
Token audience problem #392

Closed
toddtsic opened this issue Feb 15, 2019 · 4 comments

Comments

@toddtsic

I'm getting the following error from my Asp.Net Core 2.2 Api project:

[18:04:24 Information] Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler
Failed to validate the token.
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'https://localhost:44340/resources'. Did not match: validationParameters.ValidAudience: 'api1' or validationParameters.ValidAudiences: 'null'.
   at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateAudience(IEnumerable`1 audiences, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()

[18:04:24 Information] Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler
BearerIdentityServerAuthenticationJwt was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'https://localhost:44340/resources'. Did not match: validationParameters.ValidAudience: 'api1' or validationParameters.ValidAudiences: 'null'.

[18:04:24 Information] IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler
Bearer was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'https://localhost:44340/resources'. Did not match: validationParameters.ValidAudience: 'api1' or validationParameters.ValidAudiences: 'null'.

Examining the jwt returned by my Asp.Net Core 2.2 STS project with IdentityServer 4 components at versions:

[image: IdentityServer4 package versions]

shows an aud of "angularclient" (not https://localhost:44340/resources)

Any suggestions?

@toddtsic (Author) commented Feb 15, 2019

Got it, hope this helps others:

The angular client after logging in is returned:

id token:

{
  "nbf": 1550240640,
  "exp": 1550273640,
  "iss": "https://localhost:44340",
  "aud": "https://localhost:44340/resources",
  "client_id": "angularclient",
  "sub": "71765055-647D-432E-AFB6-0F84218D0247",
  "auth_time": 1550240638,
  "idp": "local",
  "regid": "xxxx",
  "jseg": "xxxxx",
  "jobid": "b0984a87-172a-436e-a382-e95de3e1059f",
  "role": "xxxx",
  "given_name": "xxxxx",
  "family_name": "xxxx",
  "email": "xxxx",
  "scope": [
    "openid",
    "profile",
    "email"
  ],
  "amr": [
    "pwd"
  ]
}

and access token:

{
  "nbf": 1550240640,
  "exp": 1550243640,
  "iss": "https://localhost:44340",
  "aud": "angularclient",
  "nonce": "N0.55036966062308791550240634889",
  "iat": 1550240640,
  "at_hash": "yNVxDVHkmEmUvurl7XlzuA",
  "sid": "f54dee03793e7cc202b57f1d6de7622e",
  "sub": "71765055-647D-432E-AFB6-0F84218D0247",
  "auth_time": 1550240638,
  "idp": "local",
  "preferred_username": "TSICSuperUser",
  "name": "xxxx",
  "email": "xxxxx",
  "email_verified": true,
  "regid": "xxxxx",
  "jseg": "xxxxx",
  "jobid": "xxxxxxf",
  "role": "xxxxx",
  "given_name": "xxxx",
  "family_name": "xxxxx",
  "amr": [
    "pwd"
  ]
}

NOTE THE DIFFERENT AUDIENCES (aud:)

The Asp.Net Core 2.2 Api project's startup.cs configured IdentityServer4 as:

            services.AddAuthentication("Bearer")
                .AddIdentityServerAuthentication(options =>
                {
                    options.Authority = Configuration.GetValue<string>("IdentityServer4Strings:Authority");
                    options.RequireHttpsMetadata = Configuration.GetValue<bool>("IdentityServer4Strings:RequireHttpsMetadata");
                    // ApiName becomes the ValidAudience the bearer handler checks the token's aud against
                    options.ApiName = "api1";

                    options.SupportedTokens = IdentityServer4.AccessTokenValidation.SupportedTokens.Jwt;
                    options.ApiSecret = Configuration.GetValue<string>("IdentityServer4Strings:STSTSICApisSecuredSecret");
                    options.EnableCaching = true;
                    options.CacheDuration = TimeSpan.FromMinutes(10); // that's the default
                });

and the Bearer authentication error was:

2019-02-14 18:03:15.188 -07:00 [DBG] AuthenticationScheme: Bearer was not authenticated.
2019-02-14 18:04:04.360 -07:00 [INF] Failed to validate the token.
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'https://localhost:44340/resources'. Did not match: validationParameters.ValidAudience: 'api1' or validationParameters.ValidAudiences: 'null'.
   at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateAudience(IEnumerable`1 audiences, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
2019-02-14 18:04:04.430 -07:00 [INF] BearerIdentityServerAuthenticationJwt was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'https://localhost:44340/resources'. Did not match: validationParameters.ValidAudience: 'api1' or validationParameters.ValidAudiences: 'null'.
2019-02-14 18:04:04.433 -07:00 [INF] Bearer was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'https://localhost:44340/resources'. Did not match: validationParameters.ValidAudience: 'api1' or validationParameters.ValidAudiences: 'null'.

The "api1" in error:
Did not match: validationParameters.ValidAudience: 'api1'

references startup.cs

.AddIdentityServerAuthentication
options.ApiName = "api1";

Changing the Asp.Net Core 2.2 Api project startup.cs to:

            // critical for bearer authentication, the audience of the id token (set by Options.ApiName) is equal to this value
            var idTokenAudience = $"{Configuration.GetValue<string>("IdentityServer4Strings:Authority")}/resources";

            services.AddAuthentication("Bearer")
                .AddIdentityServerAuthentication(options =>
                {
                    options.Authority = Configuration.GetValue<string>("IdentityServer4Strings:Authority");
                    options.RequireHttpsMetadata = Configuration.GetValue<bool>("IdentityServer4Strings:RequireHttpsMetadata");
                    options.ApiName = idTokenAudience;

                    options.SupportedTokens = IdentityServer4.AccessTokenValidation.SupportedTokens.Jwt;
                    options.ApiSecret = Configuration.GetValue<string>("IdentityServer4Strings:STSTSICApisSecuredSecret");
                    options.EnableCaching = true;
                    options.CacheDuration = TimeSpan.FromMinutes(10); // that's the default
                });

resolved the issue.

2019-02-15 07:45:12.414 -07:00 [INF] Successfully validated the token.
2019-02-15 07:45:12.414 -07:00 [DBG] AuthenticationScheme: Bearer was successfully authenticated.
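The IDX10214 failure in the logs above is an exact string comparison of the token's aud claim against ValidAudience (which ApiName populates) or ValidAudiences. The following added example, not code from this thread or from IdentityServer4, reproduces that comparison in Python over a constructed token so the mismatch can be seen offline; it decodes the payload for inspection only and does not verify the signature, which the bearer handler does before audience validation runs.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # Restore the '=' padding that JWT base64url encoding strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    # Decode the claims of a compact JWS. Diagnostic only: no signature check here;
    # the JwtBearer handler verifies the signature before audience validation.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def token_audiences(claims: dict) -> list:
    # RFC 7519 allows 'aud' to be a single string or an array of strings.
    aud = claims.get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def validate_audience(audiences, valid_audience=None, valid_audiences=None) -> bool:
    # The check behind IDX10214: some token audience must equal ValidAudience
    # (set from ApiName) or one entry of ValidAudiences. Exact, case-sensitive match.
    allowed = set(valid_audiences or [])
    if valid_audience:
        allowed.add(valid_audience)
    return any(a in allowed for a in audiences)


def check_token(token: str, valid_audience=None, valid_audiences=None) -> str:
    auds = token_audiences(jwt_payload(token))
    if validate_audience(auds, valid_audience, valid_audiences):
        return "ok"
    return (f"IDX10214: Audience validation failed. Audiences: {auds}. Did not match "
            f"ValidAudience: {valid_audience!r} or ValidAudiences: {valid_audiences!r}")


def make_test_token(claims: dict) -> str:
    # Constructed token for offline inspection; the signature segment is a placeholder.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "RS256", "typ": "JWT"})}.{enc(claims)}.placeholder-signature'


if __name__ == "__main__":
    # Claims as in the thread: token aud is the resources URL, the API expects "api1".
    t = make_test_token({"aud": "https://localhost:44340/resources", "client_id": "angularclient"})
    print(check_token(t, valid_audience="api1"))
```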

@weitzhandler

weitzhandler commented Jul 25, 2019

I have a similar issue, posted here.

@damienbod (Owner)

@toddtsic thanks for the feedback

@giangbnguyen

@toddtsic: That helped me with my Ocelot server. I don't know why in the world options.ApiName is meant to be the resource URL.
