I am new at this. Can someone please help me, since I have been going crazy over my problem for nearly a month now :( In short: I have an identity server project, a webapi project and an angular client. The client requests to authenticate and gets id_token and access_token (all good); the access_token is sent to the webapi project where I have:
```csharp
// Bearer token middleware for the webapi project (validated against the IdentityServer endpoint)
var idServerBearerTokenAuthOptions = new IdentityServerBearerTokenAuthenticationOptions
{
    Authority = "https://localhost:11066/IdentityServer/identity",
    ValidationMode = ValidationMode.ValidationEndpoint,
    AuthenticationType = "Bearer",
    RequiredScopes = new[] { "permissions", "openid" },
    DelayLoadMetadata = true
};
app.UseIdentityServerBearerTokenAuthentication(idServerBearerTokenAuthOptions);
```
and I have Autofac which should get me the current logged-in user
```csharp
builder.RegisterApiControllers(Assembly.GetExecutingAssembly()).InstancePerRequest();
// Per-request IApiUser built from the identity on the current thread
builder.Register(c => new ClaimsIdentityApiUser((ClaimsIdentity)Thread.CurrentPrincipal.Identity))
       .As<IApiUser>()
       .InstancePerRequest();
```
BUT Thread.CurrentPrincipal.Identity has nothing, and also ClaimsPrincipal.Current.Identity has nothing. What am I missing??
P.S. Similar problem to this question: "Protecting webapi with IdentityServer and Autofac - can't get claims", but obviously not the same solution nor setup.
a) The user should always be retrieved from ApiController.User (or the RequestContext).
b) Token validation might fail for some reason; use this resource to enable logging for the token validation middleware:
https://identityserver.github.io/Documentation/docsv2/consuming/diagnostics.html
c) Are you using JWTs or reference tokens? For JWTs you can set the ValidationMode to Local.
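One way to follow point a), as an added example that is not part of the question or the answer: resolve the principal from the Web API request context (via Autofac.Integration.WebApi's RegisterHttpRequestMessage, an assumption about the integration package in use) rather than from Thread.CurrentPrincipal, reusing the question's IApiUser and ClaimsIdentityApiUser types.

```csharp
// Added example (not from the question or the answer): resolve the caller from the
// Web API request context, as the answer advises, instead of Thread.CurrentPrincipal.
// Assumes Autofac.Integration.WebApi (Autofac.WebApi2) and the question's
// IApiUser / ClaimsIdentityApiUser types.
using System.Net;
using System.Net.Http;
using System.Reflection;
using System.Security.Claims;
using System.Web.Http;
using Autofac;
using Autofac.Integration.WebApi;

public static class ApiUserRegistration
{
    public static IContainer Build(HttpConfiguration config)
    {
        var builder = new ContainerBuilder();
        builder.RegisterApiControllers(Assembly.GetExecutingAssembly()).InstancePerRequest();

        // Lets components resolve the current HttpRequestMessage.
        builder.RegisterHttpRequestMessage(config);

        // The request context carries the principal the bearer middleware validated;
        // reading it here does not depend on Thread.CurrentPrincipal being set.
        builder.Register(c =>
        {
            var request = c.Resolve<HttpRequestMessage>();
            var identity = request.GetRequestContext().Principal?.Identity as ClaimsIdentity;
            if (identity == null || !identity.IsAuthenticated)
                throw new HttpResponseException(HttpStatusCode.Unauthorized);
            return new ClaimsIdentityApiUser(identity);
        }).As<IApiUser>().InstancePerRequest();

        var container = builder.Build();
        config.DependencyResolver = new AutofacWebApiDependencyResolver(container);
        return container;
    }
}

// Inside a controller the same principal is available directly as User.
[Authorize]
public class ProfileController : ApiController
{
    public IHttpActionResult Get()
    {
        var identity = User.Identity as ClaimsIdentity;
        var subject = identity?.FindFirst("sub")?.Value;
        return Ok(new { subject });
    }
}
```

If the resolved identity is still unauthenticated, the token never passed the middleware, so enable the diagnostics logging from point b) before looking at the DI wiring.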