
I'm new to IdentityServer 4 and OpenIdConnect, trying to get my ASP.NET Core + Angular 9 SPA app to work with JwtBearer tokens, and the problem is that I cannot set my access_token's 'aud' claim properly; I'm getting 401 with the message:

Bearer error="invalid_token", error_description="The audience 'empty' is invalid"

found in the WWW-Authenticate header.

If, however, I use an id_token instead (which, as I suppose, should be used only once to log the user into the app), I get access to my protected resources, because it has this 'aud' claim.

I suppose it is not proper behaviour (or is it?).

Is there any way I may explicitly set the access_token's 'aud' claim? I've already looked in many places, Stack Overflow, the OpenID.net docs and others, and still I cannot find an answer. Could someone help me with that?

Here's my AddAuthentication method in my API & app.UseAuthentication/app.UseAuthorization: https://pastebin.com/YdE3WQ7b

and my client config: https://pastebin.com/AdAjntjc

Screenshot of the access_token at jwt.io:


2 Answers


Maybe this does not explain how to add the aud claim. However it is a very valid post and does solve the "Bearer error="invalid_token", error_description="The audience 'empty' is invalid" issue.


There was a major change in IdentityServer4 v4: they are no longer setting the aud claim by default.

Probably you followed an old article, like this one for example:

https://medium.com/@marcodesanctis2/securing-blazor-webassembly-with-identity-server-4-ee44aa1687ef

which uses IS4 v3.

But if you check the configuration section of the official documentation, it says you need to disable the aud claim:

https://identityserver4.readthedocs.io/en/latest/quickstarts/1_client_credentials.html#configuration

using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();

        services.AddAuthentication("Bearer")
            .AddJwtBearer("Bearer", options =>
            {
                // IdentityServer instance that issued the token
                options.Authority = "https://localhost:5001";

                // Quickstart setting: the API skips the aud check entirely
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateAudience = false
                };
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();

        // Authentication must run before authorization in the pipeline
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
    }
}
  • Hi, sorry for the late answer, I solved it already a few months ago; it was caused by a lack of a properly defined ApiResource, as I may recall, but I have a terrible memory so I cannot be sure about that... What I am fully certain of is where I found a solution for it: it was on Jason Watmore's blog: https://jasonwatmore.com/post/2019/10/11/aspnet-core-3-jwt-authentication-tutorial-with-example-api maybe there you'll find a solution for your problem? – Mariusz Budzisz Jul 24 '20 at 20:02
  • 5
    This answer doesn't explain how to add the 'aud' claim – PaulG Sep 25 '20 at 11:28
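As an added example (not code from the answer or from the IdentityServer4 project), here is the v4-style configuration that makes the access token carry an aud claim, so the API can keep audience validation switched on instead of disabling it. The names "api1" and "spa-client" and the URLs are assumptions for illustration.

```csharp
// Added example, not the answer's code. "api1", "spa-client" and the URLs are
// assumptions. In IS4 v4 scopes and API resources are separate objects: aud is
// emitted only for an ApiResource whose Scopes include a scope the client requested.
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.Extensions.DependencyInjection;

public static class Is4Config
{
    public static IEnumerable<ApiScope> ApiScopes =>
        new[] { new ApiScope("api1", "My API") };
    public static IEnumerable<ApiResource> ApiResources =>
        new[] { new ApiResource("api1", "My API") { Scopes = { "api1" } } };
    public static IEnumerable<Client> Clients => new[]
    {
        new Client
        {
            ClientId = "spa-client",
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            RequireClientSecret = false,
            RedirectUris = { "https://localhost:4200/callback" },
            // "api1" must be allowed here and requested by the SPA,
            // otherwise the access token carries no aud for the API.
            AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId, "api1" }
        }
    };
}

public class IdentityServerStartup
{
    public void ConfigureServices(IServiceCollection services) =>
        services.AddIdentityServer()
            .AddInMemoryApiScopes(Is4Config.ApiScopes)
            .AddInMemoryApiResources(Is4Config.ApiResources)
            .AddInMemoryClients(Is4Config.Clients)
            .AddDeveloperSigningCredential();
}

public class ApiStartup
{
    public void ConfigureServices(IServiceCollection services) =>
        services.AddAuthentication("Bearer")
            .AddJwtBearer("Bearer", options =>
            {
                options.Authority = "https://localhost:5001";
                // Keep audience validation on: tokens minted for other APIs are rejected.
                options.Audience = "api1";
            });
}
```

With this in place the "audience 'empty' is invalid" error goes away because the token now contains aud = "api1", while the API still refuses tokens issued for a different resource.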