
We've implemented an Identity-Provider using IdentityServer4. Recently we upgraded the application to .net core 3.1 (from 2.1) and with it, we upgraded IdentityServer4-Nuget-Packages from Version 2.2.0 to 3.1.3.

These are the actual contents of an access-token provided by the old state (with .net 2.1 and IdentityServer4 2.2.0):

{
  "nbf": 1597236398,
  "exp": 1597239998,
  "iss": "https://lab10vm-tri-2:8777/usermgmt/identityprovider",
  "aud": [
    "https://lab10vm-tri-2:8777/usermgmt/identityprovider/resources",
    "basecommon"
  ],
  "client_id": "Webportal",
  "sub": "d860efca-22d9-47fd-8249-791ba61b07c7",
  "auth_time": 1597236392,
  "idp": "local",
  "upn": "Administrator",
  "scope": [
    "openid",
    "profile",
    "basecommon"
  ],
  "amr": [
    "pwd"
  ]
}

And these are the contents of an access-token provided by the new state (with .net 3.1 and IdentityServer4 3.1.3):

{
  "nbf": 1597236389,
  "exp": 1597239989,
  "iss": "https://lab10vm-tri-3:8777/usermgmt/identityprovider",
  "aud": "basecommon",
  "client_id": "Webportal",
  "sub": "d860efca-22d9-47fd-8249-791ba61b07c7",
  "auth_time": 1597236383,
  "idp": "local",
  "upn": "Administrator",
  "scope": [
    "openid",
    "profile",
    "basecommon"
  ],
  "amr": [
    "pwd"
  ]
}

As you can see, the old version contains an audience called "https://lab10vm-tri-2:8777/usermgmt/identityprovider/resources", and the newer version does not.

Please tell me how I can restore the behaviour from before, so that the audience is attached.

What I've tried: Googling, very, very much, on topics like "IdentityServer 3.1 audience missing" and such. All the results I found that way did not match my case, and I don't know where to look anymore.

Ravior

2 Answers

You need to set options.EmitLegacyResourceAudienceClaim = true; when setting up IdentityServer4; the default value is false. It emits an aud claim with the format issuer/resources.

Here is how your code will look:

using Microsoft.Extensions.DependencyInjection;

namespace IdentityServer
{
    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            var builder = services.AddIdentityServer(
                options =>
                {
                    // Default value is false; true re-adds the "{issuer}/resources" audience
                    options.EmitLegacyResourceAudienceClaim = true;
                })
                .AddInMemoryIdentityResources(Config.Ids)
                .AddInMemoryApiResources(Config.Apis)
                .AddInMemoryClients(Config.Clients)
                .AddTestUsers(TestUsers.Users);
        }
    }
}

Read more about EmitLegacyResourceAudienceClaim here

nahidf
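The two payloads in the question also show why an API that validates the audience can start rejecting the new tokens: the old token carries "aud" as an array including the issuer-derived "{issuer}/resources" entry, the new one carries a single string "basecommon", and RFC 7519 allows both forms. The following added example (not code from either answer or from IdentityServer4; the payloads are copied from the question and the helper names are my own) normalises both forms and shows that a check pinned to the legacy resources audience fails on the new token, while a check against the API name accepted by the token succeeds on both.

```python
import json

# Payload JSON copied from the question (only the claims relevant to audience checking);
# this example does not verify signatures, only the "aud" handling.
OLD_TOKEN_JSON = """{
  "iss": "https://lab10vm-tri-2:8777/usermgmt/identityprovider",
  "aud": ["https://lab10vm-tri-2:8777/usermgmt/identityprovider/resources", "basecommon"],
  "scope": ["openid", "profile", "basecommon"]
}"""
NEW_TOKEN_JSON = """{
  "iss": "https://lab10vm-tri-3:8777/usermgmt/identityprovider",
  "aud": "basecommon",
  "scope": ["openid", "profile", "basecommon"]
}"""

OLD_TOKEN = json.loads(OLD_TOKEN_JSON)
NEW_TOKEN = json.loads(NEW_TOKEN_JSON)


def audiences(payload):
    """Normalise the "aud" claim to a list of strings.

    RFC 7519 section 4.1.3 allows "aud" to be a single string or an array of
    strings; a validator that only handles one form silently breaks on the other.
    """
    aud = payload.get("aud")
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    raise ValueError("aud claim must be a string or an array of strings")


def audience_accepted(payload, expected):
    """True if the token is addressed to `expected` (exact, case-sensitive match)."""
    return expected in audiences(payload)


def legacy_resources_audience(payload):
    """The audience IdentityServer4 emitted before 3.x: "{issuer}/resources"."""
    return payload["iss"].rstrip("/") + "/resources"
```

Validating against the API resource name ("basecommon" here) rather than the issuer-derived legacy value keeps the check working across both token formats.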

Try to upgrade to version 4.0x of IdentityServer 4; I think it's back again in the latest release, because I didn't see it in version 3.13 but I saw that it appeared in v4.0.0.

Tore Nestenius