IdentityServer / IdentityServer3.AccessTokenValidation

OWIN Middleware to validate access tokens from IdentityServer3
Apache License 2.0

using UseIdentityServerBearerTokenAuthentication #31

Closed stevenfirstrowinc closed 9 years ago

stevenfirstrowinc commented 9 years ago

I'm using the following code to ensure my access token is correct

    // Disable the default inbound claim type mapping so claim names stay as issued
    JwtSecurityTokenHandler.InboundClaimTypeMap = ClaimMappings.None;

    // Validate bearer tokens issued by IdentityServer3 and require the "csRA" scope
    app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
    {
        Authority = "https://localhost:44310/identity",
        RequiredScopes = new[] { "csRA" },
    });

I was expecting that any request that came through that did not have this scope would return a 404 and exit the pipeline, but instead it seems as though the pipeline continues with an unauthenticated user instead.

I'm using Owin and WebApi 2.2 and the above are the first lines in my startup class. Should I be adding this method to the end of my startup instead?

brockallen commented 9 years ago

You still need to have an [Authorize] attribute on your Web APIs (or as a global filter).

stevenfirstrowinc commented 9 years ago

yep, have that in all cases, but honestly I'm not 100% sure I understand why I would need that. Is it the case that UseIdentityServerBearerTokenAuthentication is saying "when authentication is required, make sure the token contains this scope?" and that is why the request continues so that the [Authorize] attribute can be evaluated?

brockallen commented 9 years ago

Authentication happens first. Authorization is the job of the application layer (typically).

stevenfirstrowinc commented 9 years ago

oh. duh! so if I want to force Authentication for all requests, I'd need to use an Authentication filter in addition to UseIdentityServerBearerTokenAuthentication (which is part of authorization)?

brockallen commented 9 years ago

You mean authorization, right? The bearer token is authentication. If that works, then great, but if not then the request is anonymous. Authorization ensures that the current request is allowed. If anonymous is not allowed, then that authorization is required.

leastprivilege commented 9 years ago

The scope is only enforced when a valid token has been found. Otherwise the request is anonymous.

You need additional authZ rules - in any case.
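An added example (not the project's own code and not posted in this thread) that puts the two layers together: the middleware from the question only authenticates, and Web API's `AuthorizeAttribute`, registered as a global filter, supplies the authorization rule that turns an anonymous request into a 401 instead of letting it reach the action. The `Example` namespace, `ValuesController`, `ScopeAuthorizeAttribute` and the `csRA.admin` scope are assumptions; the authority URL and the `csRA` scope come from the question.

```csharp
using System.Security.Claims;
using System.Web.Http;
using System.Web.Http.Controllers;
using IdentityServer3.AccessTokenValidation;
using Owin;

namespace Example
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Authentication only: validates the bearer token and, when one is valid, requires
            // the "csRA" scope. A missing or invalid token does not stop the pipeline; the
            // request simply continues as anonymous.
            app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
            {
                Authority = "https://localhost:44310/identity",
                RequiredScopes = new[] { "csRA" }
            });

            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();
            // Authorization: a global AuthorizeAttribute rejects anonymous requests with 401
            // for every action except those marked [AllowAnonymous].
            config.Filters.Add(new AuthorizeAttribute());
            app.UseWebApi(config);
        }
    }

    // Hypothetical action-level check for a scope claim, for actions that need a more
    // specific scope than the minimum the middleware already enforces.
    public class ScopeAuthorizeAttribute : AuthorizeAttribute
    {
        private readonly string _scope;
        public ScopeAuthorizeAttribute(string scope) { _scope = scope; }

        protected override bool IsAuthorized(HttpActionContext actionContext)
        {
            var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;
            return principal != null && principal.Identity.IsAuthenticated && principal.HasClaim("scope", _scope);
        }
    }

    [RoutePrefix("api/values")]
    public class ValuesController : ApiController
    {
        [Route("admin"), ScopeAuthorize("csRA.admin")] // assumed scope: needs a valid token carrying it
        public IHttpActionResult GetAdmin() => Ok(new[] { "value1", "value2" });

        [Route("ping"), AllowAnonymous] // the only action an anonymous request can reach
        public IHttpActionResult Ping() => Ok("pong");
    }
}
```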

stevenfirstrowinc commented 9 years ago

@brockallen that isn't what I meant, but it's clear now. This all comes down to one of my injected services that depends on an authenticated user. Now that I understand this process better I can handle the unauthenticated use case. I was thinking the UseIdentityServerBearerTokenAuthentication method would prevent the request getting all the way down the pipeline but I get it now.