Identity Server 4 API Authentication Failure










0















Using .Net Core 2.1 and Identity Server 4



I have 3 startups one for IS4, MVC App, and API App. I am able to log into my MVC application fine, and retrieve my access_token. I try to access the API with this token and am unable to authorize the request.



This is my IS4 Startup.cs localhost:5000



services.AddIdentity<ApplicationUser, IdentityRole>()
 .AddEntityFrameworkStores<IdentityContext>()
 .AddDefaultTokenProviders();

 services.AddMvc();

 services.Configure<IISOptions>(iis =>
 
 iis.AuthenticationDisplayName = "Windows";
 iis.AutomaticAuthentication = false;
 );

 services.AddIdentityServer()
 .AddAspNetIdentity<ApplicationUser>()
 .AddConfigurationStore(configDb =>
 
 configDb.ConfigureDbContext = db => db.UseNpgsql(Configuration.GetConnectionString("IdentityServer4ConfigurationContext"),
 sql => sql.MigrationsAssembly(typeof(IdentityServer4Startup).GetTypeInfo().Assembly.GetName().Name));
 )
 .AddOperationalStore(operationDb =>
 
 operationDb.ConfigureDbContext = db => db.UseNpgsql(Configuration.GetConnectionString("IdentityServer4PersistedGrantContext"),
 sql => sql.MigrationsAssembly(typeof(IdentityServer4Startup).GetTypeInfo().Assembly.GetName().Name));
 )
 .AddDeveloperSigningCredential();


My MVC Startup.cs localhost:61000



services.AddMvc();

 services.AddIdentity<ApplicationUser, IdentityRole>()
 .AddEntityFrameworkStores<IdentityContext>()
 .AddDefaultTokenProviders();

 services.AddAuthentication(options =>
 
 options.DefaultScheme = "Cookies";
 options.DefaultChallengeScheme = "oidc";
 )
 .AddCookie("Cookies")
 .AddOpenIdConnect("oidc", options =>
 
 options.SignInScheme = "Cookies";
 options.Authority = "http://localhost:5000";
 options.RequireHttpsMetadata = false;
 options.ClientId = "mvc";
 options.ClientSecret = "secret";
 options.ResponseType = "code id_token";
 options.SaveTokens = true;
 options.GetClaimsFromUserInfoEndpoint = true;
 options.Scope.Add("api1");
 options.Scope.Add("offline_access");
 options.Scope.Add("openid");
 options.Scope.Add("email");
 );


And my API Startup.cs localhost:62000



services.AddMvc();


 services.AddAuthentication(options =>
 
 options.DefaultAuthenticateScheme = IdentityServerAuthenticationDefaults.AuthenticationScheme;
 options.DefaultChallengeScheme = "oidc";
 )
 .AddIdentityServerAuthentication("oidc", options =>
 
 options.Authority = "http://localhost:5000";
 options.RequireHttpsMetadata = false;
 options.ApiName = "api1";
 );


my Client info is



new Client 
 ClientId = "mvc",
 ClientName = "Example Mvc",
 AllowedGrantTypes = GrantTypes.Hybrid,
 AllowedScopes = new List<string>
 
 IdentityServerConstants.StandardScopes.OpenId,
 IdentityServerConstants.StandardScopes.Profile,
 IdentityServerConstants.StandardScopes.Email,
 "role",
 "api1"
 ,
 RedirectUris = new List<string> "http://localhost:61000/signin-oidc",
 PostLogoutRedirectUris = new List<string> "http://localhost:61000/signout-callback-oidc"


and API resource



new ApiResource 
 Name = "api1",
 DisplayName = "Custom API",
 Description = "Custom API Access",
 UserClaims = new List<string> "role",
 ApiSecrets = new List<Secret> new Secret("scopeSecret".Sha256()),
 Scopes = new List<Scope> 
 new Scope("api1"),


Whenever I try to call the API while logged in as my Client I cannot access it. It will either give the error



[10:40:11 ERR] Invalid redirect_uri: http://localhost:62000/signin-oidc

 "ClientId": "mvc",
 "ClientName": "MVC Client",
 "AllowedRedirectUris": [
 "http://localhost:61000/signin-oidc"
 ],
 "SubjectId": "anonymous",
 "RequestedScopes": "",
 "Raw": 
 "client_id": "mvc",
 "redirect_uri": "http://localhost:62000/signin-oidc",
 "response_type": "code id_token",
 "scope": "openid profile api1 offline_access email",
 "response_mode": "form_post",
 "nonce": "636778932114224044.N2M1YzZhMjktMThjMS00ZGEyLWI1OGQtZjM1YmZiMzViNDVkNDQ2NDhjZWMtNzk4Mi00NTc2LWI2YzctNjAwMzkwNjI5NGE5",
 "state": "CfDJ8EzT-5PsjT5Htj2FYGOkFvxTH4w-8q3uXGtc1wXYyvWMHyarfbV0cQz8cFh4ESIW33n4pwtIEmLhrTpX-0Y0-_HS24cWs05nR3npx1ZIAJsYr9hIqB9hj9Ic_QYkU2Z_bcjjnaynqfbF5KIyyQhYGNlDxDfknwZUTXpPzTFEhLTcnam7O-b-xV9a3e9iWARoFZRBLjGV5Hs5i-8jS5EGM9DpqwcvrUjSUlRVDP-TzBBhYPhswn2hKsjkhL26_Gp9lluoKNLOvUVM-yq1zHbbI9uTcZzS_2GtbQoPuuGTmCuOoV-c-K2IztzXP88W-osYaY9wQP2qi8aXD951hrAhYbo",
 "x-client-SKU": "ID_NETSTANDARD1_4",
 "x-client-ver": "5.2.0.0"



I don't believe I need to have the redirect_uri registered. But I tried it anyway and when I do the same request it will just return the login screen. Because it could not authenticate my request.



Here is the HttpClient request I am sending to the API from the MVC



var apiUrl = "http://localhost:62000/test/api";
 var authenticate = await HttpContext.AuthenticateAsync("Cookies");
 var accessToken = authenticate.Ticket.Properties.GetTokenValue("access_token");
 var client = new HttpClient();
 client.SetBearerToken(accessToken);
 var response = await client.GetAsync(apiUrl);
 return Json(response.Content.ReadAsStringAsync());


From all of the examples and documents I cannot see why this is not working. Any help would be appreciated.



Here is the output of IS4 when I try to call the API with the bearer token.



[12:38:58 INF] Request starting HTTP/1.1 GET http://localhost:5000/connect/authorize?client_id=mvc&redirect_uri=http%3A%2F%2Flocalhost%3A62000%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20api1%20offline_access%20email&response_mode=form_post&nonce=636779003387253889.MThjYjQ5MzItOTY3NS00NmM1LWJhZDItMzkxMzYyMWQzZTUwZThjNThmMjUtMmQyZC00M2YyLTk3OTktN2E3OTc1ZDcyNmM0&state=CfDJ8EzT-5PsjT5Htj2FYGOkFvzm1YFOhTLHlbLS3LpJd_xUBgDz8hWjGkXxSzfnWKqoVU5d4L7ESHCSDGxqmxqnMh1-j-IUGBLzt5uEYFi2M4QV6WmGN1Lv5bMkUDRbrE9pdCNc7vLDUDZY1OWlp4HfQ0vEMr8-OfUH4Q00fOn1v9zpcE6QlHI5Aye9xiFOshHRyMCNwEEcVrLz4Y06Hsa-40OKom3xb8sie09JtiSMZJL9WyKgKYGRgqUIpD6wqryBafzMl_t1tvegYWESq59TafnIpvrFd3ifdOzJx6cXul4ZCcFv0wfvsqpUgCF7t7xyMSwtheDSiE2AySkbnrpr_Dg&x-client-SKU=ID_NETSTANDARD1_4&x-client-ver=5.2.0.0
[12:38:58 INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
[12:38:58 INF] ValidatedAuthorizeRequest

 "ClientId": "mvc",
 "ClientName": "MVC Client",
 "RedirectUri": "http://localhost:62000/signin-oidc",
 "AllowedRedirectUris": [
 "http://localhost:62000/signin-oidc",
 "http://localhost:61000/signin-oidc"
 ],
 "SubjectId": "anonymous",
 "ResponseType": "code id_token",
 "ResponseMode": "form_post",
 "GrantType": "hybrid",
 "RequestedScopes": "openid profile api1 offline_access email",
 "State": "CfDJ8EzT-5PsjT5Htj2FYGOkFvzm1YFOhTLHlbLS3LpJd_xUBgDz8hWjGkXxSzfnWKqoVU5d4L7ESHCSDGxqmxqnMh1-j-IUGBLzt5uEYFi2M4QV6WmGN1Lv5bMkUDRbrE9pdCNc7vLDUDZY1OWlp4HfQ0vEMr8-OfUH4Q00fOn1v9zpcE6QlHI5Aye9xiFOshHRyMCNwEEcVrLz4Y06Hsa-40OKom3xb8sie09JtiSMZJL9WyKgKYGRgqUIpD6wqryBafzMl_t1tvegYWESq59TafnIpvrFd3ifdOzJx6cXul4ZCcFv0wfvsqpUgCF7t7xyMSwtheDSiE2AySkbnrpr_Dg",
 "Nonce": "636779003387253889.MThjYjQ5MzItOTY3NS00NmM1LWJhZDItMzkxMzYyMWQzZTUwZThjNThmMjUtMmQyZC00M2YyLTk3OTktN2E3OTc1ZDcyNmM0",
 "Raw": 
 "client_id": "mvc",
 "redirect_uri": "http://localhost:62000/signin-oidc",
 "response_type": "code id_token",
 "scope": "openid profile api1 offline_access email",
 "response_mode": "form_post",
 "nonce": "636779003387253889.MThjYjQ5MzItOTY3NS00NmM1LWJhZDItMzkxMzYyMWQzZTUwZThjNThmMjUtMmQyZC00M2YyLTk3OTktN2E3OTc1ZDcyNmM0",
 "state": "CfDJ8EzT-5PsjT5Htj2FYGOkFvzm1YFOhTLHlbLS3LpJd_xUBgDz8hWjGkXxSzfnWKqoVU5d4L7ESHCSDGxqmxqnMh1-j-IUGBLzt5uEYFi2M4QV6WmGN1Lv5bMkUDRbrE9pdCNc7vLDUDZY1OWlp4HfQ0vEMr8-OfUH4Q00fOn1v9zpcE6QlHI5Aye9xiFOshHRyMCNwEEcVrLz4Y06Hsa-40OKom3xb8sie09JtiSMZJL9WyKgKYGRgqUIpD6wqryBafzMl_t1tvegYWESq59TafnIpvrFd3ifdOzJx6cXul4ZCcFv0wfvsqpUgCF7t7xyMSwtheDSiE2AySkbnrpr_Dg",
 "x-client-SKU": "ID_NETSTANDARD1_4",
 "x-client-ver": "5.2.0.0"
 

