
I am developing a simple web app in ASP.NET Core 2.0 to test IdentityServer 4's implementation. I have created a new project (WebApplication (Model-View-Controller)). I can successfully generate an accessToken and refreshToken using the TokenClient.RequestRefreshTokenAsync method, but when I am trying to call any action that has the Authorize attribute on it, it gives me the login page as HTML in Postman's response section. I have also passed the accessToken in the Authorization header of the call. I am doing it for the first time, so I think I have some issue in the startup file. Here is the code:

// Startup.ConfigureServices as posted: IdentityServer and ASP.NET Identity
// (cookie scheme) are registered, but no bearer-token scheme is.
public void ConfigureServices(IServiceCollection services)
{
    services.AddDbContext<ApplicationDbContext>(options =>
        options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));

    services.AddScoped<Microsoft.AspNetCore.Identity.IUserClaimsPrincipalFactory<ApplicationUser>, AppClaimsPrincipalFactory>();

    // configure identity server with in-memory stores, keys, clients and scopes
    services.AddIdentityServer()
        .AddDeveloperSigningCredential()
        .AddInMemoryPersistedGrants()
        .AddInMemoryIdentityResources(Config.GetIdentityResources())
        .AddInMemoryApiResources(Config.GetApiResources())
        .AddInMemoryClients(Config.GetClients())
        .AddAspNetIdentity<ApplicationUser>();

    // ASP.NET Identity: registers the "Identity.Application" cookie scheme
    // and makes it the default authentication scheme.
    services.AddIdentity<ApplicationUser, IdentityRole>()
        .AddEntityFrameworkStores<ApplicationDbContext>()
        .AddDefaultTokenProviders();

    // Add application services.
    services.AddTransient<IEmailSender, EmailSender>();

    services.AddMvc();
}

And here is the action that is creating a token:

// Uses the IdentityModel DiscoveryClient/TokenClient (2.x API) to obtain a
// token via the resource owner password grant for the "ro.client" client.
var disco = await DiscoveryClient.GetAsync("http://localhost:5000");
if (disco.IsError)
{
    Console.WriteLine(disco.Error);
    return BadRequest();
}

var tokenClient = new TokenClient(disco.TokenEndpoint, "ro.client", "secret");

// Requests an access token scoped to the "api1" API resource.
var tokenResponse = await tokenClient.RequestResourceOwnerPasswordAsync(model.Email, model.Password, "api1");

and here is the action with Authorize Attribute:

[HttpGet]
[Authorize]
public ObjectResult Test()
{
    return new ObjectResult(Ok());
}

and here is the Postman call: [screenshot]

Can anybody tell me what I am doing wrong? Thanks.


I can't see any setup here that tells me you have enabled token-based authorization, which is what you are trying to do based on the Postman call. It looks like your server is only using cookies, but you want to authenticate via bearer token.

You need to implement Bearer-based authentication on your protected server and point it to your ID4 implementation.

E.g., the API server setup could look something like this:

// Registers the "Bearer" scheme (from the IdentityServer4.AccessTokenValidation
// package) and validates incoming JWTs against the IdentityServer instance.
services.AddAuthentication("Bearer")
    .AddIdentityServerAuthentication(options =>
    {
        options.Authority = "http://localhost:5000"; // This is your ID4 server
        options.RequireHttpsMetadata = false;        // development only

        options.ApiName = "api1";                    // must match the token's audience
    });

Have a read of this page, which explains which NuGet package to install as well as how to configure protection using tokens: http://docs.identityserver.io/en/release/quickstarts/1_client_credentials.html

Aeseir
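Because the asker hosts IdentityServer, the ASP.NET Identity cookie scheme and the API in one project, registering the Bearer scheme alone is not quite enough: a bare `[Authorize]` still challenges with the default (cookie) scheme and redirects to the login page. The following Startup, added here as an example and not the asker's or answerer's code, registers Bearer alongside the cookie scheme and pins the API action to it; it assumes the IdentityServer4.AccessTokenValidation package is referenced and that "api1" matches the API resource in Config.cs.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // AddDbContext / AddIdentityServer / AddIdentity exactly as in the question.
        // AddIdentity makes "Identity.Application" (cookie) the default scheme,
        // which is what the IdentityServer login UI needs; leave that alone.

        // Add the "Bearer" scheme without changing the default scheme.
        services.AddAuthentication()
            .AddIdentityServerAuthentication("Bearer", options =>
            {
                options.Authority = "http://localhost:5000"; // the same host
                options.RequireHttpsMetadata = false;        // development only
                options.ApiName = "api1";                    // token must carry aud "api1"
            });

        // Optional: a reusable policy for API endpoints instead of naming the
        // scheme on every attribute.
        services.AddAuthorization(o => o.AddPolicy("ApiBearer", p =>
        {
            p.AddAuthenticationSchemes("Bearer");
            p.RequireAuthenticatedUser();
        }));

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseIdentityServer(); // also calls UseAuthentication()
        app.UseMvcWithDefaultRoute();
    }
}

[Route("api/[controller]")]
public class TestController : Controller
{
    // Selecting the Bearer scheme means a missing or invalid token now yields
    // 401 with a WWW-Authenticate header instead of the login page HTML.
    [HttpGet, Authorize(AuthenticationSchemes = "Bearer")]
    public IActionResult Get() => Ok(new { sub = User.FindFirst("sub")?.Value });
}
```

With this in place the Postman call with `Authorization: Bearer <accessToken>` returns the JSON body, and a request without a token gets a 401 rather than a redirect.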