Token with invalid signature in IdentityServer4 with client Angular

Question

I doing development the a application web with a Client Angular2, and a backend in ASP.NET Core 2 with IdentityServer4 and finally a webapi protected with the authserver the IdentityServer4. I implemented the backend succesfully, and mi webapi is protected. My client Angular also is protected and use the login in mi client with a client configured in IdentityServer with AllowedGrantTypes set in flow with password and user. The problem is the generation of the token. I can generated a token with payload and header valid but I did not make a signature valid. In jwt.io my token es invalid, and I can't acces to the user info with the token, nevertheless with this token a can access to the info in my webapi. Whats is the problem? How to fixed?

My code in Angular is this:

import { Component, OnInit } from '@angular/core';
import { OAuthService } from 'angular-oauth2-oidc';
import { JwksValidationHandler } from 'angular-oauth2-oidc';
import { authConfig } from './auth.config';

@Component({
  selector: 'app-root',
  templateUrl: './app.component.html',
  styleUrls: ['./app.component.scss']
})
export class AppComponent implements OnInit {

  constructor(private oAuthService: OAuthService) {
    this.oAuthService.tokenEndpoint = 'http://localhost:5000/connect/token';
    this.oAuthService.userinfoEndpoint = 'http://localhost:5000/connect/userinfo';
    this.oAuthService.clientId = 'angular-client';
    this.oAuthService.responseType = 'id_token token';
    this.oAuthService.scope = 'api1';
    this.oAuthService.dummyClientSecret = 'password';
  }

  ngOnInit(): void {
    this.login();
  }

  login() {
    this.oAuthService.fetchTokenUsingPasswordFlow('aherrera', 'password').then((resp) => {
      // Loading data about the user
      return this.oAuthService.loadUserProfile();
    }).then(() => {
      // Using the loaded user data
      const claims = this.oAuthService.getIdentityClaims();
      if (claims) {
        // tslint:disable-next-line:no-console
        console.debug('given_name');
      }
    });
  }
}

And, my code in IdentityServer is this:

new Client
                {
                    ClientId = "angular-client",
                    ClientName = "Angular Client",
                    AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
                    AllowAccessTokensViaBrowser = true,
                    EnableLocalLogin = true,
                    AllowedCorsOrigins =
                    {
                        "httpsd://localhost:4200",
                        "http://localhost:4200"
                    },
                    AllowedScopes =
                    {
                        IdentityServerConstants.StandardScopes.OpenId,
                        IdentityServerConstants.StandardScopes.Profile,
                        IdentityServerConstants.StandardScopes.Email,
                        "api1"
                    },
                    ClientSecrets = new List<Secret>() {
                        new Secret("password".Sha256())
                    }
                },

The log of the console is:

Help, please.

Answer 1

add the openid scope to your Angular code:

this.oAuthService.scope = 'openid api1';

You client should really be configurated with the Implicit Flow

AllowedGrantTypes = GrantTypes.Implicit,