OrchardCore.Contents API: Admin user is not able to GET a content, an error 401 unauthorized is returned, but if I grant all privileges to the "anonymous" user role, it works #15381
Comments
@kevinchalet any idea before I try to reproduce the issue, coz you're our OpenID guru :)
A 401 HTTP response returned by the OpenIddict validation stack typically indicates a missing or invalid token (a permission issue should always result in a 403 response instead), but in this case, there's no trace of a
@MarGraz have you enabled the OpenID validation feature? It's required if you want to use bearer token authentication in the same tenant as the authorization server.
@hishamco @kevinchalet, activating the "OpenId Token Validation" feature works 😊 I was thinking that, because the "OpenId Authorization Server" doesn't activate the "OpenId Token Validation" automatically, it was not necessary for the OpenId server to have the "OpenId Token Validation" feature. I thought it was implicit for the server to validate tokens. I expected to activate and use the "OpenId Token Validation" feature for the "OpenId Client", and not for the authorization server. Maybe it's necessary to clarify in the description of the "OpenId Authorization Server" feature, or in the "OpenId Token Validation" feature, that activating the "OpenId Token Validation" is necessary to get tokens validated in this case. What do you think? Thank you so much. Current descriptions:
Actually, the OpenID server feature only validates tokens for endpoints it controls (e.g. the userinfo endpoint). For any other endpoint, it's the OpenID token validation feature that takes care of that (there's no relationship between the token validation feature and the client feature, which is completely separate).
Sure, feel free to send a PR to clarify the descriptions 👍🏻
According to this discussion OrchardCMS#15381 (comment), I have added a "Note" in the description of the "OpenID Authorization Server" feature. I'm not sure if it's the right place to add a note, but it's the only place available.
The description has been fixed in #15407. Closing.
Describe the bug
According to what was discussed here with @hishamco, I'm opening this issue to verify it.
The module OrchardCore.Contents exposes an ApiController.cs with endpoints to create, update, and delete content items created in the "Admin" backoffice. Using Postman, it's possible to call the ApiController.cs endpoints after configuring the "OpenID Connect" OpenID Authorization Server module. I tested this using the "Try Orchard" website. The authentication process is successful, and I receive a valid OAuth 2 token. But, when attempting to use the "Admin" user, which is supposed to have the highest privileges, I cannot perform GET, UPDATE, or DELETE operations; I receive a 401 unauthorized error. Instead, if I grant all privileges to the "anonymous" user role to call the API, and remove the OAuth token, it works.
To Reproduce
Steps to reproduce the behavior:
NOTE: As mentioned, I'm using a temporary "try.orchardcore" website, which is why I'm sharing the credentials here. They will expire along with the temporary website.
Expected behavior
The "Admin" user**, which is supposed to have the highest privileges, must be able to retrieve a content from the GET endpoint.
Screenshots
Postman Authorization blade configuration