I attempting to use Identity Server 4 to authenticate users before granting access to a API. I am using a Implicit configuration as the front end is a Ember JS app. I have been able to Login, display the consent screen and then navigate to the redirectUri. However as soon as the Bearer Token is sent to the API I get back a 403.
I was able to find in the logs right before the 403 is returned it states there are not any scopes specified for the current principle. However I have yet to find anyone else reporting the same issue so I am not sure what I am doing wrong.
Any help would be appreciated.
API LOG
2017-03-27 15:24:35.358 -05:00 [Information] Request starting HTTP/1.1 GET http://localhost:55026/incentives/api/categories application/json
2017-03-27 15:24:36.035 -05:00 [Information] Successfully validated the token.
2017-03-27 15:24:36.046 -05:00 [Information] HttpContext.User merged via AutomaticAuthentication from authenticationScheme: "Bearer".
2017-03-27 15:24:36.048 -05:00 [Information] AuthenticationScheme: "Bearer" was successfully authenticated.
2017-03-27 15:24:36.051 -05:00 [Information] Scopes found on current principal: ""
2017-03-27 15:24:36.053 -05:00 [Warning] Scope validation failed. Return 403
2017-03-27 15:24:36.059 -05:00 [Debug] Connection id ""0HL3L9SNQEILQ"" completed keep alive response.
2017-03-27 15:24:36.060 -05:00 [Information] Request finished in 702.0523ms 403
new Client
{
ClientName = "IncentivesClient",
ClientId = "IncentivesClient",
AllowedGrantTypes = GrantTypes.Implicit,
AllowAccessTokensViaBrowser = true,
RedirectUris = new List<string>
{
"http://localhost:4200/authorized"
},
PostLogoutRedirectUris = new List<string>
{
"http://localhost:4200/unauthorized"
},
AllowedCorsOrigins = new List<string>
{
"http://localhost:4200"
},
AllowedScopes = new List<string>
{
StandardScopes.OpenId,
StandardScopes.Email,
StandardScopes.Profile,
"incentiveRecords",
"incentiverecordsscope",
}
}
This is the API settings
IdentityServerAuthenticationOptions identityServerValidationOptions = new IdentityServerAuthenticationOptions
{
Authority = "https://localhost:44357",
RequireHttpsMetadata = true,
AllowedScopes = new List<string> { "incentiveRecords" },
ApiSecret = "incentiveRecordsSecret",
ApiName = "incentiveRecords",
AutomaticAuthenticate = true,
SupportedTokens = SupportedTokens.Both,
AuthenticationScheme = "Bearer",
SaveToken = true,
ValidateScope = true,
// TokenRetriever = _tokenRetriever,
// required if you want to return a 403 and not a 401 for forbidden responses
AutomaticChallenge = true,
};
The example that I had found for implementing your own torii provider for OATH2 had instructed to include 'id_token' and 'token' in the response params which made sense considering they are the response type being utilized in my Implicit configuration. To add to the confusion both the id_token and token were obtaining values successfully after the promise. It did bother me that they were identical and when I decoded them the audience was set to the client instead of including the resource server. So the super simple answer was to change the 'token' response param to 'access_token'. Now I am able to obtain the correct token from the promise and move on to utilizing it within the Auth header. Hope this helps someone else out there.