Openiddict-core: Invalid token for access token.

Created on 23 Jun 2020  路  7Comments  路  Source: openiddict/openiddict-core

Hi , It's me again :) I've one web app , one api resource and id server. I'm succesfully logged in web app(with getting succesfully access_token) but i can't call api resource with specific scope. I also add my scopes dynamically in ticket;

            var resourceList = await _scopeManager.ListResourcesAsync(scopes);
            ticket.SetResources(resourceList);

web app adding api scopes;

                config.Scope.Add("email");
                config.Scope.Add("roles");
                config.Scope.Add("textileApi");

These are my clients and scopes ;

 OpenIddictApplicationDescriptor customApp = new OpenIddictApplicationDescriptor
                    {
                        ClientId = "xx",
                        ClientSecret = "xx",
                        DisplayName = "xx",
                        PostLogoutRedirectUris = { new Uri("http://localhost:55467/signout-callback-oidc"), new Uri("http://localhost:55467/Home/Index") },
                        RedirectUris = { new Uri("http://localhost:55467/signin-oidc") },
                        Permissions =
                        {
                            OpenIddictConstants.Permissions.Endpoints.Authorization,
                            OpenIddictConstants.Permissions.Endpoints.Logout,
                            OpenIddictConstants.Permissions.Endpoints.Token,
                            OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
                            OpenIddictConstants.Permissions.Scopes.Email,
                            OpenIddictConstants.Permissions.Scopes.Profile,
                            OpenIddictConstants.Permissions.Scopes.Roles,
                            OpenIddictConstants.Permissions.Prefixes.Scope + "textileApi"
                        }
                    };
OpenIddictApplicationDescriptor apiClient = new OpenIddictApplicationDescriptor
                    {
                        ClientId = "HasTextileAPI",
                        ClientSecret = "987654",
                        Permissions =
                        {
                            OpenIddictConstants.Permissions.Endpoints.Introspection,
                        }
                    };
                    var textileApiScope = new OpenIddictScopeDescriptor
                    {
                        Name = "textileApi",
                        Resources = { "HasTextileAPI" }
                    };

And this is my api resource's startup ;

` services.AddAuthentication(options => { options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme; }).AddJwtBearer(options => { options.Audience = "HasTextileAPI"; options.Authority = "http://localhost:53703"; options.RequireHttpsMetadata = false; options.TokenValidationParameters.NameClaimType = "name"; options.TokenValidationParameters.RoleClaimType = "role"; });

question

Most helpful comment

Hey.

It's very likely due to the fact OpenIddict 3.0 always encrypts its access tokens by default. As indicated in https://kevinchalet.com/2020/06/11/introducing-openiddict-3-0-beta1/, the OpenIddict validation handler is now the recommended option (even for JWT, which is the new default access token format in 3.0). It comes with a simpler configuration option when the API is in the same project as your OpenIddict server.

Cheers.

All 7 comments

Hey.

It's very likely due to the fact OpenIddict 3.0 always encrypts its access tokens by default. As indicated in https://kevinchalet.com/2020/06/11/introducing-openiddict-3-0-beta1/, the OpenIddict validation handler is now the recommended option (even for JWT, which is the new default access token format in 3.0). It comes with a simpler configuration option when the API is in the same project as your OpenIddict server.

Cheers.

So should i change the version of openid? I usually look at your core example projects as a reference to me and i can't see the difference between mine and yours. by the way my version is 2.0.1.

@mfarkan I had a similar issue. "Invalid token for access token"

You can consider upgrading to beta version 3.0 and following this example.

https://github.com/openiddict/openiddict-samples/tree/dev/samples/Zirku

@mangowi thanks but i think my company doesnt accept to using beta version.

@mangowi @kevinchalet so there is no solution for this on 2.0.1 , isnt it ?

You should post your complete Startup, to ensure things are correctly configured. 2.0.1 should work fine.

Well , dude you're rock again ! I figure it out. Thanks for helping. it is flying like a seagol :) :punch:

Was this page helpful?
0 / 5 - 0 ratings

Related issues

levitatejay picture levitatejay  路  3Comments

matthewwren picture matthewwren  路  3Comments

masakura picture masakura  路  3Comments

DaljitBhail picture DaljitBhail  路  4Comments

pealmeid picture pealmeid  路  4Comments