I'm trying to get IdentityServer4 working with appsettings.json specifying a client secret for hybrid grant type.
The end of this article says that I need to sha256 hash and then base64 encode the secret if I want to put it in appsettings.json. So take the secret "secret" and put it through https://emn178.github.io/online-tools/sha256.html gets "2bb80d537b1da3e38bd30361aa855686bde0eacd7162fef6a25fe97bf527a25b" which base64 encoded is "MmJiODBkNTM3YjFkYTNlMzhiZDMwMzYxYWE4NTU2ODZiZGUwZWFjZDcxNjJmZWY2YTI1ZmU5N2JmNTI3YTI1Yg==". That makes my appsettings.json for the mvc client look like this
{
...
"ClientSecrets": [ {
"Value": "MkJCODBENTM3QjFEQTNFMzhCRDMwMzYxQUE4NTU2ODZCREUwRUFDRDcxNjJGRUY2QTI1RkU5N0JGNTI3QTI1Qg=="
} ],
...
}
On the MVC client, the config looks like this
.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
options.Authority = Configuration["OpenIdConnectAuthority"];
options.ClientId = "xxx-mvc";
options.ClientSecret = "secret";
options.RemoteAuthenticationTimeout = TimeSpan.FromHours(2);
options.ResponseType = "code id_token";
options.RequireHttpsMetadata = !Environment.IsDevelopment();
options.Scope.Clear();
options.Scope.Add("openid profile");
options.CallbackPath = new PathString("/signin-callback-oidc");
options.SignedOutCallbackPath = new PathString("/signout-callback-oidc");
options.SignedOutRedirectUri = new PathString("/");
options.ClaimsIssuer = OpenIdConnectDefaults.AuthenticationScheme;
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = JwtClaimTypes.Name
};
})
Despite this seemingly being correct, the identity server logs have
fail: IdentityServer4.Validation.ClientSecretValidator[0]
Client secret validation failed for client: xxx-mvc.
If I remove a portion of the base64 secret, identity server logs
Secret: no description uses invalid hashing algorithm.
So I know that the appsettings.json client secret is being picked up. If I comment out options.ClientSecret = "secret"; on the mvc side, identity server logs Hashed shared secret validator cannot process NoSecret so I know that config is being picked up.
How do I specify the correct two strings to get the secret "secret" to work in this situation?
Full logs from identity server are:
dbug: IdentityServer4.Hosting.EndpointRouter[0]
Request path /.well-known/openid-configuration matched to endpoint type Discovery
dbug: IdentityServer4.Hosting.EndpointRouter[0]
Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryEndpoint
info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryEndpoint for /.well-known/openid-configuration
trce: IdentityServer4.Endpoints.DiscoveryEndpoint[0]
Processing discovery request.
dbug: IdentityServer4.Endpoints.DiscoveryEndpoint[0]
Start discovery request
trce: IdentityServer4.Endpoints.DiscoveryEndpoint[0]
Calling into discovery response generator: IdentityServer4.ResponseHandling.DiscoveryResponseGenerator
trce: IdentityServer4.Hosting.IdentityServerMiddleware[0]
Invoking result: IdentityServer4.Endpoints.Results.DiscoveryDocumentResult
dbug: IdentityServer4.Hosting.EndpointRouter[0]
Request path /.well-known/openid-configuration/jwks matched to endpoint type Discovery
dbug: IdentityServer4.Hosting.EndpointRouter[0]
Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryKeyEndpoint
info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryKeyEndpoint for /.well-known/openid-configuration/jwks
trce: IdentityServer4.Endpoints.DiscoveryKeyEndpoint[0]
Processing discovery request.