[12:38:58 INF] Showing login: User is not authenticated
[12:38:58 INF] Request finished in 138.5606ms 302
[12:38:58 INF] Request starting HTTP/1.1 GET http://localhost:5000/account/login?returnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3Dmvc%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A62000%252Fsignin-oidc%26response_type%3Dcode%2520id_token%26scope%3Dopenid%2520profile%2520api1%2520offline_access%2520email%26response_mode%3Dform_post%26nonce%3D636779003387253889.MThjYjQ5MzItOTY3NS00NmM1LWJhZDItMzkxMzYyMWQzZTUwZThjNThmMjUtMmQyZC00M2YyLTk3OTktN2E3OTc1ZDcyNmM0%26state%3DCfDJ8EzT-5PsjT5Htj2FYGOkFvzm1YFOhTLHlbLS3LpJd_xUBgDz8hWjGkXxSzfnWKqoVU5d4L7ESHCSDGxqmxqnMh1-j-IUGBLzt5uEYFi2M4QV6WmGN1Lv5bMkUDRbrE9pdCNc7vLDUDZY1OWlp4HfQ0vEMr8-OfUH4Q00fOn1v9zpcE6QlHI5Aye9xiFOshHRyMCNwEEcVrLz4Y06Hsa-40OKom3xb8sie09JtiSMZJL9WyKgKYGRgqUIpD6wqryBafzMl_t1tvegYWESq59TafnIpvrFd3ifdOzJx6cXul4ZCcFv0wfvsqpUgCF7t7xyMSwtheDSiE2AySkbnrpr_Dg%26x-client-SKU%3DID_NETSTANDARD1_4%26x-client-ver%3D5.2.0.0
[12:38:58 INF] Route matched with action = "Login", controller = "Account". Executing action ASC.ADEX.Runtime.Controllers.AccountController.Login (ASC.ADEX.Runtime)
[12:38:58 INF] Executing action method ASC.ADEX.Runtime.Controllers.AccountController.Login (ASC.ADEX.Runtime) with arguments (["/connect/authorize/callback?client_id=mvc&redirect_uri=http%3A%2F%2Flocalhost%3A62000%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20api1%20offline_access%20email&response_mode=form_post&nonce=636779003387253889.MThjYjQ5MzItOTY3NS00NmM1LWJhZDItMzkxMzYyMWQzZTUwZThjNThmMjUtMmQyZC00M2YyLTk3OTktN2E3OTc1ZDcyNmM0&state=CfDJ8EzT-5PsjT5Htj2FYGOkFvzm1YFOhTLHlbLS3LpJd_xUBgDz8hWjGkXxSzfnWKqoVU5d4L7ESHCSDGxqmxqnMh1-j-IUGBLzt5uEYFi2M4QV6WmGN1Lv5bMkUDRbrE9pdCNc7vLDUDZY1OWlp4HfQ0vEMr8-OfUH4Q00fOn1v9zpcE6QlHI5Aye9xiFOshHRyMCNwEEcVrLz4Y06Hsa-40OKom3xb8sie09JtiSMZJL9WyKgKYGRgqUIpD6wqryBafzMl_t1tvegYWESq59TafnIpvrFd3ifdOzJx6cXul4ZCcFv0wfvsqpUgCF7t7xyMSwtheDSiE2AySkbnrpr_Dg&x-client-SKU=ID_NETSTANDARD1_4&x-client-ver=5.2.0.0"]) - Validation state: Valid
[12:38:58 INF] Executed action method ASC.ADEX.Runtime.Controllers.AccountController.Login (ASC.ADEX.Runtime), returned result Microsoft.AspNetCore.Mvc.ViewResult in 41.3848ms.
[12:38:58 INF] Executing ViewResult, running view Login.
[12:38:58 INF] Executed ViewResult - view Login executed in 1.8018ms.
[12:38:58 INF] Executed action ASC.ADEX.Runtime.Controllers.AccountController.Login (ASC.ADEX.Runtime) in 78.939ms
[12:38:58 INF] Request finished in 83.6512ms 200 text/html; charset=utf-8





c# postgresql asp.net-core identityserver4







share|improve this question




























    0















    Using .Net Core 2.1 and Identity Server 4



    I have 3 startups one for IS4, MVC App, and API App. I am able to log into my MVC application fine, and retrieve my access_token. I try to access the API with this token and am unable to authorize the request.



    This is my IS4 Startup.cs localhost:5000



    services.AddIdentity<ApplicationUser, IdentityRole>()
     .AddEntityFrameworkStores<IdentityContext>()
     .AddDefaultTokenProviders();

     services.AddMvc();

     services.Configure<IISOptions>(iis =>
     
     iis.AuthenticationDisplayName = "Windows";
     iis.AutomaticAuthentication = false;
     );

     services.AddIdentityServer()
     .AddAspNetIdentity<ApplicationUser>()
     .AddConfigurationStore(configDb =>
     
     configDb.ConfigureDbContext = db => db.UseNpgsql(Configuration.GetConnectionString("IdentityServer4ConfigurationContext"),
     sql => sql.MigrationsAssembly(typeof(IdentityServer4Startup).GetTypeInfo().Assembly.GetName().Name));
     )
     .AddOperationalStore(operationDb =>
     
     operationDb.ConfigureDbContext = db => db.UseNpgsql(Configuration.GetConnectionString("IdentityServer4PersistedGrantContext"),
     sql => sql.MigrationsAssembly(typeof(IdentityServer4Startup).GetTypeInfo().Assembly.GetName().Name));
     )
     .AddDeveloperSigningCredential();


    My MVC Startup.cs localhost:61000



    services.AddMvc();

     services.AddIdentity<ApplicationUser, IdentityRole>()
     .AddEntityFrameworkStores<IdentityContext>()
     .AddDefaultTokenProviders();

     services.AddAuthentication(options =>
     
     options.DefaultScheme = "Cookies";
     options.DefaultChallengeScheme = "oidc";
     )
     .AddCookie("Cookies")
     .AddOpenIdConnect("oidc", options =>
     
     options.SignInScheme = "Cookies";
     options.Authority = "http://localhost:5000";
     options.RequireHttpsMetadata = false;
     options.ClientId = "mvc";
     options.ClientSecret = "secret";
     options.ResponseType = "code id_token";
     options.SaveTokens = true;
     options.GetClaimsFromUserInfoEndpoint = true;
     options.Scope.Add("api1");
     options.Scope.Add("offline_access");
     options.Scope.Add("openid");
     options.Scope.Add("email");
     );


    And my API Startup.cs localhost:62000



    services.AddMvc();


     services.AddAuthentication(options =>
     
     options.DefaultAuthenticateScheme = IdentityServerAuthenticationDefaults.AuthenticationScheme;
     options.DefaultChallengeScheme = "oidc";
     )
     .AddIdentityServerAuthentication("oidc", options =>
     
     options.Authority = "http://localhost:5000";
     options.RequireHttpsMetadata = false;
     options.ApiName = "api1";
     );


    my Client info is



    new Client 
     ClientId = "mvc",
     ClientName = "Example Mvc",
     AllowedGrantTypes = GrantTypes.Hybrid,
     AllowedScopes = new List<string>
     
     IdentityServerConstants.StandardScopes.OpenId,
     IdentityServerConstants.StandardScopes.Profile,
     IdentityServerConstants.StandardScopes.Email,
     "role",
     "api1"
     ,
     RedirectUris = new List<string> "http://localhost:61000/signin-oidc",
     PostLogoutRedirectUris = new List<string> "http://localhost:61000/signout-callback-oidc"


    and API resource



    new ApiResource 
     Name = "api1",
     DisplayName = "Custom API",
     Description = "Custom API Access",
     UserClaims = new List<string> "role",
     ApiSecrets = new List<Secret> new Secret("scopeSecret".Sha256()),
     Scopes = new List<Scope> 
     new Scope("api1"),


    Whenever I try to call the API while logged in as my Client I cannot access it. It will either give the error



    [10:40:11 ERR] Invalid redirect_uri: http://localhost:62000/signin-oidc

     "ClientId": "mvc",
     "ClientName": "MVC Client",
     "AllowedRedirectUris": [
     "http://localhost:61000/signin-oidc"
     ],
     "SubjectId": "anonymous",
     "RequestedScopes": "",
     "Raw": 
     "client_id": "mvc",
     "redirect_uri": "http://localhost:62000/signin-oidc",
     "response_type": "code id_token",
     "scope": "openid profile api1 offline_access email",
     "response_mode": "form_post",
     "nonce": "636778932114224044.N2M1YzZhMjktMThjMS00ZGEyLWI1OGQtZjM1YmZiMzViNDVkNDQ2NDhjZWMtNzk4Mi00NTc2LWI2YzctNjAwMzkwNjI5NGE5",
     "state": "CfDJ8EzT-5PsjT5Htj2FYGOkFvxTH4w-8q3uXGtc1wXYyvWMHyarfbV0cQz8cFh4ESIW33n4pwtIEmLhrTpX-0Y0-_HS24cWs05nR3npx1ZIAJsYr9hIqB9hj9Ic_QYkU2Z_bcjjnaynqfbF5KIyyQhYGNlDxDfknwZUTXpPzTFEhLTcnam7O-b-xV9a3e9iWARoFZRBLjGV5Hs5i-8jS5EGM9DpqwcvrUjSUlRVDP-TzBBhYPhswn2hKsjkhL26_Gp9lluoKNLOvUVM-yq1zHbbI9uTcZzS_2GtbQoPuuGTmCuOoV-c-K2IztzXP88W-osYaY9wQP2qi8aXD951hrAhYbo",
     "x-client-SKU": "ID_NETSTANDARD1_4",
     "x-client-ver": "5.2.0.0"



    I don't believe I need to have the redirect_uri registered. But I tried it anyway and when I do the same request it will just return the login screen. Because it could not authenticate my request.



