javascript - Identity Server 4, API unauthorized to call introspection endpoint - Stack Overflow

admin管理员组

文章数量:1328985

I hope someone can point me in the right direction.

I am trying to let an javascript client municate with an api with the help of reference tokens. I am using Identity Server 4.

What is going OK:

On login the javascript client/webapplicatoin gets routed to Identity server for user and password validation On success the user gets routed back to the javascript/webapplication and has a valid IdentityToken

What is NOT going OK:

When the javascript client/webapplication makes a call to my Api, the request gets received by the api. Then the api wants to check the received identity Token with Identity Server to get an access token, but fails to contact the server with te following error in the console:

fail: IdentityServer4.Validation.ApiSecretValidator[0]
      API validation failed.
fail: IdentityServer4.Endpoints.IntrospectionEndpoint[0]
      API unauthorized to call introspection endpoint. aborting.

Pretty clear the Api is not allowed to municate with te server...

I think I have a configuration error somewhere but I just cant see where. Tried all kind of different set-ups, I am out of ideas to try or to change...

This is what I have untill now:

For the javascript client:

I use the oidc-redux package, the config I use:

var userManagerConfig = {
   authority: "http://localhost:50289",
   redirect_uri: "http://localhost:3000/callback",
   client_id : "js",
   response_type : "id_token",
   scope :"openid",
};

Identity Server 4 Configs

Client definition:

public static IEnumerable<Client> GetClients()
{
    return new List<Client>
    {
        new Client
        {
            ClientId = "js",
            ClientName = "my js client",
            AllowedGrantTypes = GrantTypes.Implicit,
            RequireClientSecret = false,
            RequireConsent = false,
            RedirectUris           = { "http://localhost:3000/callback" },
            PostLogoutRedirectUris = { "http://localhost:3000" },
            AllowAccessTokensViaBrowser = false,
            AllowedCorsOrigins =     { "http://localhost:3000" },
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "myApi"
            }
        }
    };
}

Api resources definition:

public static IEnumerable<ApiResource> GetApiResources()
{
    return new List<ApiResource>
    {
        new ApiResource("myApi")
        {
            ApiSecrets =
            {
                new Secret("superweaksecret")
            }
        }
    };
}

in Configure service I add it all together in the container:

// configure identity server with in-memory stores, keys, clients and scopes
services.AddIdentityServer()
    .AddDeveloperSigningCredential()
    .AddInMemoryPersistedGrants()
    .AddProfileService<CustomClaimService>()
    .AddInMemoryIdentityResources(Config.GetIdentityResources())
    .AddInMemoryApiResources(Config.GetApiResources())
    .AddInMemoryClients(Config.GetClients())
    .AddAspNetIdentity<ApplicationUser>();

The Api setup

Based on Core, in the ConfigureService method I have the following:

services.AddAuthentication("Bearer")
    .AddIdentityServerAuthentication(options =>
    {
       options.Authority = "http://localhost:50289";
       options.RequireHttpsMetadata = false;
       options.ApiSecret = "superweaksecret";
       options.ApiName = "myApi";
       options.EnableCaching = false;

    });

Hope someone sees my error.

If I missed information or code needed for a proper awnser, please let me know.

Kind regards, Roel

I hope someone can point me in the right direction.

I am trying to let an javascript client municate with an api with the help of reference tokens. I am using Identity Server 4.

What is going OK:

On login the javascript client/webapplicatoin gets routed to Identity server for user and password validation On success the user gets routed back to the javascript/webapplication and has a valid IdentityToken

What is NOT going OK:

When the javascript client/webapplication makes a call to my Api, the request gets received by the api. Then the api wants to check the received identity Token with Identity Server to get an access token, but fails to contact the server with te following error in the console:

fail: IdentityServer4.Validation.ApiSecretValidator[0]
      API validation failed.
fail: IdentityServer4.Endpoints.IntrospectionEndpoint[0]
      API unauthorized to call introspection endpoint. aborting.

Pretty clear the Api is not allowed to municate with te server...

I think I have a configuration error somewhere but I just cant see where. Tried all kind of different set-ups, I am out of ideas to try or to change...

