I'm having a Client in my IdentityServer3
new Client
{
ClientName = "Client Credentials Flow Client with Client Certificate",
ClientId = "certclient",
ClientSecrets = new List<Secret>
{
new Secret
{
Value = "61B754C541BBCFC6A45A9E9EC5E47D8702B78C29",
Type = Constants.SecretTypes.X509CertificateThumbprint,
}
},
Flow = Flows.ClientCredentials,
AllowedScopes = new List<string>
{
"read",
"write"
},
}
I hosted the Token Service in my local IIS and I tried to ping the Token using Postman, but it given an error {"error":"invalid_client"}
Host URL:
https://localhost:5775/core/connect/token
Header:
Content-Type:application/x-www-form-urlencoded
Authorization:Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Body:
grant_type=client_credentials
&cliend_id=certclient
&client_secret=61B754C541BBCFC6A45A9E9EC5E47D8702B78C29
Note: I'm using pure IdentityServer3 package not Thinktecture
Related
I'm protecting a .NET Core Web API with an access token issued by an IDS4.
It works and I added some claims in the client configuration, as follows:
// ... other code
new Client
{
ClientId = "apiclient",
AllowedGrantTypes = GrantTypes.ClientCredentials,
ClientSecrets = {
new Secret("mysupersecret".Sha256())
},
AllowedScopes = {
"joinot",
JwtClaimTypes.Role,
},
Claims = new List<Claim>() { new Claim("role", "WonderWoman"), new Claim("VatId", "123abc") },
},
// ... other code
These are the claims that I see in the webapi.
I found what I added with the prefix "client_".
For testing purposes I'm using swagger and I have this config for it:
new Client {
ClientId = "swagger_api_client",
ClientName = "Swagger API Client",
AllowedGrantTypes = GrantTypes.Implicit,
AllowAccessTokensViaBrowser = true,
RedirectUris = {"http://localhost:57303/swagger/oauth2-redirect.html"},
AllowedScopes = {
"joinot",
JwtClaimTypes.Role,
},
Claims = new List<Claim>() { new Claim("role", "ManOfSteel"), new Claim("VatId", "abc123") },
RequireConsent = false
},
This means that I have to authenticate with an interactive user and than I can call the webapi.
When I do it, the claims I found in the webapi are not as I expected.
"client_role" and "client_VatId" are not in the list.
How can I insert the claims for both the console and the swagger client?
You can set AlwaysSendClientClaims to true :
Claims = new List<Claim>() { new Claim("role", "WonderWoman"), new Claim("VatId", "123abc") },
AlwaysSendClientClaims =true,
If set, the client claims will be sent for every flow. If not, only for client credentials flow (default is false) . So your console application which use client credential flow would work even not set that property.
Reference document : http://docs.identityserver.io/en/latest/reference/client.html
I have and IdentityServer3 installed on my ASP.NET MVC website and a client (a NopCommerce plugin) defined as below (urls are just for test):
new Client
{
ClientName = "Deep Stores",
ClientId = "deepstores",
ClientSecrets = new List<Secret>
{
new Secret("0B0A3FD3-F30C-428C-B1A3-6E570103614D".Sha256())
},
AccessTokenType = AccessTokenType.Reference,
RedirectUris = new List<string>
{
"http://localhost:2030/plugins/ExternalAuthDeepStudies/logincallback"
},
Flow = Flows.AuthorizationCode,
AllowAccessToAllScopes = true,
AllowedScopes = StandardScopes.All.Select(x => x.Name).ToList()
}
When trying to get authorization token with a url like below, It works for the first time (login appears and grant page blah blah) but for the rest of requests it returns error=invalid_scope for my callback!
request to authorize endpoint :
https://127.0.0.1/core/connect/authorize?client_id=deepstores&redirect_uri=http%3A%2F%2Flocalhost%3A2030%2Fplugins%2FExternalAuthDeepStudies%2Flogincallback&scope=profile&response_type=code
what happens? and why do i get this error?
scopes are defined as :
public static IEnumerable<Scope> Get()
{
return new[]
{
StandardScopes.OpenId,
StandardScopes.Profile,
StandardScopes.Email,
StandardScopes.Address,
StandardScopes.Phone,
StandardScopes.OfflineAccess,
StandardScopes.RolesAlwaysInclude,
StandardScopes.AllClaims,
};
}
Note that I use EntityFramework and all my staff are stored in database. plus that I use ASP.NET Identity for managing users and roles.
