aspnet-contrib / AspNet.Security.OAuth.Extensions

OAuth2 extensions for ASP.NET Core and OWIN/Katana

Issue with introspection from MVC5 client - IdentityServer4 #51

Closed ctcoulter closed 7 years ago

ctcoulter commented 7 years ago

I'm having an issue with OAuth Introspection from an MVC5 client using the Owin.Security.OAuth.Introspection library.

[ArgumentException: Can not convert Array to String.]
   Newtonsoft.Json.Linq.JToken.op_Explicit(JToken value) +288
   Owin.Security.OAuth.Introspection.<CreateTicketAsync>d__4.MoveNext() +1525
   ...

Middleware:

// OWIN introspection middleware registration
app.UseOAuthIntrospection(new OAuthIntrospectionOptions
{
  AuthenticationMode = AuthenticationMode.Active,
  Authority = settings.Authority ?? "http://localhost:5000",
  ClientId = settings.ClientId ?? "client",
  ClientSecret = settings.ClientSecret ?? "secret"
});

I've got a bunch of other services that are using IdentityServer4 libraries to do introspection and they're working just fine. However, this one service I can't move up from .NET 4.5.2, which makes the extensions for IApplicationBuilder unusable.

The logs on the IdentityServer side are showing successful introspection, but it's bombing out afterwards on the CreateTicketAsync call it seems. I'm thinking maybe it has something to do with the AccessTokenFormat - but I'm not really sure what that should be.

Any help would be greatly appreciated! If any further info is needed, let me know.

ctcoulter commented 7 years ago

Example of the standard format I've been using with success for other services against the same auth server - in case it's helpful:

app.UseOAuth2IntrospectionAuthentication(new OAuth2IntrospectionOptions
{
  Authority = Configuration["OAuth:Authority"],
  ClientId = Configuration["OAuth:ApiName"],
  ClientSecret = Configuration["OAuth:ApiSecret"],
  AutomaticAuthenticate = true,
  AutomaticChallenge = true,
  NameClaimType = JwtClaimTypes.Name,
  RoleClaimType = JwtClaimTypes.Role
});

kevinchalet commented 7 years ago

Any help would be greatly appreciated! If any further info is needed, let me know.

Thanks for the bug report. It would help if you could share an example of an introspection response (returned by IdSrv4) that the OWIN introspection middleware fails to parse.

If you don't want to share it publicly, please send it to contact@kevinchalet.com

ctcoulter commented 7 years ago

Thanks for the response, Kevin!

As for the example of the introspection response - I think that's part of the reason why I'm struggling with it. I don't know how to see that. It's not logged on the IdentityServer side and the last thing I can see is by setting a breakpoint in the following:

OnRequestTokenIntrospection = context =>
{
    return Task.FromResult(0);
},

That context doesn't seem to have any information that is useful for me when trying to figure out what's going on - or the response. Any hints on how to check out that response?

I'm fairly certain this is probably just a case of me doing something dumb and not a bug. I'm still not very comfortable with the workflow of OAuth stuff.

kevinchalet commented 7 years ago

Any hints on how to check out that response?

The easiest approach is to directly use something like Postman or Fiddler and send an HTTP request to IdentityServer's introspection endpoint with the access token you want to introspect:

POST /introspect HTTP/1.1
Host: server.example.com
Accept: application/json
Content-Type: application/x-www-form-urlencoded

token=[token]&client_id=[id]&client_secret=[secret]

ctcoulter commented 7 years ago

Oh... duh. I don't know why I didn't think of that. None of this is sensitive info - just using test settings, so I can post here:

{
  "nbf": 1485876609,
  "exp": 1485880209,
  "iss": "http://localhost:5000",
  "aud": [
    "http://localhost:5000/resources",
    "auth_service",
    "parties_service",
    "nopcommerce"
  ],
  "client_id": "test.code",
  "sub": "bb8f9af0-d79a-45c3-adc7-20a08392a855",
  "auth_time": 1485802083,
  "idp": "local",
  "name": "test@test.com",
  "email": "test@test.com",
  "role": [
    "admin",
    "customer_service"
  ],
  "consultant.id": "",
  "consultant.org": "XYZ",
  "amr": "pwd",
  "scope": [
    "nopcommerce"
  ],
  "active": true
}

kevinchalet commented 7 years ago

@ctcoulter thanks for the details. Actually, this is an IdentityServer4 bug, so I moved your ticket to the right place and posted more details there: https://github.com/IdentityServer/IdentityServer4/issues/759.

kevinchalet commented 7 years ago

@ctcoulter FYI, I opened 2 follow-up tickets to track improvements in the introspection middleware that would help deal with non-standard responses: https://github.com/aspnet-contrib/AspNet.Security.OAuth.Extensions/issues/52 and https://github.com/aspnet-contrib/AspNet.Security.OAuth.Extensions/issues/53.
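As an added illustration (not code from the library, IdentityServer4, or anyone in this thread), here is a small C# helper that builds a ClaimsIdentity from an introspection response shaped like the one posted above, treating array-valued properties such as aud, role and scope as multi-valued claims instead of casting each JToken straight to a string. The class, method and sample names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Newtonsoft.Json.Linq;

// Hypothetical helper, not the middleware's own code: maps an introspection payload
// to claims while tolerating the array-valued properties that `(string)JToken`
// rejects with "Can not convert Array to String".
public static class IntrospectionClaims
{
    public static IEnumerable<Claim> ToClaims(string type, JToken value)
    {
        if (value == null || value.Type == JTokenType.Null)
            return Enumerable.Empty<Claim>();
        // RFC 7662 allows "aud" to be a string or an array; the response in this
        // thread also uses arrays for "role" and "scope". Emit one claim per item.
        if (value.Type == JTokenType.Array)
            return value.Select(item => new Claim(type, item.ToString()));
        // A standard "scope" value is one space-delimited string: split it so
        // consumers see the same per-scope claims whichever shape arrived.
        if (type == "scope")
            return value.ToString()
                        .Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries)
                        .Select(scope => new Claim(type, scope));
        return new[] { new Claim(type, value.ToString()) };
    }

    public static ClaimsIdentity BuildIdentity(string introspectionJson)
    {
        var payload = JObject.Parse(introspectionJson);
        // RFC 7662: anything other than "active": true means the token must be rejected.
        if (payload.Value<bool?>("active") != true)
            throw new InvalidOperationException("Token is not active.");
        var identity = new ClaimsIdentity("Introspection", "name", "role");
        foreach (var property in payload.Properties().Where(p => p.Name != "active"))
            identity.AddClaims(ToClaims(property.Name, property.Value));
        return identity;
    }

    // Constructed sample: a trimmed copy of the response posted in this thread.
    const string Sample = @"{ ""aud"": [""auth_service"", ""nopcommerce""], ""name"": ""test@test.com"",
        ""role"": [""admin"", ""customer_service""], ""scope"": [""nopcommerce""], ""active"": true }";

    public static void Main()
    {
        var identity = BuildIdentity(Sample);
        Console.WriteLine(identity.Name);                      // test@test.com
        Console.WriteLine(identity.HasClaim("role", "admin")); // True
    }
}
```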

ctcoulter commented 7 years ago

thanks so much for your help!

kevinchalet commented 7 years ago

@ctcoulter you're welcome.