This is what I have untill now:

For the javascript client:

I use the oidc-redux package, the config I use:

var userManagerConfig = {
   authority: "http://localhost:50289",
   redirect_uri: "http://localhost:3000/callback",
   client_id : "js",
   response_type : "id_token",
   scope :"openid",
};

Identity Server 4 Configs

Client definition:

public static IEnumerable<Client> GetClients()
{
    return new List<Client>
    {
        new Client
        {
            ClientId = "js",
            ClientName = "my js client",
            AllowedGrantTypes = GrantTypes.Implicit,
            RequireClientSecret = false,
            RequireConsent = false,
            RedirectUris           = { "http://localhost:3000/callback" },
            PostLogoutRedirectUris = { "http://localhost:3000" },
            AllowAccessTokensViaBrowser = false,
            AllowedCorsOrigins =     { "http://localhost:3000" },
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "myApi"
            }
        }
    };
}

Api resources definition:

public static IEnumerable<ApiResource> GetApiResources()
{
    return new List<ApiResource>
    {
        new ApiResource("myApi")
        {
            ApiSecrets =
            {
                new Secret("superweaksecret")
            }
        }
    };
}

in Configure service I add it all together in the container:

// configure identity server with in-memory stores, keys, clients and scopes
services.AddIdentityServer()
    .AddDeveloperSigningCredential()
    .AddInMemoryPersistedGrants()
    .AddProfileService<CustomClaimService>()
    .AddInMemoryIdentityResources(Config.GetIdentityResources())
    .AddInMemoryApiResources(Config.GetApiResources())
    .AddInMemoryClients(Config.GetClients())
    .AddAspNetIdentity<ApplicationUser>();

The Api setup

Based on Core, in the ConfigureService method I have the following:

services.AddAuthentication("Bearer")
    .AddIdentityServerAuthentication(options =>
    {
       options.Authority = "http://localhost:50289";
       options.RequireHttpsMetadata = false;
       options.ApiSecret = "superweaksecret";
       options.ApiName = "myApi";
       options.EnableCaching = false;

    });

Hope someone sees my error.

If I missed information or code needed for a proper awnser, please let me know.

Kind regards, Roel

• javascript
• api
• jwt
• identityserver4
• openid-connect

Share Follow edited Feb 8, 2018 at 21:22 Roel asked Feb 8, 2018 at 20:31 RoelRoel 11311 silver badge77 bronze badges 19

• I don't understand the question. From your description (and code) your api should act as a protected resource and not as a client. In this case it is not supposed to retrieve the tokens. It is supposed to require them. Correct me if I have misunderstood something. – m3n7alsnak3 Commented Feb 8, 2018 at 21:02
• The setup is posed out of three parts, the javascript client, the Identity Server, and the Api. The javascript client and the Identity server municate as should. That means, from my webapplication I get routed to Identity Server to login and after succesfull login I have a IdentityToken. The javascript/webapp client then requests an endpoint on the api. And then the error occurs, it happens when the api tries to validate/retrieve the necessary information for authentication of the client at the Identity Server. The Api itself is not allowed to municate with the Identity Server – Roel Commented Feb 8, 2018 at 21:09
• OK so when are you getting this error? – m3n7alsnak3 Commented Feb 8, 2018 at 21:10
• I also updated the original question trying to be a bit more clear... – Roel Commented Feb 8, 2018 at 21:23
• Do you intentionally want to do it like this? Because I see that you are requesting only the id_token from IDS (response_type : "id_token",). Why don't you request the access_token too (response_type : "id_token token")? Then you just need to send the access_token, when calling the api and you will be ok. Or if you have something else in mind.. ? – m3n7alsnak3 Commented Feb 8, 2018 at 21:31

 |  Show 14 more ments

1 Answer 1

Sorted by: Reset to default 5

IdentityServer expects shared secrets to be hashed.

new ApiResource("myApi") {
    ApiSecrets = {
            new Secret("superweaksecret".Sha512())
    }
}

本文标签： javascriptIdentity Server 4API unauthorized to call introspection endpointStack Overflow