Identity Server 4，API未经授权调用内省端点

Question

I hope someone can point me in the right direction.

I am trying to let an javascript client communicate with an api with the help of reference tokens. I am using Identity Server 4.

What is going OK:

On login the javascript client/webapplicatoin gets routed to Identity server for user and password validation On success the user gets routed back to the javascript/webapplication and has a valid IdentityToken

What is NOT going OK:

When the javascript client/webapplication makes a call to my Api, the request gets received by the api. Then the api wants to check the received identity Token with Identity Server to get an access token, but fails to contact the server with te following error in the console:

 fail: IdentityServer4.Validation.ApiSecretValidator[0] API validation failed. fail: IdentityServer4.Endpoints.IntrospectionEndpoint[0] API unauthorized to call introspection endpoint. aborting. 

Pretty clear the Api is not allowed to communicate with te server...

I think I have a configuration error somewhere but I just cant see where. Tried all kind of different set-ups, I am out of ideas to try or to change...

This is what I have untill now:

For the javascript client:

I use the oidc-redux package, the config I use:

var userManagerConfig = {
   authority: "http://localhost:50289",
   redirect_uri: "http://localhost:3000/callback",
   client_id : "js",
   response_type : "id_token",
   scope :"openid",
};

Identity Server 4 Configs

Client definition:

public static IEnumerable<Client> GetClients()
{
    return new List<Client>
    {
        new Client
        {
            ClientId = "js",
            ClientName = "my js client",
            AllowedGrantTypes = GrantTypes.Implicit,
            RequireClientSecret = false,
            RequireConsent = false,
            RedirectUris           = { "http://localhost:3000/callback" },
            PostLogoutRedirectUris = { "http://localhost:3000" },
            AllowAccessTokensViaBrowser = false,
            AllowedCorsOrigins =     { "http://localhost:3000" },
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "myApi"
            }
        }
    };
}

Api resources definition:

public static IEnumerable<ApiResource> GetApiResources()
{
    return new List<ApiResource>
    {
        new ApiResource("myApi")
        {
            ApiSecrets =
            {
                new Secret("superweaksecret")
            }
        }
    };
}

in Configure service I add it all together in the container:

// configure identity server with in-memory stores, keys, clients and scopes
services.AddIdentityServer()
    .AddDeveloperSigningCredential()
    .AddInMemoryPersistedGrants()
    .AddProfileService<CustomClaimService>()
    .AddInMemoryIdentityResources(Config.GetIdentityResources())
    .AddInMemoryApiResources(Config.GetApiResources())
    .AddInMemoryClients(Config.GetClients())
    .AddAspNetIdentity<ApplicationUser>();

The Api setup

Based on .net Core, in the ConfigureService method I have the following:

services.AddAuthentication("Bearer")
    .AddIdentityServerAuthentication(options =>
    {
       options.Authority = "http://localhost:50289";
       options.RequireHttpsMetadata = false;
       options.ApiSecret = "superweaksecret";
       options.ApiName = "myApi";
       options.EnableCaching = false;

    });

Hope someone sees my error.

If I missed information or code needed for a proper awnser, please let me know.

Kind regards, Roel

Answer 1

IdentityServer expects shared secrets to be hashed.

new ApiResource("myApi") {
    ApiSecrets = {
            new Secret("superweaksecret".Sha512())
    }
}