Hello, I've been struggling with this for quite a few long days now so I figure that it's time to reach out for help as I am working against a deadline and don't have anyone inside my company to go to. It's an issue that I just can't seem to wrap my head around after doing a lot of research but may be obvious to someone who has done it before and will be easy to explain.
The solution I am working with has two main projects, I'll refer to them as Portal and API which run on 'localhost:5000' and 'localhost:5001' respectively. We have openiddict middleware set up for Portal, which utilizes the "/connect/token" endpoint. When a user visits the site, they click login and if they have valid credentials they are signed in and issued an access token which is saved in the front end. The middleware is set up in Portal's 'Startup.cs' as follows:
// Register the OpenIddict services.
services.AddOpenIddict(options =>
{
options.AddEntityFrameworkCoreStores<ApplicationDbContext>();
options.AddMvcBinders();
options.EnableTokenEndpoint("/connect/token");
options.AllowPasswordFlow();
options.AllowRefreshTokenFlow();
options.DisableHttpsRequirement();
//options.AddSigningKey(new SymmetricSecurityKey(System.Text.Encoding.ASCII.GetBytes(Configuration["STSKey"])));
});
After successful login, the user is redirected to the home page which makes several calls to controllers within API, a separate project. I would like to add the [Authorize] header to these controllers so that they are secured but I can't figure out what middleware to add in the API 'Startup.cs' so that it authenticates incoming bearer tokens, which were generated from Portal, against the same middleware set up in Portal. From my research I am fairly certain that something along the lines of
services.AddAuthentication().AddSpecificTokenValidation();
in the ConfigureServices() method then in the Configure() method:
app.UseAuthentication();
but I am not sure where to go from there.
I am somewhat familiar with the concept of Authority and Audience and feel like those need to come in to play but I am unsure where those are being set in the token generation process or if they even need to be set at all. Also, what "type" of token validation should be used for the default tokens generated using openiddict? Any help would be greatly appreciated!
Hey,
When using the default token format (i.e not JWT), the access tokens are encrypted using ASP.NET Core Data Protection, that you must configure explicitly if you want it to work across multiple apps. https://stackoverflow.com/questions/46956866/openiddict-authorization-and-authentication-with-microservices/46961090#46961090 should put you on the right track.
Note: the snippet you shared indicates you're not using the most recent version (RC3). Consider migrating so you can benefit from the new OpenIddict validation handler.
In your API project, you can easily register it by doing:
services.AddOpenIddict()
.AddValidation();
This is exactly what I needed. Thank you!
@slimwizard Hi! Do you got this working? I followed the suggestions of @PinpointTownes, but I can't seem to validate my generated token...
In ConfigureServices I have set in both my auth and api service:
services.AddDataProtection()
.PersistKeysToFileSystem(new DirectoryInfo(@"C:\Temp"))
.SetApplicationName("MyApp");
And I have add in my api service:
services.AddOpenIddict()
.AddValidation();
and of course app.UseAuthentication();
but when I try to call the Auhtorized method I get this error:
System.InvalidOperationException: No authenticationScheme was specified, and there was no DefaultChallengeScheme found.
I'm a bit in the dark here... can you help? I'm getting a token from my auth server, but I can't seem to get to use it in my API server (using Postman as a client btw)....
Many thanks in advance!
In the ConfigureServices method you need to 'add authentication' and in Configure method you need to 'use authentication'. These are methods that can be called on your services and app objects. You will also need to specify what type of authentication scheme to use in the .addAuthentication() method. If you look at the stack overflow link that is posted, you will notice that the asker already has this setup in his Startup.cs file. If you are wanting to use the default scheme then you should be able to use the same lines of code. @TheElectricCo
Thanks, it works 馃槂
Sorry for the late comment!
Most helpful comment
In the ConfigureServices method you need to 'add authentication' and in Configure method you need to 'use authentication'. These are methods that can be called on your services and app objects. You will also need to specify what type of authentication scheme to use in the .addAuthentication() method. If you look at the stack overflow link that is posted, you will notice that the asker already has this setup in his Startup.cs file. If you are wanting to use the default scheme then you should be able to use the same lines of code. @TheElectricCo