    Here is the HttpClient request I am sending to the API from the MVC



    var apiUrl = "http://localhost:62000/test/api";
     var authenticate = await HttpContext.AuthenticateAsync("Cookies");
     var accessToken = authenticate.Ticket.Properties.GetTokenValue("access_token");
     var client = new HttpClient();
     client.SetBearerToken(accessToken);
     var response = await client.GetAsync(apiUrl);
     return Json(response.Content.ReadAsStringAsync());


    From all of the examples and documents I cannot see why this is not working. Any help would be appreciated.



    Here is the output of IS4 when I try to call the API with the bearer token.



    [12:38:58 INF] Request starting HTTP/1.1 GET http://localhost:5000/connect/authorize?client_id=mvc&redirect_uri=http%3A%2F%2Flocalhost%3A62000%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20api1%20offline_access%20email&response_mode=form_post&nonce=636779003387253889.MThjYjQ5MzItOTY3NS00NmM1LWJhZDItMzkxMzYyMWQzZTUwZThjNThmMjUtMmQyZC00M2YyLTk3OTktN2E3OTc1ZDcyNmM0&state=CfDJ8EzT-5PsjT5Htj2FYGOkFvzm1YFOhTLHlbLS3LpJd_xUBgDz8hWjGkXxSzfnWKqoVU5d4L7ESHCSDGxqmxqnMh1-j-IUGBLzt5uEYFi2M4QV6WmGN1Lv5bMkUDRbrE9pdCNc7vLDUDZY1OWlp4HfQ0vEMr8-OfUH4Q00fOn1v9zpcE6QlHI5Aye9xiFOshHRyMCNwEEcVrLz4Y06Hsa-40OKom3xb8sie09JtiSMZJL9WyKgKYGRgqUIpD6wqryBafzMl_t1tvegYWESq59TafnIpvrFd3ifdOzJx6cXul4ZCcFv0wfvsqpUgCF7t7xyMSwtheDSiE2AySkbnrpr_Dg&x-client-SKU=ID_NETSTANDARD1_4&x-client-ver=5.2.0.0
    [12:38:58 INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
    [12:38:58 INF] ValidatedAuthorizeRequest

     "ClientId": "mvc",
     "ClientName": "MVC Client",
     "RedirectUri": "http://localhost:62000/signin-oidc",
     "AllowedRedirectUris": [
     "http://localhost:62000/signin-oidc",
     "http://localhost:61000/signin-oidc"
     ],
     "SubjectId": "anonymous",
     "ResponseType": "code id_token",
     "ResponseMode": "form_post",
     "GrantType": "hybrid",
     "RequestedScopes": "openid profile api1 offline_access email",
     "State": "CfDJ8EzT-5PsjT5Htj2FYGOkFvzm1YFOhTLHlbLS3LpJd_xUBgDz8hWjGkXxSzfnWKqoVU5d4L7ESHCSDGxqmxqnMh1-j-IUGBLzt5uEYFi2M4QV6WmGN1Lv5bMkUDRbrE9pdCNc7vLDUDZY1OWlp4HfQ0vEMr8-OfUH4Q00fOn1v9zpcE6QlHI5Aye9xiFOshHRyMCNwEEcVrLz4Y06Hsa-40OKom3xb8sie09JtiSMZJL9WyKgKYGRgqUIpD6wqryBafzMl_t1tvegYWESq59TafnIpvrFd3ifdOzJx6cXul4ZCcFv0wfvsqpUgCF7t7xyMSwtheDSiE2AySkbnrpr_Dg",
     "Nonce": "636779003387253889.MThjYjQ5MzItOTY3NS00NmM1LWJhZDItMzkxMzYyMWQzZTUwZThjNThmMjUtMmQyZC00M2YyLTk3OTktN2E3OTc1ZDcyNmM0",
     "Raw": 
     "client_id": "mvc",
     "redirect_uri": "http://localhost:62000/signin-oidc",
     "response_type": "code id_token",
     "scope": "openid profile api1 offline_access email",
     "response_mode": "form_post",
     "nonce": "636779003387253889.MThjYjQ5MzItOTY3NS00NmM1LWJhZDItMzkxMzYyMWQzZTUwZThjNThmMjUtMmQyZC00M2YyLTk3OTktN2E3OTc1ZDcyNmM0",
     "state": "CfDJ8EzT-5PsjT5Htj2FYGOkFvzm1YFOhTLHlbLS3LpJd_xUBgDz8hWjGkXxSzfnWKqoVU5d4L7ESHCSDGxqmxqnMh1-j-IUGBLzt5uEYFi2M4QV6WmGN1Lv5bMkUDRbrE9pdCNc7vLDUDZY1OWlp4HfQ0vEMr8-OfUH4Q00fOn1v9zpcE6QlHI5Aye9xiFOshHRyMCNwEEcVrLz4Y06Hsa-40OKom3xb8sie09JtiSMZJL9WyKgKYGRgqUIpD6wqryBafzMl_t1tvegYWESq59TafnIpvrFd3ifdOzJx6cXul4ZCcFv0wfvsqpUgCF7t7xyMSwtheDSiE2AySkbnrpr_Dg",
     "x-client-SKU": "ID_NETSTANDARD1_4",
     "x-client-ver": "5.2.0.0"
     

    [12:38:58 INF] Showing login: User is not authenticated
    [12:38:58 INF] Request finished in 138.5606ms 302
    [12:38:58 INF] Request starting HTTP/1.1 GET http://localhost:5000/account/login?returnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3Dmvc%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A62000%252Fsignin-oidc%26response_type%3Dcode%2520id_token%26scope%3Dopenid%2520profile%2520api1%2520offline_access%2520email%26response_mode%3Dform_post%26nonce%3D636779003387253889.MThjYjQ5MzItOTY3NS00NmM1LWJhZDItMzkxMzYyMWQzZTUwZThjNThmMjUtMmQyZC00M2YyLTk3OTktN2E3OTc1ZDcyNmM0%26state%3DCfDJ8EzT-5PsjT5Htj2FYGOkFvzm1YFOhTLHlbLS3LpJd_xUBgDz8hWjGkXxSzfnWKqoVU5d4L7ESHCSDGxqmxqnMh1-j-IUGBLzt5uEYFi2M4QV6WmGN1Lv5bMkUDRbrE9pdCNc7vLDUDZY1OWlp4HfQ0vEMr8-OfUH4Q00fOn1v9zpcE6QlHI5Aye9xiFOshHRyMCNwEEcVrLz4Y06Hsa-40OKom3xb8sie09JtiSMZJL9WyKgKYGRgqUIpD6wqryBafzMl_t1tvegYWESq59TafnIpvrFd3ifdOzJx6cXul4ZCcFv0wfvsqpUgCF7t7xyMSwtheDSiE2AySkbnrpr_Dg%26x-client-SKU%3DID_NETSTANDARD1_4%26x-client-ver%3D5.2.0.0
    [12:38:58 INF] Route matched with action = "Login", controller = "Account". Executing action ASC.ADEX.Runtime.Controllers.AccountController.Login (ASC.ADEX.Runtime)
    [12:38:58 INF] Executing action method ASC.ADEX.Runtime.Controllers.AccountController.Login (ASC.ADEX.Runtime) with arguments (["/connect/authorize/callback?client_id=mvc&redirect_uri=http%3A%2F%2Flocalhost%3A62000%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20api1%20offline_access%20email&response_mode=form_post&nonce=636779003387253889.MThjYjQ5MzItOTY3NS00NmM1LWJhZDItMzkxMzYyMWQzZTUwZThjNThmMjUtMmQyZC00M2YyLTk3OTktN2E3OTc1ZDcyNmM0&state=CfDJ8EzT-5PsjT5Htj2FYGOkFvzm1YFOhTLHlbLS3LpJd_xUBgDz8hWjGkXxSzfnWKqoVU5d4L7ESHCSDGxqmxqnMh1-j-IUGBLzt5uEYFi2M4QV6WmGN1Lv5bMkUDRbrE9pdCNc7vLDUDZY1OWlp4HfQ0vEMr8-OfUH4Q00fOn1v9zpcE6QlHI5Aye9xiFOshHRyMCNwEEcVrLz4Y06Hsa-40OKom3xb8sie09JtiSMZJL9WyKgKYGRgqUIpD6wqryBafzMl_t1tvegYWESq59TafnIpvrFd3ifdOzJx6cXul4ZCcFv0wfvsqpUgCF7t7xyMSwtheDSiE2AySkbnrpr_Dg&x-client-SKU=ID_NETSTANDARD1_4&x-client-ver=5.2.0.0"]) - Validation state: Valid
    [12:38:58 INF] Executed action method ASC.ADEX.Runtime.Controllers.AccountController.Login (ASC.ADEX.Runtime), returned result Microsoft.AspNetCore.Mvc.ViewResult in 41.3848ms.
    [12:38:58 INF] Executing ViewResult, running view Login.
    [12:38:58 INF] Executed ViewResult - view Login executed in 1.8018ms.
    [12:38:58 INF] Executed action ASC.ADEX.Runtime.Controllers.AccountController.Login (ASC.ADEX.Runtime) in 78.939ms
    [12:38:58 INF] Request finished in 83.6512ms 200 text/html; charset=utf-8





    c# postgresql asp.net-core identityserver4







    share|improve this question


























      0












      0








      0








      Using .Net Core 2.1 and Identity Server 4



      I have 3 startups one for IS4, MVC App, and API App. I am able to log into my MVC application fine, and retrieve my access_token. I try to access the API with this token and am unable to authorize the request.



