Identityserver4: Authorization problem for .net 4.6 after IdentityServer4 3.0.0-preview3.4

Created on 17 Sep 2019 · 10 Comments · Source: IdentityServer/IdentityServer4

Hello,

I have IdentityServer4 - .net core 3.0 (latest - right now rc1)

  • PackageReference Include="IdentityServer4" Version="3.0.0-preview3.4"
  • PackageReference Include="IdentityServer4.AspNetIdentity" Version="3.0.0-preview3.4"
  • PackageReference Include="IdentityServer4.Storage" Version="3.0.0-preview3.4"

I have WebApi - .net core 3.0 (latest - right now rc1)

  • everything works ok - before and after nuget upgrade.

I have WebApi .net 4.6

  • package id="IdentityModel" version="1.13.1" targetFramework="net46"
  • package id="IdentityServer3.AccessTokenValidation" version="2.14.0" targetFramework="net46"
  • package id="Microsoft.Owin" version="3.1.0" targetFramework="net46"
  • package id="Microsoft.Owin.Cors" version="3.1.0" targetFramework="net46"
  • package id="Microsoft.Owin.Host.SystemWeb" version="3.1.0" targetFramework="net46"
  • package id="Microsoft.Owin.Security" version="3.1.0" targetFramework="net46"
  • package id="Microsoft.Owin.Security.Cookies" version="3.1.0" targetFramework="net46"
  • package id="Microsoft.Owin.Security.Jwt" version="3.1.0" targetFramework="net46"
  • package id="Microsoft.Owin.Security.OAuth" version="3.1.0" targetFramework="net46"
  • package id="System.IdentityModel.Tokens.Jwt" version="4.0.4.403061554" targetFramework="net46"

After I upgrade nuget for IdentityServer4 to the latest one, or even to 3.0.0-preview7.33 or 3.0.0-preview8.19, authorization for WebApi .net 4.6 stops working - "Message": "Authorization has been denied for this request."

I think the problem is in the dependencies:

  • in 3.0.0-preview3.4 you use IdentityModel (>= 3.10.6), in the newer ones IdentityModel (>= 4.0.0-preview.3).

Could you advise some solution? Or should I use IdentityServer4 3.0.0-preview3.4 as long as I have a .net 4.6 WebApi?

Many thanks,
Best regards,
Serhii Kryvets

question

All 10 comments

Hard to tell. Probably wait until everything is finally released.

Thanks for the reply.
Do you know if there is an example of how to connect WebApi .NET 4.6 to IdentityServer4?

You can use Microsoft's standard JWT authentication middleware.

Similar: #3705

There seem to be 2 issues

a) the typ header has changed - it seems older versions of Microsoft JWT handler don't like this
b) we removed the /resources audience from our tokens (because of a))

Were you able to solve the problem?

I'm experiencing this issue with OWIN based clients. The solution I'm considering is:
1) Set typ header back to "JWT" using AccessTokenJwtType on IdentityServerOptions
2) Extend DefaultTokenService to add /resources back to aud
3) Eventually upgrade clients to a new token validation library that works with the new style tokens

I just added a switch to bring back the /resources audience. It defaults to off - but you can turn it on for better compat with older token validators.

It will be released with 3.0.2 - today or tomorrow...
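
An added diagnostic, not part of the original thread or of the IdentityServer4 project: it decodes an access token without verifying it and reports the two compatibility issues named in the comments above (a `typ` header other than "JWT", and no `/resources` entry in `aud`). The function names, the issuer, the API name and the sample tokens are constructed for illustration.

```python
import base64
import json


def _b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def legacy_validator_findings(token: str) -> list:
    """Return the reasons an older JWT validator may reject this token.
    Diagnostic only: the signature is NOT verified, so never use this
    to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    header, payload = _b64url_json(parts[0]), _b64url_json(parts[1])
    findings = []
    # Issue a) from the thread: the typ header changed.
    typ = header.get("typ")
    if typ is not None and typ.upper() != "JWT":
        findings.append(f"typ header is {typ!r}, not 'JWT'")
    # Issue b) from the thread: the /resources audience was removed.
    aud = payload.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if not any(str(a).endswith("/resources") for a in audiences):
        findings.append("aud has no '/resources' entry")
    return findings


def _make_token(header: dict, payload: dict) -> str:
    """Build an unsigned sample token (constructed test data)."""
    segs = [base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
            for d in (header, payload)]
    return ".".join(segs + ["sig"])


# Constructed samples: issuer, API name and header values are assumptions.
NEW_STYLE = _make_token({"alg": "RS256", "typ": "at+jwt"},
                        {"iss": "https://sts.example", "aud": "api1"})
OLD_STYLE = _make_token({"alg": "RS256", "typ": "JWT"},
                        {"iss": "https://sts.example",
                         "aud": ["https://sts.example/resources", "api1"]})

if __name__ == "__main__":
    for name, tok in (("new", NEW_STYLE), ("old", OLD_STYLE)):
        print(name, legacy_validator_findings(tok) or "no findings")
```

Running it against a token captured from the .NET 4.6 API's own requests shows which of the two changes applies before anything is changed on the server.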

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
