Identity Server 4 Cant Validate My Access Token

Question

I am using Asp.net Core 3.1 Web Api For Generate Api And Use Identity Server 4(3.1.2) With asp.net identity core In Same Project(Both In One Project) To Authenticate User. Identity Server 4 Generate Access Token But When Call Api With Postman,EveryTime Return 401. This is my Identity Server 4 Config:

 "IdentityServerSetting": {
    "IdentityServerAuthority": "https://localhost:5000",
    "IdentityResources": [
      "openID"
    ],
    "ApiResources": [
      {
        "Name": "MadPay",
        "DisplayName": "MadPay Api",
        "UserClaims": [
          "name",
          "Email"
        ]
      }
    ],
    "Client": [
      {
        "AccessTokenLifeTime": 3600,
        "AllowedGrantTypes": "password",
        "ClientId": "angular",
        "AlwaysIncludeUserClaimsInIdToken": "true",
        "AlwaysSendClientClaims": "true",
        "AllowCorsOrigins": [ "https://localhost:5000" ],
        "RequireClientSecret": "false",
        "AllowedScopes": [ "OpenId", "MadPay" ],
        "AllowOfflineAccess": "true"
      }
    ]
  }

This Is My ConfigureService

public void ConfigureServices(IServiceCollection services)
        {
            services.Configure<JwtConfig>(_configuration.GetSection(nameof(JwtConfig)));
            services.Configure<IdentityServerSetting>(_configuration.GetSection(nameof(IdentityServerSetting)));

            services.AddScoped<IUnitOfWork, UnitOfWork<ApplicationDBContext>>();

            services.AddMapperConfigurations();
            services.AddServices();

            services.AddDbContext<ApplicationDBContext>(opt =>
            {
                opt.UseSqlServer(_configuration.GetConnectionString("ApplicationConnection"));
            });

            services.AddMvcCore(opt => opt.EnableEndpointRouting = false)
             .SetCompatibilityVersion(CompatibilityVersion.Version_3_0)
             .AddAuthorization()
             .AddNewtonsoftJson(options =>
                    options.SerializerSettings.ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Ignore);

            services.AddResponseCaching();
            services.AddIdentityServerConfig(_identityServerSetting);
            services.AddApiAuthorization();

            services.AddCors();
            services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
            services.Configure<ApiBehaviorOptions>(options =>
            {
                options.SuppressModelStateInvalidFilter = true;
            });
        }

This Is My Configure

 public void Configure(IApplicationBuilder app, IHostEnvironment env)
        {
            IdentityModelEventSource.ShowPII = true;
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }
            else
            {
                // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
                app.UseHsts();
            }

            //app.UseHsts();

            app.UseCors(i => i.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader());
            app.AddExceptionHandling();
            app.UseResponseCaching();
            app.UseIdentityServer();
            app.UseHttpContext();
            app.UseHttpsRedirection();
            app.UseStaticFiles();

            app.UseMvc(routes =>
            {
                routes.MapRoute(
                    name: "default",
                    template: "api/{controller}/{action}/{id?}");
            });
        }

AddApiAuthorization Fuction

 public static void AddApiAuthorization(this IServiceCollection services)
        {
            services.AddAuthentication(options =>
            {
                options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
            })
                .AddJwtBearer(opt =>
                 {
                     opt.Authority = "https://localhost:5000";
                     opt.RequireHttpsMetadata = false;
                     //opt.Audience = "MadPay";
                     opt.TokenValidationParameters = new TokenValidationParameters
                     {
                         ValidateAudience = false
                     };
                 });

 services.AddScoped<IAuthorizationHandler, PermissionAuthorizationHandler>();

            services.AddAuthorization(option =>
                option.AddPolicy("Permission", builder =>
                    builder.AddRequirements(new PermissionRequirement()).RequireAuthenticatedUser()
                )
            );
}

