UseIdentityServerBearerTokenAuthentication is not working for IdentityServer3

Question

I have used the IdentityServer v3, now I want one website to be both the identity host and the web api host.

The authority option is not used to validate the token. I have verified the token endpoint and the token validation endpoint is working as expected (I can get and validate a token using postman). I used the [Authorize] attribute to decorate my controller method. Full logging is enabled on IdentityServer, nothing is logged when making an api request with a header name 'Authorization' with the value like 'Bearer mytokenhere'.

This is a vNext website on ASP.NET 5 using the Visual Studio 2015 CTP6.

        app.UseMvc();

        var certFile = AppDomain.CurrentDomain.BaseDirectory + "\\myawesomesite.pfx";

        app.Map("/core", core =>
        {
            var factory = InMemoryFactory.Create(
                            users: Users.Get(),
                            clients: Clients.Get(),
                            scopes: Scopes.Get());

            var idsrvOptions = new IdentityServerOptions
            {
                SiteName = "Lektieplan",
                Factory = factory,
                RequireSsl = false,
                SigningCertificate = new X509Certificate2(certFile, "lektieplan"),
                CorsPolicy = CorsPolicy.AllowAll,
                LoggingOptions = new LoggingOptions { EnableWebApiDiagnostics = true,EnableHttpLogging = true, IncludeSensitiveDataInLogs = true, WebApiDiagnosticsIsVerbose = true }
            };

            core.UseIdentityServer(idsrvOptions);
        });

        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = "http://localhost:57540/core",
            RequiredScopes = new[] { "api1" },
        });

And my project.json

My dependencies:

    "Microsoft.AspNet.Server.IIS": "1.0.0-beta3",
    "Microsoft.AspNet.Mvc": "6.0.0-beta3",
    "Microsoft.AspNet.StaticFiles": "1.0.0-beta3",
    "Microsoft.AspNet.Server.WebListener": "1.0.0-beta3",
    "Thinktecture.IdentityServer3": "1.3.0.0",
    "Microsoft.AspNet.Owin": "1.0.0.0-beta3",
    "Microsoft.AspNet.Security.DataProtection": "1.0.0.0-beta3",
    "Thinktecture.IdentityServer3.AccessTokenValidation": "1.2.2",
    "Autofac": "4.0.0-alpha1",
    "log4net": "2.0.3"

I seems to me that some of the provided samples works because of a cookie based option. I don't want to use the cookies.

Answer 1

Is UseIdentityServerBearerTokenAuthentication your only auth type? Do you have any filters defined for MVC?

I would try to split the apps into separate katana pipelines, so they don't conflict at all.

Pseudo:

app.Map("/core", a => a.UseIdsrv());
app.Map("/somethingweb", a => a.UseMvc());
app.Map("/api", a => {
   a.UseBearerTokenAuth();
   a.UseWebApi(); //or Mvc from now on, with v5
});

Guessing you would need to add cookieauth to that mvc pipeline as well, depending on what you want to achieve.