
So I have the following setup:

Frontend: AngularJS App

Backend: WebApi with Identity Server to validate clients

In my backend I create a new in-memory client like so:

    // IdentityServer3 in-memory client registration (one element of the client list)
    new Client
    {
        Enabled = true,
        ClientId = "myapp.mycompany",            // must equal the client_id the SPA sends
        ClientUri = "https://myapp.mycompany.com",
        ClientName = "My Client",
        Flow = Flows.Implicit,                    // browser client: response_type "id_token token"
        AllowAccessToAllScopes = true,
        IdentityTokenLifetime = 300,              // seconds
        AccessTokenLifetime = 3600,               // seconds
        RequireConsent = false,
        RedirectUris = new List<string>           // exact-match allow-list for redirect_uri
        {
            "https://myapp.mycompany.com/assets/idSrv/callback.html",
            "https://myapp.mycompany.com/assets/idSrv/silentrefreshframe.html"
        },
        PostLogoutRedirectUris = new List<string>
        {
            "https://myapp.mycompany.com/index.html"
        }
    },

In my front-end I have the following code that declares the client; I use the oidc-token-manager.js client:

    // Inside an AngularJS factory; `protocol` and `isDebugging` are defined elsewhere in the app
    var authority = 'https://sts.mycompany.com/identity';

    return {
        baseUri: protocol,
        tokenConfig: {
            'client_id': 'myapp.mycompany',
            'authority': authority,
            'redirect_uri': 'https://myapp.mycompany.com/assets/idSrv/callback.html',
            'post_logout_redirect_uri': 'https://myapp.mycompany.com/index.html',
            'response_type': 'id_token token',   // implicit flow: id_token plus access token
            'scope': 'openid profile roleScope webApiScope',
            'silent_redirect_uri': 'https://myapp.mycompany.com/assets/idSrv/silentrefreshframe.html',
            'silent_renew': true
        },
        isDebugging: isDebugging
    };

When I try to access my website at:

http://myapp.mycompany.com

I get the following error:

The client application is not known or is not authorized.

I have enabled logging; this is what I get:

    "Unknown client or not enabled: myapp.mycompany"
    "{
      \"RedirectUri\": \"https://myapp.mycompany.com/assets/idSrv/callback.html\",
      \"SubjectId\": \"unknown\",
      \"Flow\": \"AuthorizationCode\",
      \"RequestedScopes\": \"\",
      \"Raw\": {
        \"state\": \"18141519257414835\",
        \"nonce\": \"8585758378803323\",
        \"client_id\": \"myapp.mycompany\",
        \"redirect_uri\": \"https://myapp.mycompany.com/assets/idSrv/callback.html\",
        \"response_type\": \"id_token token\",
        \"scope\": \"openid profile roleScope webApiScope\"
      }
    }"

    End authorize request
    3001: "Endpoint failure" / "Endpoints" (Failure), Context: EventContext { ..., Details: EndpointDetail { EndpointName: "authorize" }
asked by Eric Bergman, edited by Vikas Sardana
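An added example, not code from the question, from oidc-token-manager or from IdentityServer: it models in JavaScript the checks an OpenID Connect provider runs on the authorize request above against its registered clients, so each failure the page talks about has a concrete trigger: a client_id that is not registered with the STS the `authority` points to, a `response_type` that implies a different flow than the client is registered for, a `redirect_uri` that is not an exact match, a missing nonce, and a scope the client may not request. The `/connect/authorize` path, the field names and the explicit scope allow-list are assumptions chosen to mirror the question's client object.

```javascript
// Added example: a minimal model of authorize-request validation for an implicit-flow
// client. Not IdentityServer3 code; endpoint path and field names are assumptions.

// Registered clients (constructed from the question's in-memory Client object).
const registeredClients = [{
  clientId: 'myapp.mycompany',
  enabled: true,
  flow: 'Implicit',
  redirectUris: [
    'https://myapp.mycompany.com/assets/idSrv/callback.html',
    'https://myapp.mycompany.com/assets/idSrv/silentrefreshframe.html',
  ],
  // The question uses AllowAccessToAllScopes = true; an explicit allow-list is used
  // here (assumption) because that is the safer configuration to demonstrate.
  allowedScopes: ['openid', 'profile', 'roleScope', 'webApiScope'],
}];

// The browser client's tokenConfig from the question.
const tokenConfig = {
  client_id: 'myapp.mycompany',
  authority: 'https://sts.mycompany.com/identity',
  redirect_uri: 'https://myapp.mycompany.com/assets/idSrv/callback.html',
  response_type: 'id_token token',
  scope: 'openid profile roleScope webApiScope',
};

// response_type is a space-delimited set (OIDC Core 3); normalise order, then map to a flow.
const FLOW_BY_RESPONSE_TYPE = {
  'code': 'AuthorizationCode',
  'id_token': 'Implicit',
  'token': 'Implicit',
  'id_token token': 'Implicit',
  'code id_token': 'Hybrid',
  'code token': 'Hybrid',
  'code id_token token': 'Hybrid',
};
function flowFor(responseType) {
  const key = (responseType || '').trim().split(/\s+/).filter(Boolean).sort().join(' ');
  return FLOW_BY_RESPONSE_TYPE[key] || null;
}

// Client side: build the request the browser sends (assumed '/connect/authorize' path).
function buildAuthorizeUrl(cfg, state, nonce) {
  const url = new URL(cfg.authority.replace(/\/+$/, '') + '/connect/authorize');
  const params = {
    client_id: cfg.client_id, redirect_uri: cfg.redirect_uri,
    response_type: cfg.response_type, scope: cfg.scope, state, nonce,
  };
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  return url.toString();
}

// Server side: validate the request against the registered clients, in the order the
// question's log suggests (client lookup happens before the flow is derived).
function validateAuthorizeRequest(clients, authorizeUrl) {
  const raw = Object.fromEntries(new URL(authorizeUrl).searchParams.entries());
  const fail = (error) => ({ ok: false, error, raw });

  // 1. Exact, case-sensitive lookup by client_id. A disabled client is reported with
  //    the same message so the error does not reveal which client_ids exist.
  const client = clients.find((c) => c.clientId === raw.client_id);
  if (!client || !client.enabled) return fail(`Unknown client or not enabled: ${raw.client_id}`);

  // 2. The requested response_type must imply the flow the client is registered for.
  const flow = flowFor(raw.response_type);
  if (!flow) return fail(`Unsupported response_type: ${raw.response_type}`);
  if (flow !== client.flow) return fail(`Client is registered for ${client.flow}, request implies ${flow}`);

  // 3. redirect_uri must match a registered value exactly (scheme, host, path, no prefix matching).
  if (!client.redirectUris.includes(raw.redirect_uri)) return fail(`Invalid redirect_uri: ${raw.redirect_uri}`);

  // 4. Implicit flow must carry a nonce so the id_token can be bound to this request.
  if (flow === 'Implicit' && !raw.nonce) return fail('nonce is required for implicit flow');

  // 5. openid is required when an id_token is requested; every scope must be allowed.
  const scopes = (raw.scope || '').split(/\s+/).filter(Boolean);
  if (raw.response_type.includes('id_token') && !scopes.includes('openid')) return fail('openid scope is required for id_token');
  const disallowed = scopes.filter((s) => !client.allowedScopes.includes(s));
  if (disallowed.length) return fail(`Scope not allowed: ${disallowed.join(' ')}`);

  return { ok: true, client: client.clientId, flow, scopes, raw };
}

// Usage: the question's request passes against the question's client; the same request
// against an STS that has no such client yields the question's first log line.
const request = buildAuthorizeUrl(tokenConfig, 'state-constructed', 'nonce-constructed');
console.log(validateAuthorizeRequest(registeredClients, request).ok);   // true
console.log(validateAuthorizeRequest([], request).error);               // Unknown client or not enabled: myapp.mycompany
```

The point of step 1 is that the lookup is a plain string match inside whichever process hosts the client store; the request's `Raw` block in the log is otherwise well-formed, so the STS at `authority` simply has no enabled client with that id at the moment it is asked.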

2 Answers


Maybe you have to allow your client root in CORS origins, and I see that the flow is not the same.
I see Implicit flow in your client config, but the server is displaying Authorization code flow!

  "myApp": {
    "ClientId": "spa-myApp",
    "ClientName": "myAppSPA",
    "ClientUri": "http://localhost:4200",
    "RequireConsent": false,
    "AllowedGrantTypes": [ "implicit" ],
    "AllowAccessTokensViaBrowser": true,
    "RedirectUris": [
      "http://localhost:4200/assets/html/popup-login-redirect.html",
      "http://localhost:4200/assets/html/silent-refresh-redirect.html"
    ],
    "PostLogoutRedirectUris": [ "http://localhost:4200?postLogout=true" ],
    "FrontChannelLogoutUri": "http://localhost:4200?frontchannellogout=true",
    "FrontChannelLogoutSessionRequired": true,
    "AllowedCorsOrigins": [ "http://localhost:4200" ], // here you have to add your client root
    "AllowedScopes": [ "openid", "profile", "qsdqsdqs", "qdqsd" ],
    "IdentityTokenLifetime": 18000,
    "AccessTokenLifetime": 18000
  },
Fateh Mohamed
  • I added it to CORS origins, but I still get the same result: "The client application is not known or is not authorized." – Eric Bergman Oct 25 '18 at 19:57
  • The flow doesn't match; check my update of the answer. – Fateh Mohamed Oct 25 '18 at 20:11
  • In the server I use Implicit flow: **Flow = Flows.Implicit**. In my client code I specified the correct values for **scope** and **response_type**. I must mention that I'm using IdentityServer3 and the oidc-token-manager.js client. I did notice that the logs say "AuthorizationCode" for some reason, which doesn't make sense to me; why would the **Flow** convert from **Implicit** to **AuthorizationCode**? – Eric Bergman Oct 25 '18 at 21:07
  • The Flow in the server is Implicit. – Eric Bergman Oct 27 '18 at 17:43

In implicit flow, the redirect_uri is the URI the IdP redirects to after the flow is complete, NOT the callback URL of idsrv. It should be something like http://myapp.mycompany.com/index.html

Leo Bartkus