      This is my IS4 Startup.cs localhost:5000



      services.AddIdentity<ApplicationUser, IdentityRole>()
       .AddEntityFrameworkStores<IdentityContext>()
       .AddDefaultTokenProviders();

       services.AddMvc();

       services.Configure<IISOptions>(iis =>
       
       iis.AuthenticationDisplayName = "Windows";
       iis.AutomaticAuthentication = false;
       );

       services.AddIdentityServer()
       .AddAspNetIdentity<ApplicationUser>()
       .AddConfigurationStore(configDb =>
       
       configDb.ConfigureDbContext = db => db.UseNpgsql(Configuration.GetConnectionString("IdentityServer4ConfigurationContext"),
       sql => sql.MigrationsAssembly(typeof(IdentityServer4Startup).GetTypeInfo().Assembly.GetName().Name));
       )
       .AddOperationalStore(operationDb =>
       
       operationDb.ConfigureDbContext = db => db.UseNpgsql(Configuration.GetConnectionString("IdentityServer4PersistedGrantContext"),
       sql => sql.MigrationsAssembly(typeof(IdentityServer4Startup).GetTypeInfo().Assembly.GetName().Name));
       )
       .AddDeveloperSigningCredential();


      My MVC Startup.cs localhost:61000



      services.AddMvc();

       services.AddIdentity<ApplicationUser, IdentityRole>()
       .AddEntityFrameworkStores<IdentityContext>()
       .AddDefaultTokenProviders();

       services.AddAuthentication(options =>
       
       options.DefaultScheme = "Cookies";
       options.DefaultChallengeScheme = "oidc";
       )
       .AddCookie("Cookies")
       .AddOpenIdConnect("oidc", options =>
       
       options.SignInScheme = "Cookies";
       options.Authority = "http://localhost:5000";
       options.RequireHttpsMetadata = false;
       options.ClientId = "mvc";
       options.ClientSecret = "secret";
       options.ResponseType = "code id_token";
       options.SaveTokens = true;
       options.GetClaimsFromUserInfoEndpoint = true;
       options.Scope.Add("api1");
       options.Scope.Add("offline_access");
       options.Scope.Add("openid");
       options.Scope.Add("email");
       );


      And my API Startup.cs localhost:62000



      services.AddMvc();


       services.AddAuthentication(options =>
       
       options.DefaultAuthenticateScheme = IdentityServerAuthenticationDefaults.AuthenticationScheme;
       options.DefaultChallengeScheme = "oidc";
       )
       .AddIdentityServerAuthentication("oidc", options =>
       
       options.Authority = "http://localhost:5000";
       options.RequireHttpsMetadata = false;
       options.ApiName = "api1";
       );


      my Client info is



      new Client 
       ClientId = "mvc",
       ClientName = "Example Mvc",
       AllowedGrantTypes = GrantTypes.Hybrid,
       AllowedScopes = new List<string>
       
       IdentityServerConstants.StandardScopes.OpenId,
       IdentityServerConstants.StandardScopes.Profile,
       IdentityServerConstants.StandardScopes.Email,
       "role",
       "api1"
       ,
       RedirectUris = new List<string> "http://localhost:61000/signin-oidc",
       PostLogoutRedirectUris = new List<string> "http://localhost:61000/signout-callback-oidc"


      and API resource



      new ApiResource 
       Name = "api1",
       DisplayName = "Custom API",
       Description = "Custom API Access",
       UserClaims = new List<string> "role",
       ApiSecrets = new List<Secret> new Secret("scopeSecret".Sha256()),
       Scopes = new List<Scope> 
       new Scope("api1"),


      Whenever I try to call the API while logged in as my Client I cannot access it. It will either give the error



      [10:40:11 ERR] Invalid redirect_uri: http://localhost:62000/signin-oidc

       "ClientId": "mvc",
       "ClientName": "MVC Client",
       "AllowedRedirectUris": [
       "http://localhost:61000/signin-oidc"
       ],
       "SubjectId": "anonymous",
       "RequestedScopes": "",
       "Raw": 
       "client_id": "mvc",
       "redirect_uri": "http://localhost:62000/signin-oidc",
       "response_type": "code id_token",
       "scope": "openid profile api1 offline_access email",
       "response_mode": "form_post",
       "nonce": "636778932114224044.N2M1YzZhMjktMThjMS00ZGEyLWI1OGQtZjM1YmZiMzViNDVkNDQ2NDhjZWMtNzk4Mi00NTc2LWI2YzctNjAwMzkwNjI5NGE5",
       "state": "CfDJ8EzT-5PsjT5Htj2FYGOkFvxTH4w-8q3uXGtc1wXYyvWMHyarfbV0cQz8cFh4ESIW33n4pwtIEmLhrTpX-0Y0-_HS24cWs05nR3npx1ZIAJsYr9hIqB9hj9Ic_QYkU2Z_bcjjnaynqfbF5KIyyQhYGNlDxDfknwZUTXpPzTFEhLTcnam7O-b-xV9a3e9iWARoFZRBLjGV5Hs5i-8jS5EGM9DpqwcvrUjSUlRVDP-TzBBhYPhswn2hKsjkhL26_Gp9lluoKNLOvUVM-yq1zHbbI9uTcZzS_2GtbQoPuuGTmCuOoV-c-K2IztzXP88W-osYaY9wQP2qi8aXD951hrAhYbo",
       "x-client-SKU": "ID_NETSTANDARD1_4",
       "x-client-ver": "5.2.0.0"



      I don't believe I need to have the redirect_uri registered. But I tried it anyway and when I do the same request it will just return the login screen. Because it could not authenticate my request.



      Here is the HttpClient request I am sending to the API from the MVC



      var apiUrl = "http://localhost:62000/test/api";
       var authenticate = await HttpContext.AuthenticateAsync("Cookies");
       var accessToken = authenticate.Ticket.Properties.GetTokenValue("access_token");
       var client = new HttpClient();
       client.SetBearerToken(accessToken);
       var response = await client.GetAsync(apiUrl);
       return Json(response.Content.ReadAsStringAsync());


      From all of the examples and documents I cannot see why this is not working. Any help would be appreciated.



      Here is the output of IS4 when I try to call the API with the bearer token.



      [12:38:58 INF] Request starting HTTP/1.1 GET http://localhost:5000/connect/authorize?client_id=mvc&redirect_uri=http%3A%2F%2Flocalhost%3A62000%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20api1%20offline_access%20email&response_mode=form_post&nonce=636779003387253889.MThjYjQ5MzItOTY3NS00NmM1LWJhZDItMzkxMzYyMWQzZTUwZThjNThmMjUtMmQyZC00M2YyLTk3OTktN2E3OTc1ZDcyNmM0&state=CfDJ8EzT-5PsjT5Htj2FYGOkFvzm1YFOhTLHlbLS3LpJd_xUBgDz8hWjGkXxSzfnWKqoVU5d4L7ESHCSDGxqmxqnMh1-j-IUGBLzt5uEYFi2M4QV6WmGN1Lv5bMkUDRbrE9pdCNc7vLDUDZY1OWlp4HfQ0vEMr8-OfUH4Q00fOn1v9zpcE6QlHI5Aye9xiFOshHRyMCNwEEcVrLz4Y06Hsa-40OKom3xb8sie09JtiSMZJL9WyKgKYGRgqUIpD6wqryBafzMl_t1tvegYWESq59TafnIpvrFd3ifdOzJx6cXul4ZCcFv0wfvsqpUgCF7t7xyMSwtheDSiE2AySkbnrpr_Dg&x-client-SKU=ID_NETSTANDARD1_4&x-client-ver=5.2.0.0
      [12:38:58 INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
      [12:38:58 INF] ValidatedAuthorizeRequest

       "ClientId": "mvc",
       "ClientName": "MVC Client",
       "RedirectUri": "http://localhost:62000/signin-oidc",
       "AllowedRedirectUris": [
       "http://localhost:62000/signin-oidc",
       "http://localhost:61000/signin-oidc"
       ],
       "SubjectId": "anonymous",
       "ResponseType": "code id_token",
       "ResponseMode": "form_post",
       "GrantType": "hybrid",
       "RequestedScopes": "openid profile api1 offline_access email",
       "State": "CfDJ8EzT-5PsjT5Htj2FYGOkFvzm1YFOhTLHlbLS3LpJd_xUBgDz8hWjGkXxSzfnWKqoVU5d4L7ESHCSDGxqmxqnMh1-j-IUGBLzt5uEYFi2M4QV6WmGN1Lv5bMkUDRbrE9pdCNc7vLDUDZY1OWlp4HfQ0vEMr8-OfUH4Q00fOn1v9zpcE6QlHI5Aye9xiFOshHRyMCNwEEcVrLz4Y06Hsa-40OKom3xb8sie09JtiSMZJL9WyKgKYGRgqUIpD6wqryBafzMl_t1tvegYWESq59TafnIpvrFd3ifdOzJx6cXul4ZCcFv0wfvsqpUgCF7t7xyMSwtheDSiE2AySkbnrpr_Dg",
       "Nonce": "636779003387253889.MThjYjQ5MzItOTY3NS00NmM1LWJhZDItMzkxMzYyMWQzZTUwZThjNThmMjUtMmQyZC00M2YyLTk3OTktN2E3OTc1ZDcyNmM0",
       "Raw": 
       "client_id": "mvc",
       "redirect_uri": "http://localhost:62000/signin-oidc",
       "response_type": "code id_token",
       "scope": "openid profile api1 offline_access email",
       "response_mode": "form_post",
       "nonce": "636779003387253889.MThjYjQ5MzItOTY3NS00NmM1LWJhZDItMzkxMzYyMWQzZTUwZThjNThmMjUtMmQyZC00M2YyLTk3OTktN2E3OTc1ZDcyNmM0",
       "state": "CfDJ8EzT-5PsjT5Htj2FYGOkFvzm1YFOhTLHlbLS3LpJd_xUBgDz8hWjGkXxSzfnWKqoVU5d4L7ESHCSDGxqmxqnMh1-j-IUGBLzt5uEYFi2M4QV6WmGN1Lv5bMkUDRbrE9pdCNc7vLDUDZY1OWlp4HfQ0vEMr8-OfUH4Q00fOn1v9zpcE6QlHI5Aye9xiFOshHRyMCNwEEcVrLz4Y06Hsa-40OKom3xb8sie09JtiSMZJL9WyKgKYGRgqUIpD6wqryBafzMl_t1tvegYWESq59TafnIpvrFd3ifdOzJx6cXul4ZCcFv0wfvsqpUgCF7t7xyMSwtheDSiE2AySkbnrpr_Dg",
       "x-client-SKU": "ID_NETSTANDARD1_4",
       "x-client-ver": "5.2.0.0"
       

