asp.net-mvcidentityserver3openid-connectkatanaowin-middleware
IdentityServer3: OWIN Katana middleware is throwing "invalid_client" error as it cannot get a token
We are using IdentityServer3 as the identity provider and OWIN Katana middleware to do the handshake based on OpenId Connect. The authentication works fine as we were redirected to identity server and back to the originating website. But the issue of invalid_client appears when I try to retrieve the tokens and get claims in the "OpenIdConnectAuthenticationNotifications".
Please check the code (startup class) below and the attached screenshot.
public sealed class Startup
{
public void Configuration(IAppBuilder app)
{
string ClientUri = @"https://client.local";
string IdServBaseUri = @"https://idm.website.com/core";l
string TokenEndpoint = @"https://idm.website.com/core/connect/token";
string UserInfoEndpoint = @"https://idm.website.com/core/connect/userinfo";
string ClientId = @"WebPortalDemo";
string ClientSecret = @"aG90apW2+DbX1wVnwwLD+eu17g3vPRIg7p1OnzT14TE=";
//AntiForgeryConfig.UniqueClaimTypeIdentifier = "sub";
JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = "Cookies"
});
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
ClientId = ClientId,
Authority = IdServBaseUri,
RedirectUri = ClientUri,
PostLogoutRedirectUri = ClientUri,
ResponseType = "code id_token token",
Scope = "openid profile roles",
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
RoleClaimType = "role"
},
SignInAsAuthenticationType = "Cookies",
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthorizationCodeReceived = async n =>
{
// use the code to get the access and refresh token
var tokenClient = new TokenClient(
TokenEndpoint,
ClientId,
ClientSecret);
var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(n.Code, n.RedirectUri);
if (tokenResponse.IsError)
{
throw new Exception(tokenResponse.Error);
}
// use the access token to retrieve claims from userinfo
var userInfoClient = new UserInfoClient(UserInfoEndpoint);
var userInfoResponse = await userInfoClient.GetAsync(tokenResponse.AccessToken);
// create new identity
var id = new ClaimsIdentity(n.AuthenticationTicket.Identity.AuthenticationType);
//id.AddClaims(userInfoResponse.GetClaimsIdentity().Claims);
id.AddClaims(userInfoResponse.Claims);
id.AddClaim(new Claim("access_token", tokenResponse.AccessToken));
id.AddClaim(new Claim("expires_at", DateTime.Now.AddSeconds(tokenResponse.ExpiresIn).ToLocalTime().ToString()));
id.AddClaim(new Claim("refresh_token", tokenResponse.RefreshToken));
id.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));
id.AddClaim(new Claim("sid", n.AuthenticationTicket.Identity.FindFirst("sid").Value));
n.AuthenticationTicket = new AuthenticationTicket(
new ClaimsIdentity(id.Claims, n.AuthenticationTicket.Identity.AuthenticationType, "name", "role"),
n.AuthenticationTicket.Properties);
},
RedirectToIdentityProvider = n =>
{
// if signing out, add the id_token_hint
if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
{
var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token");
if (idTokenHint != null)
{
n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
}
}
return Task.FromResult(0);
}
}
});
}
}
The client configuration at the IdSvr3 has been specified to use Hybrid Flow and I have checked that the client Id and client secret many times to verify that they are correct.
Here is the client configuration at the server side:
Solution
I was able to resolve the issue by looking at the logs generated by identity server. The logs said the client secret is incorrect, when I have checked several times that the secret was exact to what was showing on the identity server. But then I realised that the secret should be the actual text and NOT the hashed one. The modified code that worked is below:
string ClientId = @"WebPortalDemo";
//string ClientSecret = @"aG90apW2+DbX1wVnwwLD+eu17g3vPRIg7p1OnzT14TE="; // Incorrect secret, didn't work
string ClientSecret = @"love"; // Actual text entered as secret, worked
Credit: @rawel
- Select Box Not Populated On View After Model State Is Invalid
- Get null in controller when implementing IEnumerable in ASP NET model
- I get status code 500 while there is no error in my code when I try running in debug mode
- How to remove this straight line in ASP.NET MVC?
- How can I change IIS Express port for a site
- using IEnumerable<> as List<> when dynamic
- IIS server error .Server Error in '/' Application
- The named 'CommandType' does not exist in the current context
- Overriding an existing extension method
- JSON and UTC datetime
- How would I format a string value from a custom list into money format?
- Avoid SQL injection in Devexpress Grid where\filter condidtion
- .Net Framework You must add a reference to assembly mscorlib, Version=4.0.0.0
- Is there a better way to get Non-friends to appear in "People you may know" Section?
- Remove checkbox from parent node in TreeView from
- string.Format with variable names instead of numbers
- RouteValueDictionary ignores empty values
- Where should be the validation in a ASP.Net MVC scenario having Repository, Service Layer and using Model Binder?
- How and where to define an environment variable on Azure
- Setting Base Path using ConfigurationBuilder
- ArgumentException: An item with the same key has already been added
- Application_Start not firing?
- ASP Versioning, UrlSegmentApiVersionReader, routes match nonsense version numbers
- The model item passed into the dictionary is of type .. but this dictionary requires a model item of type
- The default XML namespace of the project must be the MSBuild XML namespace
- MVC with Bootstrap Navbar - Set Selected Item to Active
- Fluent Validation vs. Data Annotations
- kendo scrollview as clientTemplate doesnt work when providing it a template
- How to cache data in a MVC application
- Pass data to controller with fetch in ASP NET