
I have an Identity server that was developed on IdentityServer4 (v3.1.2) and a .NET Web API that was developed on .NET Framework 4.6. In the web API, I am using the IdentityServer3 Access Token Validation library (v2.14.0) to validate the incoming requests' tokens.

When I try to access a resource on the .NET web API using a JWT token which was generated by the identity server, I always get a 401 Unauthorized response. I have set up the OWIN middleware as below in the .NET web API.

using IdentityServer3.AccessTokenValidation;
using Owin;
using System.Web.Http;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Validate incoming bearer tokens against the discovery document of this authority
        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = "http://localhost:9080/IdentityServer"
        });

        // Attribute-routed Web API hosted on the same OWIN pipeline, after the token middleware
        var config = new HttpConfiguration();
        config.MapHttpAttributeRoutes();

        app.UseWebApi(config);
    }
}

However, in order to find out whether this is an issue between IdentityServer4 tokens and the IdentityServer3 access token validation library, I have created a separate identity server with the IdentityServer3 library (v2.6.3) and provided a token generated from it to the same web API I used previously (same Startup.cs as above).

This request was authorized successfully and all were working as expected.

My question is:

Is it possible to validate a token from IdentityServer 4 using the IdentityServer 3 access token validation library, or is there something I am doing wrong?

diyath.nelaka
  • Do you get any error message? You can also [trace log](https://identityserver4.readthedocs.io/en/latest/topics/logging.html) on the IDS4 server side. – Nan Yu Mar 03 '20 at 02:23
  • No, I don't get any errors. I enabled the Identity server logs as well, but nothing hits there once a request comes to the web API. One thing I noticed was that once I started the web API (only when started), a log entry on the ID server is printed mentioning the discovery endpoint and jwks uri. Other than that, nothing. – diyath.nelaka Mar 03 '20 at 04:03
  • Sorry, try to trace log on the web API side, not the IDS side. Or you can use Fiddler to trace the request/response, and check whether any inner error message is included with the 401 error. – Nan Yu Mar 03 '20 at 04:17
  • I have enabled the trace log for the OWIN context in the web API. Found out that there is an exception that is caused by an audience mismatch. Apparently, the IdentityServer3 access token validation library checks my token's audience against an audience (/resources) it creates based on the issuer within the library. The token generated from my IDS4 has a different audience than this (/resources). Is there a possibility for me to set the audience on my own rather than letting it be set by the library? – diyath.nelaka Mar 03 '20 at 10:11
  • This may be an issue with the changed token header (explicit type + removed `/resources` audience). Take a look at [this question](https://stackoverflow.com/questions/60079522/upgrading-identityserver4-to-core-3-1-tokens-are-suddenly-not-signed-correctly) + answer for more information. –  Mar 03 '20 at 10:59
  • @Ruard, Thanks. I have checked the link you have provided. In my case the IDS3 validation library adds the "/resources" part by default to the audience. But that's not the only issue. It uses the issuer attribute of my token when checking the audience rather than using the audience attribute value itself. So is there a way I can explicitly specify the necessary audience within the IDS3 validation library or skip the validation of the audience? – diyath.nelaka Mar 04 '20 at 04:11
  • I remember IDS4's access token includes one default audience "/resources"; can you decode the token using a tool like jwt.io to confirm that? – Nan Yu Mar 04 '20 at 09:24
  • @diyath.nelaka Did you also read the [issue](https://github.com/IdentityServer/IdentityServer4/issues/3705)? Can you solve this with the [IdentityServer options](https://identityserver4.readthedocs.io/en/latest/reference/options.html)? –  Mar 04 '20 at 14:22
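The audience mismatch found in the OWIN trace above comes from two changes in IdentityServer4 v3: the `{issuer}/resources` audience that the IdentityServer3.AccessTokenValidation library hard-codes as its expected `aud` is no longer emitted by default, and the JWT `typ` header became `at+jwt`. Both can be reverted on the IdentityServer4 side through `IdentityServerOptions` (the options reference linked in the comment above). The following is an added example, not code from the question, the answer or the IdentityServer project: an ASP.NET Core `Startup` for the IdentityServer4 3.1.x host with those two settings. The issuer URI is taken from the question's `Authority` value; the API resource name, client id and secret are assumptions for illustration only.

```csharp
using System.Collections.Generic;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

// Added example: IdentityServer4 3.1.x host configured so that the tokens it issues pass the
// local JWT validation done by IdentityServer3.AccessTokenValidation in the .NET Framework API.
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer(options =>
        {
            // Must equal the Authority configured in the Web API: the IDS3 validation library
            // builds its expected audience as "<issuer from discovery document>/resources".
            options.IssuerUri = "http://localhost:9080/IdentityServer";

            // IdentityServer4 v3 stopped emitting the "{issuer}/resources" aud claim. Re-enable it
            // so the token carries "http://localhost:9080/IdentityServer/resources".
            options.EmitLegacyResourceAudienceClaim = true;

            // IdentityServer4 v3 also changed the JWT header "typ" from "JWT" to "at+jwt";
            // older validation stacks that check the header need the old value.
            options.AccessTokenJwtType = "JWT";
        })
        .AddDeveloperSigningCredential()            // development only; use a real signing certificate in production
        .AddInMemoryApiResources(new List<ApiResource>
        {
            new ApiResource("api1", "Hypothetical API")   // assumed API resource / scope name
        })
        .AddInMemoryClients(new List<Client>
        {
            new Client
            {
                ClientId = "api-client",                    // assumed client, for illustration
                AllowedGrantTypes = GrantTypes.ClientCredentials,
                ClientSecrets = { new Secret("secret".Sha256()) },
                AllowedScopes = { "api1" }
            }
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseIdentityServer();
    }
}
```

After restarting the identity server, request a fresh token and decode it (jwt.io, as suggested in the comments): the header should show `"typ": "JWT"` and the `aud` claim should include `http://localhost:9080/IdentityServer/resources`, which is exactly the value the IDS3 library derives from the discovery document's issuer. One caveat: the legacy `/resources` audience is shared by every API behind this issuer, so a token for one API is accepted by all of them on the audience check alone; keep the per-API authorization in the validation options (`RequiredScopes` on `IdentityServerBearerTokenAuthenticationOptions`) or move the API to a validation library that checks the real `aud` value.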

1 Answer


I am not sure, but I think your Authority URL is incorrect. I had a similar scenario to yours and I resolved it using the IdentityServer3.AccessTokenValidation NuGet package, and it's working perfectly fine. So I am sure that your issue is not related to the middleware.

Try replacing the code in your Startup.cs file with the code below and everything will work.

using IdentityServer3.AccessTokenValidation;
using Owin;
using System.Web.Http;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Authority is the root of the IdentityServer host, without the "/IdentityServer" path segment
        IdentityServerBearerTokenAuthenticationOptions options = new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = "http://localhost:9080",
            AuthenticationType = "Bearer"
        };

        app.UseIdentityServerBearerTokenAuthentication(options);

        var config = new HttpConfiguration();
        config.MapHttpAttributeRoutes();

        app.UseWebApi(config);
    }
}

I hope this will resolve your issue!

Mahesh More
  • Thanks. I was able to find out using the OWIN logs that the unauthorized response occurred because of audience validation. I have mentioned the current issue in the comment above. Do you have any opinion on that? – diyath.nelaka Mar 04 '20 at 04:16
  • If the logs say invalid audience, then could you please verify your IDS4 URL in the Client and WebApi projects? And keep in mind that this URL is case sensitive. You can decode your JWT token at https://jwt.io. – Mahesh More Mar 04 '20 at 09:05