      [12:38:58 INF] Showing login: User is not authenticated
      [12:38:58 INF] Request finished in 138.5606ms 302
      [12:38:58 INF] Request starting HTTP/1.1 GET http://localhost:5000/account/login?returnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3Dmvc%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A62000%252Fsignin-oidc%26response_type%3Dcode%2520id_token%26scope%3Dopenid%2520profile%2520api1%2520offline_access%2520email%26response_mode%3Dform_post%26nonce%3D636779003387253889.MThjYjQ5MzItOTY3NS00NmM1LWJhZDItMzkxMzYyMWQzZTUwZThjNThmMjUtMmQyZC00M2YyLTk3OTktN2E3OTc1ZDcyNmM0%26state%3DCfDJ8EzT-5PsjT5Htj2FYGOkFvzm1YFOhTLHlbLS3LpJd_xUBgDz8hWjGkXxSzfnWKqoVU5d4L7ESHCSDGxqmxqnMh1-j-IUGBLzt5uEYFi2M4QV6WmGN1Lv5bMkUDRbrE9pdCNc7vLDUDZY1OWlp4HfQ0vEMr8-OfUH4Q00fOn1v9zpcE6QlHI5Aye9xiFOshHRyMCNwEEcVrLz4Y06Hsa-40OKom3xb8sie09JtiSMZJL9WyKgKYGRgqUIpD6wqryBafzMl_t1tvegYWESq59TafnIpvrFd3ifdOzJx6cXul4ZCcFv0wfvsqpUgCF7t7xyMSwtheDSiE2AySkbnrpr_Dg%26x-client-SKU%3DID_NETSTANDARD1_4%26x-client-ver%3D5.2.0.0
      [12:38:58 INF] Route matched with action = "Login", controller = "Account". Executing action ASC.ADEX.Runtime.Controllers.AccountController.Login (ASC.ADEX.Runtime)
      [12:38:58 INF] Executing action method ASC.ADEX.Runtime.Controllers.AccountController.Login (ASC.ADEX.Runtime) with arguments (["/connect/authorize/callback?client_id=mvc&redirect_uri=http%3A%2F%2Flocalhost%3A62000%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20api1%20offline_access%20email&response_mode=form_post&nonce=636779003387253889.MThjYjQ5MzItOTY3NS00NmM1LWJhZDItMzkxMzYyMWQzZTUwZThjNThmMjUtMmQyZC00M2YyLTk3OTktN2E3OTc1ZDcyNmM0&state=CfDJ8EzT-5PsjT5Htj2FYGOkFvzm1YFOhTLHlbLS3LpJd_xUBgDz8hWjGkXxSzfnWKqoVU5d4L7ESHCSDGxqmxqnMh1-j-IUGBLzt5uEYFi2M4QV6WmGN1Lv5bMkUDRbrE9pdCNc7vLDUDZY1OWlp4HfQ0vEMr8-OfUH4Q00fOn1v9zpcE6QlHI5Aye9xiFOshHRyMCNwEEcVrLz4Y06Hsa-40OKom3xb8sie09JtiSMZJL9WyKgKYGRgqUIpD6wqryBafzMl_t1tvegYWESq59TafnIpvrFd3ifdOzJx6cXul4ZCcFv0wfvsqpUgCF7t7xyMSwtheDSiE2AySkbnrpr_Dg&x-client-SKU=ID_NETSTANDARD1_4&x-client-ver=5.2.0.0"]) - Validation state: Valid
      [12:38:58 INF] Executed action method ASC.ADEX.Runtime.Controllers.AccountController.Login (ASC.ADEX.Runtime), returned result Microsoft.AspNetCore.Mvc.ViewResult in 41.3848ms.
      [12:38:58 INF] Executing ViewResult, running view Login.
      [12:38:58 INF] Executed ViewResult - view Login executed in 1.8018ms.
      [12:38:58 INF] Executed action ASC.ADEX.Runtime.Controllers.AccountController.Login (ASC.ADEX.Runtime) in 78.939ms
      [12:38:58 INF] Request finished in 83.6512ms 200 text/html; charset=utf-8





      c# postgresql asp.net-core identityserver4







      share|improve this question
















      Using .Net Core 2.1 and Identity Server 4



      I have 3 startups one for IS4, MVC App, and API App. I am able to log into my MVC application fine, and retrieve my access_token. I try to access the API with this token and am unable to authorize the request.



      This is my IS4 Startup.cs localhost:5000



      services.AddIdentity<ApplicationUser, IdentityRole>()
       .AddEntityFrameworkStores<IdentityContext>()
       .AddDefaultTokenProviders();

       services.AddMvc();

       services.Configure<IISOptions>(iis =>
       
       iis.AuthenticationDisplayName = "Windows";
       iis.AutomaticAuthentication = false;
       );

       services.AddIdentityServer()
       .AddAspNetIdentity<ApplicationUser>()
       .AddConfigurationStore(configDb =>
       
       configDb.ConfigureDbContext = db => db.UseNpgsql(Configuration.GetConnectionString("IdentityServer4ConfigurationContext"),
       sql => sql.MigrationsAssembly(typeof(IdentityServer4Startup).GetTypeInfo().Assembly.GetName().Name));
       )
       .AddOperationalStore(operationDb =>
       
       operationDb.ConfigureDbContext = db => db.UseNpgsql(Configuration.GetConnectionString("IdentityServer4PersistedGrantContext"),
       sql => sql.MigrationsAssembly(typeof(IdentityServer4Startup).GetTypeInfo().Assembly.GetName().Name));
       )
       .AddDeveloperSigningCredential();


      My MVC Startup.cs localhost:61000



      services.AddMvc();

       services.AddIdentity<ApplicationUser, IdentityRole>()
       .AddEntityFrameworkStores<IdentityContext>()
       .AddDefaultTokenProviders();

       services.AddAuthentication(options =>
       
       options.DefaultScheme = "Cookies";
       options.DefaultChallengeScheme = "oidc";
       )
       .AddCookie("Cookies")
       .AddOpenIdConnect("oidc", options =>
       
       options.SignInScheme = "Cookies";
       options.Authority = "http://localhost:5000";
       options.RequireHttpsMetadata = false;
       options.ClientId = "mvc";
       options.ClientSecret = "secret";
       options.ResponseType = "code id_token";
       options.SaveTokens = true;
       options.GetClaimsFromUserInfoEndpoint = true;
       options.Scope.Add("api1");
       options.Scope.Add("offline_access");
       options.Scope.Add("openid");
       options.Scope.Add("email");
       );


      And my API Startup.cs localhost:62000



      services.AddMvc();


       services.AddAuthentication(options =>
       
       options.DefaultAuthenticateScheme = IdentityServerAuthenticationDefaults.AuthenticationScheme;
       options.DefaultChallengeScheme = "oidc";
       )
       .AddIdentityServerAuthentication("oidc", options =>
       
       options.Authority = "http://localhost:5000";
       options.RequireHttpsMetadata = false;
       options.ApiName = "api1";
       );


      my Client info is



      new Client 
       ClientId = "mvc",
       ClientName = "Example Mvc",
       AllowedGrantTypes = GrantTypes.Hybrid,
       AllowedScopes = new List<string>
       
       IdentityServerConstants.StandardScopes.OpenId,
       IdentityServerConstants.StandardScopes.Profile,
       IdentityServerConstants.StandardScopes.Email,
       "role",
       "api1"
       ,
       RedirectUris = new List<string> "http://localhost:61000/signin-oidc",
       PostLogoutRedirectUris = new List<string> "http://localhost:61000/signout-callback-oidc"


      and API resource



      new ApiResource 
       Name = "api1",
       DisplayName = "Custom API",
       Description = "Custom API Access",
       UserClaims = new List<string> "role",
       ApiSecrets = new List<Secret> new Secret("scopeSecret".Sha256()),
       Scopes = new List<Scope> 
       new Scope("api1"),


      Whenever I try to call the API while logged in as my Client I cannot access it. It will either give the error



      [10:40:11 ERR] Invalid redirect_uri: http://localhost:62000/signin-oidc

       "ClientId": "mvc",
       "ClientName": "MVC Client",
       "AllowedRedirectUris": [
       "http://localhost:61000/signin-oidc"
       ],
       "SubjectId": "anonymous",
       "RequestedScopes": "",
       "Raw": 
       "client_id": "mvc",
       "redirect_uri": "http://localhost:62000/signin-oidc",
       "response_type": "code id_token",
       "scope": "openid profile api1 offline_access email",
       "response_mode": "form_post",
       "nonce": "636778932114224044.N2M1YzZhMjktMThjMS00ZGEyLWI1OGQtZjM1YmZiMzViNDVkNDQ2NDhjZWMtNzk4Mi00NTc2LWI2YzctNjAwMzkwNjI5NGE5",
       "state": "CfDJ8EzT-5PsjT5Htj2FYGOkFvxTH4w-8q3uXGtc1wXYyvWMHyarfbV0cQz8cFh4ESIW33n4pwtIEmLhrTpX-0Y0-_HS24cWs05nR3npx1ZIAJsYr9hIqB9hj9Ic_QYkU2Z_bcjjnaynqfbF5KIyyQhYGNlDxDfknwZUTXpPzTFEhLTcnam7O-b-xV9a3e9iWARoFZRBLjGV5Hs5i-8jS5EGM9DpqwcvrUjSUlRVDP-TzBBhYPhswn2hKsjkhL26_Gp9lluoKNLOvUVM-yq1zHbbI9uTcZzS_2GtbQoPuuGTmCuOoV-c-K2IztzXP88W-osYaY9wQP2qi8aXD951hrAhYbo",
       "x-client-SKU": "ID_NETSTANDARD1_4",
       "x-client-ver": "5.2.0.0"



      I don't believe I need to have the redirect_uri registered. But I tried it anyway and when I do the same request it will just return the login screen. Because it could not authenticate my request.



      Here is the HttpClient request I am sending to the API from the MVC



      var apiUrl = "http://localhost:62000/test/api";
       var authenticate = await HttpContext.AuthenticateAsync("Cookies");
       var accessToken = authenticate.Ticket.Properties.GetTokenValue("access_token");
       var client = new HttpClient();
       client.SetBearerToken(accessToken);
       var response = await client.GetAsync(apiUrl);
       return Json(response.Content.ReadAsStringAsync());


      From all of the examples and documents I cannot see why this is not working. Any help would be appreciated.



