使用 IdentityServer4.AccessTokenValidation 包将 .NET 5 Web API 参考令牌授权给 IdentityServer3 时遇到问题

Question

Server

Using IdentityServer3 for client/application authorization.

Using IdentityAdmin to edit clients/scopes via GUI.

Created a new Client for the API, added a SharedSecret and api scope.

API / Client

Has 2 GET endpoints.

Uses the IdentityServer4.AccessTokenValidation NuGet package.

Configuration should be simple:

Startup.cs

public void ConfigureServices(IServiceCollection services)
{
    services.AddControllers(c => {
        var policy = ScopePolicy.Create("api");
        c.Filters.Add(new AuthorizeFilter(policy));
    });

    services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
        .AddIdentityServerAuthentication(options => {
            options.Authority = "{base url of identity server}";
            options.ApiName = ""; // not sure what this is? client id from identity server?
            options.ApiSecret = ""; // should this be the hashed password?
            options.LegacyAudienceValidation = true;
        });

    services.AddSwaggerGen(c => {
        c.SwaggerDoc("v1", new OpenApiInfo { Title = "MarvalAPI", Version = "v1" });
    });

    RegisterServices(services);
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment()) {
        app.UseDeveloperExceptionPage();
        app.UseSwagger();
        app.UseSwaggerUI(c => c.SwaggerEndpoint("/swagger/v1/swagger.json", "MarvalAPI v1"));
    }

    app.UseHttpsRedirection();

    app.UseRouting();

    app.UseAuthentication(); //this is added, everything else is by default
    app.UseAuthorization();

    app.UseEndpoints(endpoints => {
        endpoints.MapControllers();
    });
}

Testing:

1. GET client reference token from identity "/connect/token" endpoint
2. GET API's endpoint with added header "Authorization: Bearer {token}"
3. Receive 401 Unauthorized

Things I have tried:

• Different Startup.cs configurations
• Tried validating token via identity "/connect/accesstokenvalidation" endpoint, token is valid .
• Different apiname/apisecret values, because not 100% sure what they have to be.
• Googled to no avail

I am at a loss here, am I doing something totally wrong? Is this just a compatibility issue? Or am I just not understanding anything at all? Seems like clear documentation is scarce and users have to draw out information.

Sources used

https://github.com/IdentityServer/CrossVersionIntegrationTests/blob/main/src/CoreApiIdSrv3/Startup.cs

https://github.com/IdentityServer/IdentityServer4.AccessTokenValidation

IdentityServer3 documentation

SO / github/identityserver3 threads.

Answer 1

Well, some time after making this post I figured it out.

options.ApiName = "";
options.ApiSecret = "";

ApiName is the name of the scope which the client uses, so it this case the value should be api .

ApiSecret is the PRE-HASHED value of the scope secret .

eg if secret value is "test" and it's SHA256 value is 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08, then ApiSecret value should be test

So, after figuring this out, the above options config should look like this:

options.ApiName = "api";
options.ApiSecret = "test";

Note: SHA512 works as well.

To me this seems like a major naming issue.

I solved this after analysing this VS solution:

https://github.com/IdentityServer/CrossVersionIntegrationTests