dbug: IdentityServer4.Endpoints.DiscoveryKeyEndpoint[0]
Start key discovery request
trce: IdentityServer4.Endpoints.DiscoveryKeyEndpoint[0]
Calling into discovery response generator: IdentityServer4.ResponseHandling.DiscoveryResponseGenerator
trce: IdentityServer4.Hosting.IdentityServerMiddleware[0]
Invoking result: IdentityServer4.Endpoints.Results.JsonWebKeysResult
dbug: IdentityServer4.Hosting.EndpointRouter[0]
Request path /connect/authorize matched to endpoint type Authorize
dbug: IdentityServer4.Hosting.EndpointRouter[0]
Endpoint enabled: Authorize, successfully created handler: IdentityServer4.Endpoints.AuthorizeEndpoint
info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
dbug: IdentityServer4.Endpoints.AuthorizeEndpoint[0]
Start authorize request
dbug: IdentityServer4.Endpoints.AuthorizeEndpoint[0]
User in authorize request: 3a28f734-5d49-49e0-a28c-c851adfb4bf6
dbug: IdentityServer4.Validation.AuthorizeRequestValidator[0]
Start authorize request protocol validation
trce: IdentityServer4.Stores.ValidatingClientStore[0]
Calling into client configuration validator: IdentityServer4.Validation.DefaultClientConfigurationValidator
dbug: IdentityServer4.Stores.ValidatingClientStore[0]
client configuration validation for client xxx-mvc succeeded.
dbug: IdentityServer4.Validation.AuthorizeRequestValidator[0]
Checking for PKCE parameters
dbug: IdentityServer4.Validation.AuthorizeRequestValidator[0]
No PKCE used.
dbug: IdentityServer4.Validation.AuthorizeRequestValidator[0]
Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
trce: IdentityServer4.Validation.AuthorizeRequestValidator[0]
Authorize request protocol validation successful
dbug: IdentityServer4.Endpoints.AuthorizeEndpoint[0]
ValidatedAuthorizeRequest
{
"ClientId": "xxx-mvc",
"ClientName": "xxx MVC Client",
"RedirectUri": "http://localhost:4500/signin-callback-oidc",
"AllowedRedirectUris": [
"http://localhost:4500/signin-callback-oidc"
],
"SubjectId": "3a28f734-5d49-49e0-a28c-c851adfb4bf6",
"ResponseType": "code id_token",
"ResponseMode": "form_post",
"GrantType": "hybrid",
"RequestedScopes": "openid profile",
"State": "CfDJ8BvOOrOwFENEmcvniNGXxvPnb1gKLB_qQdpSkS5FI88I3vvopAgk9v23GYrBOce_S5PeDsBUzYEj28zpC__y1Q8ZcU2LE9vf7x9pBvmqltXBBdp4zRbhV52iiTEtfpj-MyvDrMTUWR1jCx_b4CmdObvZdVdqf3KvUKO6dCJvPVP5G0OBG6jkuWUvsQnm8uUTE28XBrhwMIn_3D1ns2BgShqtV6j9G7HzatthP-yg9tDV198xILScflYHAgNPWGiJUZcZoar1_FSi9ynxlJSonnkuAw6epwPYk1lvIKZrK5ofTHizmOBUHI_b-xyVXIzoQw",
"Nonce": "637027688717360370.ODBiYTgwZGMtNjRhYy00NmE4LWI3MDAtYWY4MTcxMmNkMmNjYmYwYjY1ZDUtMTUyYy00YjFlLWE2ZmMtNTdkM2YzMDY3NTAy",
"SessionId": "3b0abfecf91a43a58e3f24ccb6ff1351",
"Raw": {
"client_id": "xxx-mvc",
"redirect_uri": "http://localhost:4500/signin-callback-oidc",
"response_type": "code id_token",
"scope": "openid profile",
"response_mode": "form_post",
"nonce": "637027688717360370.ODBiYTgwZGMtNjRhYy00NmE4LWI3MDAtYWY4MTcxMmNkMmNjYmYwYjY1ZDUtMTUyYy00YjFlLWE2ZmMtNTdkM2YzMDY3NTAy",
"state": "CfDJ8BvOOrOwFENEmcvniNGXxvPnb1gKLB_qQdpSkS5FI88I3vvopAgk9v23GYrBOce_S5PeDsBUzYEj28zpC__y1Q8ZcU2LE9vf7x9pBvmqltXBBdp4zRbhV52iiTEtfpj-MyvDrMTUWR1jCx_b4CmdObvZdVdqf3KvUKO6dCJvPVP5G0OBG6jkuWUvsQnm8uUTE28XBrhwMIn_3D1ns2BgShqtV6j9G7HzatthP-yg9tDV198xILScflYHAgNPWGiJUZcZoar1_FSi9ynxlJSonnkuAw6epwPYk1lvIKZrK5ofTHizmOBUHI_b-xyVXIzoQw",
"x-client-SKU": "ID_NETSTANDARD2_0",
"x-client-ver": "5.3.0.0"
}
}
trce: IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator[0]
ProcessInteractionAsync
dbug: IdentityServer4.Services.DefaultConsentService[0]
Client is configured to not require consent, no consent is required
dbug: IdentityServer4.ResponseHandling.AuthorizeResponseGenerator[0]
Creating Hybrid Flow response.
