IdentityServer
Generating Reference Token Instead of JWT
Please find below the steps I applied in order to generate Reference Token instead of JWT:
- In the [Clients] table, I updated property [AccessTokenType] = 1. Please note that this is the client configured to be used from Angular Frontend app.
[Client] Table
[ClientScopes] Table
"IdentityGuardsConfig": {
"oidcSettings": {
"authority": "http://localhost:5000",
"client_id": "local_spa",
"redirect_uri": "http://localhost:4200/#/identity-guards/auth-callback#",
"post_logout_redirect_uri": "http://localhost:4200",
"response_type": "id_token token",
"scope": "openid profile inspection_profile",
"filterProtocolClaims": true,
"loadUserInfo": true,
"automaticSilentRenew": true,
"silent_redirect_uri": "http://localhost:4200/#/identity-guards/silent-refresh#"
},
"enableConsoleLogging": true,
"postLoginRedirectUrl": "/portal"
}
OIDC client configuration (Angular App)
- Since API (/connect/introspect) is secure, I had to create API Resource and API Secret (as per this thread). Also as per the thread, I had to assign the exact scopes requested from Frontend client (3 scopes ==> opened, profile, inspection_profile)
[ApiResources] Table
[ApiSecrets] Table
[ApiScopes] Table
After applying the above configuration, IdentityServer service is returning reference token, also the reference token is being persisted in [PersistedGrants] table.
To validate the reference token, I was able to do that by hitting (/connect/introspect) API from Postman (below is the converted cURL request)
curl --location --request POST 'http://localhost:5000/connect/introspect' \
--header 'Authorization: Basic bG9jYWxfc3BhOlBAc3N3MHJk' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'token=f007eff8fc2a3d8d9af7cb605b93b78d7004880d24356acebf928dae5a48dd8e'
Response:
{
"iss": "http://localhost:5000",
"nbf": 1640694748,
"exp": 1640698348,
"aud": "http://localhost:5000/resources",
"client_id": "local_spa",
"sub": "f6a5ccec-9d70-4c7c-ab50-7a932f685cac",
"auth_time": 1640694748,
"idp": "local",
"amr": "pwd",
"email": "[email protected]",
"name": "[email protected]",
"given_name": "admin",
"phone_number": "0506198339",
"role": "SystemAdmin",
"preferred_username": "[email protected]",
"active": true,
"scope": "openid profile inspection_profile"
}
Issue: When I tried to access (/.well-known/openid-configuration) I’m getting the below exception:
An unhandled exception occurred while processing the request. Exception: Found identity scopes and API scopes that use the same names. This is an invalid configuration. Use different names for identity scopes and API scopes. Scopes found: openid, profile, inspection_profile IdentityServer4.Stores.IResourceStoreExtensions.Validate(IEnumerable<IdentityResource> identity, IEnumerable<ApiResource> apiResources) in IResourceStoreExtensions.cs, line 60
Complete Stack trace:
Exception: Found identity scopes and API scopes that use the same names. This is an invalid configuration. Use different names for identity scopes and API scopes. Scopes found: openid, profile, inspection_profile IdentityServer4.Stores.IResourceStoreExtensions.Validate(IEnumerable<IdentityResource> identity, IEnumerable<ApiResource> apiResources) in IResourceStoreExtensions.cs IdentityServer4.Stores.IResourceStoreExtensions.GetAllEnabledResourcesAsync(IResourceStore store) in IResourceStoreExtensions.cs IdentityServer4.ResponseHandling.DiscoveryResponseGenerator.CreateDiscoveryDocumentAsync(string baseUrl, string issuerUri) in DiscoveryResponseGenerator.cs IdentityServer4.Endpoints.DiscoveryEndpoint.ProcessAsync(HttpContext context) in DiscoveryEndpoint.cs IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events) in IdentityServerMiddleware.cs IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events) in IdentityServerMiddleware.cs IdentityServer4.Hosting.MutualTlsTokenEndpointMiddleware.Invoke(HttpContext context, IAuthenticationSchemeProvider schemes) in MtlsTokenEndpointMiddleware.cs Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context) Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.Invoke(HttpContext context) IdentityServer4.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in BaseUrlMiddleware.cs Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context) Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.MigrationsEndPointMiddleware.Invoke(HttpContext context) Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.DatabaseErrorPageMiddleware.Invoke(HttpContext httpContext) Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore.DatabaseErrorPageMiddleware.Invoke(HttpContext httpContext) Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
Important update
This organization is not maintained anymore besides critical security bugfixes (if feasible). This organization will be archived when .NET Core 3.1 end of support is reached (3rd Dec 2022). All new development is happening in the new Duende Software organization.
The new Duende IdentityServer comes with a commercial license but is free for dev/testing/personal projects and companies or individuals making less than 1M USD gross annnual revenue. Please get in touch with us if you have any question.
