Getting 401 accessing secured page with JwtToken u

Posted 2019-05-25 01:43

I have configured the MVC client by adding the following lines.

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
  .AddJwtBearer();

The error message was, as (kind of) expected, 401 Unauthorized. So I added config for the bearer as suggested by Microsoft.

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
  .AddJwtBearer(_ =>
  {
    _.Authority = "http://localhost:5000";
    _.Audience = "http://localhost:5002";
  });

In my solution, port 5000 hosts the IDS4 provider and port 5002 hosts the MVC application. At that point I got an error because I'm running strictly HTTP for the moment. The suggestion was to take the security down a notch by setting RequireHttpsMetadata to false, which I did as shown below.

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
  .AddJwtBearer(_ =>
  {
    _.Authority = "http://localhost:5000";
    _.Audience = "http://localhost:5002";
    _.RequireHttpsMetadata = false;
  });

To my disappointment, I'm back on getting 401 Unauthorized in my browser when requesting the page under action decorated by [Authorize].

I'm not sure how to diagnose it further. I'm trying to compare my code to a gazillion examples but fail to see any significant difference. Also, many examples regard other versions of Core, IDS or scheme. I need advice on where the smell might be coming from.

1 answer
兄弟一词,经得起流年.
Post #2 · 2019-05-25 02:44

From the IdentityServer4 samples you can see that they are using AddOpenIdConnect and not AddJwtBearer for the MVC Client sample. Your MVC client service registration should then look like the following:

services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie("Cookies")
    .AddOpenIdConnect("oidc", options =>
    {
        options.SignInScheme = "Cookies";

        options.Authority = "http://localhost:5000";
        options.RequireHttpsMetadata = false;

        options.ClientId = "mvc";
        options.SaveTokens = true;
    });

Lastly, make sure you have a client which has an allowed scope to access your API resource and an appropriate grant type:

// OpenID Connect implicit flow client (MVC)
new Client
{
    ClientId = "mvc",
    ClientName = "MVC Client",
    AllowedGrantTypes = GrantTypes.Implicit,

    RedirectUris = { "http://localhost:5002/signin-oidc" },
    PostLogoutRedirectUris = { "http://localhost:5002/signout-callback-oidc" },

    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile
    }
}

AddOpenIdConnect basically preconfigures the handler endpoints for you for the callbacks from IDS4 that sign the user in and out, and it creates the appropriate ClaimsPrincipal.
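As an added example (not code from the question or the answer above), the two registrations side by side: the browser-facing MVC client with cookie + OIDC as the answer recommends, and a separate API where AddJwtBearer actually belongs. It assumes ASP.NET Core 2.x with IdentityServer4 at http://localhost:5000, the client id "mvc" from the page, and an API resource named "api1" (assumed, not on the page).

```csharp
// Added example, not from the question or answer. Assumed: ASP.NET Core 2.x + IDS4 on
// http://localhost:5000, client id "mvc" (from the page), API resource "api1" (assumed).
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;

public static class AuthRegistration
{
    // Browser-facing MVC client. A browser sends no Authorization header, so a
    // bearer-only scheme can never authenticate it and [Authorize] yields 401.
    // The cookie scheme signs the user in after the OIDC redirect and satisfies
    // [Authorize] on later requests.
    public static void AddMvcClientAuth(IServiceCollection services, IHostingEnvironment env)
    {
        services.AddAuthentication(options =>
            {
                options.DefaultScheme = "Cookies";
                options.DefaultChallengeScheme = "oidc";
            })
            .AddCookie("Cookies")
            .AddOpenIdConnect("oidc", options =>
            {
                options.SignInScheme = "Cookies";
                options.Authority = "http://localhost:5000";
                options.ClientId = "mvc";
                options.SaveTokens = true;
                // Tolerate plain-HTTP discovery only while developing locally;
                // everywhere else the metadata endpoint must be HTTPS.
                options.RequireHttpsMetadata = !env.IsDevelopment();
            });
    }

    // Token-receiving API. AddJwtBearer validates the access token presented in
    // the Authorization header. Audience must match the API resource name IDS4
    // issues tokens for, not the MVC application's URL.
    public static void AddApiAuth(IServiceCollection services, IHostingEnvironment env)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "http://localhost:5000";
                options.Audience = "api1"; // assumed ApiResource name
                options.RequireHttpsMetadata = !env.IsDevelopment();
            });
    }
}
```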
