OpenIddict: Authentication flow whit an SSO microservice, another microservice and an Angular App

[MarGraz]

Hi,

We are having a problem getting the authentication token with OpenIddict. Here is how our Orchard Core 1.8.3 microservices are configured:

Our Environment:

• Angular App
• Orchard Core 1.8.3 microservice called SSO
• Orchard Core 1.8.3 microservice called Books (custom API)

Our Flow:

1. Our Angular App is authenticated by calling the SSO (using Authorization Code Flow).
2. The Angular App then calls the Books microservice's custom controller with the token provided by the SSO.
3. The Books microservice must validate the received token by calling the SSO microservice. If the user is authorized, they can access the action, otherwise, they can't.

This is what we have on top of our Book API controller:

    [Route("api/books")]
    [Authorize(AuthenticationSchemes = "Api"), IgnoreAntiforgeryToken]
    [ApiController]
    public class BookApiController : Controller
    {
     ...
    }

Questions:

How can we configure the Books microservice to achieve this?

Thank you 😊

[Piedone]

I won't be able to help, but @kevinchalet perhaps you have some pointers?

[MarGraz]

@kevinchalet yes, SSO and Books are both two separate Orchard Core apps, version 1.8.3. We will try to follow your suggestion and I will let you know.

Thank you

[MarGraz]

@kevinchalet We set up the SSO and the Books endpoint as you suggested. Please see the picture below:

We are able to obtain the bearer token with the specified scope on the server side, but when we attempt to call the Books endpoint, we either receive a 401 Unauthorized error (if we configure the ApiController with Authorize like this):

    [Route("api/books")]
    [Authorize(AuthenticationSchemes = "Api"), IgnoreAntiforgeryToken]
    [ApiController]
    public class BookApiController : Controller
    {
        private readonly IBookHandler _bookHandler;

        public BookApiController(IBookHandler bookHandler)
        {
            _bookHandler = bookHandler;
        }
        
        ...
    }

Or we get the HTML login page if we configure the controller like this:

    [Route("api/books")]
    [Authorize, IgnoreAntiforgeryToken]
    [ApiController]
    public class BookApiController : Controller
    {
        private readonly IBookHandler _bookHandler;

        public BookApiController(IBookHandler bookHandler)
        {
            _bookHandler = bookHandler;
        }
        
        ...
    }

Do you know what might be causing this?

UPDATE

We tried from Postman with Authorization Code flow, calling Books API, of course first obtaining the bearer token. But in the header response, in the WWW-Authenticate we get this error: Bearer error="invalid_token", error_description="The specified token cannot be used with this resource server.", error_uri="https://documentation.openiddict.com/errors/ID2094"

Postman config:

App configuration SSO side:

Thank you

[kevinchalet]

You'll need to create at least one scope in the server app with the Bookstore.SSO resource attached. Then, allow the client app to use that scope in the UI and add it to the list of requested scopes: that error should go away.

[Piedone]

You should demo your bookstore app @MarGraz on our Tuesday meeting when you're ready :).

[MarGraz]

@kevinchalet now it works 🥳🍾

We followed your instructions, and in the SSO microservice (OpenId Server side), we created a new Scope and added Bookstore.SSO as an Additional resource, as shown in the image below:

Then, in the Books OpenId Application (the one dedicated to the Books microservice), we selected the new scope from the list. See the picture below:

On the client side (OpenId client side), specifically in the Books microservice, we added the Audience value Bookstore.SSO. See the picture below:

Finally, in Postman, we added Test_SSO as the Scope value and obtained the access token in the Authorization blade.

Question:

We noticed a strange behavior. Previously, we did the same with the "login_sso" scope by just editing it, but it didn’t work. Is it possible that when we edit a scope, the Additional resources are bugged and not updated correctly?

Thank you