Identityserver4: UserInfo Endpoint Forbidden - no openid scope?

Created on 12 Apr 2017 · 5 Comments · Source: IdentityServer/IdentityServer4

Hi,

I've been puzzling over this for the day and have tried everything I can think of.

Basically I need to get the user's email address from the claims. To do this, it seems I have to authenticate the user, then I can make a request using the UserInfoClient to get the various claim values. Fine, I think.

So, in my API, I've been trying to get this working:

// Read the discovery document to find the token and userinfo endpoints
var discoveryClient = new DiscoveryClient("http://localhost:5000");
var doc = await discoveryClient.GetAsync();

// Request an access token with the client credentials grant
var tokenClient = new TokenClient(doc.TokenEndpoint, "odysseyweb.mvc.ui", "0yHTZNYEGwY9NpeHStaN");
var tokenClientResponse = await tokenClient.RequestClientCredentialsAsync("odysseyweb.api");
var token = tokenClientResponse.AccessToken;

// Call the userinfo endpoint with that token
var userInfoClient = new UserInfoClient(doc.UserInfoEndpoint);
var response = await userInfoClient.GetAsync(token);

var claims = response.Claims;

However, in the response, I'll just get a 'forbidden' error.

In the log, initially I'm getting:

2017-04-12 13:23:57.958 +01:00 [Verbose] Creating userinfo response
2017-04-12 13:23:57.960 +01:00 [Debug] Scopes in access token: "openid profile odysseyweb.api"

However, further down, when I try the UserInfo request, I'm getting:

2017-04-12 12:39:11.198 +01:00 [Verbose] Start access token validation
2017-04-12 12:39:11.199 +01:00 [Error] Checking for expected scope openid failed

Here's my setup:

IdentityServer:

public static IEnumerable<ApiResource> GetApiResources()
{
    return new List<ApiResource>
    {
        new ApiResource("odysseyweb.api", "OdysseyWeb API")
    };
}

public static IEnumerable<Client> GetClients()
{
    return new List<Client>
    {
        new Client
        {
            ClientId = "odysseyweb.mvc.ui",
            ClientName = "OdysseyWeb MVC UI",
            AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,

            ClientSecrets =
            {
                new Secret("0yHTZNYEGwY9NpeHStaN".Sha256())
            },

            RedirectUris = { "http://localhost:64811/signin-oidc" },

            PostLogoutRedirectUris = { "http://localhost:64811/signout-callback-oidc" },

            AllowedScopes = new List<string>
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "odysseyweb.api"
            },
            RequireConsent = true,

            AlwaysIncludeUserClaimsInIdToken = true,
            AlwaysSendClientClaims = true
        },
    };
}

public static IEnumerable<IdentityResource> GetIdentityResources()
{
    return new List<IdentityResource>
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile()
    };
}

API:

app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
    Authority = "http://localhost:5000",
    ApiName = "odysseyweb.api",
    RequireHttpsMetadata = false,
    AllowedScopes = { "odysseyweb.api", "openid" }
});

MVC UI:

JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
    AuthenticationScheme = "oidc",
    SignInScheme = "Cookies",

    Authority = "http://localhost:5000",
    RequireHttpsMetadata = false,

    ClientId = "odysseyweb.mvc.ui",
    ClientSecret = "0yHTZNYEGwY9NpeHStaN",

    ResponseType = "code id_token",
    Scope = { "openid", "profile", "odysseyweb.api" },

    GetClaimsFromUserInfoEndpoint = true,
    SaveTokens = true
});

So it's all pretty similar to the quickstarts.

Thanks in advance!

All 5 comments

You are requesting a token using client credentials flow - and then want to use that token at the userinfo endpoint - but no user is involved here.

clients != users

Ok, thank you. I understand clients are not users.

My plan is, on the API side, after the user has authenticated, I will pick up their username or email, add that to the application's database and then from there I have more control as to what that user can see in the individual applications and have finer control over their permissions (I can't rely on the identity server for that as they might be logging in through Google or wherever, which obviously won't have my permission/role set).

So from my API, I need to pick up some user claims, whether it's their username or their email, but it seems I need to use the UserInfoClient to do that?

Now in the MVC client, I'm getting all the user information I could wish for, including User.Identity.Name, but that's no good as I need to be authenticating/applying permissions/roles in the API, not in the client.
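The following is an added example, not code from this issue or from the IdentityServer4 project, showing the pattern the maintainer's "clients != users" reply points at: the API reads the user's identity from the already-validated bearer token instead of calling the userinfo endpoint with a client-credentials token. It assumes ASP.NET Core 1.x and IdentityServer4 1.x (the `app.UseIdentityServerAuthentication` / `app.UseOpenIdConnectAuthentication` style from the question), that the API listens on the assumed URL `http://localhost:5001`, and that the `GetTokenAsync` extension lives in the `Microsoft.AspNetCore.Authentication` namespace. The controller name, route and `ApiCaller` class are hypothetical.

```csharp
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authentication;   // GetTokenAsync extension (assumed 1.x location)
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;

// --- IdentityServer: put the user claims the API needs into the access token ---
public static class ApiConfig
{
    public static IEnumerable<ApiResource> GetApiResources()
    {
        return new List<ApiResource>
        {
            // UserClaims lists the user claim types IdentityServer4 copies into
            // access tokens issued for this API, so the API needs no userinfo call.
            // Note: "profile" does not cover email; the user must actually have an
            // email claim for it to appear here.
            new ApiResource("odysseyweb.api", "OdysseyWeb API")
            {
                UserClaims = { "email", "name" }
            }
        };
    }
}

// --- API: read the caller's identity from the validated bearer token ---
[Route("api/me")]            // hypothetical route
[Authorize]
public class MeController : Controller
{
    [HttpGet]
    public IActionResult Get()
    {
        // "sub" is the user's stable identifier. A token obtained with the
        // client-credentials grant has no "sub" (the caller is a client, not a
        // user), which is exactly why the userinfo endpoint refused it above.
        var sub = User.FindFirst("sub")?.Value;
        if (sub == null)
        {
            return StatusCode(403, "A user token is required; client tokens carry no user.");
        }

        var email = User.FindFirst("email")?.Value;   // present only if listed in UserClaims and the user has one
        var name = User.FindFirst("name")?.Value;

        // App-specific: key the local user/permission record on "sub", not on email,
        // since email can change or be unverified at an external provider.
        return Ok(new { sub, email, name });
    }
}

// --- MVC UI: call the API with the signed-in USER's access token ---
public class ApiCaller
{
    private readonly HttpClient _http = new HttpClient();

    public async Task<string> GetMeAsync(HttpContext httpContext)
    {
        // SaveTokens = true (as in the question) stores the tokens from the hybrid-flow
        // sign-in; the access token retrieved here carries "sub" and the API scope.
        var accessToken = await httpContext.Authentication.GetTokenAsync("access_token");

        var request = new HttpRequestMessage(HttpMethod.Get, "http://localhost:5001/api/me"); // assumed API URL
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        var response = await _http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}
```

With this arrangement the MVC UI never needs a client-credentials token for user-facing calls, and the API can distinguish a machine caller (no `sub`) from a user caller and apply its own role or permission lookup keyed on `sub`.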

This seems to be a general question about IdentityServer - not a bug report or an issue.

Please use StackOverflow for that. This has the advantage that questions and answers can be easily found by search engines, and that there are more people answering questions than just us.

For IdentityServer3
https://stackoverflow.com/questions/tagged/?tagnames=identityserver3&sort=newest

For IdentityServer4
https://stackoverflow.com/questions/tagged/?tagnames=identityserver4&sort=newest

For commercial support options - visit
https://identityserver.io

Hello,

Did you find a solution to this?

Thanks

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
