IdentityServer / IdentityServer4.AccessTokenValidation

IdentityServer Access Token Validation for ASP.NET Core
Apache License 2.0

IdentityServerAuthenticationOptions events #98

Closed phrazed closed 6 years ago

phrazed commented 6 years ago

Hi, I'm trying to set the Events property of the IdentityServerAuthenticationOptions to be able to add permissions when my API is called using a user token. I'm basing my solution on the Combined_AspNetIdentity_and_EntityFrameworkStorage in the Quickstarts. I add the events as follows:

    services.AddAuthentication("Bearer")
        .AddIdentityServerAuthentication(opts =>
        {
            opts.Authority = "http://localhost:5000";
            opts.RequireHttpsMetadata = false;
            opts.ApiName = "example_api";
            opts.Events = new JwtBearerEvents()
            {
                OnTokenValidated = async context =>
                {
                    var user = context.Principal;
                    if (!user.Identity.IsAuthenticated) throw new ApplicationException("User must be authenticated before calling this method");

                    ((ClaimsIdentity)user.Identity).AddClaim(new Claim("ApiClaim", "FromTheApi"));

                    await Task.FromResult(0);
                }
            };
        });

My IdentityServer contains the following modification:

    services.AddIdentityServer(opts =>
    {
        opts.Events.RaiseSuccessEvents = true;
        opts.Events.RaiseFailureEvents = true;
        opts.Events.RaiseErrorEvents = true;
    })

However, the OnTokenValidated method is never called and my claim is never added. I have also tried with OAuthEvents OnCreatingTicket, but with no luck.

Am I doing something wrong?

Thank you

phrazed commented 6 years ago

I have noticed that there is an overload to allow you to send the JwtBearerOptions; however, I'm not sure how to use it. I've tried the following, but I am receiving 401 errors.

    services.AddAuthentication("Bearer")
        .AddIdentityServerAuthentication(
        "Bearer",
        jwtOpts =>
        {
            jwtOpts.Authority = "http://localhost:5000";
            jwtOpts.RequireHttpsMetadata = false;

            jwtOpts.Events = new JwtBearerEvents()
            {
                OnTokenValidated = async context =>
                {
                    var user = context.Principal;
                    if (!user.Identity.IsAuthenticated) throw new ApplicationException("User must be authenticated before calling this method");

                    ((ClaimsIdentity)user.Identity).AddClaim(new Claim("ApiClaim", "FromTheApi"));

                    await Task.FromResult(0);
                }
            };
        },
        oAuthOpts =>
        {
            oAuthOpts.Authority = "http://localhost:5000";
            oAuthOpts.ClientId = "example_api";
        });

Is it necessary to implement methods similar to the internal methods ConfigureJwtBearer and ConfigureIntrospection?

Thanks again

leastprivilege commented 6 years ago

First of all - I personally would rather use claims transformation or just some middleware to do the claims augmentation.

The event should be called nevertheless - I will double check.

phrazed commented 6 years ago

OK, thanks. I'll change the structure of what I was trying to do.

leastprivilege commented 6 years ago

OK - I double checked - you'd need to use JwtBearerEvents instead. And that works.
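The two approaches the maintainer points to, as an added example that is not code from the thread or from the library: a claims transformation that augments the principal after the bearer token has been validated, and the JwtBearerEvents property on IdentityServerAuthenticationOptions (assumed here to be the property he means, in place of opts.Events, which did not fire in the thread). Authority, ApiName and the claim name are the values from the question.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.AccessTokenValidation;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;

// Claims transformation: runs only after the bearer token has been validated, so
// the added claim is asserted by the API itself and never comes from the caller.
// TransformAsync can be invoked more than once per request, so it is idempotent.
public class ApiClaimsTransformation : IClaimsTransformation
{
    private const string ApiClaimType = "ApiClaim";
    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var identity = principal.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
            return Task.FromResult(principal);          // anonymous: add nothing
        if (!identity.HasClaim(c => c.Type == ApiClaimType))
            identity.AddClaim(new Claim(ApiClaimType, "FromTheApi"));
        return Task.FromResult(principal);
    }
}

public static class AuthSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(opts =>
            {
                opts.Authority = "http://localhost:5000";
                opts.RequireHttpsMetadata = false;      // local dev only, as in the thread
                opts.ApiName = "example_api";
                // Alternative hook: JwtBearerEvents (assumed property) is handed to the
                // JWT handler; opts.Events was the one that never fired in the thread.
                opts.JwtBearerEvents = new JwtBearerEvents
                {
                    OnTokenValidated = ctx =>
                    {
                        var id = (ClaimsIdentity)ctx.Principal.Identity;
                        if (!id.HasClaim(c => c.Type == "ApiClaim"))
                            id.AddClaim(new Claim("ApiClaim", "FromTheApi"));
                        return Task.CompletedTask;
                    }
                };
            });
        services.AddTransient<IClaimsTransformation, ApiClaimsTransformation>();
    }
}
```

Pick one of the two hooks in a real API; both are shown together only so the idempotent claim check is visible in each, which matters because the transformation may run several times per request.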