Separating Auth and Resource Servers with AspNet.Security.OpenIdConnect - the Audience?

Question

The example on the AspNet.Security.OpenIdConnect.Server looks to me like both an auth and resource server. I would like to separate those. I have done so.

At the auth server's Startup.Config, I have the following settings:

app.UseOpenIdConnectServer(options => {

    options.AllowInsecureHttp = true;
    options.ApplicationCanDisplayErrors = true;
    options.AuthenticationScheme = OpenIdConnectDefaults.AuthenticationScheme;
    options.Issuer = new System.Uri("http://localhost:61854"); // This auth server
    options.Provider = new AuthorizationProvider();
    options.TokenEndpointPath = new PathString("/token");              
    options.UseCertificate(new X509Certificate2(env.ApplicationBasePath + "\\mycertificate.pfx","mycertificate"));

});

I have an AuthorizationProvider written, but I don't think it's relevant to my current issue (but possibly relevant). At its GrantResourceOwnerCredentials override, I hard-code a claims principal so that it validates for every token request:

public override Task GrantResourceOwnerCredentials(GrantResourceOwnerCredentialsNotification context)
{
    var identity = new ClaimsIdentity(OpenIdConnectDefaults.AuthenticationScheme);

    identity.AddClaim(ClaimTypes.Name, "me");
    identity.AddClaim(ClaimTypes.Email, "[email protected]");
    var claimsPrincipal = new ClaimsPrincipal(identity);

    context.Validated(claimsPrincipal);
    return Task.FromResult<object>(null);
}

At the resource server, I have the following in its Startup.config:

app.UseWhen(context => context.Request.Path.StartsWithSegments(new PathString("/api")), branch =>
{
    branch.UseOAuthBearerAuthentication(options => {
        options.Audience = "http://localhost:54408"; // This resource server, I believe.
        options.Authority = "http://localhost:61854"; // The auth server
        options.AutomaticAuthentication = true;               
    });
});

On Fiddler, I ask for a token, and I get one:

POST /token HTTP/1.1
Host: localhost:61854
Content-Type: application/x-www-form-urlencoded

username=admin&password=aaa000&grant_type=password

So now I use that access token to access a protected resource from the resource server:

GET /api/values HTTP/1.1
Host: localhost:54408
Content-Type: application/json;charset=utf-8
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI.....

I now get this error - Audience validation failed. Audiences: 'empty'. Did not match validationParameters.ValidAudience: 'http://localhost:54408' or validationParameters.ValidAudiences: 'null'.

I think the reason why is because I never set an audience at the auth server (at app.UseOpenIdConnectServer(...)), so I don't think it wrote audience info to the token. So I need to set an audience at the auth server (as what is done in IdentityServer3), but I can't find a property on the options object that would let me do that.

Does AspNet.Security.OpenIdConnect.Server require the auth and resource to be in the same server?

Is setting the audience done when putting together the ClaimsPrincipal, and if so, how?

Would I need to write a custom Audience validator and hook it up to the system? (I sure hope the answer to this is no.)

Answer 1

Does AspNet.Security.OpenIdConnect.Server require the auth and resource to be in the same server?

No, you can of course separate the two roles.

As you've already figured out, if you don't explicitly specify it, the authorization server has no way to determine the destination/audience of an access token, which is issued without the aud claim required by default by the OAuth2 bearer middleware.

Solving this issue is easy: just call ticket.SetResources(resources) when creating the authentication ticket and the authorization server will know exactly which value(s) (i.e resource servers/API) it should add in the aud claim(s).

app.UseOpenIdConnectServer(options =>
{
    // Force the OpenID Connect server middleware to use JWT tokens
    // instead of the default opaque/encrypted token format used by default.
    options.AccessTokenHandler = new JwtSecurityTokenHandler();
});

public override Task HandleTokenRequest(HandleTokenRequestContext context)
{
    if (context.Request.IsPasswordGrantType())
    {
        var identity = new ClaimsIdentity(context.Options.AuthenticationScheme);
        identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "unique identifier");

        var ticket = new AuthenticationTicket(
            new ClaimsPrincipal(identity),
            new AuthenticationProperties(),
            context.Options.AuthenticationScheme);

        // Call SetResources with the list of resource servers
        // the access token should be issued for.
        ticket.SetResources("resource_server_1");

        // Call SetScopes with the list of scopes you want to grant.
        ticket.SetScopes("profile", "offline_access");

        context.Validate(ticket);
    }

    return Task.FromResult(0);
}     

app.UseJwtBearerAuthentication(new JwtBearerOptions
{
    AutomaticAuthenticate = true,
    AutomaticChallenge = true,
    Audience = "resource_server_1",
    Authority = "http://localhost:61854"
});