then when the token is sent the Web API checks the token and authorizes the JavaScript client. The problem happens when the JavaScript implicit client, the identity server, and the simple OAuth Web API are hosted on IIS: the JavaScript brings back the token correctly, but when the token is sent to the Web API it always returns 401 Unauthorized. So is there any configuration I have to add in order to run it on IIS? I have made sure that anonymous authentication is the only enabled authentication mode. Any help or pointer is deeply appreciated.

I am trying to implement the samples given on IIS. Thanks for the help.

yon86

1 Answer

I had the same issue. It was coming from my self-signed certificate.

Try adding to your IdentityServerOptions

RequireSsl = false

and switch the WebApi Authority to use http.

Edit

Server Side Configuration

    public void ConfigureIdentityServer(IAppBuilder app)
    {
        // Configure logging
        LogProvider.SetCurrentLogProvider(new DiagnosticsTraceLogProvider());
        // This uses a Factory class that generates the clients, users and scopes, as seen in the examples
        var IdentityFactory = Factory.Configure("DefaultConnection");

        app.Map("/identity", idsrvApp =>
        {
            idsrvApp.UseIdentityServer(new IdentityServerOptions
            {
                SiteName = "Security Proof of Concept",
                SigningCertificate = LoadCertificate(),
                Factory = IdentityFactory,
                CorsPolicy = CorsPolicy.AllowAll,
                RequireSsl = false
            });
        });
    }

JavaScript

After receiving the token, make sure it's inserted in the Authorization header.

jQuery Example

    $.ajax({
        url: 'http://your.url',
        type: 'GET',
        beforeSend: function (xhr) {
            xhr.withCredentials = true;
            // Send the access token as a bearer token
            xhr.setRequestHeader("Authorization", "Bearer " + apiToken);
        }
    });

WebApi Resource

    app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
    {
        // Location of the identity server; use the full URL and port
        Authority = "http://localhost/identity",
        RequiredScopes = new[] { "WebApiResource" }
        // Determines if the API pings the identity server for validation or will decrypt the token by itself
        //ValidationMode = ValidationMode.Local
    });

The best way to determine what is happening is to enable logging.

Derek S
  • I have both the resource server and identity server running on http but I get the same result. Could you give me a step-by-step detail? – yon86 Mar 03 '15 at 13:42
  • Thank you Derek, it works now. I can't mark it as answer, so could someone mark it as an answer? Thanks – yon86 Mar 08 '15 at 13:54
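
Added example (not part of the original answer or the IdentityServer samples): a JavaScript check that decodes the access token's claims and lists likely causes of the 401 discussed above, such as an `iss` whose scheme differs from the Web API's `Authority`. It assumes the access token is a JWT and that the issuer should equal the Authority URL; `diagnoseToken` and `sampleToken` are hypothetical helper names, and the sample token is constructed.

```javascript
// Added example, not from the original answer. Assumes the access token is a
// JWT and that the API expects "iss" to equal its configured Authority.
function b64urlDecode(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return typeof atob === 'function'
    ? atob(padded)
    : Buffer.from(padded, 'base64').toString('binary');
}

// Lists likely reasons for a 401. Claims are only inspected here; the
// signature is NOT verified, so never use this to accept a token.
function diagnoseToken(token, authority, requiredScope, nowSeconds) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return ['token is not a three-part JWT'];
  let claims;
  try {
    claims = JSON.parse(b64urlDecode(parts[1]));
  } catch (e) {
    return ['payload is not base64url-encoded JSON'];
  }
  const problems = [];
  const norm = (u) => String(u || '').replace(/\/+$/, '').toLowerCase();
  const iss = norm(claims.iss);
  const want = norm(authority);
  if (iss !== want) {
    const hostPath = (u) => u.replace(/^https?:/, '');
    problems.push(hostPath(iss) === hostPath(want)
      ? 'issuer scheme differs from Authority (http vs https): ' + claims.iss
      : 'issuer does not match Authority: ' + claims.iss);
  }
  // The scope claim may be a single string or an array of strings.
  const scopes = Array.isArray(claims.scope)
    ? claims.scope
    : String(claims.scope || '').split(' ');
  if (!scopes.includes(requiredScope)) problems.push('missing scope: ' + requiredScope);
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    problems.push('token is expired or has no exp claim');
  }
  return problems;
}

// Constructed, unsigned sample token for testing (Node-only helper).
function sampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return enc({ alg: 'RS256', typ: 'JWT' }) + '.' + enc(claims) + '.sig';
}
```

In the browser, call `diagnoseToken(apiToken, 'http://localhost/identity', 'WebApiResource', Math.floor(Date.now() / 1000))` right after the implicit client receives the token and compare the result with the server-side log.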