I'm trying to use IdentityServer4 to protect my Node API.
    import jwt from 'express-jwt';
    import jwksClient from 'jwks-rsa';

    // base URL of the IdentityServer4 instance (e.g. https://url); assumed to come from configuration
    const identity_authority = process.env.IDENTITY_AUTHORITY;

    export const jwtauth = jwt({
        // fetch the signing key matching the token's "kid" from the JWKS endpoint
        secret: jwksClient.expressJwtSecret({
            cache: true,
            rateLimit: true,
            jwksRequestsPerMinute: 2,
            jwksUri: `${identity_authority}/.well-known/openid-configuration/jwks`
        }),
        // validate the audience & issuer claims of the received token
        audience: 'projectapi',
        issuer: `${identity_authority}`,
        algorithms: ['RS256']
    })
I think I'm doing everything right, but when I call the API from the Web App, I get this error:
UnauthorizedError: jwt audience invalid. expected: projectapi
From all the research I have done, it was suggested that audience should be changed to aud: 'projectapi'. I tried that; it didn't work.
    using System.Collections.Generic;
    using IdentityServer4;
    using IdentityServer4.Models;

    // both properties below are members of the same static IdentityServer4 configuration class
    public static IEnumerable<Client> Clients =>
        new Client[]
        {
            new Client
            {
                ClientId = "portal",
                ClientName = "portal",
                AllowedGrantTypes = GrantTypes.Implicit,
                AllowAccessTokensViaBrowser = true,
                RequireConsent = false,
                RedirectUris = new List<string> {
                    "https://url/oidc-callback",
                    "https://url/oidc-silent-renew.html"
                },
                PostLogoutRedirectUris = { "https://url/logout" },
                AllowedCorsOrigins = new List<string> { "https://url" },
                AllowedScopes = new List<string>
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    IdentityServerConstants.StandardScopes.Email,
                    "authenticationapi",
                    "projectapi",
                    "workflowapi"
                }
            }
        };

    // API scopes only; this configuration defines no ApiResource
    public static IEnumerable<ApiScope> ApiScopes =>
        new List<ApiScope>
        {
            new ApiScope("authenticationapi", "Authentication API"),
            new ApiScope("projectapi", "Project API"),
            new ApiScope("workflowapi", "Project Workflow API")
        };
access_token:
    {
        "nbf": 1597959828,
        "exp": 1597960728,
        "iss": "https://url",
        "aud": "https://url/resources",
        "client_id": "portal",
        "sub": "183d2e05-3c19-44c0-a8c5-bfa29320b10b",
        "auth_time": 1597959828,
        "idp": "local",
        "email": "text@email.com",
        "name": "text@email.com",
        "family_name": "test",
        "given_name": "test",
        "role": "User",
        "jti": "5CD7A8058DAE31615529A0EBCC7334E2",
        "sid": "BA53399482221C789A1BB07F393C2806",
        "iat": 1597959828,
        "scope": [
            "openid",
            "profile",
            "email",
            "projectapi",
            "workflowapi",
            "authenticationapi"
        ],
        "amr": [
            "pwd"
        ]
    }
You have created API scopes but I don't see any API resources in your code.
Please add an API resource with the name projectapi.
For identityserver4 implementation you can refer here
    using System.Collections.Generic;
    using IdentityServer4.Models;

    // the IdentityServer4 type is ApiResource (not APIResource)
    public static IEnumerable<ApiResource> getApiResource()
    {
        return new[]
        {
            new ApiResource
            {
                Name = "projectapi",          // the resource name is what ends up in the token's "aud"
                DisplayName = "Api",
                Description = "your description",
                Scopes = new List<string> { "projectapi" }, // add the scopes this resource owns here
                ApiSecrets = new List<Secret> { new Secret("secretpassword".Sha256()) },
                UserClaims = new List<string> { /* user claims to include in the token */ }
            }
        };
    }
Also add this resource in memory in Startup.cs:
    // Config is assumed to be the class that holds the method above; adjust to your class name
    .AddInMemoryApiResources(Config.getApiResource())
Add this line where you have added all the in-memory clients and API scopes.
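To see why the token in the question is rejected even though "projectapi" is already in its scope list, here is an added example (not from the question, the answer, or the express-jwt project) that mirrors the audience and issuer checks express-jwt delegates to jsonwebtoken. The "after" token is constructed to show the aud shape expected once an ApiResource named projectapi owns the projectapi scope.

```javascript
// Claims copied from the access_token in the question (issuer, audience, scope, expiry).
const tokenBeforeFix = {
  iss: 'https://url',
  aud: 'https://url/resources',
  scope: ['openid', 'profile', 'email', 'projectapi', 'workflowapi', 'authenticationapi'],
  exp: 1597960728,
};

// Constructed: the same token once the "projectapi" ApiResource exists and its name is added to aud.
const tokenAfterFix = { ...tokenBeforeFix, aud: ['https://url/resources', 'projectapi'] };

const toArray = (v) => (Array.isArray(v) ? v : [v]);

// Same semantics as jsonwebtoken's verify(): both the token's aud and the expected audience may be
// a string or an array; the check passes when any token audience matches any expected audience.
// The scope claim is never consulted, which is why "projectapi" in scope does not help.
function audienceMatches(aud, expected) {
  if (aud === undefined) return false;
  return toArray(aud).some((a) =>
    toArray(expected).some((e) => (e instanceof RegExp ? e.test(a) : e === a)));
}

// Returns the failures express-jwt would surface as UnauthorizedError messages (empty = accepted).
function checkClaims(payload, { audience, issuer, now = Math.floor(Date.now() / 1000) }) {
  const errors = [];
  if (payload.exp !== undefined && now >= payload.exp) errors.push('jwt expired');
  if (!toArray(issuer).includes(payload.iss)) errors.push(`jwt issuer invalid. expected: ${issuer}`);
  if (!audienceMatches(payload.aud, audience)) {
    errors.push(`jwt audience invalid. expected: ${toArray(audience).join(' or ')}`);
  }
  return errors;
}

// Options matching the express-jwt configuration in the question; "now" is fixed inside the token's validity.
const opts = { audience: 'projectapi', issuer: 'https://url', now: 1597960000 };
console.log(checkClaims(tokenBeforeFix, opts)); // [ 'jwt audience invalid. expected: projectapi' ]
console.log(checkClaims(tokenAfterFix, opts));  // []
```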