openiddict-core

404 when requesting /connect/introspect

Open hakonn opened this issue 2 years ago • 3 comments

Hello, I have set up a website using the ASP.Net Identity Core. I've added OpenIddict to the web site for generating tokens for a Xamarin App which shall request an API (to get some website data). It works fine, I get a token using the PasswordFlow.

I want the API to use introspection for validation of the token. So I have added .SetIntrospectionEndpointUris("connect/introspect"). I'm testing it using Postman, but I only get 404 Not Found.

If I add a controller with an introspect method, I get 200. But as far as I can see from the examples (Zirku) I should not do that? I guess there is some built-in controller method for introspect? Or am I wrong?

My setup looks like this:


    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDbContext<ApplicationDbContext>(options =>
        {
            options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection"));
            options.UseOpenIddict();
        });
        
        services.AddDatabaseDeveloperPageExceptionFilter();

        services.AddDefaultIdentity<IdentityUser>(options => options.SignIn.RequireConfirmedAccount = false)
            .AddEntityFrameworkStores<ApplicationDbContext>();
        services.AddControllersWithViews();

        services.AddOpenIddict(options =>
        {
            options.AddCore(coreOpts =>
            {
                coreOpts.UseEntityFrameworkCore().UseDbContext<ApplicationDbContext>();
            });

            options.AddServer(server =>
            {
                server.SetTokenEndpointUris("/connect/token");
                server.SetIntrospectionEndpointUris("connect/introspect");

                server.AllowPasswordFlow();

                server.AddDevelopmentSigningCertificate();
                server.AddDevelopmentEncryptionCertificate();

                server.DisableAccessTokenEncryption();

                server.RegisterScopes("api");
                
                server.UseAspNetCore().EnableTokenEndpointPassthrough();
            });

            options.AddValidation(val =>
            {
                val.UseAspNetCore();
                val.UseLocalServer();
            });
        });

        services.AddHostedService<HostedApiClientService>();
    }


The log says this:

    Microsoft.AspNetCore.Hosting.Diagnostics: Information: Request starting HTTP/1.1 POST https://localhost:44383/connect/introspect application/x-www-form-urlencoded 781
    Microsoft.AspNetCore.HostFiltering.HostFilteringMiddleware: Trace: All hosts are allowed.
    Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware: Debug: POST requests are not supported
    Microsoft.AspNetCore.Routing.Matching.DfaMatcher: Debug: No candidates found for the request path '/connect/introspect'
    Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware: Debug: Request did not match any endpoints
    OpenIddict.Server.OpenIddictServerDispatcher: Debug: The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+InferEndpointType.
    OpenIddict.Server.OpenIddictServerDispatcher: Debug: The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ValidateTransportSecurityRequirement.
    OpenIddict.Server.OpenIddictServerDispatcher: Debug: The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+InferIssuerFromHost.
    OpenIddict.Validation.OpenIddictValidationDispatcher: Debug: The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessRequestContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+InferIssuerFromHost.
    Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler: Debug: AuthenticationScheme: Identity.Application was not authenticated.
    Microsoft.AspNetCore.Hosting.Diagnostics: Information: Request finished HTTP/1.1 POST https://localhost:44383/connect/introspect application/x-www-form-urlencoded 781 - 404 - - 27.1984ms

hakonn, Dec 20 '21 09:12

Hey,

Thanks for sponsoring the project, much appreciated!

Can you please try with /connect/introspect instead of connect/introspect to see if it makes any difference?

kevinchalet, Dec 20 '21 14:12

A small bug I should have seen myself. You saved my day. Thank you!

hakonn, Dec 20 '21 14:12

Glad it helped! I'll reopen this ticket and convert it to a bug report to track potential improvements to make the UX better (because well, it's quite hard to figure out what's going on).

Potential options:

  • Throwing an exception when calling Set*EndpointUris() with a relative path that doesn't start with /. This is the behavior we had before the OpenIddict server stack was decoupled from ASP.NET Core as PathString always throws an exception in this case.
  • Fix the underlying code to ensure even connect/introspect works flawlessly.

kevinchalet, Dec 20 '21 14:12
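
The fail-fast idea from the first option above can also be applied in application code. The following is an added example, not part of the original thread and not OpenIddict's own code: `RequireRootedEndpoint` is a hypothetical helper that rejects an endpoint value at startup when it is neither an absolute http(s) URI nor a path starting with `/`, so the misconfiguration surfaces as an exception instead of a 404 at request time.

```csharp
using System;

// Hypothetical helper (not an OpenIddict API): validate an endpoint value
// before it is handed to a Set*EndpointUris() call.
static string RequireRootedEndpoint(string value)
{
    if (string.IsNullOrWhiteSpace(value))
        throw new ArgumentException("Endpoint URI is empty.", nameof(value));

    // Rooted relative path such as "/connect/introspect". Checked on the raw
    // string first so the result does not depend on how System.Uri treats a
    // leading slash on the current platform. "//host/path" is not accepted.
    if (value.StartsWith('/') && !value.StartsWith("//", StringComparison.Ordinal))
        return value;

    // Absolute URI: only http and https make sense for an HTTP endpoint.
    if (Uri.TryCreate(value, UriKind.Absolute, out var uri) &&
        (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps))
        return value;

    throw new ArgumentException(
        $"Endpoint URI '{value}' must be an absolute http(s) URI or a path starting with '/'.",
        nameof(value));
}

// Constructed sample values: the two spellings from the thread plus an absolute URI.
var candidates = new[]
{
    "/connect/token",
    "connect/introspect",
    "https://localhost:44383/connect/introspect",
};

foreach (var candidate in candidates)
{
    try
    {
        Console.WriteLine($"accepted: {RequireRootedEndpoint(candidate)}");
    }
    catch (ArgumentException ex)
    {
        Console.WriteLine($"rejected: {ex.Message}");
    }
}

// In ConfigureServices the helper would wrap each configured value, e.g.
// server.SetIntrospectionEndpointUris(RequireRootedEndpoint("/connect/introspect"));
```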