6

I have 3 projects 1- SPA, 2- Web API Project, 3- Identity (setup using openiddict, ASP.NET Core 2.0 (OpenIddict.dll version 2.0.0.-rc2-0854) with EF Core.

API and Identity Server run successfully, can get the jwt token but, when I try to get value from API method which has Authorize Attribute I get an error:

WWW-Authenticate →Bearer error="invalid_token", error_description="The access token is not valid."

In Application Insights, could see POST /connect/introspect getting called, with result Dependency result code:500 and Dependency code: Http

Same code worked before, not sure which changes break introspect.

configuration in API project

 services.AddAuthentication(options =>
        {
            options.DefaultScheme = OAuthIntrospectionDefaults.AuthenticationScheme;
        })
          .AddOAuthIntrospection(options =>
          {
              options.Authority = new Uri("http://localhost:49888");
              options.ClientId = "my-resource-server";
              options.ClientSecret = "ClientSecret";
              options.RequireHttpsMetadata = false;
          });
        services.AddCors();           
        services.AddMvc()
            .AddJsonOptions(options =>
             {
                 options.SerializerSettings.Formatting = Formatting.None;
             });

Authorized Method

  [HttpGet("GetData/{Id}")]
    [Authorize(AuthenticationSchemes = OAuthIntrospectionDefaults.AuthenticationScheme)]
    [Authorize(Roles = "Admin")]
    public IActionResult GetData(int courseId)
    {
 }

connect/introspect in Identity Project

  private async Task<AuthenticationTicket> CreateTicketAsync(OpenIdConnectRequest request, UserInfo user)
    {
        UserInfo userInfo = await _userRepository.GetUserByCredentials(request.Username, request.Password);

        if (userInfo == null)
        {
            return null;
        }

        // Create a new ClaimsIdentity holding the user identity.
        var identity = new ClaimsIdentity(
            OpenIdConnectServerDefaults.AuthenticationScheme,
            OpenIdConnectConstants.Claims.Name,
             OpenIdConnectConstants.Claims.Role
           );

        // Add a "sub" claim containing the user identifier, and attach
        // the "access_token" destination to allow OpenIddict to store it
        // in the access token, so it can be retrieved from your controllers.
        identity.AddClaim(OpenIdConnectConstants.Claims.Subject,
            user.UserId.ToString(),
            OpenIdConnectConstants.Destinations.AccessToken);
        identity.AddClaim(OpenIdConnectConstants.Claims.Name, user.Name,
            OpenIdConnectConstants.Destinations.AccessToken);

        identity.AddClaim(OpenIdConnectConstants.Claims.Role, user.Role,
           OpenIdConnectConstants.Destinations.AccessToken);

        // ... add other claims, if necessary.
        var principal = new ClaimsPrincipal(identity);

        // Create a new authentication ticket holding the user identity.
        var ticket = new AuthenticationTicket(principal,
            new Microsoft.AspNetCore.Authentication.AuthenticationProperties(),
            OpenIdConnectServerDefaults.AuthenticationScheme);

. .

Satish
  • 99
  • 1
  • 9
  • Please share your authorization server logs. You're likely hitting https://openiddict.github.io/openiddict-documentation/guide/migration.html#if-your-authorization-server-uses-introspection-make-sure-resources-are-set-in-the-authentication-ticket. – Kévin Chalet Feb 16 '18 at 00:31
  • In AuthenticationTicket() added following line new AuthenticationProperties(), In permission field added ["ept:introspection"], still no luck. Not find any entry in System log, following entries from Application Insights Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'. Authorization failed for user: (null). The introspection response was successfully extracted: "active": false. Bearer was not authenticated. Failure message: Authentication failed because the authorization server rejected the access token. – Satish Feb 16 '18 at 14:50
  • These are the resource server logs. Update your question with the authorization server logs (you can find them in VS' output window in the debug menu). – Kévin Chalet Feb 16 '18 at 15:20
  • Oh yes, One of the entry as follows, OpenIddict.OpenIddictProvider:Error: The token 'c75afe3a-8915-45fe-b03e-b0165ad43f37' doesn't have any audience attached and cannot be introspected. To add an audience, use the 'ticket.SetResources(...)' extension when creating the ticket. – Satish Feb 16 '18 at 16:24
  • And have you tried calling the method suggested by the error message? In your case, it should be `ticket.SetResources("my-resource-server")` :P – Kévin Chalet Feb 16 '18 at 16:26
  • following code is present in resource server .AddOAuthIntrospection(options => { options.Authority = new Uri("http://localhost:49888/"); options.Audiences.Add("resource-server-2"); and same entries are present in connect/introspect ticket.SetResources("resource-server-1", "resource-server-2"); – Satish Feb 16 '18 at 16:45
  • In your question, the client identifier of your resource server/API is `my-resource-server`. You must include in the resources list. The `options.Audiences` property on the introspection doesn't have any influence on the security check made by OpenIddict when validating the client is allowed to introspect the token. – Kévin Chalet Feb 16 '18 at 16:47
  • Typo corrected, It looks like ticket.SetResources("resource-server-1", "resource-server-2"); doesn’t add Audience in the token, decoded token don’t show Audience value. I’m missing something? – Satish Feb 17 '18 at 08:13
  • I just tested and it works fine on my machine. If you're still seeing this issue, join me at https://gitter.im/openiddict/openiddict-core so we can figure out what's going on. – Kévin Chalet Feb 17 '18 at 14:07

1 Answers1

4

Starting with RC2, OpenIddict can be officially used with third-party applications (i.e clients you don't own). As such, we can no longer assume that all the registered applications are legit and can freely introspect tokens.

To make things explicit, you now have to specify the list of client identifiers that are able to introspect a token. For that, add the following code when creating the ticket:

var ticket = new AuthenticationTicket(
    new ClaimsPrincipal(identity),
    new AuthenticationProperties(),
    OpenIdConnectServerDefaults.AuthenticationScheme);

ticket.SetResources("tracking_api", "marketing_api");

The resources must exactly match the client_id assigned to your resource servers using the introspection handler:

services.AddAuthentication()
    .AddOAuthIntrospection(options =>
    {
        options.Authority = new Uri("http://localhost:12345/");
        options.ClientId = "marketing_api";
        options.ClientSecret = "846B62D0-DEF9-4215-A99D-86E6B8DAB342";
        options.RequireHttpsMetadata = false;
    });

https://openiddict.github.io/openiddict-documentation/guide/migration.html#if-your-authorization-server-uses-introspection-make-sure-resources-are-set-in-the-authentication-ticket

Kévin Chalet
  • 39,509
  • 7
  • 121
  • 131