Kévin Chalet

Results 162 comments of Kévin Chalet

Hey,

> Hello, first off thanks for making this amazing library.

Thanks for your kind words 😄

> I don't know where this error comes from but it seems to...

> My base controller does have `[Authorize(AuthenticationSchemes = OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme)]` could that have anything to do with it?

It's unlikely: 403 responses indicate an authorization issue that can't be resolved by...

```csharp
at Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, String scheme, AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.AuthenticationHttpContextExtensions.ChallengeAsync(HttpContext context, String scheme, AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.AuthenticationHttpContextExtensions.ChallengeAsync(HttpContext context, String scheme)
```

It's super weird, the authorization middleware triggers a challenge...

Ah, I see you edited your message, so my first remark no longer applies (did you forget to attach the token? 😄)

> My tokens do get attached to the requests yes

I meant before you edited your message. Your updated logs include the following lines:

```csharp
at Microsoft.AspNetCore.Authentication.AuthenticationService.ForbidAsync(HttpContext context, String scheme,...
```

> The IsInRole check claims I'm not part of the given role even though the claims do include the role claim, shouldn't the identity have this role set?

If this...

It's not the correct value, it should be `role`. Can you share your transformer?

Ahhhhhhh, that's because you use the opt-in ASP.NET Core Data Protection integration (there's an issue in 3.x where the OpenIddict validation handler will allow the DP integration to validate tokens...

BTW, you can remove `options.AddEncryptionCredentials(encryptionKey);` and `options.UseDataProtection();` as they should have no effect when using introspection.

> introspection asks the authorization server if the token they received is valid

Yes, that's exactly what it does (by sending a backchannel HTTP request).