I'm trying to create an Angular2 SPA consuming a .NET Core Web API protected using OpenIdDict, with credentials flow. In creating a repro solution for this issue, I have also detailed all my steps in a readme, so hope this post can be useful to newbies like me. Please find the full repro solutions in these repositories:
server-side (.NET Core + OpenIdDict), with detailed instructions to build your own: https://github.com/Myrmex/repro-oidang
client-side (Angular2): https://github.com/Myrmex/repro-angoid
As for the server side, I followed the sample provided by OpenIdDict about this flow (https://github.com/openiddict/openiddict-samples/blob/master/samples/PasswordFlow). Here are the most relevant bits in Startup
public void ConfigureServices(IServiceCollection services)
.AddDbContext<CatalogContext>(options =>
.AddDbContext<ApplicationDbContext>(options =>
services.AddIdentity<ApplicationUser, ApplicationRole>()
.AddJsonOptions(options =>
options.SerializerSettings.ContractResolver =
new Newtonsoft.Json.Serialization.CamelCasePropertyNamesContractResolver();
// add my services
// ...
services.AddTransient<IDatabaseInitializer, DatabaseInitializer>();
public void Configure(IApplicationBuilder app, IHostingEnvironment env,
ILoggerFactory loggerFactory,
IDatabaseInitializer databaseInitializer)
app.UseCors(builder =>
If I test it with Fiddler, it works fine: the token request gets the token, and I can then include it in the Authorization
header to access any protected API, which returns JSON data as expected.
Sample token request:
POST http://localhost:51346/connect/token
Content-Type: application/x-www-form-urlencoded
grant_type=password&scope=offline_access profile email roles&resource=http://localhost:4200&username=...&password=...
Sample resource request:
GET http://localhost:51346/api/values
Content-Type: application/json
Authorization: Bearer ...received token here...
Yet, on the client side, whenever I try the same request I get a 401 error; looking at the log, it seems that Angular2 Http service is not sending the required header at all, as I get the error Authentication was skipped because no bearer token was received
(see more log entries below).
A service retrieving some resources is like this:
import { Injectable } from '@angular/core';
import { Http, Response } from '@angular/http';
import { Observable } from 'rxjs/Observable';
import { SettingsService } from './settings.service';
import { AuthenticationService } from './authentication.service';
export interface ICategory {
id: string;
name: string;
export class CategoryService {
private _http: Http,
private _settings: SettingsService,
private _authService: AuthenticationService) { }
public getCategories(): Observable<ICategory[]> {
let url = this._settings.apiBaseUrl + 'categories';
let options = {
headers: this._authService.createAuthHeaders({
'Content-Type': 'application/json'
return this._http.get(url, options).map((res: Response) => res.json())
.catch((error: any) => Observable.throw(error.json().error || 'server error'));
Where the helper createAuthHeaders
just gets some properties representing the Header
(https://angular.io/docs/ts/latest/api/http/index/Headers-class.html) entries, retrieves the stored token, appends the Authentication
entry to the header, and returns it:
public createAuthHeaders(headers?: { [name: string]: any }): Headers {
let auth = new Headers();
if (headers) {
for (let key in headers) {
if (headers.hasOwnProperty(key)) {
auth.append(key, headers[key]);
let tokenResult = this._localStorage.retrieve(this._settings.tokenStorageKey, true);
if (tokenResult) {
auth.append('Authentication', 'Bearer ' + tokenResult.access_token);
return auth;
Yet, this request gets a 401 response and then Angular throws when trying to mapping the response to a JSON object (Unexpected end of JSON input
I must add that as soon as the client gets the token, it makes another request with it, to retrieve user info, and this works fine; here is it (see the code after get user info
public login(name: string, password: string) {
let body = 'grant_type=password&scope=offline_access profile email roles' +
this._settings.authBaseUrl + `token`,
headers: new Headers({
'Content-Type': 'application/x-www-form-urlencoded'
}).map(res => res.json())
(token: ITokenResult) => {
if (token.expires_in) {
token.expires_on = this.calculateExpirationDate(+token.expires_in);
this._localStorage.store(this._settings.tokenStorageKey, token, true);
// get user info
this._http.get(this._settings.authBaseUrl + 'userinfo', {
headers: new Headers({
'Content-Type': 'application/json',
'Authorization': 'Bearer ' + token.access_token
}).map(res => res.json())
.subscribe((info: IUserInfoResult) => {
let user: IUser = {
id: info.name,
email: info.email,
name: info.name,
firstName: info.given_name,
lastName: info.family_name,
role: info.role,
verified: info.email_verified
this._localStorage.store(this._settings.userStorageKey, user, true);
}, error => {
error => {
Yet, any other request, built using the service above, fails. What's wrong with the headers built with the quoted function?
Here are some log entries on the server side:
2016-11-18 20:41:31.9815|0|AspNet.Security.OAuth.Validation.OAuthValidationMiddleware|DEBUG| Authentication was skipped because no bearer token was received.
2016-11-18 20:41:31.9815|0|OpenIddict.Infrastructure.OpenIddictProvider|INFO| The token request validation process was skipped because the client_id parameter was missing or empty.
2016-11-18 20:41:32.0715|0|AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware|INFO| No explicit audience was associated with the access token.
2016-11-18 20:41:32.1165|10|AspNet.Security.OpenIdConnect.Server.OpenIdConnectServerMiddleware|INFO| AuthenticationScheme: ASOS signed in.
2016-11-18 20:41:32.1635|3|AspNet.Security.OAuth.Validation.OAuthValidationMiddleware|INFO| HttpContext.User merged via AutomaticAuthentication from authenticationScheme: Bearer.
2016-11-18 20:41:57.7430|0|AspNet.Security.OAuth.Validation.OAuthValidationMiddleware|DEBUG| Authentication was skipped because no bearer token was received.
2016-11-18 20:41:57.7430|0|AspNet.Security.OAuth.Validation.OAuthValidationMiddleware|DEBUG| Authentication was skipped because no bearer token was received.
2016-11-18 20:41:57.8820|12|AspNet.Security.OAuth.Validation.OAuthValidationMiddleware|INFO| AuthenticationScheme: Bearer was challenged.
2016-11-18 20:41:57.9305|12|AspNet.Security.OAuth.Validation.OAuthValidationMiddleware|INFO| AuthenticationScheme: Bearer was challenged.
2016-11-18 20:41:57.9465|0|AspNet.Security.OAuth.Validation.OAuthValidationMiddleware|DEBUG| Authentication was skipped because no bearer token was received.
2016-11-18 20:41:57.9925|12|AspNet.Security.OAuth.Validation.OAuthValidationMiddleware|INFO| AuthenticationScheme: Bearer was challenged.
Your bearer token usage is incorrect.
auth.append('Authentication', 'Bearer ' + tokenResult.access_token) // wrong
auth.append('Authorization', 'Bearer ' + tokenResult.access_token) // right
The header needs to be Authorization
. See https://www.rfc-editor.org/rfc/rfc6750#section-2.1