
Identity Server client_credentials Grant Type #3834


jopperman@waltons.co.za created
  • ABP Framework version: v5.3.3
  • UI type: Blazor Server
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): no
  • Exception message and stack trace:
    [23:06:20 INF] Request starting HTTP/2 GET https://localhost:44308/api/app/invoices?AccountCode=GPXYZ824&CreatedDateTimeMin=2022-09-01&CreatedDateTimeMax=2022-12-31 - -
    [23:06:21 DBG] PermissionStore.GetCacheItemAsync: pn:C,pk:ClientDemo,n:Titan.Invoices
    [23:06:21 DBG] Found in the cache: pn:C,pk:ClientDemo,n:Titan.Invoices
    [23:06:21 INF] Authorization failed. These requirements were not met: PermissionRequirement: Titan.Invoices
    [23:06:21 INF] AuthenticationScheme: Bearer was forbidden.
    [23:06:21 INF] Request finished HTTP/2 GET https://localhost:44308/api/app/invoices?AccountCode=GPXYZ824&CreatedDateTimeMin=2022-09-01&CreatedDateTimeMax=2022-12-31 - - - 403 - - 4.2358ms

Hi, we are attempting to authenticate an external system using the client_credentials grant type.

We have set up the client through the Identity Server UI and granted permission. We are able to retrieve a token from /connect/token that includes a scope and the audience; however, when we use the token to access any API we receive the above error stating that permissions are not granted.

If we create a regular user and authenticate through the password grant type we are able to access the API; however, this is not what we want, as the credentials could be used to access the frontend.

I have aligned the settings (incl. permissions) for the new client with the default ProjectName_App client. If I use ProjectName_App as the client_id the API calls complete successfully. If I use the test client it fails due to permissions.

The tokens received back are near identical; the only difference is the client_id.

What am I missing?


2 Answer(s)
  • jopperman@waltons.co.za created

    According to the log, the audience is invalid; below is the JWT and module code:

    2022-10-12 00:44:56.852 +02:00 [INF] Request starting HTTP/1.1 GET https://REDACTED/api/app/orders application/json -
    2022-10-12 00:44:56.854 +02:00 [INF] Failed to validate the token.
    Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'System.String'. Did not match: validationParameters.ValidAudience: 'System.String' or validationParameters.ValidAudiences: 'System.String'.
       at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
       at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
       at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
       at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
    2022-10-12 00:44:56.854 +02:00 [INF] Bearer was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'System.String'. Did not match: validationParameters.ValidAudience: 'System.String' or validationParameters.ValidAudiences: 'System.String'.
    2022-10-12 00:44:56.855 +02:00 [INF] Executing endpoint 'Waltons.Switch.Controllers.Orders.OrderController.GetListAsync (Waltons.Switch.HttpApi)'
    2022-10-12 00:44:56.855 +02:00 [INF] Route matched with {area = "app", controller = "Order", action = "GetList", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[Volo.Abp.Application.Dtos.PagedResultDto`1[Waltons.Switch.Orders.OrderWithNavigationPropertiesDto]] GetListAsync(Waltons.Switch.Orders.GetOrdersInput) on controller Waltons.Switch.Controllers.Orders.OrderController (Waltons.Switch.HttpApi).
    2022-10-12 00:44:56.866 +02:00 [INF] Authorization failed. These requirements were not met: PermissionRequirement: Switch.Orders
    2022-10-12 00:44:56.868 +02:00 [WRN] ---------- RemoteServiceErrorInfo ----------
    { "code": "Volo.Authorization:010001", "message": "Authorization failed! Given policy has not granted.", "details": null, "data": {}, "validationErrors": null }
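
The two failures in this thread are easiest to separate by looking at the token itself: the first log (`pn:C,pk:ClientDemo`) shows ABP resolving permissions for the client, not for a user, because a client_credentials token carries no user subject; the second log (IDX10214) shows the API rejecting the `aud` claim, with the real values hidden behind `System.String` until PII logging is enabled. The script below is an added diagnostic example, not code from ABP or from anyone in this thread. It decodes a JWT payload without verifying the signature (inspection only), applies the same audience rule JwtBearer uses (the token's `aud`, string or array, must contain `ValidAudience` or one of `ValidAudiences`), and diffs the claims of two tokens so the `client_id` / `sub` difference is visible. All tokens and claim values (`Titan`, `Titan_App`, `ExternalSystem`) are constructed placeholders, and the `alg: none` builder exists only to produce sample input offline.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying its signature.
    Use this for troubleshooting only; never authorize on unverified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def audience_is_valid(claims: dict, valid_audience=None, valid_audiences=()) -> bool:
    """Mirror the rule behind IDX10214: 'aud' may be a string or an array, and at
    least one value must equal ValidAudience or appear in ValidAudiences."""
    aud = claims.get("aud")
    if aud is None:
        return False
    token_auds = [aud] if isinstance(aud, str) else list(aud)
    expected = set(valid_audiences)
    if valid_audience:
        expected.add(valid_audience)
    return any(a in expected for a in token_auds)


def diff_claims(a: dict, b: dict, ignore=("iat", "nbf", "exp", "jti")) -> dict:
    """Claims that differ between two tokens, ignoring per-token timestamps and ids.
    A missing claim shows up as None, e.g. 'sub' absent from a client_credentials token."""
    keys = (set(a) | set(b)) - set(ignore)
    return {k: (a.get(k), b.get(k)) for k in sorted(keys) if a.get(k) != b.get(k)}


def make_unsigned_token(claims: dict) -> str:
    # Constructed sample input only: an 'alg: none' token is never acceptable to a real API.
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed claim sets shaped like IdentityServer access tokens (placeholder names).
APP_CLAIMS = {"iss": "https://localhost:44308", "aud": "Titan", "client_id": "Titan_App",
              "scope": ["Titan"], "sub": "user-1", "exp": 1700000000}      # password grant: has sub
EXTERNAL_CLAIMS = {"iss": "https://localhost:44308", "aud": "Titan", "client_id": "ExternalSystem",
                   "scope": ["Titan"], "exp": 1700000100}                  # client_credentials: no sub
WRONG_AUD_CLAIMS = {"iss": "https://localhost:44308", "aud": "OtherApi", "client_id": "ExternalSystem",
                    "scope": ["OtherApi"], "exp": 1700000200}              # would trigger IDX10214


def inspect(token: str, api_audience: str) -> dict:
    """One-stop report for a token: its claims, whether the API would accept its
    audience, and which principal ABP will look up permissions for."""
    claims = decode_jwt_payload(token)
    return {
        "audience_ok": audience_is_valid(claims, valid_audience=api_audience),
        # ABP keys permissions on the user (sub) when present, otherwise on the client.
        "permission_principal": ("user", claims["sub"]) if "sub" in claims
                                else ("client", claims.get("client_id")),
    }


if __name__ == "__main__":
    app_tok = make_unsigned_token(APP_CLAIMS)
    ext_tok = make_unsigned_token(EXTERNAL_CLAIMS)
    print("diff:", diff_claims(decode_jwt_payload(app_tok), decode_jwt_payload(ext_tok)))
    print("external:", inspect(ext_tok, "Titan"))
    print("wrong aud:", inspect(make_unsigned_token(WRONG_AUD_CLAIMS), "Titan"))
```

When `audience_ok` is False the API's `ValidAudience` (the ABP `AuthServer:Audience` style setting) and the token's `aud` disagree, which is exactly the IDX10214 case; when it is True but the call still returns 403, the token is accepted and the missing piece is the permission grant for the principal reported in `permission_principal`, which for a client_credentials token is the client itself rather than any user.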

  • maliming created
    Support Team

    hi

    //You can disable this setting in production to avoid any potential security risks.
    Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
    
Made with ❤️ on ABP v9.2.0-preview. Updated on January 21, 2025, 12:34