The audience is invalid error

Frontend | Unresolved | 2 answers | 599 views
半阙折子戏 2021-02-05 08:09

I have 3 projects: 1. a JavaScript SPA, 2. a Web API project, 3. IdentityServer with EF Core.

I started debugging the API and IdentityServer and successfully got the JWT token, but

2 answers
    情歌与酒 2021-02-05 08:35

    To avoid the error, the audience should be added consistently in 4 places:

    1. In my (e.g. MVC) client as a custom Scope.
    2. In the API application as ApiName.
    3. In the IdentityServer Clients configuration as an AllowedScope.
    4. In the IdentityServer API Resources configuration as an ApiResource.

    See details (previously available in the IdentityServer4 wiki):

    When configuring a new API connection in IdentityServer4, you can get this error:

    WWW-Authenticate: Bearer error="invalid_token", 
    error_description="The audience is invalid"
    

    To avoid the error, the audience should be added consistently in 4 places:

    1. In my (e.g. MVC) client as a custom Scope:

    // ASP.NET Core 1.x-style OIDC middleware. The "MyApi" entry is the scope that
    // becomes the API's audience once IdentityServer maps it to an ApiResource.
    app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
    {
        Authority = Configuration["IdpAuthorityAddress"],
        ClientId = "my_web_ui_id",
        Scope = { "openid", "profile", "offline_access", "MyApi" },

        //other properties removed for brevity...
    });
    

    2. In the API application as ApiName:

    // IdentityServer4.AccessTokenValidation: ApiName is the value the middleware
    // requires in the token's "aud" claim; ApiSecret is only used when it falls
    // back to introspection for reference tokens.
    var identityServerAuthenticationOptions = new IdentityServerAuthenticationOptions()//Microsoft.AspNetCore.Builder.IdentityServerAuthenticationOptions
    {
        Authority = Configuration["Authentication:IdentityServer:Authority"],
        RequireHttpsMetadata = false, // development only; leave true in production

        EnableCaching = false,

        ApiName = "MyApi",
        ApiSecret = "MyApiSecret"
    };
    
    3. In IdentityServer \IdentityServerHost\Configuration\Clients.cs (or the corresponding Clients entry in the database):

    var client = new Client
    {
        ClientId = clientId,
        //other properties removed for brevity...
        // The client may only request scopes listed here; "MyApi" must match the
        // scope requested in step 1 and the ApiResource in step 4.
        AllowedScopes =
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
            //IdentityServerConstants.StandardScopes.Email,
            IdentityServerConstants.StandardScopes.OfflineAccess,
            "MyApi",
        },
    };
      

    4. In IdentityServer \IdentityServerHost\Configuration\Resources.cs (or the corresponding ApiResource entry in the database) as apiResource.Scopes:

    // The resource Name is what IdentityServer emits as the token's "aud" claim.
    // Note that the parameterless constructor used here does not define any scope
    // (only new ApiResource("MyApi") does that in 3.x), so the "MyApi" scope still
    // has to be listed in Scopes: new Scope("MyApi") in 3.x, or the string "MyApi"
    // plus a matching ApiScope in 4.x.
    var apiResource = new ApiResource
    {
        Name = "MyApi",
        ApiSecrets =
        {
            new Secret("MyApiSecret".Sha256())
        },
        UserClaims =
        {
            JwtClaimTypes.Name,
            JwtClaimTypes.Profile,
        },
    };
    

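The four places above only line up if the access token the API receives actually carries the API name in both its scope and aud claims, which is exactly what the API-side middleware checks against ApiName. As an added example (not code from the answer or from the IdentityServer project), the Python script below decodes a token's payload without verifying it and reports which of the four places the claims contradict. The sample tokens, the issuer URL and the ApiName "MyApi" are constructed assumptions; signature, issuer and expiry are deliberately not validated, so this is a diagnostic for misconfiguration, not an authorization check.

```python
import base64
import json

# Added diagnostic, not code from the page. It reproduces the audience check the
# API-side middleware performs (the configured ApiName must appear in the token's
# "aud" claim) and maps a failure back to one of the four configuration places.
# Signature, issuer and expiry are deliberately NOT validated here.


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(payload: dict) -> str:
    """Build an alg=none token (empty signature) for offline inspection only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWS without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_audience(token: str, api_name: str) -> dict:
    """Compare the token's aud/scope claims with the ApiName configured in place 2."""
    claims = decode_payload(token)
    aud = claims.get("aud", [])
    if isinstance(aud, str):          # RFC 7519: "aud" may be a string or an array
        aud = [aud]
    scope = claims.get("scope", [])
    if isinstance(scope, str):        # IdentityServer4 4.x can emit a space-separated string
        scope = scope.split()

    problems = []
    if api_name not in scope:
        # A token was issued, so the scope was never asked for (a request for a
        # scope outside AllowedScopes would have failed before a token existed).
        problems.append(
            f"'{api_name}' not in scope {scope}: the client did not request it "
            f"(place 1); also confirm it is in the client's AllowedScopes (place 3)")
    if api_name not in aud:
        problems.append(
            f"'{api_name}' not in aud {aud}: no ApiResource named '{api_name}' "
            f"covers the requested scope (place 4)")
    return {"api_name": api_name, "aud": aud, "scope": scope,
            "ok": not problems, "problems": problems}


# Constructed sample tokens (not real IdentityServer output). The issuer URL and
# client id are made up for the demo.
SAMPLE_BAD_TOKEN = make_unsigned_jwt({
    "iss": "https://localhost:5000", "client_id": "my_web_ui_id",
    "aud": ["OtherApi"], "scope": ["openid", "profile", "OtherApi"],
})
SAMPLE_GOOD_TOKEN = make_unsigned_jwt({
    "iss": "https://localhost:5000", "client_id": "my_web_ui_id",
    "aud": ["MyApi"], "scope": "openid profile offline_access MyApi",
})

if __name__ == "__main__":
    for tok in (SAMPLE_BAD_TOKEN, SAMPLE_GOOD_TOKEN):
        result = check_audience(tok, "MyApi")
        print("OK" if result["ok"] else "\n".join(result["problems"]))
```

To use it on a real token, copy the access token the SPA sends (the value after "Bearer " in the Authorization header) and pass it to check_audience with the ApiName from place 2. If both claims contain the name and the API still answers "The audience is invalid", the remaining suspect is place 2 itself (ApiName spelling or case). One caveat for IdentityServer4 4.x: a scope defined only as an ApiScope, with no ApiResource listing it, produces a token with no aud claim at all, which the audience validation in place 2 rejects until the ApiResource is added.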