AddIdentityServerConfig Fuction

 public static void AddIdentityServerConfig(this IServiceCollection services, IdentityServerSetting config)
        {
            var finalConfig = MapJsonToConfig(config);

            services.AddIdentity<User, Role>(opt =>
            {
                opt.Password.RequireLowercase = false;
                opt.Password.RequireUppercase = false;
                opt.Password.RequireNonAlphanumeric = false;

                opt.User.RequireUniqueEmail = true;

                opt.SignIn.RequireConfirmedAccount = true;
                opt.SignIn.RequireConfirmedEmail = true;
            })
            .AddEntityFrameworkStores<ApplicationDBContext>()
            .AddUserManager<AppUserManager>()
            //.AddSignInManager<AppSignInManager>()
            .AddErrorDescriber<AppErrorDescriberService>()
            .AddDefaultTokenProviders();

            services.AddIdentityServer(options =>
            {
                options.Events.RaiseErrorEvents = true;
                options.Events.RaiseInformationEvents = true;
                options.Events.RaiseFailureEvents = true;
                options.Events.RaiseSuccessEvents = true;
            })

                    .AddDeveloperSigningCredential()
                    .AddInMemoryIdentityResources(finalConfig.IdentityResources)
                    .AddInMemoryApiResources(finalConfig.Apis)
                    .AddInMemoryClients(finalConfig.Clients)
                    .AddAspNetIdentity<User>()
                    .AddResourceOwnerValidator<AppIdentityPasswordValidator<User>>();
        }

This is My Paload from access token

{
  "nbf": 1597823415,
  "exp": 1597827015,
  "iss": "https://localhost:5000",
  "aud": "MadPay",
  "client_id": "angular",
  "sub": "1",
  "auth_time": 1597823413,
  "idp": "local",
  "name": "osali",
  "scope": [
    "MadPay",
    "offline_access"
  ],
  "amr": [
    "pwd"
  ]
}

And For Call Api Use This url: https://localhost:5000/... And Send Token in Authorization Header: Bearer....

i think Issued access token is not a problem. I spent a few days And Cant Understand Why is not working and very confused what is wrong!!

Answer 1

You could set all the token validation parameters to false, and then enable them one by one, to see what triggers the error.

            options.TokenValidationParameters.ValidateAudience = false;
            options.TokenValidationParameters.ValidateIssuer = false;
            options.TokenValidationParameters.ValidateIssuerSigningKey = false;
            options.TokenValidationParameters.ValidateLifetime = false;
            options.TokenValidationParameters.ValidateTokenReplay = false;

You can also try to enable the following and check the response from the API in postman or Fiddler.

            //True if token validation errors should be returned to the caller.
            options.IncludeErrorDetails = true;

How is the API Controllers protected? Do you use any authorization policies?

In your API startup you should not use IdentityServer, instead you should use the AddMyJwtBearer method. and in your configure method you should use:

        app.UseAuthentication();
        app.UseAuthorization();

Here's a sample startup.cs class for a typical API:

public class Startup
{
    // This method gets called by the runtime. Use this method to add services to the container.
    // For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();

        
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddMyJwtBearer(options =>
        {

            options.Audience = "payment";
            options.Authority = "https://localhost:6001/";

            //True if token validation errors should be returned to the caller.
            options.IncludeErrorDetails = true;

            //If the signing key is not found, do a refresh from the JWKS endpoint
            //This allows for automatic recovery in the event of a  key rollover
            options.RefreshOnIssuerKeyNotFound = true;

            //Gets or sets if HTTPS is required for the metadata address or authority.
            //Should always be true in production!
            options.RequireHttpsMetadata = true;

            //True if the token should be stored in the AuthenticationProperties
            //after a successful authorization.
            options.SaveToken = true;

            //Parameters
            options.TokenValidationParameters.ClockSkew = TimeSpan.FromMinutes(5);
            options.TokenValidationParameters.NameClaimType = "name";
            options.TokenValidationParameters.RoleClaimType = "role";

        });
    }

    // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseHttpsRedirection();

        app.UseRouting();

        app.UseAuthentication();
        app.UseAuthorization();


        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllerRoute(
                name: "default",
                pattern: "{controller=Home}/{action=Index}/{id?}");
        });
    }
}

Answer 2

you are missing below:-

app.UseAuthentication();
app.UseAuthorization();

can you add above in the startup.cs Configure method in api and give it a try?