      Here is the output of IS4 when I try to call the API with the bearer token.



      [12:38:58 INF] Request starting HTTP/1.1 GET http://localhost:5000/connect/authorize?client_id=mvc&redirect_uri=http%3A%2F%2Flocalhost%3A62000%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20api1%20offline_access%20email&response_mode=form_post&nonce=636779003387253889.MThjYjQ5MzItOTY3NS00NmM1LWJhZDItMzkxMzYyMWQzZTUwZThjNThmMjUtMmQyZC00M2YyLTk3OTktN2E3OTc1ZDcyNmM0&state=CfDJ8EzT-5PsjT5Htj2FYGOkFvzm1YFOhTLHlbLS3LpJd_xUBgDz8hWjGkXxSzfnWKqoVU5d4L7ESHCSDGxqmxqnMh1-j-IUGBLzt5uEYFi2M4QV6WmGN1Lv5bMkUDRbrE9pdCNc7vLDUDZY1OWlp4HfQ0vEMr8-OfUH4Q00fOn1v9zpcE6QlHI5Aye9xiFOshHRyMCNwEEcVrLz4Y06Hsa-40OKom3xb8sie09JtiSMZJL9WyKgKYGRgqUIpD6wqryBafzMl_t1tvegYWESq59TafnIpvrFd3ifdOzJx6cXul4ZCcFv0wfvsqpUgCF7t7xyMSwtheDSiE2AySkbnrpr_Dg&x-client-SKU=ID_NETSTANDARD1_4&x-client-ver=5.2.0.0
      [12:38:58 INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
      [12:38:58 INF] ValidatedAuthorizeRequest

       "ClientId": "mvc",
       "ClientName": "MVC Client",
       "RedirectUri": "http://localhost:62000/signin-oidc",
       "AllowedRedirectUris": [
       "http://localhost:62000/signin-oidc",
       "http://localhost:61000/signin-oidc"
       ],
       "SubjectId": "anonymous",
       "ResponseType": "code id_token",
       "ResponseMode": "form_post",
       "GrantType": "hybrid",
       "RequestedScopes": "openid profile api1 offline_access email",
       "State": "CfDJ8EzT-5PsjT5Htj2FYGOkFvzm1YFOhTLHlbLS3LpJd_xUBgDz8hWjGkXxSzfnWKqoVU5d4L7ESHCSDGxqmxqnMh1-j-IUGBLzt5uEYFi2M4QV6WmGN1Lv5bMkUDRbrE9pdCNc7vLDUDZY1OWlp4HfQ0vEMr8-OfUH4Q00fOn1v9zpcE6QlHI5Aye9xiFOshHRyMCNwEEcVrLz4Y06Hsa-40OKom3xb8sie09JtiSMZJL9WyKgKYGRgqUIpD6wqryBafzMl_t1tvegYWESq59TafnIpvrFd3ifdOzJx6cXul4ZCcFv0wfvsqpUgCF7t7xyMSwtheDSiE2AySkbnrpr_Dg",
       "Nonce": "636779003387253889.MThjYjQ5MzItOTY3NS00NmM1LWJhZDItMzkxMzYyMWQzZTUwZThjNThmMjUtMmQyZC00M2YyLTk3OTktN2E3OTc1ZDcyNmM0",
       "Raw": 
       "client_id": "mvc",
       "redirect_uri": "http://localhost:62000/signin-oidc",
       "response_type": "code id_token",
       "scope": "openid profile api1 offline_access email",
       "response_mode": "form_post",
       "nonce": "636779003387253889.MThjYjQ5MzItOTY3NS00NmM1LWJhZDItMzkxMzYyMWQzZTUwZThjNThmMjUtMmQyZC00M2YyLTk3OTktN2E3OTc1ZDcyNmM0",
       "state": "CfDJ8EzT-5PsjT5Htj2FYGOkFvzm1YFOhTLHlbLS3LpJd_xUBgDz8hWjGkXxSzfnWKqoVU5d4L7ESHCSDGxqmxqnMh1-j-IUGBLzt5uEYFi2M4QV6WmGN1Lv5bMkUDRbrE9pdCNc7vLDUDZY1OWlp4HfQ0vEMr8-OfUH4Q00fOn1v9zpcE6QlHI5Aye9xiFOshHRyMCNwEEcVrLz4Y06Hsa-40OKom3xb8sie09JtiSMZJL9WyKgKYGRgqUIpD6wqryBafzMl_t1tvegYWESq59TafnIpvrFd3ifdOzJx6cXul4ZCcFv0wfvsqpUgCF7t7xyMSwtheDSiE2AySkbnrpr_Dg",
       "x-client-SKU": "ID_NETSTANDARD1_4",
       "x-client-ver": "5.2.0.0"
       

      [12:38:58 INF] Showing login: User is not authenticated
      [12:38:58 INF] Request finished in 138.5606ms 302
      [12:38:58 INF] Request starting HTTP/1.1 GET http://localhost:5000/account/login?returnUrl=%2Fconnect%2Fauthorize%2Fcallback%3Fclient_id%3Dmvc%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A62000%252Fsignin-oidc%26response_type%3Dcode%2520id_token%26scope%3Dopenid%2520profile%2520api1%2520offline_access%2520email%26response_mode%3Dform_post%26nonce%3D636779003387253889.MThjYjQ5MzItOTY3NS00NmM1LWJhZDItMzkxMzYyMWQzZTUwZThjNThmMjUtMmQyZC00M2YyLTk3OTktN2E3OTc1ZDcyNmM0%26state%3DCfDJ8EzT-5PsjT5Htj2FYGOkFvzm1YFOhTLHlbLS3LpJd_xUBgDz8hWjGkXxSzfnWKqoVU5d4L7ESHCSDGxqmxqnMh1-j-IUGBLzt5uEYFi2M4QV6WmGN1Lv5bMkUDRbrE9pdCNc7vLDUDZY1OWlp4HfQ0vEMr8-OfUH4Q00fOn1v9zpcE6QlHI5Aye9xiFOshHRyMCNwEEcVrLz4Y06Hsa-40OKom3xb8sie09JtiSMZJL9WyKgKYGRgqUIpD6wqryBafzMl_t1tvegYWESq59TafnIpvrFd3ifdOzJx6cXul4ZCcFv0wfvsqpUgCF7t7xyMSwtheDSiE2AySkbnrpr_Dg%26x-client-SKU%3DID_NETSTANDARD1_4%26x-client-ver%3D5.2.0.0
      [12:38:58 INF] Route matched with action = "Login", controller = "Account". Executing action ASC.ADEX.Runtime.Controllers.AccountController.Login (ASC.ADEX.Runtime)
      [12:38:58 INF] Executing action method ASC.ADEX.Runtime.Controllers.AccountController.Login (ASC.ADEX.Runtime) with arguments (["/connect/authorize/callback?client_id=mvc&redirect_uri=http%3A%2F%2Flocalhost%3A62000%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20api1%20offline_access%20email&response_mode=form_post&nonce=636779003387253889.MThjYjQ5MzItOTY3NS00NmM1LWJhZDItMzkxMzYyMWQzZTUwZThjNThmMjUtMmQyZC00M2YyLTk3OTktN2E3OTc1ZDcyNmM0&state=CfDJ8EzT-5PsjT5Htj2FYGOkFvzm1YFOhTLHlbLS3LpJd_xUBgDz8hWjGkXxSzfnWKqoVU5d4L7ESHCSDGxqmxqnMh1-j-IUGBLzt5uEYFi2M4QV6WmGN1Lv5bMkUDRbrE9pdCNc7vLDUDZY1OWlp4HfQ0vEMr8-OfUH4Q00fOn1v9zpcE6QlHI5Aye9xiFOshHRyMCNwEEcVrLz4Y06Hsa-40OKom3xb8sie09JtiSMZJL9WyKgKYGRgqUIpD6wqryBafzMl_t1tvegYWESq59TafnIpvrFd3ifdOzJx6cXul4ZCcFv0wfvsqpUgCF7t7xyMSwtheDSiE2AySkbnrpr_Dg&x-client-SKU=ID_NETSTANDARD1_4&x-client-ver=5.2.0.0"]) - Validation state: Valid
      [12:38:58 INF] Executed action method ASC.ADEX.Runtime.Controllers.AccountController.Login (ASC.ADEX.Runtime), returned result Microsoft.AspNetCore.Mvc.ViewResult in 41.3848ms.
      [12:38:58 INF] Executing ViewResult, running view Login.
      [12:38:58 INF] Executed ViewResult - view Login executed in 1.8018ms.
      [12:38:58 INF] Executed action ASC.ADEX.Runtime.Controllers.AccountController.Login (ASC.ADEX.Runtime) in 78.939ms
      [12:38:58 INF] Request finished in 83.6512ms 200 text/html; charset=utf-8





      c# postgresql asp.net-core identityserver4




      c# postgresql asp.net-core identityserver4






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 15 '18 at 17:39







      A. Hasemeyer

















      asked Nov 15 '18 at 15:46









      A. HasemeyerA. Hasemeyer

      15711




      15711






















          2 Answers
          2






          active

          oldest

          votes


















          1














          I set up my API authentication using AddJwtBearer as shown below. And I see you use AddIdentityServerAuthentication. May be that's the reason?



          services.AddJwtBearer(o =>
           
           o.Authority = "<id-server>";
           o.Audience = "<api-audience>";
           o.RequireHttpsMetadata = true;
           );


          And the API controllers have the AuthenticationSchemes specified as shown below:



          [Route("api/rates")]
          [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
          public class RatesController : Controller







          share|improve this answer























          • When I update to that code I get the error An unhandled exception has occurred while executing the request. System.InvalidOperationException: No authentication handler is registered for the scheme 'Bearer'. The registered schemes are: Identity.Application, Identity.External, Identity.TwoFactorRememberMe, Identity.TwoFactorUserId, Cookies, oidc. Did you forget to call AddAuthentication().Add[SomeAuthHandler]("Bearer",...)?

            – A. Hasemeyer
            Nov 15 '18 at 16:09











          • In my case the projects are not just pure API projects. So I do the following - services.AddAuthentication(...) .AddCookie() .AddOpenIdConnect(...) .AddJwtBearer(...); I guess you probably removed AddAuthentication? I would suggest adding that back and following the pattern above.