dbug: IdentityServer4.EntityFramework.Stores.PersistedGrantStore[0]
GpVcH5oK1O8xEaWazwBmHumW8moTQsBnVATxPiUxIfs= not found in database
dbug: IdentityServer4.ResponseHandling.AuthorizeResponseGenerator[0]
Creating Implicit Flow response.
trce: IdentityServer4.Services.DefaultTokenService[0]
Creating identity token
dbug: IdentityServer4.Services.DefaultClaimsService[0]
Getting claims for identity token for subject: 3a28f734-5d49-49e0-a28c-c851adfb4bf6 and client: xxx-mvc
dbug: IdentityServer4.Services.DefaultClaimsService[0]
In addition to an id_token, an access_token was requested. No claims other than sub are included in the id_token. To obtain more user claims, either use the user info endpoint or set AlwaysIncludeUserClaimsInIdToken on the client configuration.
trce: IdentityServer4.Services.DefaultTokenService[0]
Creating JWT identity token
trce: IdentityServer4.Endpoints.AuthorizeEndpoint[0]
Identity token issued for xxx-mvc (xxx MVC Client) / 3a28f734-5d49-49e0-a28c-c851adfb4bf6: eyJhbGciOiJSUzI1NiIsImtpZCI6Ijc3ODc1NWJmMmZkMWRiZWVmNjZkZDdmZjY2YmM5NjBlIiwidHlwIjoiSldUIn0.eyJuYmYiOjE1NjcxNzIwNzEsImV4cCI6MTU2NzE3MjM3MSwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo0NDAwIiwiYXVkIjoibW9uZXRlZXItbXZjIiwibm9uY2UiOiI2MzcwMjc2ODg3MTczNjAzNzAuT0RCaVlUZ3daR010TmpSaFl5MDBObUU0TFdJM01EQXRZV1k0TVRjeE1tTmtNbU5qWW1Zd1lqWTFaRFV0TVRVeVl5MDBZakZsTFdFMlptTXROVGRrTTJZek1EWTNOVEF5IiwiaWF0IjoxNTY3MTcyMDcxLCJjX2hhc2giOiJNR3A5SzlLSm5KRTFaZW83YndoNG5BIiwic2lkIjoiM2IwYWJmZWNmOTFhNDNhNThlM2YyNGNjYjZmZjEzNTEiLCJzdWIiOiIzYTI4ZjczNC01ZDQ5LTQ5ZTAtYTI4Yy1jODUxYWRmYjRiZjYiLCJhdXRoX3RpbWUiOjE1NjcxNjk2NTAsImlkcCI6ImxvY2FsIiwiYW1yIjpbInB3ZCJdfQ.p9LKUCqmK8fjlznJtU5NGgtKE2fsSnxx8EW2ngu2pw-eSJXsuvI7t6FkxlHw6joVG178JXGfMY4BXt83binl9li3NLjzjJC7k8_07QUL_fknYB05rwhfAH995mxqXTV1A5n8ppjXzXcixAkVaA1Cxgb7mvqqfVHqRY2ra-MeIa7Esew5CiTeerlMT87wdWbIMmbK84TGSM26jLN1Uav6YYB-8Lonu2hcS3s4LXLS42bvy04Uc-UUOXcxK0LDgQu-stWfFjr9tYeoIefsgZIOJaEDtgwulExhNWTrPlFF5k9qYyYv4keKM_1dckP47-B4TR5m_1PEzGNeSJb48RwrXQ
trce: IdentityServer4.Endpoints.AuthorizeEndpoint[0]
Code issued for xxx-mvc (xxx MVC Client) / 3a28f734-5d49-49e0-a28c-c851adfb4bf6: 05331f140cb9626a391f6033d1ab6396711b614cdab5f224024336aa94f996f4
dbug: IdentityServer4.Endpoints.AuthorizeEndpoint[0]
Authorize endpoint response
{
"SubjectId": "3a28f734-5d49-49e0-a28c-c851adfb4bf6",
"ClientId": "xxx-mvc",
"RedirectUri": "http://localhost:4500/signin-callback-oidc",
"State": "CfDJ8BvOOrOwFENEmcvniNGXxvPnb1gKLB_qQdpSkS5FI88I3vvopAgk9v23GYrBOce_S5PeDsBUzYEj28zpC__y1Q8ZcU2LE9vf7x9pBvmqltXBBdp4zRbhV52iiTEtfpj-MyvDrMTUWR1jCx_b4CmdObvZdVdqf3KvUKO6dCJvPVP5G0OBG6jkuWUvsQnm8uUTE28XBrhwMIn_3D1ns2BgShqtV6j9G7HzatthP-yg9tDV198xILScflYHAgNPWGiJUZcZoar1_FSi9ynxlJSonnkuAw6epwPYk1lvIKZrK5ofTHizmOBUHI_b-xyVXIzoQw",
