
I am using IdentityServer4 in my ASP.NET Core API application. On my local server (https://localhost:[port]/connect/token) I successfully obtain an access token, and when I use that bearer token to call an [Authorize] method it works fine,
but on the server (https://example.com/connect/token) a token is also issued successfully; however, when I use that token to call an [Authorize] method I get a 401 Unauthorized error.

  "Authority": "https://example.com",
  "Audience": "https://example.com/resources",
  "RequireHttpsMetadata": "true"


 // IdentityServer (token issuer) side. Raising all four event kinds makes every
 // error/information/failure/success event visible to the logging pipeline, which is
 // the first place to look when a token is issued but later rejected.
 services.AddIdentityServer(options =>
        {
            options.Events.RaiseErrorEvents = true;
            options.Events.RaiseInformationEvents = true;
            options.Events.RaiseFailureEvents = true;
            options.Events.RaiseSuccessEvents = true;
        })
            // NOTE(review): the developer signing credential is intended for development only;
            // a deployed instance should use a persistent, managed signing key, otherwise
            // tokens may fail validation across restarts/instances — confirm for the example.com deployment.
            .AddDeveloperSigningCredential()
            // Persisted grants (refresh tokens etc.) presumably live only in process memory here
            // and are lost on restart — verify this is acceptable outside development.
            .AddInMemoryPersistedGrants()
            .AddInMemoryIdentityResources(GetIdentityResources())
            .AddInMemoryApiResources(GetApiResources())
            .AddInMemoryClients(GetClients())
            .AddAspNetIdentity<User>();

        // API (token consumer) side: incoming bearer tokens are authenticated and
        // challenged with the JWT bearer handler by default.
        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(options =>
          {
              // Authority is used to fetch discovery metadata and is compared with the token's
              // issuer; presumably a scheme/host mismatch between the local and deployed
              // AppSettings values would surface as a 401 — TODO confirm against the logs.
              options.Authority = configuration["AppSettings:Authority"];
              options.Audience = configuration["AppSettings:Audience"];
              // Convert.ToBoolean accepts only "true"/"false" (case-insensitive) and throws
              // FormatException otherwise; a missing key yields null, which converts to false —
              // and false would allow discovery metadata over plain HTTP, so keep it true outside development.
              options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AppSettings:RequireHttpsMetadata"]);
          });
        // Custom profile service; presumably supplies the claims placed into issued tokens.
        services.AddTransient<IProfileService, IdentityClaimsProfileService>();



    /// <summary>
    /// Identity resources (scopes describing user identity data) that this server registers.
    /// </summary>
    /// <returns>The standard openid, email and profile identity resources.</returns>
    public static IEnumerable<IdentityResource> GetIdentityResources()
    {
        var resources = new List<IdentityResource>();
        resources.Add(new IdentityResources.OpenId());
        resources.Add(new IdentityResources.Email());
        resources.Add(new IdentityResources.Profile());
        // NOTE(review): GetClients in this file allows the "address" scope, but no Address
        // identity resource is registered here — confirm whether that is intended.
        return resources;
    }
    /// <summary>
    /// API resources this server protects. The resource name ("api1") is the scope a
    /// client must request for its token to be accepted by that API.
    /// </summary>
    /// <returns>A single API resource named "api1".</returns>
    public static IEnumerable<ApiResource> GetApiResources() =>
        new List<ApiResource> { new ApiResource("api1", "My API") };
    /// <summary>
    /// Clients registered with this server. Currently a single client that uses the
    /// resource-owner-password grant (user credentials exchanged directly for tokens).
    /// </summary>
    /// <returns>A list holding the "ro.angular" client.</returns>
    public static IEnumerable<Client> GetClients()
    {
        var passwordClient = new Client
        {
            ClientId = "ro.angular",
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
            // Offline access issues refresh tokens; they are reusable and expire on a sliding window.
            AllowOfflineAccess = true,
            RefreshTokenUsage = TokenUsage.ReUse,
            RefreshTokenExpiration = TokenExpiration.Sliding
        };

        // NOTE(review): the client secret is a hard-coded literal — acceptable for a sample,
        // but a deployment should load it from configuration or a secret store.
        passwordClient.ClientSecrets.Add(new Secret("secret".Sha256()));

        // Scopes the client may request. "api1" must be requested for the token to be
        // accepted by the API resource of that name. NOTE(review): "address" is allowed here
        // but GetIdentityResources does not register an Address resource — confirm intent.
        passwordClient.AllowedScopes.Add(IdentityServerConstants.StandardScopes.OpenId);
        passwordClient.AllowedScopes.Add(IdentityServerConstants.StandardScopes.Profile);
        passwordClient.AllowedScopes.Add(IdentityServerConstants.StandardScopes.Email);
        passwordClient.AllowedScopes.Add(IdentityServerConstants.StandardScopes.Address);
        passwordClient.AllowedScopes.Add("api1");

        return new List<Client> { passwordClient };
    }
  • Here is my identity server setting in "AppSettings": { "Authority": "example.com", "Audience": "example.com/resources", "RequireHttpsMetadata": "true", Commented Nov 25, 2019 at 5:30
  • only one, that is tested on local then deployed on server (example.com) Commented Nov 25, 2019 at 9:57
  • There may be a configuration error. Can you verify the value of Authority in your api, possibly from your settings, something like: options.Authority = configuration["AppSettings:Authority"];. Commented Nov 26, 2019 at 14:51
  • In authority the value is identity server domain link eg. example.com Commented Nov 28, 2019 at 11:45
    It's working; I needed to send the correct scope that the user is registered for, e.g. scope: api1, to generate the token prnt.sc/q3cqao Commented Nov 28, 2019 at 13:41


This might be because of the scope value.

Follow these steps to check the scope:

  1. Copy your token
  2. Paste this on Jwt.io
  3. After decoding your token, find the scope claim, then generate the token with the right scope.
