Closed vindberg closed 9 years ago
Try:
RequiredScopes = new string[] { "idmgr" }
Unfortunately it's not the issue. The configuration is from the MVC Authorization example ("string" not there).
The exception happens directly at: app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
Are you sure Authority is not null?
Yes, it's the same result if I hard-code it as a string. Here is my complete startup config if that can help:
```csharp
public void Configuration(IAppBuilder app)
{
    // Logging (Serilog -> Exceptionless)
    Log.Logger = new LoggerConfiguration()
        .WriteTo.ExceptionLess(b => b.AddTags("IdentityServer").AddRequestInfo())
        .CreateLogger();
    var defaultExceptionlessClient = ExceptionlessClient.Default;
    defaultExceptionlessClient.Configuration.UseInMemoryStorage();
    defaultExceptionlessClient.Register();
    new Exception("System Startup").ToExceptionless().Submit();

    AntiForgeryConfig.UniqueClaimTypeIdentifier = Constants.ClaimTypes.Subject;
    JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();

    // IdentityServer itself, hosted under /core
    app.Map("/core", core =>
    {
        var idSvrFactory = Factory.ConfigureClientsAndScopes(Settings.Default.ConnectionStringName);
        idSvrFactory.ConfigureUserService(Settings.Default.ConnectionStringName);

        var viewOptions = new DefaultViewServiceOptions();
        viewOptions.Stylesheets.Add("/Content/New/Site.css");
        viewOptions.CacheViews = false;
        idSvrFactory.ConfigureDefaultViewService(viewOptions);

        var options = new IdentityServerOptions
        {
            SiteName = "Identity Server",
            SigningCertificate = Certificate.Get(),
            Factory = idSvrFactory,
            EnableWelcomePage = false,
            AuthenticationOptions = new AuthenticationOptions
            {
                IdentityProviders = ConfigureIdentityProviders,
                EnablePostSignOutAutoRedirect = true,
                LoginPageLinks = new LoginPageLink[] {
                    new LoginPageLink {
                        Text = "Register",
                        Href = "~/registration"
                    },
                    new LoginPageLink {
                        Text = "Forgot Password?",
                        Href = "~/forgotpassword"
                    }
                }
            }
        };
        core.UseIdentityServer(options);
    });

    // Cookie + OpenID Connect authentication for the MVC/IdentityManager host
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
    });
    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        Authority = Settings.Default.Authority,
        ClientId = "idmgr",
        RedirectUri = Settings.Default.IdMgrRedirectUri,
        ResponseType = "id_token",
        Scope = "openid idmgr",
        SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
    });

    // IdentityManager, hosted under /admin
    app.Map("/admin", adminApp =>
    {
        var factory = new IdentityManagerServiceFactory();
        factory.ConfigureSimpleIdentityManagerService(Settings.Default.ConnectionStringName);
        adminApp.UseIdentityManager(new IdentityManagerOptions()
        {
            Factory = factory,
            SecurityConfiguration = new HostSecurityConfiguration()
            {
                HostAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                NameClaimType = Constants.ClaimTypes.Subject,
                RoleClaimType = Constants.ClaimTypes.Role,
                AdminRoleName = "SystemAdministrator",
            },
        });
    });

    // API Config (this is the call that throws)
    app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
    {
        Authority = Settings.Default.Authority,
        RequiredScopes = new string[] { "idmgr" }
    });

    // web api configuration
    var config = new HttpConfiguration();
    config.Formatters.Remove(config.Formatters.XmlFormatter);
    config.MapHttpAttributeRoutes();
    app.UseWebApi(config);
}
```
If both idsrv and the access token validation MW are in the same app, there might be a race condition, since the discovery endpoint might not be up yet when.
In 2.2 we allow configuring the val MW statically (released today)
That sounds like a solution. Where should I look?
Thanks mate.
in the docs - of course ;)
Found it: https://identityserver.github.io/Documentation/docsv2/consuming/options.html
It's working when IssuerName and SigningCertificate are added to the API config. But somehow the API config needs to be above the Identity Manager mapping. If it's below app.Map("/admin", adminApp => ...) then it still fails.
yeah order matters.
@leastprivilege I know this is closed, but we are seeing a similar issue (same error when enabling the feature). When you mention that order matters, can you expand on that? Why does it fail if executed after the mapping? Also, we are not using Identity Manager, just IdSrv 2.3 with EF.
In our case, much as above, we have the IdSrv and MVC client app running in the same application. There are 3 OWIN middlewares that are loaded separately in this order:
It doesn't matter if we initialize UseIdentityServerBearerTokenAuthentication in the same MVC startup, we still get the exact same error.
System.NullReferenceException: Object reference not set to an instance of an object.
at IdentityServer3.AccessTokenValidation.ValidationEndpointTokenProvider..ctor(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory)
at Owin.IdentityServerBearerTokenValidationAppBuilderExtensions.ConfigureEndpointValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory)
at Owin.IdentityServerBearerTokenValidationAppBuilderExtensions.UseIdentityServerBearerTokenAuthentication(IAppBuilder app, IdentityServerBearerTokenAuthenticationOptions options)
at NFLPA.Web.Module.IdentityClient.StartupOAuthAPIFeature.<>c.<GetOwinMiddlewares>b__0_0(IAppBuilder app)
It looks like the issue may be with the logger actually. app.GetLoggerFactory() returns null and because of that, my guess is that it fails here: https://github.com/IdentityServer/IdentityServer3.AccessTokenValidation/blob/dc9d280f75feb093dc2516f44583f6ca6d0f9c2b/source/AccessTokenValidation/Plumbing/ValidationEndpointTokenProvider.cs#L39
I have the same problem... when I updated the IDS3 server from 2.0 to 2.5. For me too it is a concurrency problem: app.UseIdentityServerBearerTokenAuthentication(...) tries to request the discovery document at time t0, when the IDS server is not ready.
A single project with IdentityServer and API resources in one assembly, is there some workaround? Sorry, but I didn't understand if it was solved.
It's even documented (now) ;)) https://identityserver.github.io/Documentation/docsv2/consuming/options.html
I can confirm this is still happening:
[NullReferenceException: Object reference not set to an instance of an object.]
IdentityServer3.AccessTokenValidation.IdentityServerBearerTokenValidationMiddleware..ctor(Func`2 next, IAppBuilder app, IdentityServerOAuthBearerAuthenticationOptions options, ILoggerFactory loggerFactory) in c:\local\identity\server3\AccessTokenValidation\source\AccessTokenValidation\IdentityServerBearerTokenValidationMiddleware.cs:52
lambda_method(Closure , Func`2 , IAppBuilder , IdentityServerOAuthBearerAuthenticationOptions , ILoggerFactory )
IdentityServer, Manager, and Admin in the same project. Tried DelayLoadMetadata with no success.
It doesn't throw an exception when I move it before the Manager auth setup but then I can no longer access the Manager API.
I'm basically trying to expose a User API which will only be used from an application previously authenticated via IdentityServer3.
Any ideas?
@florindpreda , did you manage to find a solution for this? I am exactly at the same point as you are
It works for me now, the order matters really!!!! I put the api config before Identityserver settings
@FullyCSharped Glad to hear that it's working! It was a nice to have for me, so I ended up using basic auth + encryption on my scenario.
Can you please share your Startup.cs file? Might help others in the future.
@FullyCSharped Could you please share the startup file. I also have the issue.
@leastprivilege About the docs for static JWTs configuration, what am I expected to put in the IssuerName field? I'm trying to understand what I need to do to use a common name both in this IssuerName field and in my IdentityServer3 server, so that, when the authentication/authorization processes are executed, everything will work as expected. That is, my IdentityServer3 server will be properly found by my ASP.NET WebApi server.
I can confirm that the reported solution from @dcinzona resolved this issue for me. Simply place app.SetLoggerFactory(new DiagnosticsLoggerFactory()); on the line before app.UseIdentityServerBearerTokenAuthentication(....
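The two fixes the thread converges on (static local validation with IssuerName and SigningCertificate so the middleware never has to fetch the discovery document during startup, and a logger factory registered before the bearer-token middleware is constructed) combined into one Startup, as an added example that is not code from the thread or from the IdentityServer3 project. `Settings.Default`, `Certificate.Get()`, `Factory` and `ConfigureIdentityProviders` are the helper names used in the startup posted above; `IssuerName = Settings.Default.Authority` assumes the token server's issuer equals the authority URL, which should be checked against the `issuer` value in the discovery document of the running server.

```csharp
using System.Collections.Generic;
using System.Web.Http;
using IdentityServer3.AccessTokenValidation;
using IdentityServer3.Core.Configuration;
using Microsoft.Owin.Logging;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Example startup (not the project's own code) for IdentityServer3 + IdentityManager + Web API
// sharing a single OWIN pipeline.
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Fix 1: register a logger factory first. Without one, app.GetLoggerFactory() returns null
        // and the bearer-token middleware constructor fails with NullReferenceException.
        app.SetLoggerFactory(new DiagnosticsLoggerFactory());

        // Fix 2: static, local token validation, registered before the /core and /admin branches.
        // With IssuerName and SigningCertificate supplied, the middleware validates JWTs itself and
        // does not call the discovery endpoint, so startup cannot race against IdentityServer.
        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = Settings.Default.Authority,
            ValidationMode = ValidationMode.Local,
            // Assumed here: the issuer is the authority URL. It must equal the 'iss' claim IdentityServer
            // writes into tokens (IdentityServerOptions.IssuerUri), otherwise every token is rejected.
            IssuerName = Settings.Default.Authority,
            SigningCertificate = Certificate.Get(),
            RequiredScopes = new[] { "idmgr" }
        });

        // Web API routes are protected by the middleware registered above.
        var config = new HttpConfiguration();
        config.Formatters.Remove(config.Formatters.XmlFormatter);
        config.MapHttpAttributeRoutes();
        app.UseWebApi(config);

        // IdentityServer itself, same configuration as in the thread, now after the API setup.
        app.Map("/core", core =>
        {
            var idSvrFactory = Factory.ConfigureClientsAndScopes(Settings.Default.ConnectionStringName);
            idSvrFactory.ConfigureUserService(Settings.Default.ConnectionStringName);
            core.UseIdentityServer(new IdentityServerOptions
            {
                SiteName = "Identity Server",
                SigningCertificate = Certificate.Get(),
                Factory = idSvrFactory,
                EnableWelcomePage = false,
                AuthenticationOptions = new AuthenticationOptions
                {
                    IdentityProviders = ConfigureIdentityProviders
                }
            });
        });

        // Cookie authentication for the IdentityManager host, then the /admin branch.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
        });
        app.Map("/admin", adminApp =>
        {
            var factory = new IdentityManagerServiceFactory();
            factory.ConfigureSimpleIdentityManagerService(Settings.Default.ConnectionStringName);
            adminApp.UseIdentityManager(new IdentityManagerOptions
            {
                Factory = factory,
                SecurityConfiguration = new HostSecurityConfiguration
                {
                    HostAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                    NameClaimType = Constants.ClaimTypes.Subject,
                    RoleClaimType = Constants.ClaimTypes.Role,
                    AdminRoleName = "SystemAdministrator"
                }
            });
        });
    }

    private static void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
    {
        // External identity providers would be registered here (none in this example).
    }
}
```

The ordering reflects what the thread reports: the bearer-token middleware has to be added before the `/admin` branch, and with `ValidationMode.Local` there is no dependency on the discovery endpoint at all. Local validation also means a restarted or unreachable IdentityServer does not take the API down, but revoked tokens stay valid until they expire, so keep access token lifetimes short.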
We are using app.UseIdentityServerBearerTokenAuthentication( New IdentityServerBearerTokenAuthenticationOptions() With { .Authority = "https://first.com:443", .ValidationMode = ValidationMode.ValidationEndpoint, .ValidationResultCacheDuration = New TimeSpan(0, 0, 200), .EnableValidationResultCache = True, }) in our web API and on https://first.com:443 our identity server is running which validate the token. How could we know that identity server is down ?
I'm trying to add a users API to my IdentityServer (IdentityServer3 2.x) solution.
I'm getting this error when adding UseIdentityServerBearerTokenAuthentication to Startup. Is there a conflict with the other mappings of "core" or? Thanks in advance.
Some code from Startup:
The error: