I am trying to understand all this stuff about JWT tokens in Asp.Net Core. And after bleeding work with huge amount of missunderstandings I am stuck. My task is to make WebApi server with two controllers (protected and not protected). I should grant tokens from the server and be able to get protected resources. everything seems to be fine when I run the server and try to get protected resources from postman. But when I do the same thing in me Angular client , from another domain I have strange thing. I can get unprotected resource, and I cannot get protected resource with such error:
XMLHttpRequest cannot load http://localhost:10450/api/prvalues. Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:10377' is therefore not allowed access.
To make it clear I show all my attemts. My project.json looks like
"dependencies": {
"AspNet.Security.OpenIdConnect.Server": "1.0.0-beta4",
"EntityFramework.Core": "7.0.0-rc1-final",
"EntityFramework.InMemory": "7.0.0-rc1-final",
"Microsoft.AspNet.Authentication.JwtBearer": "1.0.0-rc1-final",
"Microsoft.AspNet.Diagnostics": "1.0.0-rc1-final",
"Microsoft.AspNet.Identity.EntityFramework": "3.0.0-rc1-final",
"Microsoft.AspNet.IISPlatformHandler": "1.0.0-rc1-final",
"Microsoft.AspNet.Mvc": "6.0.0-rc1-final",
"Microsoft.AspNet.Server.Kestrel": "1.0.0-rc1-final",
"Microsoft.AspNet.StaticFiles": "1.0.0-rc1-final",
"Microsoft.Extensions.Configuration.FileProviderExtensions": "1.0.0-rc1-final",
"Microsoft.Extensions.Logging": "1.0.0-rc1-final",
"Microsoft.Extensions.Logging.Console": "1.0.0-rc1-final",
"Microsoft.Extensions.Logging.Debug": "1.0.0-rc1-final",
"NWebsec.Middleware": "1.0.0-gamma-39",
"Microsoft.AspNet.Mvc.Cors": "6.0.0-rc1-final",
"Microsoft.AspNet.Cors": "6.0.0-rc1-final"
},
My Startup.ConfigureServices() looks like
public void ConfigureServices(IServiceCollection services)
{
services.AddCors(options =>
{
options.AddPolicy("AllowAllOrigins",
builder =>
{
builder.AllowAnyOrigin();
builder.AllowAnyHeader();
});
});
services.AddEntityFramework()
.AddInMemoryDatabase()
.AddDbContext<ApplicationDbContext<ApplicationUser, Application, IdentityRole, string>>(options => {
options.UseInMemoryDatabase();
});
services.AddScoped<IAuthStore<ApplicationUser,Application>, AuthStore<ApplicationUser, Application, IdentityRole,
ApplicationDbContext<ApplicationUser, Application, IdentityRole, string>, string>>();
services.AddScoped<AuthManager<ApplicationUser, Application>>();
services.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
options.Password = new PasswordOptions()
{
RequiredLength = 1,
RequireDigit = false,
RequireLowercase = false,
RequireUppercase = false,
RequireNonLetterOrDigit = false
};
}).AddEntityFrameworkStores<ApplicationDbContext<ApplicationUser, Application, IdentityRole, string>>().AddDefaultTokenProviders();
services.AddAuthentication();
// Add framework services.
services.AddCaching();
services.AddMvc();
}
AuthManager and AuthStore are stolen from OpenIddict. I will show them later. My Startup.Configure() looks like:
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
app.UseCors("AllowAllOrigins");
app.UseIISPlatformHandler();
app.UseDeveloperExceptionPage();
app.UseStaticFiles();
// Create a new branch where the registered middleware will be executed only for API calls.
app.UseWhen(context => context.Request.Path.StartsWithSegments(new PathString("/api")), branch =>
{
branch.UseJwtBearerAuthentication(options =>
{
options.AutomaticAuthenticate = true;
options.AutomaticChallenge = true;
options.RequireHttpsMetadata = false;
// Thisi is test, if I uncomment this and SetResource in AuthorizationProvider everything works in postman
//options.Audience = "http://localhost:10450/";
// My Angular client
options.Audience = "http://localhost:10377/";
// My Api
options.Authority = "http://localhost:10450/";
});
});
// Note: visit https://docs.nwebsec.com/en/4.2/nwebsec/Configuring-csp.html for more information.
app.UseCsp(options => options.DefaultSources(configuration => configuration.Self())
.ImageSources(configuration => configuration.Self().CustomSources("data:"))
.ScriptSources(configuration => configuration.UnsafeInline())
.StyleSources(configuration => configuration.Self().UnsafeInline()));
app.UseXContentTypeOptions();
app.UseXfo(options => options.Deny());
app.UseXXssProtection(options => options.EnabledWithBlockMode());
app.UseOpenIdConnectServer(options =>
{
options.Provider = new AuthorizationProvider();
// Note: see AuthorizationController.cs for more
// information concerning ApplicationCanDisplayErrors.
options.ApplicationCanDisplayErrors = true;
options.AllowInsecureHttp = true;
options.AuthorizationEndpointPath = PathString.Empty;
options.TokenEndpointPath = "/token";
// Note: by default, tokens are signed using dynamically-generated
// RSA keys but you can also use your own certificate:
// options.SigningCredentials.AddCertificate(certificate);
});
app.UseMvc();
var hasher = new PasswordHasher<Application>();
using (var database = app.ApplicationServices.GetService<ApplicationDbContext<ApplicationUser, Application, IdentityRole, string>>())
{
database.Applications.Add(new Application
{
Id = "myPublicClient",
DisplayName = "My client application",
Type = ApplicationTypes.Public
});
database.Applications.Add(new Application
{
Id = "myConfidentialClient",
DisplayName = "My client application",
Secret = hasher.HashPassword(null, "secret_secret_secret"),
Type = ApplicationTypes.Confidential
});
database.SaveChanges();
CreateUser(app).Wait();
}
}
And finally, my AthorizationProvider.GrantResourceOwnerCredentials() (I use AspNet.Security.OpenIdConnect.Server) is :
public override async Task GrantResourceOwnerCredentials(GrantResourceOwnerCredentialsContext context)
{
#region UserChecking
var manager = context.HttpContext.RequestServices.GetRequiredService<AuthManager<ApplicationUser, Application>>();
var user = await manager.FindByNameAsync(context.UserName);
if (user == null)
{
context.Rejected(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Invalid credentials.");
return;
}
// Ensure the user is not already locked out.
if (manager.SupportsUserLockout && await manager.IsLockedOutAsync(user))
{
context.Rejected(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Account locked out.");
return;
}
// Ensure the password is valid.
if (!await manager.CheckPasswordAsync(user, context.Password))
{
context.Rejected(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Invalid credentials.");
if (manager.SupportsUserLockout)
{
await manager.AccessFailedAsync(user);
// Ensure the user is not locked out.
if (await manager.IsLockedOutAsync(user))
{
context.Rejected(
error: OpenIdConnectConstants.Errors.InvalidGrant,
description: "Account locked out.");
}
}
return;
}
if (manager.SupportsUserLockout)
{
await manager.ResetAccessFailedCountAsync(user);
}
if (context.Request.ContainsScope(OpenIdConnectConstants.Scopes.Profile) &&
!context.Request.ContainsScope(OpenIdConnectConstants.Scopes.Email) &&
string.Equals(await manager.GetUserNameAsync(user),
await manager.GetEmailAsync(user),
StringComparison.OrdinalIgnoreCase))
{
context.Rejected(
error: OpenIdConnectConstants.Errors.InvalidRequest,
description: "The 'email' scope is required.");
return;
}
#endregion
var identity = await manager.CreateIdentityAsync(user, context.Request.GetScopes());
var ticket = new AuthenticationTicket(
new ClaimsPrincipal(identity),
new AuthenticationProperties(),
context.Options.AuthenticationScheme);
//ticket.SetResources(context.Request.GetResources());
// When I tested with postman
//ticket.SetResources(new[] { "http://localhost:10450/" });
ticket.SetResources(new[] { "http://localhost:10377" });
ticket.SetScopes(context.Request.GetScopes());
context.Validated(ticket);
}
I have shown all code , that I think may cause the problem. Sorry, if it long, but I do not know witch part causes problem.
To access to my protecetd resource (simple decorated with [Authorize]) I use such dummy code from my Angular client
$http.defaults.headers.common['Authorization'] = 'Bearer ' + 'token here';
return $http.get('http://localhost:10450/' + 'api/prvalues');
As I said, I have cors error for such request. But if I try to get unprotected resource (remove [Authorize] attribute from controller) everything works fine.
I have found the solution. When I set resources in my AthorizationProvider.GrantResourceOwnerCredentials() I set "http://localhost:10377" , but in UseJwtBearerAuthentication middleware I set "http://localhost:10377/" in authority option (slash included at the end). It is very silly mistake.
Related
I've specified an Authorization Policy that requires the scope my_custom_value, e.g.
services.AddAuthorization(AuthConfig.GetAuthorizationOptions);
// ...
public static void GetAuthorizationOptions(AuthorizationOptions options)
{
options.AddPolicy("MyPolicy", policy =>
{
policy.RequireScope("my_custom_value");
});
Requests for endpoints that are protected by MyPolicy are failing because the Principal doesn't contain any scopes
I can see that my auth token has the following scopes:
"scope": [
"openid",
"profile",
"my_custom_value",
"offline_access"
],
It appears these are not being mapped to the Principal's claims. When I inspect the Claims later when the user attempts to access a protected endpoint, there are no scopes.
policy.RequireAssertion(context =>
{
if (context.User.HasClaim(c => c.Type == "scope")) // <-- always false
{
if (context.User.HasClaim(c => c.Value == "my_custom_value"))
{
return true;
}
}
Why are the scopes not being mapped? What do I need to do to map them?
For reference, I've tried it with
options.ClaimActions.MapUniqueJsonKey(JwtClaimTypes.Scope, "scope");
options.Scope.Add("my_custom_value");
Am I supposed to implement a custom IProfileService to include the scopes in the OnUserInformationReceived event?
When doing oidc auth using MVC only the IdentityToken claims are mapped to the ClaimsPrincipal. I couldn't figure out a way to map or include access tokens claims to the ClaimsPrincipal.
I ended up writing an authorization handler that validates the access token and performs required claim checks. I assume you read about authorization policies in asp.net 5.0.
public class AccessTokenAuthorizationHandler : AuthorizationHandler<AccessTokenRequirement> {
readonly IOptionsMonitor<OpenIdConnectOptions> _openIdConnectOptions;
readonly ILogger<AccessTokenAuthorizationHandler> _logger;
readonly IOptions<OpenIdOptions> _openIdOptions;
public AccessTokenAuthorizationHandler(
ILogger<AccessTokenAuthorizationHandler> logger,
IOptionsMonitor<OpenIdConnectOptions> openIdConnectOptions,
IOptions<OpenIdOptions> openIdOptions) {
_logger = logger;
_openIdConnectOptions = openIdConnectOptions;
_openIdOptions = openIdOptions;
}
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, AccessTokenRequirement requirement) {
if (context == null) {
throw new ArgumentNullException(nameof(context));
}
if (requirement == null) {
throw new ArgumentNullException(nameof(requirement));
}
if (context.Resource is Microsoft.AspNetCore.Mvc.ActionContext actionContext) {
ClaimsPrincipal principal = await GetAccessTokenPrincipal(actionContext.HttpContext).ConfigureAwait(false);
// verify your requirement
if (condition met) {
context.Succeed(requirement);
}
}
}
private async Task<ClaimsPrincipal> GetAccessTokenPrincipal(HttpContext httpContext) {
if (httpContext == null) {
return null;
}
String accessToken = await httpContext.GetUserAccessTokenAsync().ConfigureAwait(false);
if (!String.IsNullOrWhiteSpace(accessToken)) {
try {
TokenValidationParameters validationParameters = await BuildValidationParameters();
return new JwtSecurityTokenHandler().ValidateToken(accessToken, validationParameters, out var rawValidatedToken);
}
catch (SecurityTokenValidationException validationException) {
_logger.LogWarning(validationException, "Access token not valid.");
}
catch (Exception ex) {
_logger.LogError(ex, "Access token could not be validated.");
}
}
return null;
}
private async Task<TokenValidationParameters> BuildValidationParameters() {
var options = _openIdConnectOptions.Get(OpenIdConnectDefaults.AuthenticationScheme);
var discoveryDocument = await options.ConfigurationManager.GetConfigurationAsync(CancellationToken.None);
var signingKeys = discoveryDocument.SigningKeys;
var validationParameters = new TokenValidationParameters {
RequireExpirationTime = true,
RequireSignedTokens = true,
ValidateIssuer = true,
ValidIssuer = options.Authority,
ValidateIssuerSigningKey = true,
IssuerSigningKeys = signingKeys,
ValidateLifetime = true,
ValidateAudience = true,
ValidAudience = "your audience",
ValidateActor = false,
ValidTypes = new String[] { "at+jwt" },
ClockSkew = TimeSpan.FromMinutes(2),
};
return validationParameters;
}
}
I am not happy i had to do it this way, though i think it is done properly. To retrieve the access token i am using nuget package IdentityModel.AspNetCore, Version=3.0.0.0
I don't understand why not more people have this problem. Of course if your app consumes data from an api you pass on the access token, and there the access token becomes the claims principal. But if your mvc app performs direct database access (and might be later extracted to an api) you need to somehow be able to check claims of the access token. Maybe we have some conceptual misunderstanding...
Regarding the profile service. I think trying to include access token claims into the identity token would not be the correct approach. I think it wouldn't even be possible because you have no information about requested scopes when the service is called for the identity token.
I configured Twitch authentication for my website using this tutorial: https://blog.elmah.io/cookie-authentication-with-social-providers-in-asp-net-core/
In the Twitch dev console I added the https://localhost:44348/signin-twitch url to the callback urls. I've implemented oauth for other providers before, but having troubles with Twitch.
When I try to login, I get the Twitch authorization screen, but after clicking 'Authorize' it redirects me to /signin-twitch + params which returns a Correlation Failed exception.
Exception: An error was encountered while handling the remote login.
I have a feeling it might have to do with the routing. It's setup like this because I have a frontend application with it's own routing (hence the Fallback)
Here is all relevant code.
public void ConfigureServices(IServiceCollection services)
{
...
services.AddAuthentication(options =>
{
options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
{
options.LoginPath = "/signin";
options.LogoutPath = "/signout";
})
.AddTwitch(TwitchAuthenticationDefaults.AuthenticationScheme, options =>
{
options.ClientId = "xxx";
options.ClientSecret = "xxx";
options.Scope.Add("user:read:email");
options.SaveTokens = true;
options.AccessDeniedPath = "/";
});
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
...
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllerRoute(
name: "default",
pattern: "{controller=Home}/{action=Index}/{id?}");
endpoints.MapFallbackToController("Index", "Home");
});
}
public class AuthenticationController : Controller
{
[HttpGet("~/signin")]
public IActionResult SignIn(string returnUrl = "")
{
return Challenge(TwitchAuthenticationDefaults.AuthenticationScheme);
}
}
I think that the error occurs because you're trying to access the URL which is assigned as Callback Path.
Try some variant of this:
[HttpGet("~/signin")]
public IActionResult SignIn()
{
var authProperties = _signInManager
.ConfigureExternalAuthenticationProperties("Twitch",
Url.Action("LoggingIn", "Account", null, Request.Scheme));
return Challenge(authProperties, "Twitch");
}
Source: this answer and this one.
Other stuff to check:
Multiple clients with the same Callback Path
CookiePolicyOptions
HTTPS redirect
I am currently learning how microservices work for an application i am building for my portfolio and for a small community of people that want this specific application. I have followed a tutorial online and successfully got IdentityServer4 to authenticate an MVC Client, however, I am trying to get swagger to work alongside the API's especially if they require authentication. Each time I try to authorize swagger with IdentityServer4, I am getting invalid_scope error each time I try authenticate. I have been debugging this problem for many hours an am unable to figure out the issue. I have also used the Microsoft eShopOnContainers as an example but still no luck. Any help would be greatly appreciated. Ill try keep the code examples short, please request any code not shown and ill do my best to respond asap. Thank you.
Identiy.API project startup.cs:
public class Startup {
public void ConfigureServices(IServiceCollection services)
{
services.AddIdentityServer()
.AddInMemoryClients(Config.GetClients())
.AddInMemoryIdentityResources(Config.GetIdentityResources())
.AddInMemoryApiResources(Config.GetApiResources())
.AddInMemoryApiScopes(Config.GetApiScopes())
.AddTestUsers(Config.GetTestUsers())
.AddDeveloperSigningCredential(); // #note - demo purposes only. need X509Certificate2 for production)
services.AddControllersWithViews();
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseRouting();
app.UseStaticFiles();
app.UseIdentityServer();
app.UseAuthorization();
app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
}
}
Config.cs (i removed the test users to keep the code shorter, since it is not relevant).
#note -I created a WeatherSwaggerUI client specifically for use with swagger since this was apart of eShopOnContainers example project provided by microsoft:
public static class Config
{
public static List<TestUser> GetTestUsers()
{
return new List<TestUser>(); // removed test users for this post
}
public static IEnumerable<Client> GetClients()
{
// #note - clients can be defined in appsettings.json
return new List<Client>
{
// m2m client credentials flow client
new Client
{
ClientId = "m2m.client",
ClientName = "Client Credentials Client",
AllowedGrantTypes = GrantTypes.ClientCredentials,
ClientSecrets = { new Secret("SuperSecretPassword".ToSha256())},
AllowedScopes = { "weatherapi.read", "weatherapi.write" }
},
// interactive client
new Client
{
ClientId = "interactive",
ClientSecrets = {new Secret("SuperSecretPassword".Sha256())},
AllowedGrantTypes = GrantTypes.Code,
RedirectUris = {"https://localhost:5444/signin-oidc"},
FrontChannelLogoutUri = "https://localhost:5444/signout-oidc",
PostLogoutRedirectUris = {"https://localhost:5444/signout-callback-oidc"},
AllowOfflineAccess = true,
AllowedScopes = {"openid", "profile", "weatherapi.read"},
RequirePkce = true,
RequireConsent = false,
AllowPlainTextPkce = false
},
new Client
{
ClientId = "weatherswaggerui",
ClientName = "Weather Swagger UI",
AllowedGrantTypes = GrantTypes.Implicit,
AllowAccessTokensViaBrowser = true,
RedirectUris = {"https://localhost:5445/swagger/oauth2-redirect.html"},
PostLogoutRedirectUris = { "https://localhost:5445/swagger/" },
AllowedScopes = { "weatherswaggerui.read", "weatherswaggerui.write" },
}
};
}
public static IEnumerable<ApiResource> GetApiResources()
{
return new List<ApiResource>
{
new ApiResource("weatherapi", "Weather Service")
{
Scopes = new List<string> { "weatherapi.read", "weatherapi.write" },
ApiSecrets = new List<Secret> { new Secret("ScopeSecret".Sha256()) },
UserClaims = new List<string> { "role" }
},
new ApiResource("weatherswaggerui", "Weather Swagger UI")
{
Scopes = new List<string> { "weatherswaggerui.read", "weatherswaggerui.write" }
}
};
}
public static IEnumerable<IdentityResource> GetIdentityResources()
{
return new List<IdentityResource>
{
new IdentityResources.OpenId(),
new IdentityResources.Profile(),
new IdentityResource
{
Name = "role",
UserClaims = new List<string> { "role" }
},
};
}
public static IEnumerable<ApiScope> GetApiScopes()
{
return new List<ApiScope>
{
// weather API specific scopes
new ApiScope("weatherapi.read"),
new ApiScope("weatherapi.write"),
// SWAGGER TEST weather API specific scopes
new ApiScope("weatherswaggerui.read"),
new ApiScope("weatherswaggerui.write")
};
}
}
Next project is the just the standard weather api when creating a web api project with vs2019
WeatherAPI Project startup.cs (note i created extension methods as found in eShopOnContainers as i liked that flow):
public class Startup
{
public Startup(IConfiguration configuration)
{
Configuration = configuration;
}
public IConfiguration Configuration { get; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
services.AddControllers();
services.AddCustomAuthentication(Configuration)
.AddSwagger(Configuration);
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
app.UseSwagger()
.UseSwaggerUI(options =>
{
options.SwaggerEndpoint("/swagger/v1/swagger.json", "Weather.API V1");
options.OAuthClientId("weatherswaggerui");
options.OAuthAppName("Weather Swagger UI");
});
}
app.UseHttpsRedirection();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapControllers();
});
}
}
public static class CustomExtensionMethods
{
public static IServiceCollection AddSwagger(this IServiceCollection services, IConfiguration configuration)
{
services.AddSwaggerGen(options =>
{
options.SwaggerDoc("v1", new OpenApiInfo
{
Title = "Find Scrims - Weather HTTP API Test",
Version = "v1",
Description = "Randomly generates weather data for API testing"
});
options.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
{
Type = SecuritySchemeType.OAuth2,
Flows = new OpenApiOAuthFlows()
{
Implicit = new OpenApiOAuthFlow()
{
AuthorizationUrl = new Uri($"{ configuration.GetValue<string>("IdentityUrl")}/connect/authorize"),
TokenUrl = new Uri($"{ configuration.GetValue<string>("IdentityUrl")}/connect/token"),
Scopes = new Dictionary<string, string>()
{
{ "weatherswaggerui", "Weather Swagger UI" }
},
}
}
});
options.OperationFilter<AuthorizeCheckOperationFilter>();
});
return services;
}
public static IServiceCollection AddCustomAuthentication(this IServiceCollection services, IConfiguration configuration)
{
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Remove("sub");
