IdentityServer / IdentityServer3

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana
https://identityserver.github.io/Documentation/
Apache License 2.0

Reference Tokens - Creating introspection response for inactive token #2922

Closed olee closed 8 years ago

olee commented 8 years ago

I tried to enable reference tokens for my API access. First I got the error "No scope with that name found. aborting", but after some trial & error I got that part running (no idea exactly how, however).

But now I still get 401 responses from my API and the server outputs the following log:

iisexpress.exe Information: 0 : 2016-05-25 12:00:32.631 +02:00 [Information] Start introspection request
2016-05-25 12:00:32.675 +02:00 [Debug] Start scope validation
2016-05-25 12:00:32.676 +02:00 [Debug] Start parsing Basic Authentication secret
2016-05-25 12:00:32.678 +02:00 [Debug] Parser found secret: "BasicAuthenticationSecretParser"
iisexpress.exe Information: 0 : 2016-05-25 12:00:32.679 +02:00 [Information] Secret id found: "c3client"
2016-05-25 12:00:32.741 +02:00 [Debug] Secret validator success: "HashedSharedSecretValidator"
iisexpress.exe Information: 0 : 2016-05-25 12:00:32.742 +02:00 [Information] Scope validation success
iisexpress.exe Information: 0 : 2016-05-25 12:00:32.784 +02:00 [Information] Start access token validation
iisexpress.exe Information: 0 : 2016-05-25 12:00:32.832 +02:00 [Information] "Token validation success"
"{
  \"ValidateLifetime\": true,
  \"AccessTokenType\": \"Reference\",
  \"TokenHandle\": \"f46d814524f737663c13ac9b50b288b5\",
  \"Claims\": {
    \"aud\": \"http://localhost:54709/core/resources\",
    \"iss\": \"http://localhost:54709/core\",
    \"nbf\": \"1464170177\",
    \"exp\": \"1464188177\",
    \"client_id\": \"c3client\",
    \"scope\": [
      \"openid\",
      \"profile\",
      \"email\",
      \"client\",
      \"api\"
    ],
    \"sub\": \"48b7ab04-d831-49f2-b500-0aa4f735bdd3\",
    \"auth_time\": 1464170172,
    \"idp\": \"Facebook\",
    \"amr\": \"external\",
    \"role\": \"ADMIN\"
  }
}"
iisexpress.exe Information: 0 : 2016-05-25 12:00:32.872 +02:00 [Information] Creating introspection response
iisexpress.exe Information: 0 : 2016-05-25 12:00:32.904 +02:00 [Information] Creating introspection response for inactive token.

Could you give me some pointers on how to fix this / is there some good tutorial on how to support reference tokens?

brockallen commented 8 years ago

Do you have your token handle store configured? You need a DB when using reference tokens. The default in-mem should work while debugging/development (assuming you don't recycle). Also, we cover this in the docs.

olee commented 8 years ago

I used in-memory storage for testing and I looked at all the documentation (I could find). As you can see from the logs, the token is found and validated correctly. However, I couldn't find any information on what happens after that and what's the matter with that "Creating introspection response for inactive token".

Thanks for your quick reply!

brockallen commented 8 years ago

Hmm... yeah, not clear then to me either. Check the expiration: \"exp\": \"1464188177\", -- that might be it.
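The log in the opening post already carries the two inputs worth comparing by hand: the secret id that authenticated to the introspection endpoint ("c3client") and the token's scope list, which contains "client" and "api" but no "c3client". The Python script below is an added example, not IdentityServer3's code and not written by anyone in this thread. It parses such a log entry, applies the lifetime check suggested above (nbf <= request time < exp, using the log line's own timestamp), and also checks whether the caller's scope appears in the token. It assumes, as something this page does not confirm, that IdentityServer3 reports a token as inactive to an introspection caller whose scope is not contained in the token, and that the escaped claims JSON is printed exactly as shown in the issue.

```python
"""Added example (not IdentityServer3 code): sanity-check an IdentityServer3
introspection log entry of the kind posted in this issue.

Two checks are applied to the claims JSON that the "Token validation success"
line prints:
  1. lifetime: nbf <= request time < exp, taken from the log's own timestamp;
  2. caller scope: the "Secret id found" value (the scope that authenticated
     to the introspection endpoint) must be in the token's scope list.
Assumption: IdentityServer3 answers "inactive" to a caller whose scope is not
in the token. This script models that rule; it is not IdentityServer3's code.
"""
import json
import re
from datetime import datetime
from typing import Dict, Tuple

# Constructed sample: the relevant lines of the log posted in the issue.
SAMPLE_LOG = r'''2016-05-25 12:00:32.631 +02:00 [Information] Start introspection request
2016-05-25 12:00:32.679 +02:00 [Information] Secret id found: "c3client"
2016-05-25 12:00:32.832 +02:00 [Information] "Token validation success"
"{
  \"ValidateLifetime\": true,
  \"AccessTokenType\": \"Reference\",
  \"TokenHandle\": \"f46d814524f737663c13ac9b50b288b5\",
  \"Claims\": {
    \"aud\": \"http://localhost:54709/core/resources\",
    \"iss\": \"http://localhost:54709/core\",
    \"nbf\": \"1464170177\",
    \"exp\": \"1464188177\",
    \"client_id\": \"c3client\",
    \"scope\": [
      \"openid\",
      \"profile\",
      \"email\",
      \"client\",
      \"api\"
    ],
    \"sub\": \"48b7ab04-d831-49f2-b500-0aa4f735bdd3\",
    \"auth_time\": 1464170172,
    \"idp\": \"Facebook\",
    \"amr\": \"external\",
    \"role\": \"ADMIN\"
  }
}"
2016-05-25 12:00:32.904 +02:00 [Information] Creating introspection response for inactive token.
'''


def parse_introspection_log(log: str) -> Dict[str, object]:
    """Pull the request time, the caller's secret id and the token JSON out of the log."""
    ts = re.search(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{2}:\d{2})", log)
    request_time = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S.%f %z")
    caller_scope = re.search(r'Secret id found: "([^"]+)"', log).group(1)
    # The token is logged as a JSON string literal that itself contains JSON,
    # so it is decoded twice. strict=False tolerates the raw newlines inside.
    literal = re.search(r'"\{.*?\}"', log, re.S).group(0)
    token = json.loads(json.loads(literal, strict=False))
    return {"request_time": request_time, "caller_scope": caller_scope, "token": token}


def check_lifetime(claims: Dict[str, object], at: datetime) -> Tuple[bool, str]:
    """nbf <= at < exp; nbf/exp are logged as strings, auth_time as a number."""
    now = int(at.timestamp())
    nbf, exp = int(claims["nbf"]), int(claims["exp"])
    if now < nbf:
        return False, f"token not yet valid: nbf={nbf} is {nbf - now}s in the future"
    if now >= exp:
        return False, f"token expired: exp={exp} was {now - exp}s ago"
    return True, f"lifetime ok: {exp - now}s remaining"


def check_caller_scope(claims: Dict[str, object], caller_scope: str) -> Tuple[bool, str]:
    """The scope that authenticated the introspection call must be in the token."""
    scopes = claims.get("scope", [])
    if isinstance(scopes, str):
        scopes = [scopes]  # a single scope would be logged as a bare string
    if caller_scope in scopes:
        return True, f"caller scope '{caller_scope}' is in the token"
    return False, f"caller scope '{caller_scope}' not in token scopes {scopes}"


def diagnose(log: str) -> Dict[str, object]:
    """Run both checks and say whether the token should be reported active."""
    parsed = parse_introspection_log(log)
    claims = parsed["token"]["Claims"]
    results: Dict[str, object] = {}
    if parsed["token"].get("ValidateLifetime", True):
        results["lifetime"] = check_lifetime(claims, parsed["request_time"])
    results["caller_scope"] = check_caller_scope(claims, parsed["caller_scope"])
    active = all(ok for ok, _ in results.values())
    results["active"] = active
    return results


if __name__ == "__main__":
    for name, value in diagnose(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Run against the sample, the lifetime check passes (the request at 12:00:32 +02:00 falls between nbf and exp) and the caller-scope check fails, so the script reports the token as inactive for this caller; re-running it on a log whose scope list includes the caller's scope reports it as active.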

olee commented 8 years ago

The expiration is also ok. I just can't figure out where it fails... Do you maybe have some tips where I could do some checks to find out what I'm missing?

brockallen commented 8 years ago

Download the code for the version/tag you're using and debug... shrug

If/when you find it, then perhaps the logging can be beefed up to indicate what about the token failed to validate.

olee commented 8 years ago

I tried adding some test-blocks around the API auth check:

// Diagnostic middleware before the token middleware: nothing is set here,
// the breakpoint only shows the pipeline state before authentication.
app.Use(async (context, next) =>
{
    await next.Invoke();
});

// IdentityServer3.AccessTokenValidation: validates bearer tokens against the
// configured authority and requires the "api" scope.
app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
    Authority = CoreConstants.IdentityServerAuthority,
    RequiredScopes = new string[] { "api" },
    .......
});

// Diagnostic middleware after the token middleware: a breakpoint here shows
// whether context.Authentication.User was populated by the step above.
app.Use(async (context, next) =>
{
    await next.Invoke();
});

I noticed that a breakpoint in the second block at the bottom is triggered (and it shows all those log messages before that); however, context.Authentication.User is still the same - an empty user.

Do you have any tips on how to debug this / links to some explanation on what is needed for reference tokens to work?

leastprivilege commented 8 years ago

Enable logging.

https://identityserver.github.io/Documentation/docsv2/consuming/diagnostics.html