
Token audience problem #392

Closed
toddtsic opened this issue Feb 15, 2019 · 3 comments

Comments

@toddtsic commented Feb 15, 2019

I'm getting the following error from my ASP.NET Core 2.2 API project:

[18:04:24 Information] Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler
Failed to validate the token.
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'https://localhost:44340/resources'. Did not match: validationParameters.ValidAudience: 'api1' or validationParameters.ValidAudiences: 'null'.
   at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateAudience(IEnumerable`1 audiences, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()

[18:04:24 Information] Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler
BearerIdentityServerAuthenticationJwt was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'https://localhost:44340/resources'. Did not match: validationParameters.ValidAudience: 'api1' or validationParameters.ValidAudiences: 'null'.

[18:04:24 Information] IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler
Bearer was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'https://localhost:44340/resources'. Did not match: validationParameters.ValidAudience: 'api1' or validationParameters.ValidAudiences: 'null'.

Examining the JWT returned by my ASP.NET Core 2.2 STS project with IdentityServer 4 components at versions:

[image: IdentityServer4 package versions]

shows an aud of "angularclient" (not https://localhost:44340/resources).

Any suggestions?

@toddtsic (Author) commented Feb 15, 2019

Got it, hope this helps others:

The angular client after logging in is returned:

id token:

{
  "nbf": 1550240640,
  "exp": 1550273640,
  "iss": "https://localhost:44340",
  "aud": "https://localhost:44340/resources",
  "client_id": "angularclient",
  "sub": "71765055-647D-432E-AFB6-0F84218D0247",
  "auth_time": 1550240638,
  "idp": "local",
  "regid": "xxxx",
  "jseg": "xxxxx",
  "jobid": "b0984a87-172a-436e-a382-e95de3e1059f",
  "role": "xxxx",
  "given_name": "xxxxx",
  "family_name": "xxxx",
  "email": "xxxx",
  "scope": [
    "openid",
    "profile",
    "email"
  ],
  "amr": [
    "pwd"
  ]
}

and access token:

{
  "nbf": 1550240640,
  "exp": 1550243640,
  "iss": "https://localhost:44340",
  "aud": "angularclient",
  "nonce": "N0.55036966062308791550240634889",
  "iat": 1550240640,
  "at_hash": "yNVxDVHkmEmUvurl7XlzuA",
  "sid": "f54dee03793e7cc202b57f1d6de7622e",
  "sub": "71765055-647D-432E-AFB6-0F84218D0247",
  "auth_time": 1550240638,
  "idp": "local",
  "preferred_username": "TSICSuperUser",
  "name": "xxxx",
  "email": "xxxxx",
  "email_verified": true,
  "regid": "xxxxx",
  "jseg": "xxxxx",
  "jobid": "xxxxxxf",
  "role": "xxxxx",
  "given_name": "xxxx",
  "family_name": "xxxxx",
  "amr": [
    "pwd"
  ]
}

NOTE THE DIFFERENT AUDIENCES (aud:)

The ASP.NET Core 2.2 API project startup.cs configured IdentityServer4:

    services.AddAuthentication("Bearer")
        .AddIdentityServerAuthentication(options =>
        {
            options.Authority = Configuration.GetValue<string>("IdentityServer4Strings:Authority");
            options.RequireHttpsMetadata = Configuration.GetValue<bool>("IdentityServer4Strings:RequireHttpsMetadata");
            // value the token's aud claim is checked against
            options.ApiName = "api1";

            options.SupportedTokens = IdentityServer4.AccessTokenValidation.SupportedTokens.Jwt;
            options.ApiSecret = Configuration.GetValue<string>("IdentityServer4Strings:STSTSICApisSecuredSecret");
            options.EnableCaching = true;
            options.CacheDuration = TimeSpan.FromMinutes(10); // that's the default
        });

and the Bearer authentication error was:

2019-02-14 18:03:15.188 -07:00 [DBG] AuthenticationScheme: Bearer was not authenticated.
2019-02-14 18:04:04.360 -07:00 [INF] Failed to validate the token.
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'https://localhost:44340/resources'. Did not match: validationParameters.ValidAudience: 'api1' or validationParameters.ValidAudiences: 'null'.
   at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateAudience(IEnumerable`1 audiences, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
2019-02-14 18:04:04.430 -07:00 [INF] BearerIdentityServerAuthenticationJwt was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'https://localhost:44340/resources'. Did not match: validationParameters.ValidAudience: 'api1' or validationParameters.ValidAudiences: 'null'.
2019-02-14 18:04:04.433 -07:00 [INF] Bearer was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'https://localhost:44340/resources'. Did not match: validationParameters.ValidAudience: 'api1' or validationParameters.ValidAudiences: 'null'.

The "api1" in the error:

    Did not match: validationParameters.ValidAudience: 'api1'

references startup.cs:

    .AddIdentityServerAuthentication
    options.ApiName = "api1";

Changing the ASP.NET Core 2.2 API project startup.cs to:

    // critical for bearer authentication: ApiName must match a value in the
    // token's aud claim, which here is {Authority}/resources
    var idTokenAudience = $"{Configuration.GetValue<string>("IdentityServer4Strings:Authority")}/resources";

    services.AddAuthentication("Bearer")
        .AddIdentityServerAuthentication(options =>
        {
            options.Authority = Configuration.GetValue<string>("IdentityServer4Strings:Authority");
            options.RequireHttpsMetadata = Configuration.GetValue<bool>("IdentityServer4Strings:RequireHttpsMetadata");
            options.ApiName = idTokenAudience;

            options.SupportedTokens = IdentityServer4.AccessTokenValidation.SupportedTokens.Jwt;
            options.ApiSecret = Configuration.GetValue<string>("IdentityServer4Strings:STSTSICApisSecuredSecret");
            options.EnableCaching = true;
            options.CacheDuration = TimeSpan.FromMinutes(10); // that's the default
        });

resolved the issue.

2019-02-15 07:45:12.414 -07:00 [INF] Successfully validated the token.
2019-02-15 07:45:12.414 -07:00 [DBG] AuthenticationScheme: Bearer was successfully authenticated.

@damienbod damienbod closed this Feb 16, 2019
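A caveat for anyone copying the fix above. The value the API was failing on, https://localhost:44340/resources, is the audience IdentityServer4 stamps on every access token it issues; the names of the API resources a token was actually issued for are added to aud alongside it. The token the API rejected in this thread lists only openid, profile and email in its scope claim and names no API, which is why nothing but the generic {authority}/resources value was present. Matching ApiName against that generic value therefore makes the API accept any access token from that STS, whichever client or API it was issued for. The configuration below is an added example, not the issue author's code or this repository's: it registers the API as a resource named api1 on the STS, allows the client to request that scope, and keeps ApiName = "api1" on the API, so audience validation only passes for tokens issued for this API. The client id and API name come from the issue; the redirect URIs, CORS origin, display names and class names are assumptions. The Angular client would also have to add api1 to the scopes it requests.

```csharp
// Added example for IdentityServer4 2.x / ASP.NET Core 2.2. Assumed: the SPA runs
// at https://localhost:4200; "api1" and "angularclient" are the names from the issue.
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.Extensions.DependencyInjection;

public static class Config
{
    public static IEnumerable<IdentityResource> IdentityResources =>
        new List<IdentityResource>
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile(),
            new IdentityResources.Email(),
        };

    // Registering the API as a resource is what makes IdentityServer4 add "api1"
    // to the aud claim of access tokens that were granted the "api1" scope.
    public static IEnumerable<ApiResource> Apis =>
        new List<ApiResource>
        {
            new ApiResource("api1", "TSIC API") // display name is an assumption
        };

    public static IEnumerable<Client> Clients =>
        new List<Client>
        {
            new Client
            {
                ClientId = "angularclient",
                ClientName = "Angular SPA",
                AllowedGrantTypes = GrantTypes.Code, // authorization code + PKCE for a browser app
                RequirePkce = true,
                RequireClientSecret = false,
                RedirectUris = { "https://localhost:4200/callback" },   // assumed
                PostLogoutRedirectUris = { "https://localhost:4200" },  // assumed
                AllowedCorsOrigins = { "https://localhost:4200" },      // assumed
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    IdentityServerConstants.StandardScopes.Email,
                    "api1" // the client must be allowed to ask for the API scope
                }
            }
        };
}

// STS side (the IdentityServer4 project).
public class StsStartup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddDeveloperSigningCredential() // development only; use a real signing key in production
            .AddInMemoryIdentityResources(Config.IdentityResources)
            .AddInMemoryApiResources(Config.Apis)
            .AddInMemoryClients(Config.Clients);
    }
}

// API side: accept only tokens issued for this API, not every token this STS issues.
public class ApiStartup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "https://localhost:44340";
                options.RequireHttpsMetadata = true;
                // Must equal the ApiResource name above. When the client requests the
                // api1 scope, the access token's aud is
                // ["https://localhost:44340/resources", "api1"] and validation succeeds;
                // a token issued without that scope still fails with IDX10214.
                options.ApiName = "api1";
                options.SupportedTokens = IdentityServer4.AccessTokenValidation.SupportedTokens.Jwt;
            });
    }
}
```

With this in place the token the SPA sends to the API is the access token (the one whose aud includes api1), while the id token, whose aud is the client id, stays in the browser and is never presented to the API. ApiSecret is only consulted for reference tokens via introspection, so it is not needed when SupportedTokens is Jwt.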
@weitzhandler commented Jul 25, 2019

I have a similar issue, posted here.

@damienbod (Owner) commented Jul 30, 2019

@toddtsic thanks for the feedback
