Missing "aud" claim in access token

For a reason unknown to me, the "aud" claim is not present in the access token (it is present in the ID token though).

Once the access token is sent to the API, I get the following error:

Bearer was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'empty'. Did not match: validationParameters.ValidAudience: 'productconfigurationapi' or validationParameters.ValidAudiences: 'null'.

I know I can turn off audience validation and everything works then, but I don't get why "aud" is not part of the access token.

Here's my IS4 configuration:

the client:

    new Client
    {
        ClientId = "Spa",
        AllowedGrantTypes = GrantTypes.Implicit,
        AllowAccessTokensViaBrowser = true,
        AlwaysSendClientClaims = true,
        AlwaysIncludeUserClaimsInIdToken = true,
        AccessTokenType = AccessTokenType.Jwt,
        // scopes the client is allowed to request
        AllowedScopes =
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
            "productconfigurationapi"
        },
        RequireConsent = false
    }

the api resource:

    new ApiResource("productconfigurationapi")
    {
        UserClaims =
        {
            JwtClaimTypes.Audience
        }
    }

the API Scope:

    return new List<ApiScope>
    {
        new ApiScope("productconfigurationapi")
    };

and here's how IS4 is configured within its host application:

    services.AddIdentityServer()
        .AddDeveloperSigningCredential()
        .AddConfigurationStore(options =>
        {
        })
        .AddOperationalStore(options =>
        {
        })
        .AddAspNetIdentity<IdentityUser>()
        .AddJwtBearerClientAuthentication();
asked Jul 16 '20 08:07 by skyrunner
1 Answer

You should tie the ApiScope to the ApiResource by setting the Scopes property:

var api = new ApiResource("productconfigurationapi")
{
    UserClaims =
    {
        JwtClaimTypes.Audience
    },
    Scopes = new List<string>
    {
        "productconfigurationapi"
    },
};
answered Nov 12 '22 18:11 by Tore Nestenius
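The following is an added example, not code from the question or the answer above. It shows the complete IdentityServer4 resource configuration with the ApiScope tied to the ApiResource, next to the API-side JwtBearer setup that keeps audience validation switched on instead of disabling it (the workaround the question mentions). In-memory stores stand in for the EF configuration store used in the question; the redirect URI and the authority URL are hypothetical values.

```csharp
// Added example (not the question's or answer's own code). Assumes IdentityServer4 v4
// and Microsoft.AspNetCore.Authentication.JwtBearer; URLs below are placeholders.
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class Config
{
    public static IEnumerable<IdentityResource> IdentityResources =>
        new List<IdentityResource>
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile()
        };

    // The scope the SPA asks for in the authorize request.
    public static IEnumerable<ApiScope> ApiScopes =>
        new List<ApiScope>
        {
            new ApiScope("productconfigurationapi")
        };

    // The API the scope belongs to. The resource Name is what IS4 writes into the
    // "aud" claim, but only for resources whose Scopes contain a requested scope.
    // An ApiResource with an empty Scopes list is never matched, so no "aud" is
    // emitted, which is exactly the "Audiences: 'empty'" failure in the question.
    // (UserClaims is for user profile claims to copy into the token; "aud" does
    // not need to be listed there.)
    public static IEnumerable<ApiResource> ApiResources =>
        new List<ApiResource>
        {
            new ApiResource("productconfigurationapi", "Product configuration API")
            {
                Scopes = new List<string> { "productconfigurationapi" }
            }
        };

    public static IEnumerable<Client> Clients =>
        new List<Client>
        {
            new Client
            {
                ClientId = "Spa",
                // Implicit flow as in the question. For a new SPA prefer
                // GrantTypes.Code with RequirePkce = true and RequireClientSecret = false.
                AllowedGrantTypes = GrantTypes.Implicit,
                AllowAccessTokensViaBrowser = true,
                RedirectUris = { "https://localhost:5002/callback" }, // hypothetical
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "productconfigurationapi"
                },
                RequireConsent = false
            }
        };
}

public static class IdentityServerHostSetup
{
    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddDeveloperSigningCredential() // development only; use a persisted key in production
            .AddInMemoryIdentityResources(Config.IdentityResources)
            .AddInMemoryApiScopes(Config.ApiScopes)
            .AddInMemoryApiResources(Config.ApiResources)
            .AddInMemoryClients(Config.Clients);
    }
}

public static class ApiHostSetup
{
    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication("Bearer")
            .AddJwtBearer("Bearer", options =>
            {
                options.Authority = "https://localhost:5001"; // hypothetical IS4 URL
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Weak setting from the question's workaround would be
                    // ValidateAudience = false: it lets a token minted for any other
                    // API at this issuer be replayed against this one. Keep it on and
                    // pin the expected audience to this resource's Name.
                    ValidateAudience = true,
                    ValidAudience = "productconfigurationapi"
                };
            });
    }
}
```

With the scope linked, the access token carries "aud": "productconfigurationapi" and the API's IDX10214 error disappears without loosening validation. If the token still shows no "aud" after this change, check that the client requests the scope by name and that the resource and scope share the same string; the link is by exact name match.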