
OpenID /connect/userinfo endpoint always returns 401 error #2630

Closed
petedavis opened this issue Nov 6, 2018 · 3 comments

@petedavis (Contributor)

I have enabled the OpenID server on the default tenant and enabled all the options. I have the client credentials flow set up to enable login with the default tenant credentials. However, if I go to the default tenant userinfo endpoint https://localhost:44300/connect/userinfo, the UserInfoController fails to authenticate and retrieve the user principal and returns 401.

```csharp
// Authenticate the bearer token with the userinfo scheme; a missing principal
// means the token was rejected, so the endpoint answers with a challenge (401).
var result = await HttpContext.AuthenticateAsync(OpenIdConstants.Schemes.Userinfo);
if (result?.Principal == null)
{
    return Challenge(OpenIdConstants.Schemes.Userinfo);
}
```

I am expecting to see claims from the logged in admin user.

@kevinchalet (Member)

The userinfo endpoint can only be used with access tokens representing users (hence the name). When you use the client credentials flow, the access token doesn't represent any user (not even the tenant's administrator): it represents the client application, that acts on its own behalf.

It's very likely that the 401 is returned by the next call:

```csharp
// Resolve the principal to an Identity user. A client credentials token has no
// user behind it, so this lookup returns null and the challenge (401) is issued here.
var user = await _userManager.GetUserAsync(result.Principal);
if (user == null)
{
    return Challenge(OpenIdConstants.Schemes.Userinfo);
}
```

As part of #1786, I introduced a new claim type that allows determining whether the access token represents a user or an application. When the access token doesn't represent a user, an error will be returned indicating why the userinfo endpoint cannot be used. It should make this requirement clearer.
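The distinction described in the comment above, as an added example that is not OrchardCore's own code: a small helper that classifies a ClaimsPrincipal as representing a user or a client application and returns a descriptive error for the application case instead of a bare 401. The claim type `token_subject_type` and its values `user` / `application` are assumptions for illustration; the page does not name the claim type introduced by #1786. Only System.Security.Claims is used, so it runs as a plain console program.

```csharp
using System;
using System.Security.Claims;

public static class UserinfoTokenCheck
{
    // Assumed claim name; the real claim type from #1786 is not given on this page.
    public const string SubjectTypeClaim = "token_subject_type";

    public enum TokenSubject { Unknown, User, Application }

    // Read the assumed claim and decide what kind of caller the token represents.
    public static TokenSubject Classify(ClaimsPrincipal principal)
    {
        var value = principal?.FindFirst(SubjectTypeClaim)?.Value;
        return value switch
        {
            "user" => TokenSubject.User,
            "application" => TokenSubject.Application,
            _ => TokenSubject.Unknown,
        };
    }

    // Map the classification to an HTTP status plus an RFC 6750 style error and
    // description, so a client learns why userinfo refused the token.
    public static (int Status, string Error, string Description) Evaluate(ClaimsPrincipal principal)
    {
        switch (Classify(principal))
        {
            case TokenSubject.User:
                return (200, null, null);
            case TokenSubject.Application:
                // Client credentials token: no user behind it, so userinfo cannot answer.
                return (401, "invalid_token",
                    "The access token represents a client application, not a user; userinfo requires a user token.");
            default:
                return (401, "invalid_token", "The access token is missing or could not be validated.");
        }
    }

    public static void Main()
    {
        // Constructed sample principals standing in for validated access tokens.
        var userToken = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "user-123"),
            new Claim(SubjectTypeClaim, "user"),
        }, "Bearer"));

        var clientToken = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim("client_id", "default-tenant-client"),
            new Claim(SubjectTypeClaim, "application"),
        }, "Bearer"));

        Console.WriteLine(Evaluate(userToken));
        Console.WriteLine(Evaluate(clientToken));
    }
}
```

In a controller, `Evaluate` would run after `HttpContext.AuthenticateAsync` succeeds and before the user lookup, so an application token produces the explanatory error rather than falling through to the null-user challenge.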

@sebastienros (Member)

close or documentation?

@kevinchalet (Member)

#1786 will make that clearer.
