Hi , It's me again :) I've one web app , one api resource and id server. I'm succesfully logged in web app(with getting succesfully access_token) but i can't call api resource with specific scope. I also add my scopes dynamically in ticket;
var resourceList = await _scopeManager.ListResourcesAsync(scopes);
ticket.SetResources(resourceList);
web app adding api scopes;
config.Scope.Add("email");
config.Scope.Add("roles");
config.Scope.Add("textileApi");
These are my clients and scopes ;
OpenIddictApplicationDescriptor customApp = new OpenIddictApplicationDescriptor
{
ClientId = "xx",
ClientSecret = "xx",
DisplayName = "xx",
PostLogoutRedirectUris = { new Uri("http://localhost:55467/signout-callback-oidc"), new Uri("http://localhost:55467/Home/Index") },
RedirectUris = { new Uri("http://localhost:55467/signin-oidc") },
Permissions =
{
OpenIddictConstants.Permissions.Endpoints.Authorization,
OpenIddictConstants.Permissions.Endpoints.Logout,
OpenIddictConstants.Permissions.Endpoints.Token,
OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
OpenIddictConstants.Permissions.Scopes.Email,
OpenIddictConstants.Permissions.Scopes.Profile,
OpenIddictConstants.Permissions.Scopes.Roles,
OpenIddictConstants.Permissions.Prefixes.Scope + "textileApi"
}
};
OpenIddictApplicationDescriptor apiClient = new OpenIddictApplicationDescriptor
{
ClientId = "HasTextileAPI",
ClientSecret = "987654",
Permissions =
{
OpenIddictConstants.Permissions.Endpoints.Introspection,
}
};
var textileApiScope = new OpenIddictScopeDescriptor
{
Name = "textileApi",
Resources = { "HasTextileAPI" }
};
And this is my api resource's startup ;
`
services.AddAuthentication(options =>
{
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
options.Audience = "HasTextileAPI";
options.Authority = "http://localhost:53703";
options.RequireHttpsMetadata = false;
options.TokenValidationParameters.NameClaimType = "name";
options.TokenValidationParameters.RoleClaimType = "role";
});
Hey.
It's very likely due to the fact OpenIddict 3.0 always encrypts its access tokens by default. As indicated in https://kevinchalet.com/2020/06/11/introducing-openiddict-3-0-beta1/, the OpenIddict validation handler is now the recommended option (even for JWT, which is the new default access token format in 3.0). It comes with a simpler configuration option when the API is in the same project as your OpenIddict server.
Cheers.
So should i change the version of openid? I usually look at your core example projects as a reference to me and i can't see the difference between mine and yours. by the way my version is 2.0.1.
@mfarkan I had a similar issue. "Invalid token for access token"
You can consider upgrading to beta version 3.0 and following this example.
https://github.com/openiddict/openiddict-samples/tree/dev/samples/Zirku
@mangowi thanks but i think my company doesnt accept to using beta version.
@mangowi @kevinchalet so there is no solution for this on 2.0.1 , isnt it ?
You should post your complete Startup, to ensure things are correctly configured. 2.0.1 should work fine.
Well , dude you're rock again ! I figure it out. Thanks for helping. it is flying like a seagol :) :punch:
Most helpful comment
Hey.
It's very likely due to the fact OpenIddict 3.0 always encrypts its access tokens by default. As indicated in https://kevinchalet.com/2020/06/11/introducing-openiddict-3-0-beta1/, the OpenIddict validation handler is now the recommended option (even for JWT, which is the new default access token format in 3.0). It comes with a simpler configuration option when the API is in the same project as your OpenIddict server.
Cheers.