"Scope": "openid profile"
}
trce: IdentityServer4.Endpoints.AuthorizeEndpoint[0]
End authorize request. result type: IdentityServer4.Endpoints.Results.AuthorizeResult
trce: IdentityServer4.Hosting.IdentityServerMiddleware[0]
Invoking result: IdentityServer4.Endpoints.Results.AuthorizeResult
dbug: IdentityServer4.Hosting.EndpointRouter[0]
Request path /connect/token matched to endpoint type Token
dbug: IdentityServer4.Hosting.EndpointRouter[0]
Endpoint enabled: Token, successfully created handler: IdentityServer4.Endpoints.TokenEndpoint
info: IdentityServer4.Hosting.IdentityServerMiddleware[0]
Invoking IdentityServer endpoint: IdentityServer4.Endpoints.TokenEndpoint for /connect/token
trce: IdentityServer4.Endpoints.TokenEndpoint[0]
Processing token request.
dbug: IdentityServer4.Endpoints.TokenEndpoint[0]
Start token request.
dbug: IdentityServer4.Validation.ClientSecretValidator[0]
Start client validation
dbug: IdentityServer4.Validation.BasicAuthenticationSecretParser[0]
Start parsing Basic Authentication secret
dbug: IdentityServer4.Validation.PostBodySecretParser[0]
Start parsing for secret in post body
dbug: IdentityServer4.Validation.SecretParser[0]
Parser found secret: PostBodySecretParser
dbug: IdentityServer4.Validation.SecretParser[0]
Secret id found: xxx-mvc
trce: IdentityServer4.Stores.ValidatingClientStore[0]
Calling into client configuration validator: IdentityServer4.Validation.DefaultClientConfigurationValidator
dbug: IdentityServer4.Stores.ValidatingClientStore[0]
client configuration validation for client xxx-mvc succeeded.
dbug: IdentityServer4.Validation.HashedSharedSecretValidator[0]
No matching hashed secret found.
dbug: IdentityServer4.Validation.SecretValidator[0]
Secret validators could not validate secret
fail: IdentityServer4.Validation.ClientSecretValidator[0]
Client secret validation failed for client: xxx-mvc.
trce: IdentityServer4.Hosting.IdentityServerMiddleware[0]
Invoking result: IdentityServer4.Endpoints.Results.TokenErrorResult
You can use Identity Server 4's algorithm in IdentityServer4.Models.HashExtensions .
In one application run below method :
public string Sha256(string input)
{
using (var sha = SHA256.Create())
{
var bytes = Encoding.UTF8.GetBytes(input);
var hash = sha.ComputeHash(bytes);
return Convert.ToBase64String(hash);
}
}
The result will be K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols= if password is secret. Put that value to application.json should work :
"ClientSecrets": [ { "Value": "K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=" } ],