I'm using oidc-client in my SPA application against IdentityServer3, using implicit flow.
Revoking my reference token on sign out is not working.
I have set revokeAccessTokenOnSignout: true and client_secret to a dummy secret, and I see the request being sent out. However I'm getting a "400 bad request invalid client" response.
Here's the request being sent:
And here's the response:
{"error":"invalid_client"}
And here's the IdentityServer config:
new Client
{
ClientName = "Client Name",
ClientId = "myclientid",
ClientSecrets = new List<Secret>
{
new Secret("secret".Sha256())
},
AccessTokenType = AccessTokenType.Reference,
Flow = Flows.Implicit,
RequireConsent = false,
RedirectUris = new List<string>
{
...
},
AllowedCorsOrigins = new List<string>
{
...
},
PostLogoutRedirectUris = new List<string>
{
...
},
AllowedScopes = new List<string>
{
...
} //.. allowed
}, //..new client
Any ideas what I might be doing wrong?
I'm having a Client in my IdentityServer3
new Client
{
ClientName = "Client Credentials Flow Client",
Enabled = true,
ClientId = "clientcredentials.reference",
Flow = Flows.ClientCredentials,
ClientSecrets = new List<Secret>
{
new Secret("secret".Sha256()),
},
AllowedScopes = new List<string>()
{
"read",
"write"
}
}
I hosted the Token Service in my local IIS and I tried to ping the Token using Postman, but it given an error {"error":"invalid_scope"}
Host URL:
https://localhost:5775/core/connect/token
Header:
Content-Type:application/x-www-form-urlencoded
Body:
grant_type=client_credentials
&cliend_id=clientcredentials.reference
&client_secret=secret
Note: I'm using pure IdentityServer3 package not Thinktecture
Check the Scopes "read" and "write" in Scopes declaration
new Scope
{
Name = "read",
DisplayName = "Read data",
Type = ScopeType.Resource,
Emphasize = false,
ScopeSecrets = new List<Secret>
{
new Secret("secret".Sha256())
}
},
new Scope
{
Name = "write",
DisplayName = "Write data",
Type = ScopeType.Resource,
Emphasize = true,
ScopeSecrets = new List<Secret>
{
new Secret("secret".Sha256())
}
}
I think its missed... Check it once...
I have created Identity server 4 RC 3 with asp.net identity and in memory clients and scopes. I have created a secure api and an mvc client. i am trying to call api from MVC client and it works well. Now, I created a web form client ( asp.net 4.5) and configured opendidopetions in it, i am trying to call api from webform client but getting 401, I see that when api is hit then isauthenticated = false and Name is null in api user.claims. i tried to log the error and it says: "[Information] "Bearer" was not authenticated. Failure message: "No SecurityTokenValidator available for token: ". My web form client has these options:
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
AuthenticationType = "oidc",
Authority = "http://localhost:5000",
ClientId = "mvcClient",
ClientSecret = "secret",
RedirectUri = "http://localhost:5002",
PostLogoutRedirectUri = "http://localhost:5002",
ResponseType = "code id_token token",
Scope = "openid profile NamfusAPI offline_access roles",
SignInAsAuthenticationType = "Cookies",
Notifications = new OpenIdConnectAuthenticationNotifications
{ ..... // code to authenitcate
This is api code:
public IActionResult Get()
{
return new JsonResult(from c in User.Claims select new {c.Type, c.Value });
}
i see claims is empty and user.isauthenticated is false