skoruba / Duende.IdentityServer.Admin

The administration for the Duende IdentityServer and Asp.Net Core Identity ⚡
Apache License 2.0

Error 403 on Admin API Request #203

Open mtlive opened 4 months ago

mtlive commented 4 months ago

Describe the bug

When I send a request to an admin API (Policy = AuthorizationConsts.AdministrationPolicy attribute) I get Error 403 Unauthorized. Even though the user has the admin role and the scope is the one defined for OidcApiName.

Actually, it shouldn't be required to add the role claim for the client, as it is already defined for the scope. This means that I can't use the admin API swagger in the cloned project, even with the default settings.

To Reproduce

Send a request to the admin API with an admin role user. (like admin user in Admin API swagger) .Net SDK version: 8.0.101

I tried to find the problem and added a role claim with the admin role value defined in appsettings.json, but to no avail. I also verified the token for the claim and it was present, but for some reason, when I reviewed the claims using HttpContext.User.Claims, there was no role claim among the claims. So far my only solution is to comment out the following in the Admin API StartupHelper.cs:

    (c.Type == JwtClaimTypes.Role && c.Value == adminApiConfiguration.AdministrationRole) ||
    (c.Type == $"client_{JwtClaimTypes.Role}" && c.Value == adminApiConfiguration.AdministrationRole))

Is there something that I did wrong, or is it a bug?

mtlive commented 4 months ago

Tried the Always Send Client Claim option, along with adding the role claim for the client, and it worked. But this wasn't necessary in Identity4, nor was it documented.

skoruba commented 4 months ago

Thank you for your message, I will check it - it is strange that you are not able to access API in case that your user has correct admin role.

mtlive commented 4 months ago

Yes, I have this problem even in the cloned project without touching anything.

heesung-ich commented 3 months ago

I also experienced the same problem. I solved that issue by implementing IAuthorizationMiddlewareResultHandler.

    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Authorization.Policy;
    using Microsoft.AspNetCore.Http;

    // Workaround handler: it ignores authorizeResult (the outcome of the policy
    // evaluation) and lets every authenticated user through, so the admin-role
    // requirement is effectively not enforced. Only unauthenticated requests get 403.
    public class ICHAuthorizationMiddlewareResultHandler : IAuthorizationMiddlewareResultHandler
    {
        public Task HandleAsync(RequestDelegate next, HttpContext context, AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
        {
            if (context == null)
            {
                throw new System.ArgumentNullException(nameof(context));
            }

            // Null-safe check: Identity can be null when no authentication scheme ran.
            if (context.User?.Identity?.IsAuthenticated == true)
            {
                return next(context);
            }

            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            return Task.CompletedTask;
        }
    }

I don't believe this is a complete solution. I'm hoping Skoruba will come up with a better solution.

skoruba commented 3 months ago

Hi guys, sorry for delay, I will check it soon.

skoruba commented 3 months ago

Please try using the following code in the Startup.cs in the Api project:

    JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

Check this commit: https://github.com/skoruba/Duende.IdentityServer.Admin/commit/a43768544ae11937dd939a0a158f704619fd3eaf
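The mechanism behind this fix, as an added example that is not part of the thread or of the project's code: a token carrying the short "role" claim is validated once with inbound claim mapping on and once with it off, then run through a predicate like the one quoted from StartupHelper.cs above. The role value, the signing key and the class name are constructed for the demo; it needs the System.IdentityModel.Tokens.Jwt package and .NET 6 or later.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

static class ClaimMappingDemo
{
    // Constructed placeholder for adminApiConfiguration.AdministrationRole.
    const string AdminRole = "ADMIN_ROLE_PLACEHOLDER";

    // Same shape as the Admin API policy: it looks for the short JWT claim type
    // "role" (JwtClaimTypes.Role) or "client_role", never for ClaimTypes.Role.
    static bool AdminPolicyCheck(ClaimsPrincipal user) =>
        user.HasClaim(c => (c.Type == "role" && c.Value == AdminRole) ||
                           (c.Type == "client_role" && c.Value == AdminRole));

    static void Main()
    {
        // Throwaway symmetric key, constructed only so the token can be signed and validated offline.
        var key = new SymmetricSecurityKey(RandomNumberGenerator.GetBytes(32));
        var handler = new JwtSecurityTokenHandler();

        // Constructed token with the role claim exactly as IdentityServer emits it.
        var token = handler.WriteToken(handler.CreateJwtSecurityToken(new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(new[] { new Claim("sub", "1"), new Claim("role", AdminRole) }),
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256)
        }));

        var parameters = new TokenValidationParameters
        {
            IssuerSigningKey = key, ValidateIssuer = false, ValidateAudience = false
        };

        foreach (var map in new[] { true, false })
        {
            // Per-instance equivalent of JwtSecurityTokenHandler.DefaultMapInboundClaims.
            handler.MapInboundClaims = map;
            var user = handler.ValidateToken(token, parameters, out _);
            var types = string.Join(", ", user.Claims.Select(c => c.Type));
            Console.WriteLine($"MapInboundClaims={map}: claim types = [{types}]");
            Console.WriteLine($"  admin policy passes: {AdminPolicyCheck(user)}");
        }
        // With mapping on, "role" arrives renamed to ClaimTypes.Role (the long schemas.microsoft.com
        // URI), so the check on the short type fails and the API answers 403; with mapping off it passes.
    }
}
```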

vpetkovic commented 2 months ago

Hey @skoruba - your fix solves the issue. Thank you!!!

skoruba commented 2 months ago

Thank you @vpetkovic for feedback.