
A .NET Core 2.0 Web API, set up using OpenIddict with the implicit flow. My identity server and resource server are in different projects. I have test cases to ensure that an authorized user gets access, but users with a valid access token are being denied and receive a 401 status code. The resource and clientId are equal when using the introspection endpoint. The access_token is valid (checked on http://calebb.net/). Not sure what I'm missing.

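// Auth Server
/// <summary>
/// Wires up the authorization server: MVC, the EF Core identity context with
/// the OpenIddict entity sets, the OpenIddict server endpoints (implicit flow,
/// JWT access tokens), bearer-token authentication for this server's own
/// protected endpoints, and the role-based authorization policies.
/// </summary>
/// <param name="services">The application's service collection.</param>
public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();

    // Read the connection string once and reuse it for the single context
    // registration below.
    var connection = Configuration.GetConnectionString("DefaultConnection");

    // Register the identity context exactly once. The original registered it
    // twice, the second time without UseOpenIddict(); EF Core registers the
    // context options with TryAdd, so the later registration was effectively
    // ignored — keeping one registration removes the dependence on that order.
    services.AddDbContext<IdentityDbContext>(options =>
    {
        options.UseSqlServer(connection);
        // Add the OpenIddict entity sets to the same context so the
        // EF Core stores registered below can use it.
        options.UseOpenIddict();
    });

    services.AddOpenIddict(options =>
    {
        // Register the Entity Framework stores.
        options.AddEntityFrameworkCoreStores<IdentityDbContext>();

        // Register the MVC binders OpenIddict uses for incoming requests.
        options.AddMvcBinders();

        // Enable the authorization, logout, introspection, token and userinfo
        // endpoints. The introspection endpoint is what the resource server's
        // OAuthIntrospection handler calls to validate bearer tokens.
        options.EnableAuthorizationEndpoint("/connect/authorize")
               .EnableLogoutEndpoint("/connect/logout")
               .EnableIntrospectionEndpoint("/connect/introspect")
               .EnableTokenEndpoint("/connect/token")
               .EnableUserinfoEndpoint("/api/userinfo");

        // Only the implicit flow is enabled.
        options.AllowImplicitFlow();

        // Register a new ephemeral key, that is discarded when the application
        // shuts down. Tokens signed using this key are automatically invalidated.
        // This method should only be used during development.
        options.AddEphemeralSigningKey();

        //options.AddSigningCertificate(_cert);

        // Issue access tokens as JWTs rather than opaque tokens.
        options.UseJsonWebTokens();

        // During development, you can disable the HTTPS requirement.
        options.DisableHttpsRequirement();
    });

    services.AddScoped<IUserRepository, UserRepository>();

    // NOTE(review): the OAuth validation handler validates opaque tokens, not
    // JWTs; with UseJsonWebTokens() above, bearer tokens presented to this
    // server's own protected endpoints (e.g. /api/userinfo) would presumably be
    // rejected. A JWT bearer handler is the usual pairing — confirm against the
    // OpenIddict version in use before changing it.
    services.AddAuthentication(o =>
    {
        o.DefaultAuthenticateScheme = OAuthValidationDefaults.AuthenticationScheme;
        o.DefaultChallengeScheme = OAuthValidationDefaults.AuthenticationScheme;
    })
    .AddOAuthValidation();

    // Role-based policies; the role claim type must match what the tokens carry.
    services.AddAuthorization(options =>
    {
        options.AddPolicy("RequiredApplicationManagerRole", policy => policy.RequireRole("ApplicationManager"));
        options.AddPolicy("RequireAdministratorRole", policy => policy.RequireRole("Administrator"));
        options.AddPolicy("RequireUserRole", policy => policy.RequireRole("User"));
    });

    //services.AddDataProtection(opts =>
    //{
    //    opts.ApplicationDiscriminator = "identity";
    //});
}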

Resource Server

  /// <summary>
  /// Registers authentication for the resource server: every bearer token is
  /// validated by calling the authorization server's introspection endpoint
  /// (OAuth introspection is the default scheme), plus the HTTP context
  /// accessor and identity service the API depends on.
  /// </summary>
  /// <param name="services">The application's service collection.</param>
  private void ConfigureAuthService(IServiceCollection services)
  {
      // The resource server is registered at the authorization server under
      // this single identifier, used both as the expected audience and as the
      // client id for the introspection request.
      const string resourceId = "resource-server-1";
      var authority = new Uri("http://localhost:49819/");

      services
          .AddAuthentication(options => options.DefaultScheme = OAuthIntrospectionDefaults.AuthenticationScheme)
          .AddOAuthIntrospection(options =>
          {
              options.Authority = authority;
              // NOTE(review): the comment thread under this question reports that
              // removing this Audiences entry cleared the 401s; that is consistent
              // with the issued tokens carrying no matching aud claim — verify
              // which resources the authorization server puts on its tickets
              // rather than dropping the audience check.
              options.Audiences.Add(resourceId);
              options.ClientId = resourceId;
              // NOTE(review): the introspection secret is a literal in source and
              // the authority is plain http with metadata HTTPS disabled; keep that
              // to local development and move the secret to configuration.
              options.ClientSecret = "ClientSecret";
              options.RequireHttpsMetadata = false;

              // Note: you can override the default name and role claims:
              // options.NameClaimType = "custom_name_claim";
              //options.RoleClaimType = "Administrator";
          });

      services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
      services.AddTransient<IIdentityService, IdentityService>();
  }

Satish
  • Any chance you could share your server logs? It will tell you why the introspection request was rejected. – Kévin Chalet Nov 24 '17 at 16:11
  • During the trial and error run, when I removed Audiences from resources server, then it works. Ref : https://github.com/openiddict/openiddict-core/issues/180. I hope the changes made are correct? – Satish Nov 27 '17 at 12:25
  • Introspection doesn't work in Docker, but the same code works without it. Getting this error in Postman:
    IOException: IDX10804: Unable to retrieve document from: 'http://localhost:32774/.well-known/openid-configuration'.

    Microsoft.IdentityModel.Protocols.HttpDocumentRetriever+<GetDocumentAsync>d__8.MoveNext()

    InvalidOperationException: IDX10803: Unable to obtain configuration from: 'http://localhost:32774/.well-known/openid-configuration'.
    – Satish Nov 30 '17 at 12:04
  • And following error in server logs. The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool. – Satish Nov 30 '17 at 12:06
