IdentityServer / IdentityServer4

OpenID Connect and OAuth 2.0 Framework for ASP.NET Core
https://identityserver.io
Apache License 2.0

Generating Reference Token Instead of JWT #5411

Closed. asalhani closed this 1 year ago.

asalhani commented 2 years ago

Please find below the steps I applied in order to generate Reference Token instead of JWT:

  1. In the [Clients] table, I updated the property [AccessTokenType] = 1. Please note that this is the client configured to be used from the Angular frontend app.

[Client] Table (screenshot)

[ClientScopes] Table (screenshot)

```json
  "IdentityGuardsConfig": {
    "oidcSettings": {
      "authority": "http://localhost:5000",
      "client_id": "local_spa",
      "redirect_uri": "http://localhost:4200/#/identity-guards/auth-callback#",
      "post_logout_redirect_uri": "http://localhost:4200",
      "response_type": "id_token token",
      "scope": "openid profile inspection_profile",
      "filterProtocolClaims": true,
      "loadUserInfo": true,
      "automaticSilentRenew": true,
      "silent_redirect_uri": "http://localhost:4200/#/identity-guards/silent-refresh#"
    },
    "enableConsoleLogging": true,
    "postLoginRedirectUrl": "/portal"
  }
```

OIDC client configuration (Angular App)

  2. Since the API (/connect/introspect) is secured, I had to create an API Resource and an API Secret (as per this thread). Also as per the thread, I had to assign the exact scopes requested from the frontend client (3 scopes ==> openid, profile, inspection_profile).

[ApiResources] Table (screenshot)

[ApiSecrets] Table (screenshot)

[ApiScopes] Table (screenshot)

After applying the above configuration, the IdentityServer service is returning a reference token, and the reference token is being persisted in the [PersistedGrants] table.

To validate the reference token, I was able to do that by hitting the (/connect/introspect) API from Postman (below is the converted cURL request):

```shell
curl --location --request POST 'http://localhost:5000/connect/introspect' \
--header 'Authorization: Basic bG9jYWxfc3BhOlBAc3N3MHJk' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'token=f007eff8fc2a3d8d9af7cb605b93b78d7004880d24356acebf928dae5a48dd8e'
```

Response:

```json
{
    "iss": "http://localhost:5000",
    "nbf": 1640694748,
    "exp": 1640698348,
    "aud": "http://localhost:5000/resources",
    "client_id": "local_spa",
    "sub": "f6a5ccec-9d70-4c7c-ab50-7a932f685cac",
    "auth_time": 1640694748,
    "idp": "local",
    "amr": "pwd",
    "email": "admin@isp.com",
    "name": "admin@isp.com",
    "given_name": "admin",
    "phone_number": "0506198339",
    "role": "SystemAdmin",
    "preferred_username": "admin@isp.com",
    "active": true,
    "scope": "openid profile inspection_profile"
}
```

Issue: When I tried to access (/.well-known/openid-configuration), I got the below exception:

```text
An unhandled exception occurred while processing the request.
Exception: Found identity scopes and API scopes that use the same names. This is an invalid configuration. Use different names for identity scopes and API scopes. Scopes found: openid, profile, inspection_profile
   IdentityServer4.Stores.IResourceStoreExtensions.Validate(IEnumerable identity, IEnumerable apiResources) in IResourceStoreExtensions.cs, line 60
```

Complete stack trace:

```text
Exception: Found identity scopes and API scopes that use the same names. This is an invalid configuration. Use different names for identity scopes and API scopes. Scopes found: openid, profile, inspection_profile
   IdentityServer4.Stores.IResourceStoreExtensions.Validate(IEnumerable identity, IEnumerable apiResources) in IResourceStoreExtensions.cs
   IdentityServer4.Stores.IResourceStoreExtensions.GetAllEnabledResourcesAsync(IResourceStore store) in IResourceStoreExtensions.cs
   IdentityServer4.ResponseHandling.DiscoveryResponseGenerator.CreateDiscoveryDocumentAsync(string baseUrl, string issuerUri) in DiscoveryResponseGenerator.cs
   IdentityServer4.Endpoints.DiscoveryEndpoint.ProcessAsync(HttpContext context) in DiscoveryEndpoint.cs
   IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events) in IdentityServerMiddleware.cs
   IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events) in IdentityServerMiddleware.cs
   IdentityServer4.Hosting.MutualTlsTokenEndpointMiddleware.Invoke(HttpContext context, IAuthenticationSchemeProvider schemes) in MtlsTokenEndpointMiddleware.cs
   Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.Invoke(HttpContext context)
   IdentityServer4.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in BaseUrlMiddleware.cs
   Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context)
   Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.MigrationsEndPointMiddleware.Invoke(HttpContext context)
   Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.DatabaseErrorPageMiddleware.Invoke(HttpContext httpContext)
   Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.DatabaseErrorPageMiddleware.Invoke(HttpContext httpContext)
   Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
```
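The exception in the report is IdentityServer4's resource-store validation rejecting a scope name that is defined both as an identity resource (`openid`, `profile`) and as an API scope, which is what the [ApiScopes] table described above contains. The following is an added example, not code from the issue or from the IdentityServer4 project: an in-memory IdentityServer4 v4 configuration that shows the colliding scope layout next to a corrected one, the reference-token client, and the API-side introspection handler. The client id, scopes and URLs are taken from the report; the API resource name `inspection_api`, its secret and the display names are assumptions.

```csharp
// Added example (not from the issue or the IdentityServer4 project).
// Packages: IdentityServer4 (v4.x) on the token service, IdentityModel.AspNetCore.OAuth2Introspection on the API.
// "inspection_api" and "api-secret-placeholder" are assumed names; everything else mirrors the report.
using System;
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.Extensions.DependencyInjection;

public static class Config
{
    // Identity scopes: "openid" and "profile" live here and ONLY here.
    public static IEnumerable<IdentityResource> IdentityResources =>
        new IdentityResource[] { new IdentityResources.OpenId(), new IdentityResources.Profile() };

    // BROKEN: mirrors the [ApiScopes] table in the report. "openid" and "profile" are registered
    // a second time as API scopes, so IResourceStoreExtensions.Validate throws on the first
    // discovery request ("Found identity scopes and API scopes that use the same names").
    public static IEnumerable<ApiScope> BrokenApiScopes =>
        new[] { new ApiScope("openid"), new ApiScope("profile"), new ApiScope("inspection_profile") };

    // FIXED: only the API's own scope is an API scope.
    public static IEnumerable<ApiScope> ApiScopes =>
        new[] { new ApiScope("inspection_profile", "Inspection API access") };

    // The API resource is the identity that calls /connect/introspect: its Name is the username
    // and one of its ApiSecrets is the password in the HTTP Basic header. It lists API scopes only.
    public static IEnumerable<ApiResource> ApiResources =>
        new[]
        {
            new ApiResource("inspection_api", "Inspection API")
            {
                ApiSecrets = { new Secret("api-secret-placeholder".Sha256()) }, // assumed secret
                Scopes = { "inspection_profile" },
            },
        };

    public static IEnumerable<Client> Clients =>
        new[]
        {
            new Client
            {
                ClientId = "local_spa",
                AccessTokenType = AccessTokenType.Reference, // AccessTokenType = 1 in the [Clients] table
                AllowedGrantTypes = GrantTypes.Implicit,      // matches response_type "id_token token"
                AllowAccessTokensViaBrowser = true,
                RequireClientSecret = false,                  // public browser client, no secret
                RedirectUris =
                {
                    "http://localhost:4200/#/identity-guards/auth-callback#",
                    "http://localhost:4200/#/identity-guards/silent-refresh#",
                },
                PostLogoutRedirectUris = { "http://localhost:4200" },
                AllowedCorsOrigins = { "http://localhost:4200" },
                // Requesting identity and API scopes together is fine; the validation rule is about
                // *defining* one name in both tables, not about a client asking for both kinds.
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "inspection_profile",
                },
            },
        };
}

public static class Startup
{
    // Token service (Startup.ConfigureServices of the IdentityServer host).
    public static void ConfigureIdentityServer(IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddInMemoryIdentityResources(Config.IdentityResources)
            .AddInMemoryApiScopes(Config.ApiScopes)      // Config.BrokenApiScopes reproduces the exception
            .AddInMemoryApiResources(Config.ApiResources)
            .AddInMemoryClients(Config.Clients)
            .AddDeveloperSigningCredential();            // dev only; use a real key in production
    }

    // Protected API (Startup.ConfigureServices of the resource server). Reference tokens carry no
    // claims, so each request is validated by calling /connect/introspect as the API resource,
    // which is the same call the report makes by hand with curl.
    public static void ConfigureApi(IServiceCollection services)
    {
        services.AddAuthentication("token")
            .AddOAuth2Introspection("token", options =>
            {
                options.Authority = "http://localhost:5000";
                options.ClientId = "inspection_api";              // ApiResource.Name
                options.ClientSecret = "api-secret-placeholder";  // plaintext of the ApiSecret above
            });
    }
}
```

Two points follow from the layout. First, the SPA keeps requesting `openid profile inspection_profile`, and introspection keeps reporting all three in `scope` as in the response above; what must change is the [ApiScopes] table, which should hold only `inspection_profile`. Second, IdentityServer4 authenticates the caller of /connect/introspect as an API resource, so the Basic header must carry an ApiResource name and an ApiSecret, not the credentials of the public SPA client, which has no secret at all. The `id_token token` implicit flow in the Angular settings works with reference tokens, but for new browser clients the authorization code flow with PKCE is the recommended replacement.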

leastprivilege commented 2 years ago

Important update

This organization is not maintained anymore besides critical security bugfixes (if feasible). This organization will be archived when .NET Core 3.1 end of support is reached (3rd Dec 2022). All new development is happening in the new Duende Software organization.

The new Duende IdentityServer comes with a commercial license but is free for dev/testing/personal projects and companies or individuals making less than 1M USD gross annual revenue. Please get in touch with us if you have any question.