Menu
For unknown reason to me the "aud" claim is not present in access token (it is present in id token though).
Once access token is being sent to the API i get the following error:
Bearer was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'empty'. Did not match: validationParameters.ValidAudience: 'productconfigurationapi' or validationParameters.ValidAudiences: 'null'.
I know i can turn off audience validation and everything works then but i don't get why "aud" is not part of the access token.
Here's my IS4 configuration:
the client:
new Client
{
ClientId = "Spa",
AllowedGrantTypes = GrantTypes.Implicit,
AllowAccessTokensViaBrowser = true,
AlwaysSendClientClaims = true,
AlwaysIncludeUserClaimsInIdToken = true,
AccessTokenType = AccessTokenType.Jwt,
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
"productconfigurationapi"
},
RequireConsent = false
}
the api resource:
new ApiResource("productconfigurationapi")
{
UserClaims =
{
JwtClaimTypes.Audience
}
}
the API Scope:
return new List<ApiScope>
{
new ApiScope("productconfigurationapi")
};
and here's how IS4 is configured within its host application:
services.AddIdentityServer()
.AddDeveloperSigningCredential()
.AddConfigurationStore(options =>
{
})
.AddOperationalStore(options =>
{
})
.AddAspNetIdentity<IdentityUser>()
.AddJwtBearerClientAuthentication();
268
You should tie the ApiScope to the ApiResource by setting the Scopes property:
var api = new ApiResource("productconfigurationapi")
{
UserClaims =
{
JwtClaimTypes.Audience
},
Scopes = new List<string>
{
"productconfigurationapi"
},
};
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
