
Thinktecture Identity Server 3 authentication works correctly in IIS Express, but keeps on throwing 401 Unauthorized when hosted in IIS


Ok, so I tried hosting the simplest OAuth sample and the identity server both on IIS; I have enabled CORS on the simplest OAuth sample. When I test the API using the JavaScript implicit client on IIS Express it works flawlessly: it gets the token, then when the token is sent the Web API checks the token and authorizes the JavaScript client. The problem happens when I move the JavaScript implicit client, the identity server, and the simple OAuth Web API so that they are hosted on IIS: the JavaScript brings back the token correctly, but when the token is sent to the Web API it always returns 401 Unauthorized. So is there any configuration I have to add in order to run it on IIS? I have made sure that anonymous authentication is the only enabled authentication mode. Any help or pointer is deeply appreciated.

I am trying to implement the samples given on IIS. Thanks for the help.


Solution

  • I had the same issue. It was coming from my self-signed certificate.

    Try adding to your IdentityServerOptions

    RequireSsl = false
    

    and switch the WebApi Authority to use http.

    Edit

    Server Side Configuration

        public void ConfigureIdentityServer(IAppBuilder app)
        {
            // Configure logging
            LogProvider.SetCurrentLogProvider(new DiagnosticsTraceLogProvider());
            // This is using a Factory class that generates the clients, users & scopes. Can be seen in the examples
            var IdentityFactory = Factory.Configure("DefaultConnection");

            app.Map("/identity", idsrvApp =>
            {
                idsrvApp.UseIdentityServer(new IdentityServerOptions
                {
                    SiteName = "Security Proof of Concept",
                    SigningCertificate = LoadCertificate(),
                    Factory = IdentityFactory,
                    CorsPolicy = CorsPolicy.AllowAll,
                    RequireSsl = false
                });
            });
        }
    

    JavaScript

    After receiving the token, make sure it is inserted in the Authorization header.

    JQuery Example

        $.ajax({
            url: 'http://your.url',
            type: 'GET',
            beforeSend: function (xhr) {
                xhr.withCredentials = true;
                // Bearer scheme followed by a single space and the raw access token
                xhr.setRequestHeader("Authorization", "Bearer " + apiToken);
            }
        });
    

    WebApi Resource

        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            // Location of the identity server: use the full URL & port
            Authority = "http://localhost/identity",
            RequiredScopes = new[] { "WebApiResource" },
            // Determines whether the API pings the identity server for validation or validates the token by itself
            //ValidationMode = ValidationMode.Local
        });
    

    The best way to determine what is happening is to enable logging.
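The configuration above split across three places, collected into a single OWIN startup as an added example (this is not the answerer's code or a sample from the IdentityServer3 project). It assumes the identity server and the Web API resource run in the same OWIN pipeline, that the answer's `Factory.Configure` and `LoadCertificate` helpers exist, and that the two appSettings keys (`IdentityServer:IssuerUri`, `IdentityServer:RequireSsl`) are yours to define. The point it shows is that the resource's `Authority` and the server's issuer must be the same string once the site is moved to IIS, where the binding (host name, port, scheme) usually differs from IIS Express, and that the `RequireSsl = false` workaround is best kept as an explicit toggle rather than a hard-coded value.

```csharp
using System;
using System.Configuration;
using IdentityServer3.AccessTokenValidation;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Logging;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // One base URL for both the issuer and the resource's Authority.
        // (appSettings key and default value are assumptions for this example.)
        var issuerUri = ConfigurationManager.AppSettings["IdentityServer:IssuerUri"]
                        ?? "http://localhost/identity";

        // Only relax the TLS requirement while diagnosing certificate problems;
        // anything other than an explicit "false" keeps the default of requiring SSL.
        var requireSsl = !string.Equals(
            ConfigurationManager.AppSettings["IdentityServer:RequireSsl"],
            "false",
            StringComparison.OrdinalIgnoreCase);

        // Trace-level logging is the quickest way to see why a token was rejected
        // (issuer mismatch, missing scope, discovery document not reachable, ...).
        LogProvider.SetCurrentLogProvider(new DiagnosticsTraceLogProvider());

        app.Map("/identity", idsrvApp =>
        {
            idsrvApp.UseIdentityServer(new IdentityServerOptions
            {
                SiteName = "Security Proof of Concept",
                // Pins the "iss" claim in issued tokens regardless of the IIS binding.
                IssuerUri = issuerUri,
                SigningCertificate = LoadCertificate(),          // helper from the answer (assumed)
                Factory = Factory.Configure("DefaultConnection"), // helper from the answer (assumed)
                CorsPolicy = CorsPolicy.AllowAll,
                RequireSsl = requireSsl
            });
        });

        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            // Must match the issuer above, including scheme and any trailing path.
            Authority = issuerUri,
            RequiredScopes = new[] { "WebApiResource" },
            // Local validation fetches the signing key from the discovery document
            // once and then checks JWTs in-process, so the Authority URL still has
            // to be reachable from the Web API host.
            ValidationMode = ValidationMode.Local
        });
    }

    // Placeholders so the class compiles on its own; replace with the answer's helpers.
    private static System.Security.Cryptography.X509Certificates.X509Certificate2 LoadCertificate()
    {
        throw new NotImplementedException("load the signing certificate here");
    }

    private static class Factory
    {
        public static IdentityServerServiceFactory Configure(string connectionStringName)
        {
            throw new NotImplementedException("build clients, users and scopes here");
        }
    }
}
```

If the 401 persists with this layout, compare the `iss` claim in a decoded access token against the `Authority` value byte for byte; a trailing slash or `localhost` versus the machine name is enough for the bearer middleware to reject the token, and the trace log will say so.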