
Jwt Authentication section from Startup.cs:

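 services.AddAuthentication(options =>
        {
            options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(options =>
        {
            // Reads a boolean switch from configuration. A missing or malformed value
            // falls back to `fallback` instead of silently disabling a check:
            // Convert.ToBoolean(null) yields false (fail-open) and
            // Convert.ToBoolean("") throws FormatException at startup.
            bool Flag(string key, bool fallback) =>
                bool.TryParse(config[key], out var parsed) ? parsed : fallback;

            options.Authority = config["Authority"];
            // Fail secure: plain-HTTP discovery metadata is only accepted when the
            // setting explicitly says so.
            options.RequireHttpsMetadata = Flag("RequireHttpsMetadata", fallback: true);
            options.Audience = config["Audience"];
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidAudience = config["Audience"],
                // Fail secure: audience and issuer validation stay on unless the
                // configuration explicitly turns them off.
                ValidateAudience = Flag("ValidateAudience", fallback: true),
                ValidateIssuer = Flag("ValidateIssuer", fallback: true),
            };
        });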

Swagger configuration:

services.AddSwaggerGen(swagger =>
        {
            const string schemeId = "oauth2";
            const string apiVersion = "1.0";

            swagger.SwaggerDoc(apiVersion, new OpenApiInfo
            {
                Title = "Switchboard Live Cloud API v1.0",
                Version = apiVersion,
                Description = "Programmable access to Switchboard Live's Cloud Platform.",
            });

            // OAuth2 implicit flow against the authorize endpoint of the configured
            // authority; the two scopes are what Swagger UI offers at sign-in.
            // NOTE(review): the implicit grant is discouraged by the OAuth 2.0 Security
            // BCP; OpenApiOAuthFlows also exposes AuthorizationCode (code + PKCE),
            // which Swagger UI supports as well.
            var implicitFlow = new OpenApiOAuthFlow
            {
                AuthorizationUrl = new Uri($"{authority}/connect/authorize"),
                Scopes = new Dictionary<string, string>
                {
                    ["read"] = "R",
                    ["write"] = "W",
                },
            };

            swagger.AddSecurityDefinition(schemeId, new OpenApiSecurityScheme
            {
                Type = SecuritySchemeType.OAuth2,
                Flows = new OpenApiOAuthFlows { Implicit = implicitFlow },
            });

            // Every documented operation requires the oauth2 scheme with both scopes.
            var schemeReference = new OpenApiSecurityScheme
            {
                Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = schemeId },
            };
            swagger.AddSecurityRequirement(new OpenApiSecurityRequirement
            {
                { schemeReference, new[] { "read", "write" } },
            });
        });
.....

 app.UseSwagger();
    app.UseSwaggerUI(ui =>
    {
        // Empty prefix serves the Swagger UI from the application root ("/")
        // instead of "/swagger". NOTE(review): if this app is deployed publicly,
        // consider enabling the UI only in the Development environment.
        ui.RoutePrefix = string.Empty;
        ui.SwaggerEndpoint("/swagger/1.0/swagger.json", "Title");
    });

I don't see what I am doing wrong here, but when I start the application, check the scopes and go through the authorization process, I end up with a Bearer token that does NOT have the audience (aud) claim in it, so all my requests end up with a 401 Unauthorized response and the following header error:

www-authenticate: Bearer error="invalid_token", error_description="The audience 'empty' is invalid" 

Any suggestions/solutions for this?


There was a major change in IdentityServer4 v4: it no longer sets the aud claim by default.

If you check the configuration section of the official documentation, it says you need to disable validation of the aud claim:

https://identityserver4.readthedocs.io/en/latest/quickstarts/1_client_credentials.html#configuration

So you need to set the property ValidateAudience = false, with something like this:

public void ConfigureServices(IServiceCollection services)
    {
        const string bearerScheme = "Bearer";

        services.AddControllers();

        services.AddAuthentication(bearerScheme)
            .AddJwtBearer(bearerScheme, jwt =>
            {
                jwt.Authority = "https://localhost:5001";

                // Audience validation is turned off because IdentityServer4 v4 no
                // longer emits the aud claim by default. NOTE(review): with it off,
                // any valid token from this authority is accepted regardless of its
                // intended recipient — restrict access with scope/claim checks on
                // the endpoints (e.g. an authorization policy).
                var validation = new TokenValidationParameters
                {
                    ValidateAudience = false
                };
                jwt.TokenValidationParameters = validation;
            });
    }