
According to the official docs, in order to access an API on a controller within the same project as the identity provider, I'm supposed to have an equivalent to the following lines, as exemplified at the official site.

using IdentityServer4.AccessTokenValidation;
using Microsoft.Extensions.DependencyInjection;

public void ConfigureServices(IServiceCollection services)
{
  ...
  // Registers a bearer-token handler under the default scheme ("Bearer");
  // signing keys and issuer are discovered from the Authority's discovery document.
  services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
    .AddIdentityServerAuthentication(options =>
    {
      options.Authority = "https://demo.identityserver.io";
      options.ApiName = "api1"; // expected "aud" value of incoming access tokens
    });
}

It doesn't work in my project (I get 401 despite following this answer), so I removed the `options.ApiName = ...` altogether, only keeping the authority setting. Now it works, but it confuses me.

  1. Now, where is that api1 supposed to be set?
  2. Since I'm apparently not setting it, why does the server let me in?

To me, it appears like this.

With ApiName set.

-"Password!"
-"Hmmm... 'HakunaMatata'..."?
-"Wrong! GFY!"

Without ApiName set.

-"Password!"
-"Hmmm..." [wall of silence]?
-"Ah, well. You may pass."
-"Hehe, you can GFY..."

Konrad Viltersten
  • What version of .NET are you using? – Tore Nestenius Aug 07 '21 at 16:27
  • @ToreNestenius .NET Core 3.1 - I didn't mention it since it seemed so unrelated for the question. Are you thinking of something specific? – Konrad Viltersten Aug 07 '21 at 18:37
  • Check the logs, (raise `Microsoft.AspNetCore` to `Debug` if you have to) you should be able to see why you're getting `401` responses – abdusco Aug 07 '21 at 20:44
  • @abdusco I can try that, although, I'm convinced that the 401 is due to my API not being recognized by the name specified in the IdServ authentication options. Just not sure how to set a name on the API so it will be recognized. (And also confused why removing the API name specification allows all traffic to pass.) – Konrad Viltersten Aug 07 '21 at 20:50
  • Hmm. Does your token contain a scope claim that corresponds to the value of `ApiName` (`api1`)? You either need to request a token with that scope or disable scope validation, which you probably don't want to. – abdusco Aug 07 '21 at 20:57
  • show your client configuration for api1 in config.cs – GH DevOps Aug 09 '21 at 20:11
  • @gh There's no client corresponding to that call. We're not talking about the API I'm actually protecting (which is in a separate project). I'm referring to a controller that is a part of the identity service (not the default endpoint for authorization and tokens) but an extra controller for some dedicated admin stuff. – Konrad Viltersten Aug 10 '21 at 04:35

1 Answer

For IdentityServer4 and .NET Core you should not use AddIdentityServerAuthentication, but instead use the AddJwtBearer. The documentation you link to is for version 3 of IdentityServer.

See this link

If the ApiName is set, then it is set as the audience and the audience is validated, see how it is handled in the code here. If it is not set, then only the scopes are validated.

Tore Nestenius
  • I'm not sure I agree. The link with the example is definitely for IDS4 and so is the linked question/answer. The first link is undeniably for IDS3 but I brought it in as they had more extensive documentation there (also, retaining the syntax in version 4, as far as I can tell). I've read that `AddIdentityServerAuthentication` will be required if I have an API on the same project as my IDP (something about colliding routing). The actual APIs are separate but I do have a single controller tightly coupled to the IDS4 project. – Konrad Viltersten Aug 07 '21 at 18:41
  • If you look at the comment here it seems they are migrating to use AddJwtBearer instead. https://github.com/DuendeSoftware/IdentityServer/commit/a254849fcd492ea2423b2199acf213bf67e9fb60 When you use `AddIdentityServerAuthentication` you actually add `AddJwtBearer` under the hood (and some other stuff), see https://github.com/IdentityServer/IdentityServer4.AccessTokenValidation/blob/d19116205db6549a2c9610de6b5973b36c42e8cb/src/IdentityServerAuthenticationExtensions.cs – Tore Nestenius Aug 08 '21 at 11:58
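The distinction the answer draws (ApiName set means the audience is validated; ApiName unset means only scopes are checked) written out with AddJwtBearer, as an added example that is not code from the question, the answer or IdentityServer4 itself. It assumes the same authority and API resource name as the question (https://demo.identityserver.io, api1) and an IdentityServer4 4.x issuer; the policy name, controller and route are hypothetical.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Added example; authority and API name are assumed to match the question.
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
            {
                // Issuer and signing keys come from the discovery document.
                options.Authority = "https://demo.identityserver.io";

                // Variant A, the equivalent of ApiName = "api1": the access token's
                // "aud" claim must contain "api1", otherwise validation fails and
                // the handler answers 401 before any controller code runs.
                options.Audience = "api1";

                // Variant B, the equivalent of leaving ApiName unset: no audience
                // check at all. Any token this authority issued is then accepted by
                // the handler, so the scope policy below is the only thing that
                // still ties the token to this API. Do not use B without it.
                // options.TokenValidationParameters.ValidateAudience = false;

                // Assumption: IdentityServer4 4.x issues access tokens with the JWT
                // header typ "at+jwt". Restricting ValidTypes stops an id_token from
                // being replayed as an access token against this API.
                options.TokenValidationParameters.ValidTypes = new[] { "at+jwt" };
            });

        services.AddAuthorization(options =>
        {
            // The scope check the answer refers to. A token whose "scope" claim
            // does not include "api1" is authenticated but not authorized (403).
            options.AddPolicy("ApiScope", policy =>
            {
                policy.RequireAuthenticatedUser();
                policy.RequireClaim("scope", "api1");
            });
        });

        services.AddControllers();
    }
}

// Hypothetical admin controller hosted in the same project as IdentityServer4.
// The policy must be applied explicitly; AddJwtBearer alone protects nothing.
[ApiController]
[Route("admin")]
[Authorize(Policy = "ApiScope")]
public class AdminController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok("authorized");
}
```

With variant A, a 401 on the admin controller means the presented token carries no "aud" of "api1", which is exactly what the question observes: the token was issued for something else (or with no audience), so the fix is to request a token for the api1 resource rather than to drop the audience check. With variant B the request reaches authorization instead, and it is the `RequireClaim("scope", "api1")` policy that decides; remove that too and any token from the authority gets in, which matches the "you may pass" behaviour the question describes.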