IdentityServer / IdentityServer4

OpenID Connect and OAuth 2.0 Framework for ASP.NET Core
https://identityserver.io
Apache License 2.0
9.23k stars, 4.01k forks

Switching from Access token to Reference token does not work #5417

Closed chaoscn closed 2 years ago

chaoscn commented 2 years ago

Hi,

We have a React web app, an IdentityServer 4 and an API resource. They are hosted separately on three different servers. We are using the IdentityServer 4 implicit flow with a self-contained JWT token and it is all working well. Now we want to switch to the code + PKCE flow with a reference token and save the reference token to the "PersistedGrants" table in the database, to make user access revocation easier.

The React app uses the 'oidc-client' library; below is the configuration for the React app:

    import { WebStorageStateStore, UserManager } from 'oidc-client';

    const OidcConfig = {
        userStore: new WebStorageStateStore({ store: window.localStorage }),
        authority: Authority,        // issuer URL, defined elsewhere in the app (not shown)
        client_id: 'ReactApp',
        redirect_uri: RedirectUri,   // defined elsewhere in the app (not shown)
        response_type: 'code',       // authorization code flow; oidc-client adds PKCE automatically
        scope: 'offline_access openid profile MyApi',
        filterProtocolClaims: true,
        loadUserInfo: true
    };

For the identity server, below is the related configuration of Startup.cs:


    services
        .AddScoped<IIdentityServerDbContext>(x =>
            new Data.IdentityServerDbContext(x.GetService<IConfigManager<AppConfig>>().AppConfig.ConnectionString));

    var configManager = services.BuildServiceProvider().GetService<IConfigManager<AppConfig>>();

    services.AddDbContext<AspIdentityDbContext>(config =>
        {
            //config.UseInMemoryDatabase("Memory");
            config.UseNpgsql(configManager.AppConfig.ConnectionString);
        })
        .AddIdentity<IdentityUser, IdentityRole>(config =>
        {
            config.Password.RequiredLength = 0;
            config.Password.RequireDigit = false;
            config.Password.RequireNonAlphanumeric = false;
            config.Password.RequireUppercase = false;
        })
        .AddEntityFrameworkStores<AspIdentityDbContext>()
        .AddDefaultTokenProviders();

    services.ConfigureApplicationCookie(config =>
    {
        config.Cookie.Name = "IdentityServer.Cookie";
        config.LoginPath = "/Auth/Login";
    });

    services.AddIdentityServer(options =>
        {
            options.PublicOrigin = configManager.AppConfig.PublicOrigin;
            options.InputLengthRestrictions.Scope = Common.Constants.MaxScopeLength;
        })
        .AddDeveloperSigningCredential()
        .AddAspNetIdentity<IdentityUser>()
        .AddPersistedGrantStore<PersistedGrantStore>()
        .AddConfigurationStore(options =>
        {
            options.ConfigureDbContext = b => b.UseNpgsql(configManager.AppConfig.ConnectionString,
                sql => sql.MigrationsAssembly(typeof(Startup).Assembly.GetName().Name));
        })
        .AddOperationalStore(options =>
        {
            // Reference tokens are stored here (PersistedGrants table)
            options.ConfigureDbContext = b => b.UseNpgsql(configManager.AppConfig.ConnectionString,
                sql => sql.MigrationsAssembly(typeof(Startup).Assembly.GetName().Name));
        })
        .AddExtensionGrantValidator<DelegationGrantValidator>();

    services.AddLocalApiAuthentication();
    services.ConfigureAuthorization();

    services
        .AddCors(options =>
            options.AddDefaultPolicy(builder => builder.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod()));

    services.AddAuthentication("Bearer")
        .AddOAuth2Introspection("Bearer", options =>
        {
            options.Authority = configManager.AppConfig.UriConfig.Authority.Address;
            options.ClientId = configManager.BaseAppConfig.ApplicationName;
            options.ClientSecret = configManager.BaseAppConfig.Secret.Sha256();
        });

For the API resource (MyApi), below is the related configuration of Startup.cs:

    services.AddAuthentication("Bearer")
        .AddOAuth2Introspection("Bearer", options =>
        {
            options.Authority = configManager.AppConfig.UriConfig.Authority.Address;
            options.ClientId = configManager.BaseAppConfig.ApplicationName;
            options.ClientSecret = configManager.BaseAppConfig.Secret.ToSha256();
        });


The properties of all clients are defined in the database.

Grant type for the React app is "authorization_code", accessTokenType is reference.
Grant type for MyApi is "client_credentials" and "delegation", accessTokenType is reference.

Here is the error I received:

    13:52:28 ERR] Error returned from introspection endpoint: Unauthorized
    [info13:52:28: IdentityModel.AspNetCore.OAuth2Introspection.OAuth2IntrospectionHandler[7] Bearer was not authenticated. Failure message: Error returned from introspection endpoint: Unauthorized
    INF] Bearer was not authenticated. Failure message: Error returned from introspection endpoint: Unauthorized
    [info: IdentityModel.AspNetCore.OAuth2Introspection.OAuth2IntrospectionHandler[12] AuthenticationScheme: Bearer was challenged.
    13:52:28 INF] Bearer was not authenticated. Failure message: Error returned from introspection endpoint: Unauthorized
    [info: IdentityModel.AspNetCore.OAuth2Introspection.OAuth2IntrospectionHandler[12] AuthenticationScheme: Bearer was challenged.
    13:52:28 INF] Bearer was not authenticated. Failure message: Error returned from introspection endpoint: Unauthorized
    [13:52:28 INF] AuthenticationScheme: Bearer was challenged.
    [13:52:28 ERR] Error returned from introspection endpoint: Unauthorized
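The following is an added, self-contained example (not code from the issue author and not IdentityServer4's own samples) that lays the three configurations the post describes side by side so their coupling can be checked. It assumes IdentityServer4 v4.x with in-memory stores, the `IdentityModel.AspNetCore.OAuth2Introspection` package on the API, and placeholder names, URLs and secret values (`MyApi`, `ReactApp`, `https://app.example`, `https://identity.example`). Two facts about IdentityServer4 drive the layout: the introspection endpoint authenticates its caller with API resource credentials (the `ApiResource` name plus one of its `ApiSecrets`), not with a `Client`'s secret; and the stored secret is a `Sha256()` hash while the value sent over the wire must be the plaintext, because IdentityServer hashes what it receives before comparing. An "Unauthorized" response from `/connect/introspect` is what those two mismatches produce, so they are the first thing to verify when switching to reference tokens.

```csharp
using System;
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical in-memory configuration for the IdentityServer host.
// Names, URLs and the secret are placeholders for this example only.
public static class ReferenceTokenConfig
{
    // Placeholder secret: in a real deployment read it from a secret store.
    public const string MyApiPlaintextSecret = "replace-with-a-long-random-secret";

    // The scope the SPA requests ("scope: ... MyApi" in the oidc-client config).
    public static IEnumerable<ApiScope> ApiScopes => new[]
    {
        new ApiScope("MyApi", "My API")
    };

    // The API resource is what authenticates to the introspection endpoint.
    // Its Name must equal the ClientId the API sends, and the stored secret is
    // the SHA-256 hash of the plaintext the API will present.
    public static IEnumerable<ApiResource> ApiResources => new[]
    {
        new ApiResource("MyApi", "My API")
        {
            ApiSecrets = { new Secret(MyApiPlaintextSecret.Sha256()) },
            Scopes = { "MyApi" }
        }
    };

    // Browser-based SPA: authorization code + PKCE, no client secret, and
    // reference access tokens so that revocation is a PersistedGrants row delete.
    public static IEnumerable<Client> Clients => new[]
    {
        new Client
        {
            ClientId = "ReactApp",
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            RequireClientSecret = false,
            AllowOfflineAccess = true,                    // required for "offline_access"
            AccessTokenType = AccessTokenType.Reference,  // opaque token, validated by introspection
            RedirectUris = { "https://app.example/callback" },     // placeholder
            PostLogoutRedirectUris = { "https://app.example/" },   // placeholder
            AllowedCorsOrigins = { "https://app.example" },        // placeholder
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "MyApi"
            }
        }
    };
}

// IdentityServer host. The persisted grant store is where reference tokens live;
// AddInMemoryPersistedGrants stands in for AddOperationalStore here.
public static class IdentityServerHostSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddDeveloperSigningCredential()   // development only
            .AddInMemoryApiScopes(ReferenceTokenConfig.ApiScopes)
            .AddInMemoryApiResources(ReferenceTokenConfig.ApiResources)
            .AddInMemoryClients(ReferenceTokenConfig.Clients)
            .AddInMemoryPersistedGrants();
    }
}

// API host (MyApi): every request carrying a reference token is checked
// against /connect/introspect, with a short cache to limit the round trips.
public static class ApiHostSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddDistributedMemoryCache();   // backing store for the introspection cache

        services.AddAuthentication("Bearer")
            .AddOAuth2Introspection("Bearer", options =>
            {
                options.Authority = "https://identity.example";                   // placeholder
                options.ClientId = "MyApi";                                       // == ApiResource.Name
                options.ClientSecret = ReferenceTokenConfig.MyApiPlaintextSecret; // plaintext, not Sha256()
                options.EnableCaching = true;
                options.CacheDuration = TimeSpan.FromMinutes(2);
            });
    }
}
```

When the API is also registered as a `Client` (for `client_credentials` or a custom `delegation` grant), that `Client` and the `ApiResource` are separate objects with separate secret lists: `Client.ClientSecrets` authenticate calls to the token endpoint, `ApiResource.ApiSecrets` authenticate calls to the introspection endpoint, and both need to exist when the same service plays both roles. For a database-backed setup the same rule applies to the `ApiSecrets` rows of the configuration store.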

leastprivilege commented 2 years ago

Important update

This organization is not maintained anymore besides critical security bugfixes (if feasible). This organization will be archived when .NET Core 3.1 end of support is reached (3rd Dec 2022). All new development is happening in the new Duende Software organization.

The new Duende IdentityServer comes with a commercial license but is free for dev/testing/personal projects and companies or individuals making less than 1M USD gross annual revenue. Please get in touch with us if you have any question.

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Questions are community supported only and the authors/maintainers may or may not have time to reply. If you or your company would like commercial support, please see here for more information.

github-actions[bot] commented 2 years ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.