
So, I have IdentityServer4 set up in a separate app that will be referenced in the code by WebConfigurationManager.AppSettings["IdentityServer:Authority"].

I have a .NET Framework 4.6.1 WebApi app that needs to hit this app to authenticate requests. I have the WebApi app set up as an ApiResource "mywebppi" in the IdentityServer4 app.

In a .NET Core app, this is simply done by adding the following code in Startup.cs:

```csharp
services.AddAuthentication(Authentication.Bearer)
    .AddJwtBearer(Authentication.Bearer, options =>
    {
        options.Authority = Configuration.GetSection("IdentityServer:Authority").Value;
        options.RequireHttpsMetadata = false;
        options.Audience = "mywebppi";
    });
```

But, since this is a .NET Framework 4.6.1 WebApi app, I cannot do that. I read that you can utilize IdentityServer3.AccessTokenValidation and Owin to do this, but since the IdentityServer3 NuGet package relies on IdentityModel 1.9.2 to 2.0.0 and my WebApi app already uses IdentityModel 3.10.10 and cannot be downgraded that far, this is not an option.

I found a suggestion elsewhere to use Owin's UseOpenIdConnectAuthentication. I tried this:

```csharp
using System.Web.Configuration;
using Microsoft.Owin;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

[assembly: OwinStartup(typeof(MyWebApi.Startup))]

namespace MyWebApi
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType("Bearer");
            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                Authority = WebConfigurationManager.AppSettings["IdentityServer:Authority"],
                Scope = "mywebapi",
                ResponseType = "id_token",
                UseTokenLifetime = false,
                RequireHttpsMetadata = false,
                AuthenticationMode = Microsoft.Owin.Security.AuthenticationMode.Passive,
                SignInAsAuthenticationType = "Bearer"
            });
        }
    }
}
```

But, I keep getting "Message": "Authorization has been denied for this request."

ScubaSteve

1 Answer


I would suggest you turn on OWIN logs on the Web API to be able to see the details of the issue. Here is a sample for setting the log to NLog

nahidf
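One way to do what the answer above suggests, as an added example that is not the answerer's sample or code from the post: an adapter that routes OWIN (Katana) middleware diagnostics into NLog. The names NLogOwinLoggerFactory and OwinDiagnostics are hypothetical, and the block assumes the NLog package is installed with a configuration that captures these loggers.

```csharp
using System;
using System.Diagnostics;
using Microsoft.Owin.Logging;
using Owin;

// Hypothetical adapter (names are not from the post): forwards OWIN/Katana
// middleware diagnostics to NLog loggers of the same name.
public sealed class NLogOwinLoggerFactory : ILoggerFactory
{
    public ILogger Create(string name) { return new NLogOwinLogger(NLog.LogManager.GetLogger(name)); }

    private sealed class NLogOwinLogger : ILogger
    {
        private readonly NLog.Logger _log;
        public NLogOwinLogger(NLog.Logger log) { _log = log; }

        public bool WriteCore(TraceEventType eventType, int eventId, object state,
            Exception exception, Func<object, Exception, string> formatter)
        {
            NLog.LogLevel level = Map(eventType);
            bool enabled = _log.IsEnabled(level);
            // Katana probes "is this level enabled?" by passing a null formatter.
            if (formatter == null || !enabled) return enabled;
            var entry = new NLog.LogEventInfo(level, _log.Name, formatter(state, exception)) { Exception = exception };
            _log.Log(entry);
            return true;
        }
        private static NLog.LogLevel Map(TraceEventType type)
        {
            switch (type)
            {
                case TraceEventType.Critical: return NLog.LogLevel.Fatal;
                case TraceEventType.Error: return NLog.LogLevel.Error;
                case TraceEventType.Warning: return NLog.LogLevel.Warn;
                case TraceEventType.Information: return NLog.LogLevel.Info;
                case TraceEventType.Verbose: return NLog.LogLevel.Debug;
                default: return NLog.LogLevel.Trace;
            }
        }
    }
}

public static class OwinDiagnostics
{
    // Call first in Startup.Configuration, before any authentication middleware is added.
    public static void UseNLog(IAppBuilder app) { app.SetLoggerFactory(new NLogOwinLoggerFactory()); }
}
```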