Search code examples
c#oauth-2.0openid-connectopeniddict

OpenIddict 3 unavailable token validation from .NET 4.6

I have a Identity Server using OpenIddict 3.1. We have added a resource API with .NET 4.6. In the startup class, we are setting the token validation to use it on the [Authorize] attribute like this:

        var options = new JwtBearerAuthenticationOptions
        {
            Provider = new OAuthBearerAuthenticationProvider(),
            AuthenticationMode = AuthenticationMode.Active,
            AllowedAudiences = new[] { audience },
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateAudience = true,
                ValidateIssuer = false,
                IssuerSigningKey = key(SigningCertificate from OpenIddict),
                ValidateLifetime = true,
                ValidAudience = audience,
                RequireSignedTokens = true
            }
        };

        app.UseJwtBearerAuthentication(options);

We always get the unauthorized message.

We also have tried to use:

        var options = new JwtBearerAuthenticationOptions
        {
            Provider = new OAuthBearerAuthenticationProvider(),
            AuthenticationMode = AuthenticationMode.Active,
            AllowedAudiences = new[] { audience },
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateAudience = true,
                ValidateIssuer = false,
                IssuerSigningKeys = issuerSigningKeys,
                ValidateLifetime = true,
                ValidAudience = audience,
                RequireSignedTokens = true
            }
        };

On issuerSigningKeys, are the keys discovered from OpenIddict server JWT keys.

Our server configuration looks like this:

.AddValidation(options => {
                    options.UseLocalServer();
                    options.UseSystemNetHttp();
                    options.UseAspNetCore();
                });

and

services
    .AddAuthentication(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme).AddJwtBearer(options =>
    {
        options.Authority = "http://localhost:49424/";
        options.MetadataAddress = "http://localhost:49424/";
        options.Audience = "resource1";
        options.RequireHttpsMetadata = false;

        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = false,
            ValidateIssuerSigningKey = true,
            ValidAudiences = new List<string>
                            {
                                "resource1"
                            },
            IssuerSigningKey = (new RsaSecurityKey(System.Security.Cryptography.X509Certificates.RSACertificateExtensions.GetRSAPublicKey(AuthenticationExtensionMethods.TokenSigningCertificate())))  // can still login with or without this key

        };
    })
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
    {
        options.LoginPath = "/Account/Logon";
    });

Any suggestions? Is it possible to validate the tokens this way between different frameworks—such as .NET Core and .NET Framework 4.6—using OpenIddict?

Solution

  • OpenIDDict supports two types of tokens: reference tokens (just a binary blogb) and JWT-tokens (contains user details and claims). The AddJwtBearer() method does not support the reference token format.

    What you need to do is to remove the following line from your setup:

    options.UseReferenceTokens();