Hi there,
I'm trying out the new openiddict 3.0 and am still quite new to the scene. I currently have 2 projects, an openiddict 3.0 server (the one from Mvc.Server sample) and a Web API.
I want to secure my Web API using bearer tokens that get validated by the openiddict server. I'm not quite sure if this is possible but, I've tried several things.
I've tried using the .AddJwtBearer() authentication middleware for my API and using the openiddict server as authority but this does not seem to work.
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.Authority = "https://localhost:5000";
options.Audience = "resource_server";
});
I also tried adding options.UseJsonWebTokens() but that option seems to be removed in 3.0?
I've also tried using OpenIddict().AddValidation() but that does not seem to solve it either. I'm kind of in the dark here since there's little documentation available for openiddict 3.0. Maybe someone can fill me in.
I'm sorry, I think I've found the issue myself. I tried validating with a different audience than the default resource_server but forgot to change the resources in the authorization controller from the sample. So in short, the snippet from above works fine as long you don't change the audience. Otherwise you will have to change the resources in the authorization controller.
They can be found at: https://github.com/openiddict/openiddict-core/blob/dev/samples/Mvc.Server/Controllers/AuthorizationController.cs
On line: 165, 253, 344, 454
I moved over from IdentityServer4 so I thought this was handled automatically.
Hey,
Glad you found the root cause of your issue! I'll update the comment associated to options.AddAudiences("resource_server") to make that more obvious.
I moved over from IdentityServer4 so I thought this was handled automatically.
May I ask you why you decided to try OpenIddict? 馃槂
Hi there,
I felt like OpenIddict was a more modern option and I also liked the implementation with ASP.NET Core Identity out-of-the-box. I also found that IdentityServer doesn't meet my personal requirements when it comes to code quality. I get the feeling OpenIddict has a higher code quality and thus I think it will serve me better than IdentityServer.
And from the point of writing this comment I'm not disappointed!
(And curiosity might have gotten a hold of me 馃槃 )
Thanks for sharing your thoughts! It's always interesting to know why people opt for a specific library instead of another, as it's a good way to focus on what people want 馃槃