
I'm developing a .NET Core 1.1 MVC app, which is an OpenID Connect client using authorisation with IdentityServer4. It also consumes an API that requires authorisation.

Currently, when the access token expires and a call is made to the API, I get a System.UnauthorizedAccessException ('attempted to perform an unauthorized operation').

I cannot seem to figure out how to fix it.

This is how the client is configured (note the API is added to the Scope):

In the Startup.cs, I have registered the API I want to consume, as follows:

    app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions()
    {
        AuthenticationScheme = "oidc",
        SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme,
        Authority = identityServerServiceOptions.GetValue<string>("AuthorityUrl"),
        RequireHttpsMetadata = false,
        ResponseType = OpenIdConnectResponseType.CodeIdToken,
        ClientId = identityServerServiceOptions.GetValue<string>("ClientId"),
        ClientSecret = identityServerServiceOptions.GetValue<string>("ClientSecret"),
        GetClaimsFromUserInfoEndpoint = true,
        TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            NameClaimType = "name",
            RoleClaimType = "role"
        },
        SaveTokens = true,

        Scope =
        {
            "[APIName]",
            "roles",
            "offline_access"
        }
    });

The client has the following Scopes defined in the IdentityServer4 table 'ClientScopes':

  • roles
  • email
  • profile
  • openid
  • offline_access
  • [APIName]

Also, [APIName] was added to ApiResources, ApiClaims and ApiScopes.

I already tried:

  • Setting AllowOfflineAccess in Clients to 'true'
  • Setting UpdateAccessTokenClaimsOnRefresh in Clients to 'true'
elvenstone
  • As a sidenote: you should upgrade to .net core 2.1 as there are a lot of breaking changes between the versions concerning security. –  Sep 28 '18 at 21:45

1 Answer


If your access token expires you’ll need to renew it using the refresh token you obtained during sign in.

mackie
  • It’s all covered by the OIDC spec. You can use the refresh token and a call to the token endpoint to obtain a new access token. You’ll need to enable refresh tokens for the client in question and specify the offline_access scope in the authorise endpoint request. It looks like the IdentityModel library has stuff built in to deal with this scenario so I’d be investigating that. – mackie Sep 29 '18 at 22:23
  • Thanks a million! The complete (accepted) solution was found in https://stackoverflow.com/questions/40032851/how-to-handle-expired-access-token-in-asp-net-core-using-refresh-token-with-open. – elvenstone Oct 01 '18 at 10:10
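One way to implement what the answer and the comment above describe, as an added example that is not part of the original question, the answer, or the IdentityServer4/IdentityModel projects. It assumes ASP.NET Core 1.1 (matching the question), the IdentityModel 3.x TokenClient, SaveTokens = true as in the question's configuration, and a token endpoint URL taken from configuration; TokenRefresher and its constructor parameters are hypothetical names.

```csharp
using System;
using System.Globalization;
using System.Threading.Tasks;
using IdentityModel.Client;                       // IdentityModel 3.x TokenClient (assumed version)
using Microsoft.AspNetCore.Authentication;        // GetTokenValue / UpdateTokenValue extensions
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;

// Hypothetical helper: hands back a usable access token for the API call,
// renewing it at the token endpoint when the saved one is (nearly) expired.
public class TokenRefresher
{
    private readonly string _tokenEndpoint;   // e.g. "{AuthorityUrl}/connect/token" (assumed config value)
    private readonly string _clientId;
    private readonly string _clientSecret;

    public TokenRefresher(string tokenEndpoint, string clientId, string clientSecret)
    { _tokenEndpoint = tokenEndpoint; _clientId = clientId; _clientSecret = clientSecret; }

    public async Task<string> GetAccessTokenAsync(HttpContext ctx)
    {
        // ASP.NET Core 1.1: SaveTokens = true stores the tokens in the cookie's authentication properties
        var scheme = CookieAuthenticationDefaults.AuthenticationScheme;
        var info = await ctx.Authentication.GetAuthenticateInfoAsync(scheme);
        var props = info.Properties;
        var accessToken = props.GetTokenValue("access_token");
        var refreshToken = props.GetTokenValue("refresh_token");
        var expiresAt = DateTimeOffset.Parse(props.GetTokenValue("expires_at"), CultureInfo.InvariantCulture);

        // Still valid with a safety margin (or nothing to refresh with): use the saved token
        if (expiresAt > DateTimeOffset.UtcNow.AddMinutes(1) || string.IsNullOrEmpty(refreshToken))
            return accessToken;

        // Expired: exchange the refresh token (issued because of the offline_access scope) at the token endpoint
        var client = new TokenClient(_tokenEndpoint, _clientId, _clientSecret);
        var response = await client.RequestRefreshTokenAsync(refreshToken);
        if (response.IsError)
        {
            // Refresh token revoked or expired: end the session and require a fresh sign-in instead of retrying
            await ctx.Authentication.SignOutAsync(scheme);
            throw new UnauthorizedAccessException("Token refresh failed: " + response.Error);
        }

        // Persist the new tokens; IdentityServer4 can rotate refresh tokens, so keep the returned one
        props.UpdateTokenValue("access_token", response.AccessToken);
        props.UpdateTokenValue("refresh_token", response.RefreshToken ?? refreshToken);
        props.UpdateTokenValue("expires_at", DateTimeOffset.UtcNow.AddSeconds(response.ExpiresIn).ToString("o", CultureInfo.InvariantCulture));
        await ctx.Authentication.SignInAsync(scheme, info.Principal, props);
        return response.AccessToken;
    }
}
```

Call GetAccessTokenAsync before each API request and attach the returned value as the bearer token; the cookie is re-issued with the new expiry, so later requests pick up the renewed token without a second refresh.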