rvanoord closed this issue 8 years ago
Turn on logging for the middleware. Maybe this gives you more info.
On 06.11.2015, at 10:15, rvanoord notifications@github.com wrote:
Hi,
I am using the UseIdentityServerBearerTokenAuthentication() OWIN middleware to protect APIs in a couple of applications.
In both cases, this seems to work fine for a while, but after a day or two the API returns "Unauthorized" for requests with valid access tokens. Restarting the API application in IIS temporarily resolves the issue. After a restart, valid tokens that were rejected by the API are accepted again. This indicates that there is likely an issue in the implementation of the IdentityServerBearerTokenAuthentication, or in the underlying JwtTokenAuthentication middleware.
The issue is somewhat difficult to debug because the middleware works to start with and seems to stop working at random. Perhaps the issue is linked to some sort of caching mechanism or something?
I have found the issue. If you are using the thinktecture.IdentityServer3 NuGet package to create the identity server, you can't use IdentityServer3.AccessTokenValidation. It's because thinktecture IdentityServer3 does not allow verifying the token using POST, and IdentityServer3.AccessTokenValidation uses POST to verify the token (https://github.com/IdentityServer/IdentityServer3.AccessTokenValidation/tree/master/source/AccessTokenValidation/Plumbing line 88). So each time the middleware tries to verify a token, it gets a "Method not supported" exception and returns Unauthorized.
I am using IdentityServer4 with IdentityServer3.AccessTokenValidation and I am getting the same issue. Is there a fix for this?