I have an identity server implementation that works perfectively with jwt tokens and two different clients that access it.
Mr Console authenticates using client_credentials
Ms Website authenticates using pkce
In both cases when using jwt tokens I can get the claims with only one issue. The size of the token is getting out of hand and we'd like to use reference tokens instead.
I changed the token type from Jwt to Reference and can now get the claims for Ms Website by calling the user info endpoint and passing in the reference token. Great!
The problem I have is that I cannot seem to get the claims for Mr Console.
I cannot call the user info endpoint because it expects a user and throws an error "Token contains no sub claim" - which it wouldn't as I'm using client credentials.
I cannot call the introspective endpoint as it appears to only be available to internal apis and fails with the error "API unauthorized to call introspection endpoint".
How can I get the claims from within my client console application when provided with a reference token and not a jwt? Is there a way?
Thanks
Because you are using the client credentials flow you have no user claims available.
However you have Client claims that you can use instead, have you considered to use those instead of userclaims?
Related
While expanding our WPF Apps emailing functions to include larger attachments, we went from using the MS GRAPH API endpoint me/sendMail to send emails:
https://graph.microsoft.com/v1.0/me/sendMail
to using the me/messages endpoint to create a draft so that we could create an upload session to that draft so that we could upload larger attachments (pdf reports)
https://graph.microsoft.com/v1.0/me/messages
We are acquiring tokens via MSAL for both. However, when using the second method, we receive the following response:
"ErrorAccessDenied"
"Access is denied. Check credentials and try again."
Our expectation was that those two endpoints wouldn't have different credentialing requirements. Our organization's AzureAD accounts are federated delegate, so the only flow we can use is interactive Authorization Code -- so we are calling into MSAL to get the AzureAD token for both endpoints.
The endpoint for creating a draft message
POST /me/messages
requires Mail.ReadWrite permission. While endpoints for sending mail
POST /me/messages/{id}/send
POST /me/sendMail
require Mail.Send.
Adding Mail.ReadWrite permission should resolve the error.
I have a code that authenticate using Azure AD
I'm using openIdConnect Lib to authenticate with azure AD.
The scenario as below:
user open the URL of the app.
the app redirect user to Azure AD to authenticate
get the id token & access token
then AzureActiveDirectoryAuthMiddleware get the context and continue the scenario
this scenario is happenning from the UI, i need to know if i need to pass step number 3 (id token & access token) from postman and the middleware will continue the flow, how i can do this flow?
because my app will be used from UI and from postman
Using c# owin
if you want to check/test the middleware(some REST endpoint) functionality using the tokens through Postman, then copy the AccessToken and open Postman, set the Authorization type as Bearer and add the AccessToken as BearerToken and test the REST call.
Please make sure that the token added should start with Bearer (example - Bearer xyzabc)
In the documentation of IdentityServer4 it says:
[...] Consent is used to allow an end user to grant a client access to
resources (identity or API). This is typically only necessary for
third-party clients [...]
Does this mean an api can get access to claims the user did not consent to for the client the user logged into?
TL;DR
If I login to my mvc-client giving consent to permit Your email address, I get what I expect:
Secure-View of the mvc-client lists all claims from the identity token including the email address
Calling API using user token also shows email address as expected
But if I login and on consent screen tick off the permission for Your email address:
Secure-View of the mvc-client lists all claims from the identity token but not the email address (as expected)
But calling API using user token now also shows email address which I did not expect, or is this normal behavior?
Example-Configuration
I have this example (derived from the QuickStart Example 5):
mvc-client is from the sample
email-Scope is listed in Scope-definition of that client's OpenIdConnectOptions
AllowedScopes of that client include IdentityServerConstants.StandardScopes.Email
and the api api1 accessible by the mvc-client has IdentityServerConstants.StandardScopes.Email added to it inside UserClaims
I am using a custom profile service, but this should not be relevant to the question (just checked, the mentioned QuickStart example behaves the same way if configured like the steps described above)
I am answering this myself, but not yet accepting, since I am not 100% sure.
Yes, this is expected behavior, I think I just mixed up the different token types.
The api in my case is called using user token which effectively means access token.
From my understanding identity resources mentioned in the quoted documentation part does not apply to the access token (user identity is modeled by the identity token), so the behavior should be expected.
I am using Identity Server4 for a proof of concept project.I have implemented the identity server and I can receive an access token when I authenticate successfully.
For authentication I use, the following endpoint:
http://identity-vm-01/connect/token
and the details I post are:
Now, I would like to check if the token that I receive is valid. For that I am using the following endpoint.
http://identity-vm-01/connect/introspect
with a basic auth header using the client_id and client_secret as shown above, and pass token in the body.
But I receive an Unauthorized error. 401 . It will be great if someone could tell me what is that I am doing wrong.
Thank you
You need to define a scope secret for api1 (on the Scope class) and use the scope name and secret as client_id/secret.
Clients for the introspection endpoint are not really clients in the OAuth 2 sense - they are APIs.
I am using dotnetopenauth and working with google api. My problem is to get authorization code from my saved refresh token. If i can get that code then i can get accesstoken. i want to get that code not accesstoken directly. I was unable to find any method or url of end point which can return me authorization code from my refresh token. Thanx in advance
I think you have the OAuth 2 flow confused. Authorization codes do not come from refresh tokens. It's the other way around: you get refresh tokens in exchange for a one-time-use of your authorization code. Access tokens are obtained in any of three ways
In exchange for a refresh token.
In the initial exchange for the authorization code that returns both a refresh token and an access token.
OR, if you're using the implicit grant type instead of the authorization code flow, you get the access token in the url #fragment in response to the user's authorization redirect, but this only applies to JavaScript executing on the browser since fragments are not sent to web servers.