Add sample where resource server is separate from auth server #180
Looks good. I'll follow it.
However, it doesn't seem to be far enough along for me to use. Do you mind having a look at my project and letting me know where I'm going wrong with this please:
I enabled the introspection endpoint:
The auth server seems to work fine when I interact directly with the auth server (I can get a token, refresh a token, introspect, etc.).
However, when I make a request to the resource server through Postman, I am getting a 404 for all protected endpoints. I am expecting to get a 401 here.
e.g: GET http://localhost:5001/api/users
Microsoft.AspNetCore.Hosting.Internal.WebHost:Information: Request starting HTTP/1.1 GET http://localhost:5001/api/users
It seems I don't get how this actually works.
So my auth server is http://localhost:5000
My resource server is http://localhost:5001
In the startup.cs file on my resource server, I have:
I used Postman to request a token using grant type = password with the client id and secret of my resource server.
I then tried to access a protected endpoint on the resource server with the token I got using Postman:
Is it because I used Postman to get the token that it is being rejected?
Also, since the token is rejected, I am getting a 404 and not a 401. If I am unauthorized, should I not be getting a 401 instead?
To be able to configure an audience in the introspection options, your access tokens must contain this specific audience. And for that, you must use the
The 401 response is likely caught by
I actually do get a 401.
I overlooked adding the error controller back to the resource server when I separated it from the auth server. I was getting a 404 because the error endpoint could not be found.
This commit fixes that: jayrulez/Etherkeep@5c99f05
Making progress but I'm still having a bit of trouble.
I interpret your answer above as adding say:
resource=resource_server to the token request right?
Also, why do all the messages seem to be logged twice?
Is that because of `app.UseStatusCodePagesWithReExecute("/error");`?
"The thread 0x74c has exited with code 0 (0x0)."
I finally understand this now. I need to add the resource server as an audience in the introspection config. I need to pass the resource server to the token request endpoint.
For my use case, I do not need to limit the audience of a token so I don't need to do any of this.
Thank you for your assistance, @PinpointTownes.
Can someone help me? I have a similar issue; my auth server and resource server are in different projects.
I configured my resource server startup in this way:
My config looks like this:
I already share the data protection key with Redis.
But when I call my resource server with Postman, I receive this message from the Auth Server:
The steps to repro are:
It works, thanks. (I did the opposite, but it is the same.) :)
I'd like to leave an explanation here for whoever comes next.
The introspection endpoint comes into play when a user (grant_type:password + username + password) wants to access a Resource API, and if your API is under an authorization check with
Once the Auth Server receives the call on
So it is very, very important that the
The best example that reproduces exactly the situation described here is the implicit flow, even if I didn't use that flow in my implementation because my security is entirely managed on the server side, so it is possible to implement it also with the password credentials flow and the client credentials flow.
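The audience check described in the replies above (the token must carry the resource server as an audience, otherwise introspection-based authorization rejects it with a 401) as an added, stand-alone example; this is not code from the thread or from OpenIddict. It assumes the resource server receives an RFC 7662 style introspection response, that its configured audience is `resource_server`, and the sample responses are constructed.

```python
import time

# Audience the resource server expects in the token's "aud" claim.
# Assumed value, matching the resource=resource_server request parameter
# discussed in the thread.
EXPECTED_AUDIENCE = "resource_server"


def evaluate_introspection(response, expected_audience=EXPECTED_AUDIENCE, now=None):
    """Decide how a resource server should treat a token, given the JSON the
    introspection endpoint returned for it (RFC 7662 fields).

    Returns (http_status, reason): 200 if the token may be accepted,
    401 if the request must be rejected as unauthorized. The caller should
    answer 401 directly rather than re-executing an error route that may not
    exist, which is how the 404 in the thread arose.
    """
    now = time.time() if now is None else now
    if not response.get("active", False):
        return 401, "token inactive or unknown to the authorization server"
    exp = response.get("exp")
    if exp is not None and exp <= now:
        return 401, "token expired"
    aud = response.get("aud", [])
    if isinstance(aud, str):  # RFC 7662 allows a single string or an array
        aud = [aud]
    if expected_audience not in aud:
        # A token requested without resource=... has no audience and lands here.
        return 401, "token not issued for this resource server (audience mismatch)"
    return 200, "token accepted"


# Constructed sample introspection responses (exp = 2100-01-01 UTC).
SAMPLES = {
    "no_audience": {"active": True, "exp": 4102444800, "sub": "alice"},
    "matching": {"active": True, "exp": 4102444800, "aud": ["resource_server"], "sub": "alice"},
    "other_audience": {"active": True, "exp": 4102444800, "aud": "other_api", "sub": "alice"},
    "revoked": {"active": False},
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        status, reason = evaluate_introspection(resp)
        print(f"{name:15} -> {status} ({reason})")
```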