I have configured the MVC client by adding the following lines.
    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer();
The error message was, as (kind of) expected, 401 Unauthorized. So I added config for the bearer as suggested by Microsoft.
    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(_ =>
        {
            _.Authority = "http://localhost:5000";
            _.Audience = "http://localhost:5002";
        });
In my solution, port 5000 hosts the IDS4 provider and port 5002 hosts the MVC application. At that point I got an error because I'm running strictly HTTP for the moment. The suggestion was to take the security down a notch by setting RequireHttpsMetadata to false, which I did as shown below.
    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(_ =>
        {
            _.Authority = "http://localhost:5000";
            _.Audience = "http://localhost:5002";
            // Allows fetching discovery metadata over plain HTTP.
            _.RequireHttpsMetadata = false;
        });
To my disappointment, I'm back to getting 401 Unauthorized in my browser when requesting the page under the action decorated with [Authorize].
I'm not sure how to diagnose it further. I'm trying to compare my code to a gazillion examples but fail to see any significant difference. Also, many examples regard other versions of Core, IDS or scheme. I need advice on where the smell might be coming from.
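An added example, not part of the original post: one way to see why the JWT bearer handler answers 401 is to hook its `JwtBearerEvents` callbacks and log what each request carried and why validation failed. The class and method names `JwtBearerDiagnostics` and `AddDiagnosedJwtBearer` are hypothetical; the authority and audience values are the ones from the post.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;

public static class JwtBearerDiagnostics
{
    // Hypothetical helper: call services.AddDiagnosedJwtBearer() from ConfigureServices.
    public static IServiceCollection AddDiagnosedJwtBearer(this IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "http://localhost:5000";
                options.Audience = "http://localhost:5002";
                options.RequireHttpsMetadata = false; // plain HTTP, local development only
                options.Events = new JwtBearerEvents
                {
                    // Runs for every request: shows whether a bearer token arrived at all.
                    // Only the scheme is logged, never the token value.
                    OnMessageReceived = context =>
                    {
                        var header = context.Request.Headers["Authorization"].ToString();
                        Console.WriteLine(string.IsNullOrEmpty(header)
                            ? $"[jwt] {context.Request.Path}: no Authorization header"
                            : $"[jwt] {context.Request.Path}: scheme '{header.Split(' ')[0]}'");
                        return Task.CompletedTask;
                    },
                    // Runs when a token was present but rejected (signature, issuer, audience, lifetime).
                    OnAuthenticationFailed = context =>
                    {
                        Console.WriteLine($"[jwt] rejected: {context.Exception.GetType().Name}: {context.Exception.Message}");
                        return Task.CompletedTask;
                    },
                    // Runs when validation succeeded: lists the audiences the token was issued for.
                    OnTokenValidated = context =>
                    {
                        var audiences = context.Principal.FindAll("aud").Select(c => c.Value);
                        Console.WriteLine($"[jwt] accepted, aud = {string.Join(", ", audiences)}");
                        return Task.CompletedTask;
                    },
                    // Runs just before the 401 is written: shows the reason the handler recorded.
                    OnChallenge = context =>
                    {
                        Console.WriteLine($"[jwt] 401: error='{context.Error}', description='{context.ErrorDescription}', " +
                                          $"failure='{context.AuthenticateFailure?.Message}'");
                        return Task.CompletedTask;
                    }
                };
            });
        return services;
    }
}
```

These callbacks only fire when the authentication middleware (`app.UseAuthentication()`) is registered in the pipeline ahead of MVC.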