            – k25
            Nov 15 '18 at 16:32












          • Check out this too - stackoverflow.com/a/46372426/312219

            – k25
            Nov 15 '18 at 16:35











          • k25 are you saying to add those to the API startup? Or the MVC

            – A. Hasemeyer
            Nov 15 '18 at 16:37











          • To the API project, you don't need the AddOpenIdConnect(..) part if its a purely API only project, but you would still need AddAuthentication(...). The stackoverflow link comment will offer some insight perhaps.

            – k25
            Nov 15 '18 at 16:39


















          1














          You typically only get Invalid redirect_uri when the Client - i.e. your MVC app - is redirecting to the Identity Server so that a user can authenticate, not when calling the API, nor caused by the API itself, so you should remove the challenge from the API's config and leave that to the UI only. Your API also needs its secret for some back-channel calls to the Identity Server, so change your API's Startup.cs to this:



           services.AddAuthorization();
           services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
           .AddIdentityServerAuthentication(
           options =>
           
           options.Authority = "http://localhost:5000";
           options.ApiName = "api1";
           options.ApiSecret = "scopeSecret";
           options.RequireHttpsMetadata = false;

           // You will almost certainly want these at some point too,
           // to prevent the API talking to the IS for every
           // API call. Adjust the duration as desired.
           options.EnableCaching = true;
           options.CacheDuration = TimeSpan.FromMinutes(10);
           );


          You don't show the Configure() part of your API's Startup.cs, but ensure it has 



          .UseAuthentication();


          before the call to



          .AddMvc()


          Now you should just need to decorate the protected API methods with [Authorize] and ensure you pass through the user's bearer token to calls to those API methods.






          share|improve this answer
























            Your Answer






            StackExchange.ifUsing("editor", function ()
            StackExchange.using("externalEditor", function ()
            StackExchange.using("snippets", function ()
            StackExchange.snippets.init();
            );
            );
            , "code-snippets");

            StackExchange.ready(function()
            var channelOptions =
            tags: "".split(" "),
            id: "1"
            ;
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function()
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled)
            StackExchange.using("snippets", function()
            createEditor();
            );

            else
            createEditor();

            );

            function createEditor()
            StackExchange.prepareEditor(
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: true,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: 10,
            bindNavPrevention: true,
            postfix: "",
            imageUploader:
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            ,
            onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            );



            );













            draft saved

            draft discarded


















            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53323063%2fidentity-server-4-api-authentication-failure%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown

























            2 Answers
            2






            active

            oldest

            votes








            2 Answers
            2






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            1














            I set up my API authentication using AddJwtBearer as shown below. And I see you use AddIdentityServerAuthentication. May be that's the reason?



            services.AddJwtBearer(o =>
             
             o.Authority = "<id-server>";
             o.Audience = "<api-audience>";
             o.RequireHttpsMetadata = true;
             );


            And the API controllers have the AuthenticationSchemes specified as shown below:



            [Route("api/rates")]
            [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
            public class RatesController : Controller







            share|improve this answer























            • When I update to that code I get the error An unhandled exception has occurred while executing the request. System.InvalidOperationException: No authentication handler is registered for the scheme 'Bearer'. The registered schemes are: Identity.Application, Identity.External, Identity.TwoFactorRememberMe, Identity.TwoFactorUserId, Cookies, oidc. Did you forget to call AddAuthentication().Add[SomeAuthHandler]("Bearer",...)?

              – A. Hasemeyer
              Nov 15 '18 at 16:09











            • In my case the projects are not just pure API projects. So I do the following - services.AddAuthentication(...) .AddCookie() .AddOpenIdConnect(...) .AddJwtBearer(...); I guess you probably removed AddAuthentication? I would suggest adding that back and following the pattern above.

              – k25
              Nov 15 '18 at 16:32












            • Check out this too - stackoverflow.com/a/46372426/312219

              – k25
              Nov 15 '18 at 16:35











            • k25 are you saying to add those to the API startup? Or the MVC

              – A. Hasemeyer
              Nov 15 '18 at 16:37











            • To the API project, you don't need the AddOpenIdConnect(..) part if its a purely API only project, but you would still need AddAuthentication(...). The stackoverflow link comment will offer some insight perhaps.

              – k25
              Nov 15 '18 at 16:39















            1














            I set up my API authentication using AddJwtBearer as shown below. And I see you use AddIdentityServerAuthentication. May be that's the reason?



            services.AddJwtBearer(o =>
             
             o.Authority = "<id-server>";
             o.Audience = "<api-audience>";
             o.RequireHttpsMetadata = true;
             );


            And the API controllers have the AuthenticationSchemes specified as shown below:



            [Route("api/rates")]
            [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
            public class RatesController : Controller







            share|improve this answer























            • When I update to that code I get the error An unhandled exception has occurred while executing the request. System.InvalidOperationException: No authentication handler is registered for the scheme 'Bearer'. The registered schemes are: Identity.Application, Identity.External, Identity.TwoFactorRememberMe, Identity.TwoFactorUserId, Cookies, oidc. Did you forget to call AddAuthentication().Add[SomeAuthHandler]("Bearer",...)?

              – A. Hasemeyer
              Nov 15 '18 at 16:09











            • In my case the projects are not just pure API projects. So I do the following - services.AddAuthentication(...) .AddCookie() .AddOpenIdConnect(...) .AddJwtBearer(...); I guess you probably removed AddAuthentication? I would suggest adding that back and following the pattern above.

              – k25
              Nov 15 '18 at 16:32












            • Check out this too - stackoverflow.com/a/46372426/312219

              – k25
              Nov 15 '18 at 16:35











            • k25 are you saying to add those to the API startup? Or the MVC

              – A. Hasemeyer
              Nov 15 '18 at 16:37











            • To the API project, you don't need the AddOpenIdConnect(..) part if its a purely API only project, but you would still need AddAuthentication(...). The stackoverflow link comment will offer some insight perhaps.

              – k25
              Nov 15 '18 at 16:39













            1












            1








            1







            I set up my API authentication using AddJwtBearer as shown below. And I see you use AddIdentityServerAuthentication. May be that's the reason?



            services.AddJwtBearer(o =>
             
             o.Authority = "<id-server>";
             o.Audience = "<api-audience>";
             o.RequireHttpsMetadata = true;
             );


            And the API controllers have the AuthenticationSchemes specified as shown below:



            [Route("api/rates")]
            [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
            public class RatesController : Controller







            share|improve this answer













            I set up my API authentication using AddJwtBearer as shown below. And I see you use AddIdentityServerAuthentication. May be that's the reason?



            services.AddJwtBearer(o =>
             
             o.Authority = "<id-server>";
             o.Audience = "<api-audience>";
             o.RequireHttpsMetadata = true;
             );


            And the API controllers have the AuthenticationSchemes specified as shown below:



            [Route("api/rates")]
            [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
            public class RatesController : Controller








            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Nov 15 '18 at 15:53









            k25k25

            242523




            242523












            • When I update to that code I get the error An unhandled exception has occurred while executing the request. System.InvalidOperationException: No authentication handler is registered for the scheme 'Bearer'. The registered schemes are: Identity.Application, Identity.External, Identity.TwoFactorRememberMe, Identity.TwoFactorUserId, Cookies, oidc. Did you forget to call AddAuthentication().Add[SomeAuthHandler]("Bearer",...)?

              – A. Hasemeyer
              Nov 15 '18 at 16:09











            • In my case the projects are not just pure API projects. So I do the following - services.AddAuthentication(...) .AddCookie() .AddOpenIdConnect(...) .AddJwtBearer(...); I guess you probably removed AddAuthentication? I would suggest adding that back and following the pattern above.

              – k25
              Nov 15 '18 at 16:32












            • Check out this too - stackoverflow.com/a/46372426/312219

              – k25
              Nov 15 '18 at 16:35











            • k25 are you saying to add those to the API startup? Or the MVC

              – A. Hasemeyer
              Nov 15 '18 at 16:37











            • To the API project, you don't need the AddOpenIdConnect(..) part if its a purely API only project, but you would still need AddAuthentication(...). The stackoverflow link comment will offer some insight perhaps.

              – k25
              Nov 15 '18 at 16:39

















            • When I update to that code I get the error An unhandled exception has occurred while executing the request. System.InvalidOperationException: No authentication handler is registered for the scheme 'Bearer'. The registered schemes are: Identity.Application, Identity.External, Identity.TwoFactorRememberMe, Identity.TwoFactorUserId, Cookies, oidc. Did you forget to call AddAuthentication().Add[SomeAuthHandler]("Bearer",...)?

              – A. Hasemeyer
              Nov 15 '18 at 16:09











            • In my case the projects are not just pure API projects. So I do the following - services.AddAuthentication(...) .AddCookie() .AddOpenIdConnect(...) .AddJwtBearer(...); I guess you probably removed AddAuthentication? I would suggest adding that back and following the pattern above.

              – k25
              Nov 15 '18 at 16:32












            • Check out this too - stackoverflow.com/a/46372426/312219

              – k25
              Nov 15 '18 at 16:35











            • k25 are you saying to add those to the API startup? Or the MVC

              – A. Hasemeyer
              Nov 15 '18 at 16:37











            • To the API project, you don't need the AddOpenIdConnect(..) part if its a purely API only project, but you would still need AddAuthentication(...). The stackoverflow link comment will offer some insight perhaps.

              – k25
              Nov 15 '18 at 16:39
















            When I update to that code I get the error An unhandled exception has occurred while executing the request. System.InvalidOperationException: No authentication handler is registered for the scheme 'Bearer'. The registered schemes are: Identity.Application, Identity.External, Identity.TwoFactorRememberMe, Identity.TwoFactorUserId, Cookies, oidc. Did you forget to call AddAuthentication().Add[SomeAuthHandler]("Bearer",...)?

            – A. Hasemeyer
            Nov 15 '18 at 16:09





            When I update to that code I get the error An unhandled exception has occurred while executing the request. System.InvalidOperationException: No authentication handler is registered for the scheme 'Bearer'. The registered schemes are: Identity.Application, Identity.External, Identity.TwoFactorRememberMe, Identity.TwoFactorUserId, Cookies, oidc. Did you forget to call AddAuthentication().Add[SomeAuthHandler]("Bearer",...)?

