I recently upgraded to:

```json
"IdentityServer4": "1.1.1",
"IdentityServer4.AccessTokenValidation": "1.0.5"
```
I can get the token from the identity server, but when trying to access the API using the token I always get unauthorized. Here is the log from the server:

```text
Failed to validate the token eyJhbGciOiJSUzI1NiIsImtpZCI6Ijk0QjY2NjM3NUJBNzI4NTMxRkY5QjZFQjYxMzU4RTBGODYzMEQxRjUiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJsTFptTjF1bktGTWYtYmJyWVRXT0Q0WXcwZlUifQ.….U4HZ99XQEfX0ZwZdpTDgULr0Em_f5hK-x21Q7kLzAvISLmHGCCrSRa36qkLLhBQQUXKlu2RUoNzbabO98F8euCwPE62C6Q6NRUUQXKI4fqPBhxpVJE6QRjBreGge7zWjScf1ZU3-vQDRWdnz1dDhnqcPntRYHbfONiS4HALV7ttMP1aFqrQkFCdiMLbzZ3w8EiCSGbIiJNpbPOUV4Q0T5k3nD494fz_jc0gpP2E6bc7IPxhzVRw1WJpFPhdMO7YGoS8mulvV7E_QTZ5RclSmgx_Ra0kcUVYzHME_xa8DyfzYR6-2uhQL0LIC_IO5MXy8byYCISLTWK51C0szGf81Yw.
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'http://localhost:5000/resources, shoura-api-core'. Did not match: validationParameters.ValidAudience: 'shoura-api' or validationParameters.ValidAudiences: 'null'.
   at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwt, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__1.MoveNext()
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[7]
      Bearer was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'http://localhost:5000/resources, shoura-api-core'. Did not match: validationParameters.ValidAudience: 'shoura-api' or validationParameters.ValidAudiences: 'null'.
```
From my API server:

```csharp
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

// API
app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
    Authority = Constants.AUTHENTICATION_SERVER,
    RequireHttpsMetadata = false,
    AllowedScopes = new List<string>
    {
        Constants.API_SCOPE_NAME_CORE
    },
    ApiName = Constants.API_NAME
});

app.UseMvc();
app.UseStaticFiles();
```
Check the exception message - it has all the info.
How can I set validation audience on both identity server and API server so they can match?
I managed to solve the problem by adding:

```csharp
app.UseJwtBearerAuthentication(new JwtBearerOptions
{
    Authority = "http://localhost:5000/", // base address of your OIDC server.
    Audience = "http://localhost:5000/resources", // base address of your API.
    RequireHttpsMetadata = false
});
```
Thanks so much. This library is really awesome, with the best support of all the open source libraries I have ever used. Keep up the good work!
> `Audience = "http://localhost:5000/resources", // base address of your API.`

Is this right? Should the API base address and the Authority be the same?
I guess you are right, Audience should point to the address of the API server.
This is my setup, can you please help? Thanks.

```csharp
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

app.UseJwtBearerAuthentication(new JwtBearerOptions
{
    Authority = "MY ADFS SERVER", // base address of your OIDC server.
    Audience = "http://localhost:5001", // base address of your API.
    RequireHttpsMetadata = false,
});

app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
    //Authority = "http://localhost:5000",
    RequireHttpsMetadata = false,
    //ApiName = "api1"
    Authority = "MY ADFS SERVER",
    ApiName = "PDLAPI",
    ApiSecret = "secret",
    AllowedScopes = new[] { "openid" }
});
```
If you are facing the same error as in this post: what I did was take the token and decode it on https://jwt.io/, and I found that the list of audiences from the identity server did not match the list of audiences on the API server. That is why I added http://localhost:5000/resources.

My configuration looks pretty much the same as yours, except for the values of course:

```csharp
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

app.UseJwtBearerAuthentication(new JwtBearerOptions
{
    Authority = "http://localhost:5000/", // base address of your OIDC server.
    Audience = "http://localhost:5000/resources", // base address of your API.
    RequireHttpsMetadata = false
});

app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
    Authority = "http://localhost:5000/",
    RequireHttpsMetadata = false,
    AllowedScopes = new List<string>
    {
        Constants.API_SCOPE_NAME_CORE
    },
    ApiName = Constants.API_NAME
});
```
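The jwt.io check described in the post above, as an added Python example that is not part of this issue thread or of IdentityServer4: it decodes a token's header and payload without verifying the signature (inspection only, like pasting into jwt.io), reads the `aud` claim, and applies the same matching rule the IDX10214 message describes (any token audience must equal ValidAudience or appear in ValidAudiences). The sample token is constructed to carry the same audiences as the log in this thread; its signature segment is a placeholder.

```python
import base64
import json


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_unverified(token):
    """Return (header, payload) of a compact JWS. The signature is NOT checked,
    so use this only to inspect claims, never to trust them."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def token_audiences(payload):
    """'aud' may be a single string or a list of strings (RFC 7519, 4.1.3)."""
    aud = payload.get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def audience_matches(token_auds, valid_audience=None, valid_audiences=None):
    """Mirror of the IDX10214 rule: at least one token audience must equal
    ValidAudience or be contained in ValidAudiences."""
    allowed = set(valid_audiences or [])
    if valid_audience:
        allowed.add(valid_audience)
    return any(a in allowed for a in token_auds)


# Constructed sample token with the audiences the thread's log reports.
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url_encode(json.dumps({
        "iss": "http://localhost:5000",
        "aud": ["http://localhost:5000/resources", "shoura-api-core"],
        "scope": ["shoura-api-core"],
    }).encode()),
    "placeholder-signature",  # not a real RS256 signature
])


def diagnose(token, api_name):
    """True if the API's ApiName (used as ValidAudience) matches the token's aud."""
    _, payload = decode_jwt_unverified(token)
    return audience_matches(token_audiences(payload), valid_audience=api_name)
```

Running `diagnose(SAMPLE_TOKEN, "shoura-api")` reproduces the failure from the log, while `"shoura-api-core"` or `"http://localhost:5000/resources"` passes, which is the mismatch between ApiName and the issued audiences.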