IdentityServer / IdentityServer4.AccessTokenValidation

IdentityServer Access Token Validation for ASP.NET Core
Apache License 2.0

.Net Core API will not authenticate against our Identity Server 3 #63

Closed DaveAtBAndCE closed 7 years ago

DaveAtBAndCE commented 7 years ago

I am trying to port an existing API to .Net Core. I need it to authenticate against an existing Identity Server 3 instance. I cannot update any of the clients etc. in Identity Server 3 so it must work as is.

The original API I am porting from works fine using

app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
    Authority = "http://localhost:5000",
    RequiredScopes = new[] { "read", "write", "profile" }
});

But when I try to use an equivalent in .Net Core

app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
    Authority = "http://localhost:5000",
    RequireHttpsMetadata = false, 
    AllowedScopes = new[] { "read", "write", "profile" },
});

If it points to Identity Server 3 then I always get a 401, no matter what I do. If I point it at a test Identity Server 4 instance it works.

I need it to work with Identity Server 3. What am I doing wrong?

DaveAtBAndCE commented 7 years ago

OK, having investigated this further: the original API is using reference tokens, which means in .Net Core I need to use ApiName and ApiSecret

app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
     Authority = "http://localhost:5000",
     RequireHttpsMetadata = false,
     ApiName = "apiName",
     ApiSecret = "DontHaveOne"
});

Q. Is Identity Server 4 ApiName == Identity Server 3 Scope.Name where Type = ScopeType.Resource?

i.e.

new Scope
{
    Name = "apiName",
    DisplayName = "Display Name",
    Description = "Description",
    Type = ScopeType.Resource,
    Required = true
},

Q. Does ApiSecret map to Scope Secrets in Identity Server 3?

Q. What do we do about the original scope not having Scope Secrets? Is this why the introspection fails as the ApiSecret has nothing to map to?

brockallen commented 7 years ago

Q. Does ApiSecret map to Scope Secrets in Identity Server 3?

yes

Q. What do we do about the original scope not having Scope Secrets? Is this why the introspection fails as the ApiSecret has nothing to map to?

We now only support introspection which requires an Api secret. The old pre-introspection token validation endpoint allowed anonymous access.

DaveAtBAndCE commented 7 years ago

Thanks for getting back to me so quickly, Brock. This has given me the answer. The key is that, originally, anonymous access was allowed but in the new version it requires additional authentication.

For anyone following this after with the same problem: Our original Identity Server 3 scopes had no secrets so they needed to be updated to align to the new requirement of needing the ApiSecret. Once done everything worked fine.

For example: (.Net Core API)

app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
     Authority = "http://localhost:5000",
     RequireHttpsMetadata = false,
     ApiName = "apiName",
     ApiSecret = "secret"
});

(Identity Server 3 Scopes)

new Scope
{
    Name = "apiName",
    DisplayName = "Display Name",
    Description = "Description",
    Type = ScopeType.Resource,
    Required = true,
    ScopeSecrets = new List<Secret>
    {
        new Secret("secret".Sha256())
    }
},
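The thread above turns on one mechanism: with reference tokens, the .Net Core API no longer calls an anonymous validation endpoint but the OAuth 2.0 token introspection endpoint, and it must authenticate there with the scope name and a scope secret (ApiName / ApiSecret). The following is an added example, not code from this issue or from the IdentityServer projects. It models both sides of that exchange in Python so the failure mode can be seen end to end: an in-process stand-in for the Identity Server 3 introspection endpoint that checks the caller's Basic credentials against SHA-256-hashed scope secrets (mirroring `new Secret("secret".Sha256())`, which is base64 of the SHA-256 of the UTF-8 secret), and a resource-server function that does what the middleware does per request. The scope store, the reference tokens and the `/connect/introspect` path are constructed sample data and assumptions, not values from the original post.

```python
import base64
import hashlib
from urllib.parse import parse_qs

# Assumed introspection path under the Authority; check the discovery document of your instance.
INTROSPECTION_PATH = "/connect/introspect"


def sha256_secret(plain):
    """Mirror of IdentityServer's `"secret".Sha256()`: base64(SHA-256(UTF-8 bytes))."""
    return base64.b64encode(hashlib.sha256(plain.encode("utf-8")).digest()).decode("ascii")


# Constructed sample scope store. "apiName" has a ScopeSecret; "legacyApi" never got one,
# which is the situation described in the issue.
SCOPES = {
    "apiName": {"secrets": [sha256_secret("secret")]},
    "legacyApi": {"secrets": []},
}

# Constructed sample reference-token store: the token handle maps to the token's claims.
REFERENCE_TOKENS = {
    "abc123": {"active": True, "scope": "read write profile apiName",
               "sub": "42", "client_id": "webapp"},
}


def introspect_server(headers, body):
    """Minimal model of the introspection endpoint.

    1. Authenticate the calling API with HTTP Basic (scope name : scope secret).
    2. Only then report whether the presented reference token is active.
    Returns (http_status, json_dict)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        # Anonymous access is not allowed here, unlike the old validation endpoint.
        return 401, {"error": "invalid_client"}
    try:
        name, _, secret = base64.b64decode(auth[len("Basic "):]).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return 401, {"error": "invalid_client"}
    scope = SCOPES.get(name)
    if scope is None or sha256_secret(secret) not in scope["secrets"]:
        # Unknown scope, wrong secret, or a scope with no secrets at all: nothing can match.
        return 401, {"error": "invalid_client"}
    token = parse_qs(body).get("token", [""])[0]
    claims = REFERENCE_TOKENS.get(token)
    if claims is None:
        # RFC 7662: unknown or revoked tokens are reported as inactive, not as an error.
        return 200, {"active": False}
    return 200, dict(claims)


def api_validate(api_name, api_secret, bearer_token):
    """What the resource server does for each incoming request carrying a reference token:
    call introspection with its own credentials and accept only an active token whose
    scope list contains the API's own name. Returns the HTTP status the API would answer."""
    creds = base64.b64encode(f"{api_name}:{api_secret}".encode("utf-8")).decode("ascii")
    status, resp = introspect_server(
        {"Authorization": f"Basic {creds}"}, f"token={bearer_token}")
    if status != 200:
        # Introspection itself refused us: the caller sees a bare 401, exactly as in the issue.
        return 401
    if not resp.get("active") or api_name not in resp.get("scope", "").split():
        return 401
    return 200


if __name__ == "__main__":
    print("correct secret:", api_validate("apiName", "secret", "abc123"))
    print("wrong secret:", api_validate("apiName", "DontHaveOne", "abc123"))
    print("scope without secrets:", api_validate("legacyApi", "DontHaveOne", "abc123"))
    print("unknown token:", api_validate("apiName", "secret", "nope"))
```

Two points the run makes visible. A scope with an empty secret list can never be authenticated, so there is no ApiSecret value that would make the original configuration work; the scope had to be given a secret, as the issue concludes. And a rejected introspection call and an inactive token both surface to the end client as the same 401, which is why the symptom alone did not point at the cause.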