            – A. Hasemeyer
            Nov 15 '18 at 16:09













            In my case the projects are not just pure API projects. So I do the following - services.AddAuthentication(...) .AddCookie() .AddOpenIdConnect(...) .AddJwtBearer(...); I guess you probably removed AddAuthentication? I would suggest adding that back and following the pattern above.

            – k25
            Nov 15 '18 at 16:32






            In my case the projects are not just pure API projects. So I do the following - services.AddAuthentication(...) .AddCookie() .AddOpenIdConnect(...) .AddJwtBearer(...); I guess you probably removed AddAuthentication? I would suggest adding that back and following the pattern above.

            – k25
            Nov 15 '18 at 16:32














            Check out this too - stackoverflow.com/a/46372426/312219

            – k25
            Nov 15 '18 at 16:35





            Check out this too - stackoverflow.com/a/46372426/312219

            – k25
            Nov 15 '18 at 16:35













            k25 are you saying to add those to the API startup? Or the MVC

            – A. Hasemeyer
            Nov 15 '18 at 16:37





            k25 are you saying to add those to the API startup? Or the MVC

            – A. Hasemeyer
            Nov 15 '18 at 16:37













            To the API project, you don't need the AddOpenIdConnect(..) part if its a purely API only project, but you would still need AddAuthentication(...). The stackoverflow link comment will offer some insight perhaps.

            – k25
            Nov 15 '18 at 16:39





            To the API project, you don't need the AddOpenIdConnect(..) part if its a purely API only project, but you would still need AddAuthentication(...). The stackoverflow link comment will offer some insight perhaps.

            – k25
            Nov 15 '18 at 16:39













            1














            You typically only get Invalid redirect_uri when the Client - i.e. your MVC app - is redirecting to the Identity Server so that a user can authenticate, not when calling the API, nor caused by the API itself, so you should remove the challenge from the API's config and leave that to the UI only. Your API also needs its secret for some back-channel calls to the Identity Server, so change your API's Startup.cs to this:



             services.AddAuthorization();
             services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
             .AddIdentityServerAuthentication(
             options =>
             
             options.Authority = "http://localhost:5000";
             options.ApiName = "api1";
             options.ApiSecret = "scopeSecret";
             options.RequireHttpsMetadata = false;

             // You will almost certainly want these at some point too,
             // to prevent the API talking to the IS for every
             // API call. Adjust the duration as desired.
             options.EnableCaching = true;
             options.CacheDuration = TimeSpan.FromMinutes(10);
             );


            You don't show the Configure() part of your API's Startup.cs, but ensure it has 



            .UseAuthentication();


            before the call to



            .AddMvc()


            Now you should just need to decorate the protected API methods with [Authorize] and ensure you pass through the user's bearer token to calls to those API methods.






            share|improve this answer





























              1














              You typically only get Invalid redirect_uri when the Client - i.e. your MVC app - is redirecting to the Identity Server so that a user can authenticate, not when calling the API, nor caused by the API itself, so you should remove the challenge from the API's config and leave that to the UI only. Your API also needs its secret for some back-channel calls to the Identity Server, so change your API's Startup.cs to this:



               services.AddAuthorization();
               services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
               .AddIdentityServerAuthentication(
               options =>
               
               options.Authority = "http://localhost:5000";
               options.ApiName = "api1";
               options.ApiSecret = "scopeSecret";
               options.RequireHttpsMetadata = false;

               // You will almost certainly want these at some point too,
               // to prevent the API talking to the IS for every
               // API call. Adjust the duration as desired.
               options.EnableCaching = true;
               options.CacheDuration = TimeSpan.FromMinutes(10);
               );


              You don't show the Configure() part of your API's Startup.cs, but ensure it has 



              .UseAuthentication();


              before the call to



              .AddMvc()


              Now you should just need to decorate the protected API methods with [Authorize] and ensure you pass through the user's bearer token to calls to those API methods.






              share|improve this answer



























                1












                1








                1







                You typically only get Invalid redirect_uri when the Client - i.e. your MVC app - is redirecting to the Identity Server so that a user can authenticate, not when calling the API, nor caused by the API itself, so you should remove the challenge from the API's config and leave that to the UI only. Your API also needs its secret for some back-channel calls to the Identity Server, so change your API's Startup.cs to this:



                 services.AddAuthorization();
                 services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                 .AddIdentityServerAuthentication(
                 options =>
                 
                 options.Authority = "http://localhost:5000";
                 options.ApiName = "api1";
                 options.ApiSecret = "scopeSecret";
                 options.RequireHttpsMetadata = false;

                 // You will almost certainly want these at some point too,
                 // to prevent the API talking to the IS for every
                 // API call. Adjust the duration as desired.
                 options.EnableCaching = true;
                 options.CacheDuration = TimeSpan.FromMinutes(10);
                 );


                You don't show the Configure() part of your API's Startup.cs, but ensure it has 



                .UseAuthentication();


                before the call to



                .AddMvc()


                Now you should just need to decorate the protected API methods with [Authorize] and ensure you pass through the user's bearer token to calls to those API methods.






                share|improve this answer















                You typically only get Invalid redirect_uri when the Client - i.e. your MVC app - is redirecting to the Identity Server so that a user can authenticate, not when calling the API, nor caused by the API itself, so you should remove the challenge from the API's config and leave that to the UI only. Your API also needs its secret for some back-channel calls to the Identity Server, so change your API's Startup.cs to this:



                 services.AddAuthorization();
                 services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                 .AddIdentityServerAuthentication(
                 options =>
                 
                 options.Authority = "http://localhost:5000";
                 options.ApiName = "api1";
                 options.ApiSecret = "scopeSecret";
                 options.RequireHttpsMetadata = false;

                 // You will almost certainly want these at some point too,
                 // to prevent the API talking to the IS for every
                 // API call. Adjust the duration as desired.
                 options.EnableCaching = true;
                 options.CacheDuration = TimeSpan.FromMinutes(10);
                 );


                You don't show the Configure() part of your API's Startup.cs, but ensure it has 



                .UseAuthentication();


                before the call to



                .AddMvc()


                Now you should just need to decorate the protected API methods with [Authorize] and ensure you pass through the user's bearer token to calls to those API methods.







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited Nov 15 '18 at 18:40

























                answered Nov 15 '18 at 18:33









                sellotapesellotape

                5,77821721




                5,77821721



























                    draft saved

                    draft discarded
















































                    Thanks for contributing an answer to Stack Overflow!


                    • Please be sure to answer the question. Provide details and share your research!

                    But avoid


                    • Asking for help, clarification, or responding to other answers.

                    • Making statements based on opinion; back them up with references or personal experience.

                    To learn more, see our tips on writing great answers.




                    draft saved


                    draft discarded














                    StackExchange.ready(
                    function ()
                    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53323063%2fidentity-server-4-api-authentication-failure%23new-answer', 'question_page');

                    );

                    Post as a guest















                    Required, but never shown





















































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown

































                    Required, but never shown














                    Required, but never shown












                    Required, but never shown







                    Required, but never shown







                    -

                    這個網誌中的熱門文章

                    Barbados

                    圖片
                    For other uses, see Barbados (disambiguation). Not to be confused with Barbuda. Coordinates: 13°10′N 59°33′W  /  13.167°N 59.550°W  / 13.167; -59.550 Barbados Flag Coat of arms Motto:  "Pride and Industry" Anthem:  In Plenty and In Time of Need Capital and largest city Bridgetown 13°06′N 59°37′W  /  13.100°N 59.617°W  / 13.100; -59.617 Official languages English Recognised regional languages Bajan Creole Ethnic groups (est. 2010 [1] ) 92.4% black 3.1% multiracial 2.7% white 1.3% East Indian 0.5% other/unspecified Religion 75.6% Christian 2.5% other 20.6% none 1.2% unspecified [1] Demonym(s) Barbadian Bajan (colloquial) Government Unitary parliamentary constitutional monarchy • Monarch Elizabeth II •  Governor-General Dame Sandra Mason • Prime Minister Mia Mottley Legislature Parliament • Upper house Senate • Lower house House of Assembly Independence • From the United Kingdom 30 November 1966 Area • Total 439 km 2 (169 sq mi) (183rd) • Water (%) Negligib
                    閱讀完整內容

                    How to read a connectionString WITH PROVIDER in .NET Core?

                    圖片
                    6 I added .AddJsonFile("Connections.json", optional: true, reloadOnChange: true) in public Startup(IHostingEnvironment env) Connections.json contains: "ConnectionStrings": "DefaultConnection": "Server=(localdb)\mssqllocaldb;Database=DATABASE;Trusted_Connection=True;MultipleActiveResultSets=true", "COR-W81-101": "Data Source=DATASOURCE;Initial Catalog=P61_CAFM_Basic;User Id=USERID;Password=PASSWORD;Persist Security Info=False;MultipleActiveResultSets=False;Packet Size=4096;", "COR-W81-100": "Data Source=DATASOURCE;Initial Catalog=Post_PS;User Id=USERID;Password=PASSWORD;Persist Security Info=False;MultipleActiveResultSets=False;Packet Size=4096;", "MSEDGEWIN10": "Data Source=DATASOURCE; Initial Catalog=COR_Basic; Persist Security Info=False;Integrated Security=true;MultipleActiveResultSets=False;Packet Size=4096;Application Name="COR_Basic"", "server&qu
                    閱讀完整內容

                    Node.js Script on GitHub Pages or Amazon S3

                    圖片
                    0 I'm wondering if I can run a Node.js script in my Jekyll page from GitHub Pages or Amazon S3? I think it can't run on GitHub Pages since it doesn't support server side code. Not too sure. The code is below: var Airtable = require('airtable'); var base = new Airtable(apiKey: 'YOUR_API_KEY').base('appAnZVyYqusNPV5Q'); base('Invitee list').select( // Selecting the first 3 records in Complete list: maxRecords: 3, view: "Complete list" ).eachPage(function page(records, fetchNextPage) // This function (`page`) will get called for each page of records. records.forEach(function(record) console.log('Retrieved', record.get('Email')); ); // To fetch the next page of records, call `fetchNextPage`. // If there are more records, `page` will get called again. // If there are no more records, `done` will get called. fetchNextPage(); , function done(err) if (err) console.error(err); return; ); node.js
                    閱讀完整內容