I have implemented IdentityServer 4 in a .NET Core application, using JWT bearer tokens to authenticate API calls.
The problem appears as soon as I use [Authorize(Roles = "Admin")]: the request is rejected and the log shows:
[Information] AuthenticationScheme: "Bearer" was forbidden.
(That is a 403 Forbid rather than a 401 Challenge, i.e. the token itself was accepted but the role requirement was not satisfied.)
When I have just the [Authorize]
attribute it works fine.
Here is the code:
// EF Core store for Identity users/roles; the SQLite path is hard-coded here.
services.AddDbContext<OmbiContext>(options =>
options.UseSqlite("Data Source=Ombi.db"));
// ASP.NET Core Identity on top of that context, with the default token providers
// (used e.g. for password-reset tokens).
services.AddIdentity<OmbiUser, IdentityRole>()
.AddEntityFrameworkStores<OmbiContext>()
.AddDefaultTokenProviders();
// IdentityServer4, issuing tokens for the same Identity users.
services.AddIdentityServer()
// NOTE(review), dev only: a temporary signing key is generated at startup instead of being
// loaded from a store, so tokens signed before a restart presumably cannot be verified
// afterwards. Use AddSigningCredential with a persisted key/certificate in production.
.AddTemporarySigningCredential()
// Persisted grants are kept in memory only and are lost on restart (dev only).
.AddInMemoryPersistedGrants()
.AddInMemoryIdentityResources(IdentityConfig.GetIdentityResources())
// NOTE(review): [Authorize(Roles = "Admin")] can only pass if the access token carries a
// role claim. With IdentityServer4 that normally means the "api" ApiResource returned here
// must list the role claim among its UserClaims — confirm in IdentityConfig.
.AddInMemoryApiResources(IdentityConfig.GetApiResources())
.AddInMemoryClients(IdentityConfig.GetClients())
.AddAspNetIdentity<OmbiUser>();
// SECURITY, dev only: this disables the password policy almost entirely — a single-character
// password with no complexity requirement is accepted. Restore a sensible minimum length
// and complexity before any non-development deployment.
services.Configure<IdentityOptions>(options =>
{
options.Password.RequireDigit = false;
options.Password.RequiredLength = 1;
options.Password.RequireLowercase = false;
options.Password.RequireNonAlphanumeric = false;
options.Password.RequireUppercase = false;
});
/// <summary>
/// Builds the request pipeline: ASP.NET Identity (cookies), then the IdentityServer
/// endpoints, then bearer-token validation against this same server for API calls.
/// </summary>
/// <param name="app">Pipeline builder the middleware is registered on.</param>
/// <param name="env">Hosting environment (unused in the part shown).</param>
/// <param name="loggerFactory">Logger factory (unused in the part shown).</param>
/// <param name="cache">Memory cache (unused in the part shown).</param>
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory, IMemoryCache cache)
{
    // Registration order is significant: Identity first, then the token-issuing
    // endpoints, then the handler that validates the tokens those endpoints issue.
    app.UseIdentity();
    app.UseIdentityServer();

    var settings = options.Value;
    var bearerOptions = new IdentityServerAuthenticationOptions
    {
        Authority = settings.WebsiteUrl,
        // Must match the ApiResource name configured for IdentityServer.
        ApiName = "api",
        // SECURITY: a shared API secret committed to source; load it from configuration
        // or a secret store before this leaves development.
        ApiSecret = "secret",
        EnableCaching = true,
        CacheDuration = TimeSpan.FromMinutes(10), // the library default
        // SECURITY: false allows discovery metadata and signing keys to be fetched over
        // plain HTTP — acceptable only for local development.
        RequireHttpsMetadata = settings.UseHttps,
        AutomaticAuthenticate = true,
        AutomaticChallenge = true
    };
    app.UseIdentityServerAuthentication(bearerOptions);
    // etc...
}
Code to create the user and role:
// Create the account; the password is checked against the Identity password validators.
var result = await UserManager.CreateAsync(userToCreate, user.Password);
if (result.Succeeded)
{
// Create the "Admin" role on first use.
if (!(await RoleManager.RoleExistsAsync("Admin")))
{
// NOTE(review): r.Succeeded is never inspected, so a failed role creation is
// silently ignored and AddToRoleAsync below runs against a missing role.
var r = await RoleManager.CreateAsync(new IdentityRole("Admin"));
}
// SECURITY NOTE(review): every user created through this path is made "Admin"
// unconditionally, and the result (re) is not checked. Confirm this code is only
// reachable for the initial/bootstrap account and not for ordinary sign-up.
var re = await UserManager.AddToRoleAsync(userToCreate, "Admin");
}
Looking in the database, everything is linked up correctly: I can see that the user has the "Admin" role, but the Authorize attribute still does not work.
EDIT
After a bit more investigation, here is what the controller's User
property contains when only the plain [Authorize]
attribute is applied (the screenshot is not reproduced here):
So it seems that we do not even get the username, or anything else about the user, out of the token.
I think you might be missing a UseJwtBearerAuthentication call
inside your Configure
method. (Caveat: UseIdentityServerAuthentication already sets up a bearer-token handler, so if you keep both, check that the two registrations do not compete for the "Bearer" scheme. Either way, [Authorize(Roles = "Admin")] can only pass if the access token actually carries a role claim — which is what the claim dump below will tell you.)
// NOTE(review): as written, the TokenValidationParameters carry no issuer, audience or
// signing-key settings, so this handler has nothing to validate tokens against; set
// Authority/Audience (or ValidIssuer/IssuerSigningKey) before relying on it.
// NOTE(review): if the access token's role claim uses the short type "role" (as
// IdentityServer issues) rather than ClaimTypes.Role, set
// TokenValidationParameters.RoleClaimType = "role", otherwise [Authorize(Roles = ...)]
// will not see it — confirm the claim type with the claim dump below.
app.UseJwtBearerAuthentication(new JwtBearerOptions()
{
TokenValidationParameters = new TokenValidationParameters()
{
// You can set different kind of validations here.
// ValidateIssuerSigningKey, ValidateAudience, ValidateIssuer, etc.
}
});
Looking at the image you provided, it looks like you have 20 claims in the claim list. Check which roles/claims you actually see there — in particular whether a role claim is present at all, and what its claim type is.
You can get the list by
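// Dump every claim on the authenticated principal so you can see whether a role
// claim arrived in the token at all, and under which claim type.
// Prints "<type>: <value>", one claim per line; the original ran type and value
// together with no separator, which made the output hard to read.
// SECURITY: this writes token contents to the console — keep it out of production logs.
var claims = HttpContext.User.Claims.ToList();
foreach (var c in claims)
{
    Console.WriteLine(c.Type + ": " + c.Value);
}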