
I have an IdentityServer and an MVC client. IdentityServer has its own web APIs to provide user management to its clients. The MVC client uses the HybridAndClientCredentials grant type to interact with IdentityServer. I have no problem with authenticating the client's user. The problem is that when I try to call some API from IdentityServer with an authenticated user, the server returns the login view instead of the API's result.

Here is my client configuration:

    new Client
    {
        ClientId = "mvc.identity.management",
        ClientName = "Identity Management",
        AllowedGrantTypes = GrantTypes.Hybrid,

        RequireConsent = false,

        ClientSecrets =
        {
            new Secret("somesecret".Sha256())
        },

        RedirectUris = { "http://localhost:5001/signin-oidc" },
        PostLogoutRedirectUris = { "http://localhost:5001/signout-callback-oidc" },

        AllowedScopes =
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile
        }
    }

And the client:

    JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

    services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie("Cookies")
    .AddOpenIdConnect("oidc", options =>
    {
        options.SignInScheme = "Cookies";

        options.Authority = "http://localhost:5000";
        options.RequireHttpsMetadata = false;

        options.ClientSecret = "somesecret";
        options.ResponseType = "code id_token";
        options.GetClaimsFromUserInfoEndpoint = true;

        options.ClientId = "mvc.identity.management";
        options.SaveTokens = true;
    });

Any advice will be helpful.

Saber Amani
  • Why are you calling an API from your identity server? Your user is authenticated; the user should call the API, or the IdentityServer should have its own credentials to call the API. – johnny 5 Jun 27 '18 at 18:46
  • I'm calling the API within my client. – Saber Amani Jun 27 '18 at 19:08
  • Where is the code for your API? Your API needs to validate that token against IdentityServer. – johnny 5 Jun 27 '18 at 19:12
  • Exactly, that's the problem. I'm able to get the access_token from the server and set the HttpClient bearer, but when I try to call the API, instead of the result the server returns a login view as a string to the client. – Saber Amani Jun 27 '18 at 19:16
  • Post your startup code for the API; the API needs to validate the token back against IdentityServer. – johnny 5 Jun 27 '18 at 19:21
  • Both the API and IdentityServer are in the same project, not separated. The client, which is an MVC application, calls the API inside IdentityServer. I know that if the API were in a separate project it should validate the token by the given authority against the server. But I have both in the same project. – Saber Amani Jun 27 '18 at 19:29
  • The token server probably shouldn't be a part of your API. But given that you've decided to use this architecture, my guess is IdentityServer only validates the cookie for their methods, and you need to create an authorization policy to verify the cookie for your methods still. I would recommend starting from a clone of one of their test projects. – johnny 5 Jun 27 '18 at 19:37
  • Can you explain in more detail or point to some sample? I have almost read and examined all their projects, but no luck. – Saber Amani Jun 27 '18 at 19:40
  • I'll describe the flow I know best. I usually use JWT so I don't need XSRF tokens. Log in to the server, the server returns a token, then the token is appended to the header of the request made to the API. The API has an authorization policy which grabs the token out of the header, and then the API makes a call back to IdentityServer to validate that the user is logged in. For more information check out this [Question](https://stackoverflow.com/questions/42121854/net-core-identity-server-4-authentication-vs-identity-authentication). TBH OIDC is quite confusing; starting from the examples is the ... – johnny 5 Jun 27 '18 at 19:46
  • easiest way to fully understand a flow, because you're starting from a point where something is already working. – johnny 5 Jun 27 '18 at 19:46
  • I believe `id_token` should be used for these purposes, not `access_token`. – Brad Jun 27 '18 at 23:56


Maybe it's late, but this question may arise for others. The solution is to use LocalApi, which is a built-in feature of IdentityServer4. You create a LocalApi and authorize it with a custom scope, IdentityServerApi, which your clients should add. The complete resource is available here: https://docs.identityserver.io/en/latest/topics/add_apis.html
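An added illustration of the LocalApi setup the answer describes (not the answer's own code and not code from the IdentityServer4 project). It assumes IdentityServer4 v4, the client from the question, and a hypothetical `UsersController` with constructed sample data:

```csharp
// --- IdentityServer project: Startup.ConfigureServices ---
services.AddIdentityServer()
    .AddInMemoryApiScopes(new[]
    {
        // Register the scope the local API is protected with ("IdentityServerApi").
        // On IdentityServer4 v3 use AddInMemoryApiResources with an ApiResource instead.
        new ApiScope(IdentityServerConstants.LocalApi.ScopeName)
    })
    .AddInMemoryClients(new[]
    {
        new Client
        {
            ClientId = "mvc.identity.management",
            AllowedGrantTypes = GrantTypes.Hybrid,
            ClientSecrets = { new Secret("somesecret".Sha256()) },
            RedirectUris = { "http://localhost:5001/signin-oidc" },
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                IdentityServerConstants.LocalApi.ScopeName   // lets the client request the API scope
            }
        }
    });

// Adds a bearer-token authentication scheme plus a policy for APIs hosted inside the
// IdentityServer project, so those endpoints validate the access token instead of
// falling back to the cookie scheme and redirecting to the login view.
services.AddLocalApiAuthentication();

// --- IdentityServer project: a user-management controller (hypothetical name) ---
[Route("api/users")]
[Authorize(IdentityServerConstants.LocalApi.PolicyName)]   // "IdentityServerAccessToken"
public class UsersController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok(new[] { "alice", "bob" });   // constructed sample data
}

// --- MVC client: inside AddOpenIdConnect("oidc", options => { ... }) ---
options.Scope.Add("IdentityServerApi");   // same value as IdentityServerConstants.LocalApi.ScopeName

// --- MVC client: calling the API with the access token saved by SaveTokens = true ---
var accessToken = await HttpContext.GetTokenAsync("access_token");
var http = new HttpClient();
http.SetBearerToken(accessToken);          // IdentityModel.Client extension method
var users = await http.GetStringAsync("http://localhost:5000/api/users");
```

A request that carries no token, or a token without the IdentityServerApi scope, now gets a 401 from the policy rather than an HTML login page, which is the quickest way to confirm the endpoint is on the local API scheme and not the cookie scheme.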