var identityUrl = configuration.GetValue<string>("IdentityUrl");
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.Authority = identityUrl;
options.RequireHttpsMetadata = false;
options.Audience = "weatherapi";
});
return services;
}
}
Lastly is the AuthorizeCheckOperationFilter.cs
public class AuthorizeCheckOperationFilter : IOperationFilter
{
public void Apply(OpenApiOperation operation, OperationFilterContext context)
{
var hasAuthorize = context.MethodInfo.DeclaringType.GetCustomAttributes(true).OfType<AuthorizeAttribute>().Any() ||
context.MethodInfo.GetCustomAttributes(true).OfType<AuthorizeAttribute>().Any();
if (!hasAuthorize) return;
operation.Responses.TryAdd("401", new OpenApiResponse { Description = "Unauthorized" });
operation.Responses.TryAdd("403", new OpenApiResponse { Description = "Forbidden" });
var oAuthScheme = new OpenApiSecurityScheme
{
Reference = new OpenApiReference {
Type = ReferenceType.SecurityScheme,
Id = "oauth2"
}
};
operation.Security = new List<OpenApiSecurityRequirement>
{
new OpenApiSecurityRequirement
{
[oAuthScheme ] = new [] { "weatherswaggerui" }
}
};
}
}
again, any help, or recommendations on a guide would be greatly appreciated as google has not provided me with any results to fixing this issue. Im quite new to IdentityServer4 and am assuming its a small issue due with clients and ApiResources and ApiScopes. Thank you.
The swagger client needs to access the api and to do so it requires api scopes. What you have for swagger scopes are not doing this. Change the scopes for swagger client ‘weatherswaggerui’ to include the api scopes like this:
AllowedScopes = {"weatherapi.read"}
I'm following https://learn.microsoft.com/en-gb/graph/auth-v2-user in the hope of calling Microsoft Graph Api from my web app. On section 2 of the article it explains how to get the auth code which is required for making the request to get the access token ...
Can someone please advise where I get the 'code' from as part of the request in part 2? I was expecting this to be returned in the redirect URL as a query string param, but this is not the case.
Thanks,
Edit
I have opted against using MSAL becuase of the bugs I have encountered when using the library. Instead my configartion is the following;
Startup.cs
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
var serviceProvider = services.BuildServiceProvider();
var userAuthenticationTicketRepository = serviceProvider.GetService<IUserAuthenticationTicketRepositoryWrapper>();
var configSettings = serviceProvider.GetService<IConfigSettings>();
services.AddAuthentication(sharedOptions =>
{
sharedOptions.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
sharedOptions.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddAzureAd(options => configuration.Bind("Config:AzureAd", options))
.AddCookie(options =>
{
options.SessionStore =
new AuthenticationTicketStore(userAuthenticationTicketRepository, configSettings);
});
Implementation of AddAzureAd
public static AuthenticationBuilder AddAzureAd(this AuthenticationBuilder builder, Action<AzureADOptions> configureOptions)
{
builder.Services.Configure(configureOptions);
builder.Services.AddSingleton<IConfigureOptions<OpenIdConnectOptions>, ConfigureOidcOptions>();
builder.AddOpenIdConnect(options =>
{
options.Events = new OpenIdConnectEvents
{
OnRemoteFailure = context =>
{
context.HandleResponse();
context.Response.Redirect("Account/AccessDenied");
return Task.FromResult(0);
}
};
});
return builder;
}
ConfigureOidcOptions
public class ConfigureOidcOptions : IConfigureNamedOptions<OpenIdConnectOptions>
{
private readonly AzureADOptions _azureOptions;
public ConfigureOidcOptions(IOptions<AzureADOptions> azureOptions)
{
_azureOptions = azureOptions.Value;
}
public void Configure(string name, OpenIdConnectOptions options)
{
options.ClientId = _azureOptions.ClientId;
options.ClientSecret = _azureOptions.ClientSecret;
options.Authority = new Uri(new Uri(_azureOptions.Instance), _azureOptions.TenantId).ToString();
options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.CallbackPath = _azureOptions.CallbackPath;
options.UseTokenLifetime = true;
}
public void Configure(OpenIdConnectOptions options)
{
Configure(Options.DefaultName, options);
}
}
The Authorization request should be
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id={client_id}
&response_type=code
&redirect_uri=http://localhost/myapp/
&response_mode=query
&scope=offline_access user.read mail.read
&state=12345
Replace the tenant and client_id with your value. And the redirect_uri should be consistent with the one in the portal.
