
IdentityServer AccessToken one server to another server


I have one web API and an IdentityServer4 app running on a Windows server ("Server 1"), and we are using the "access_token" to authorize API calls. Now the client wants to deploy the IdentityServer4 app on one more Windows server ("Server 2"). I followed these steps to do this.

1. Created the certificate using OpenSSL.

2. Converted the certificate to .pfx with a password.

3. Added the code below to load the certificate from the Windows certificate store:

    using System;
    using System.Security.Cryptography.X509Certificates;

    // Loads the token signing certificate from LocalMachine\My by thumbprint.
    private static X509Certificate2 LoadSigningCertificate()
    {
        X509Certificate2 cert = null;
        using (X509Store certStore = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            certStore.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection certCollection = certStore.Certificates.Find(
                X509FindType.FindByThumbprint,
                // for dev only
                "57041fcc9086da18419999fbb9276bd59bd8d14a",
                false);

            // Indexing an empty collection throws; fail with a clear message instead.
            if (certCollection.Count == 0)
                throw new InvalidOperationException("Signing certificate not found in LocalMachine\\My.");

            cert = certCollection[0];
        }
        return cert;
    }
4. Copied the .pfx file to both Server 1 and Server 2 and installed it on each.

5. Now I generate the access_token from Server 2 and pass this token to the web API (running on Server 1), with "Authority" pointing to the IdentityServer running on Server 1.

But this is not working and I'm getting an "Unauthorized" error.

This clearly shows that I'm doing something wrong here.

Please guide me. Thanks in advance.

Access Token Request: [screenshot]

Token Response: [screenshot]

Token compare from the 2 servers: [screenshot]


Solution

  • If you have multiple identity servers, then they must share the same signing key.

    See this page about key material.

    If you use AddDeveloperSigningCredential, then each machine will have a different set of private/public keys.

    The HTTPS certificate is not the same as the token signing certificate. If this is not the problem, it might be that the audience does not match the expected audience when the client receives the token. Do check out the ValidateAudience parameter. For simplicity, the audience (aud claim) in the token should be the same from both IdentityServers.

    If the feedback from the authentication classes does not help you, then you can always disable all the token validation features in this class and then enable them one by one to figure out what is causing you problems.

    It could also be an issuer issue, as the two tokens have different issuers; perhaps the client expects a specific issuer in the tokens. Perhaps you should put a load balancer in front of the two IdentityServers so that they will have the same issuer?
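The following is an added example, not code from the question or the answer above. It puts the answer's three points (shared signing key, matching audience, matching issuer) and the question's certificate-loading step into one IdentityServer4 startup that is deployed identically on Server 1 and Server 2, plus the web API's JwtBearer configuration. The thumbprint, the host names, the `api1` resource name and the `client` credentials are placeholders I chose; the code targets IdentityServer4 v4.x (which requires `ApiScope` in addition to `ApiResource`). Pinning `IssuerUri` is an alternative to the load balancer the answer suggests; listing both hosts in `ValidIssuers` covers the case where the issuer is not pinned.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class SigningCertificate
{
    // The same .pfx must be imported into LocalMachine\My on every IdentityServer
    // instance, so that all of them sign with the same key and publish the same
    // key id in their JWKS. Loading by thumbprint makes a mismatch fail loudly.
    public static X509Certificate2 Load(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (found.Count == 0)
                throw new InvalidOperationException($"Certificate {thumbprint} not found in LocalMachine\\My.");
            if (!found[0].HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key; import the .pfx, not a .cer.");
            return found[0];
        }
    }
}

// IdentityServer side: this configuration is deployed unchanged on Server 1 and Server 2.
public class IdentityServerStartup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Placeholder thumbprint (assumption): replace with the thumbprint of the shared .pfx.
        var cert = SigningCertificate.Load("0000000000000000000000000000000000000000");

        services.AddIdentityServer(options =>
            {
                // Pin the 'iss' claim so both instances issue identical issuers
                // regardless of the host name a client used to reach them (assumed URL).
                options.IssuerUri = "https://idsrv.example.com";
            })
            // Shared certificate, NOT AddDeveloperSigningCredential (that key is per machine).
            .AddSigningCredential(cert)
            .AddInMemoryApiScopes(new[] { new ApiScope("api1") })
            .AddInMemoryApiResources(new[]
            {
                // The ApiResource name becomes the 'aud' claim the API must expect.
                new ApiResource("api1", "Example API") { Scopes = { "api1" } }
            })
            .AddInMemoryClients(new[]
            {
                new Client
                {
                    ClientId = "client",                              // assumed
                    AllowedGrantTypes = GrantTypes.ClientCredentials,
                    ClientSecrets = { new Secret("secret".Sha256()) }, // assumed, dev only
                    AllowedScopes = { "api1" }
                }
            });
    }
}

// Web API side (Server 1): validates tokens minted by either IdentityServer.
public class ApiStartup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Discovery document and JWKS are fetched from here; because both
                // servers share the signing certificate, either server's keys validate both tokens.
                options.Authority = "https://server1.example.com"; // assumed
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuerSigningKey = true,
                    ValidateLifetime = true,
                    // Audience must equal the 'aud' claim; keep it identical on both servers.
                    ValidateAudience = true,
                    ValidAudience = "api1",
                    // If IssuerUri is not pinned above, accept both hosts explicitly (assumed URLs).
                    ValidateIssuer = true,
                    ValidIssuers = new[] { "https://server1.example.com", "https://server2.example.com" }
                };
            });
    }
}
```

When debugging, the quickest check is to decode a token from each server and compare the `iss`, `aud` and header `kid` values: with the shared certificate the `kid` must be identical, and any difference in `iss` or `aud` points directly at which validation parameter is rejecting the token.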