1

I am making the API call after the successfully login through Identity server from my vue application (SPA).

Firstly i was adding the Access token in the Header and it was Authorize but i was not getting the claim. Which i have the separate Question on SO, and now i tried by removing the access token from the header during API call the application is still being Authorized.

I don't understand how i should solve the problem. 

service.interceptors.request.use(config => {
  return authService
    .getToken()
    .then(tokenResponse => {
      app.$Progress.start();
      //config.headers.Authorization = `Bearer ${tokenResponse}`; removed Token
      return Promise.resolve(config);
    })
    .catch(error => {
      app.prototype.$Progress.fail();
      alert("error");
    });
});

Oidc Client Manager

export default {
    authority: "https://localhost:44305",
    client_id: "js",
    redirect_uri: `${domain}/authredirect`,
    response_type: "id_token token",
    scope:"openid profile email api1 role",
    post_logout_redirect_uri : `${domain}`,
    silent_redirect_uri: `${domain}/silent`,
}

Identity Server Client Configuration

new Client

    {
        ClientId = "js",
        ClientName = "JavaScript Client",
        AllowedGrantTypes = GrantTypes.Implicit,
        AllowAccessTokensViaBrowser = true,
        AlwaysIncludeUserClaimsInIdToken = true,
        RedirectUris =            new List<string> {"http://localhost:8080/silent","http://localhost:8080/authredirect"},
        PostLogoutRedirectUris =   { "http://localhost:8080" },
        AllowedCorsOrigins =     { "http://localhost:8080" },

        AllowedScopes =
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
             IdentityServerConstants.StandardScopes.Email,
            "api1",
            "role"
        }
    }

API Configure Services

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvcCore().AddJsonFormatters();

    services.AddAuthorization();
    services.AddCors(options =>
    {
        // this defines a CORS policy called "default"
        options.AddPolicy("default", policy =>
        {
            policy.WithOrigins("http://localhost:8080")
                .AllowAnyHeader()
                .AllowAnyMethod();
        });
    });

    var connectionString = Configuration.GetConnectionString("DefaultConnection");
    services.AddDbContext<MyContext>(o => o.UseSqlServer(connectionString));
    services.AddIdentity<User, IdentityRole<Guid>>().AddEntityFrameworkStores<MyContext>().AddDefaultTokenProviders();

    // register the repository
    services.AddScoped(typeof(IRepository<>), typeof(EfRepository<>));

    services.AddMvcCore().AddJsonFormatters();
}

I have added the Project on Github. Please suggest me something. Link for Project not available currently, i will add again

Image showing my Controller with [Authorize] attribute and debugging on the value for User.Identity

Rasik
  • 1,961
  • 3
  • 35
  • 72
  • Do you have any cookies in play in your API app? – mackie May 09 '18 at 08:18
  • No i am not managing any cookies by myself. – Rasik May 09 '18 at 08:29
  • Do you definitely have the [Authorize] attribute on your API controller/actions? What does User.Identity return inside you API actions? – mackie May 09 '18 at 08:34
  • Yeah i have the [Authorize] attribute on my actions. and i User.Identity is null. – Rasik May 09 '18 at 08:40
  • @mackie i have attached the screenshot with the `User.Identity`. – Rasik May 09 '18 at 08:55
  • The fact it's hitting your action code with no identity suggests a configuration problem with MVC. What does your pipeline look like in Configure()? – mackie May 09 '18 at 09:42
  • https://github.com/aakashbashyal21/VueJsIndentiyServer4/blob/master/IdentityServer/Veritty.Admin/Startup.cs ... you can see here. – Rasik May 09 '18 at 09:53
  • You may need to specify the scheme name in the Authorize attribute in order to tell it to use "Bearer" – mackie May 09 '18 at 10:08
  • I used `[Authorize(AuthenticationSchemes = "Bearer")]`. Still it is authorized. – Rasik May 09 '18 at 10:58
  • Try looking at the logs, they should output debug and info messages about what it's doing in the auth pipeline – mackie May 09 '18 at 12:17
  • yeah I was missing the 'DefaultChallengeScheme'. I have added the answer on my question. – Rasik May 09 '18 at 12:24

1 Answers1

1

I was able to solved the problems on this.

I was missing the DefaultChallengeScheme on my API ConfigureServices

services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = IdentityServerAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = "oidc";
})
.AddIdentityServerAuthentication(options =>
{
  options.Authority = "https://localhost:44305";
  options.RequireHttpsMetadata = false;
  options.ApiName = "api1";
});
Rasik
  • 1,961
  • 3
  • 35
  • 72