When you request the url in the browser, you will be asked for logging in. After that, you will get the code parameter in the url.
I want to use JWT bearer token authorization using Swagger in my application.
when I use Postman tool the authorization works fine. But when I try authorize using Swagger the controller method always return unauthorized even after passing the token.
Am I missing some line of code for accepting token? Code implemented is as follows.
public void ConfigureServices(IServiceCollection services)
{
// Register the Swagger generator, defining one or more Swagger documents
services.AddSwaggerGen(c =>
{
c.SwaggerDoc("v1", new Info { Title = "XYZ API", Version = "v1", Description = "This is a API for XYZ client applications.", });
c.IncludeXmlComments(GetXmlCommentsPath());
c.AddSecurityDefinition("Bearer", new ApiKeyScheme { In = "header", Description = "Please paste JWT Token with Bearer + White Space + Token into field", Name = "Authorization", Type = "apiKey" });
//c.AddSecurityDefinition("basic", new BasicAuthScheme { Type = "basic" });
});
services.AddCors(config =>
{
var policy = new CorsPolicy();
policy.Headers.Add("*");
policy.Methods.Add("*");
policy.Origins.Add("*");
policy.SupportsCredentials = true;
config.AddPolicy("policy", policy);
});
services.AddAuthorization(auth =>
{
auth.AddPolicy("Bearer", new AuthorizationPolicyBuilder()
.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
.RequireAuthenticatedUser().Build());
});
services.AddAuthentication(options =>
{
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters()
{
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
IssuerSigningKey = _signingKey,
ValidAudience = "Audience",
ValidIssuer = "Issuer",
// ClockSkew = TimeSpan.FromMinutes(0)
ClockSkew = TimeSpan.Zero
};
});
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
app.UseCors("policy");
app.UseAuthentication();
app.UseMvc();
// Enable middleware to serve generated Swagger as a JSON endpoint.
app.UseSwagger();
// Enable middleware to serve swagger-ui (HTML, JS, CSS etc.), specifying the Swagger JSON endpoint.
app.UseSwaggerUI(c =>
{
c.SwaggerEndpoint("/swagger/v1/swagger.json", "XYZ API V1");
});
}
Controller
[Authorize("Bearer")]
[Route("api/[controller]")]
public class ValuesController : Controller
{
}
You also need to add the AddSecurityRequirement in swagger schema definition to indicate that the scheme is applicable to all operations in your API.
like below:
c.AddSecurityRequirement(new Dictionary<string, IEnumerable<string>>
{
{ "Bearer", new string[] { } }
});
So, the complete definition will be:
services.AddSwaggerGen(c =>
{
c.SwaggerDoc("v1", new Info { Title = "XYZ API", Version = "v1", Description = "This is a API for XYZ client applications."});
c.IncludeXmlComments(GetXmlCommentsPath());
c.AddSecurityDefinition("Bearer", new ApiKeyScheme
{
In = "header",
Description = "Please paste JWT Token with Bearer + White Space + Token into field",
Name = "Authorization",
Type = "apiKey"
});
c.AddSecurityRequirement(new Dictionary<string, IEnumerable<string>>
{
{ "Bearer", new string[] { } }
});
});