IdentityServer / IdentityServer3.AccessTokenValidation

OWIN Middleware to validate access tokens from IdentityServer3
Apache License 2.0

Sending JWT token to resource server - permission denied #168

Closed piotrekbigu closed 6 years ago

piotrekbigu commented 6 years ago

Hi, this is not an issue but a general question about the API.

I successfully implemented IdentityServer and a Resource Server. I am able to create identity and access tokens and access a protected resource using access tokens. Today I tried to call the resource server and pass the created JWT token in the authorization header, but I got an HTTP 401 response. I am sure that the token was valid, because when I used the access token created at the same moment, authorization passed successfully.

Is it possible to use the identity token when accessing the resource server? I looked into your source and example code and it looks like it should be possible.

I will be very grateful for any explanation/tip.

brockallen commented 6 years ago

No. id_tokens are for the client. access_tokens are for the API. Your client needs to obtain an access token to invoke the API on behalf of the user.

piotrekbigu commented 6 years ago

But in the validation middleware I found code which recognizes the JWT format (dot separator). For which cases is it implemented?

brockallen commented 6 years ago

Not all JWTs are access tokens.

piotrekbigu commented 6 years ago

Ok. So if I understood correctly, I missed some element which indicates that my JWT token is also an access token?

brockallen commented 6 years ago

You need to learn a bit more about the OIDC and OAuth2 protocols, I think. Check our docs for links to the specs.

piotrekbigu commented 6 years ago

Thank you for help :)

piotrekbigu commented 6 years ago

Hello again, to be honest I have been sitting and reading the whole documentation for a month. Is it possible to equip me with a tip on which document (RFC, IdentityServer docs, any other resource) I should read again?

brockallen commented 6 years ago

Maybe this would help? https://mva.microsoft.com/en-US/training-courses/introduction-to-identityserver-for-aspnet-core-17945

brockallen commented 6 years ago

Oh, except that is for ASP.NET Core. I don't have anything like it for Katana, but at least the high level should help.

piotrekbigu commented 6 years ago

Finally I found the solution :) It was a bug at the client level - I was passing the id_token instead of an access_token to my resource server.

Thank you for help.

Btw. awesome presentation :)