Issue with setting up a stand alone Resource Server #1359
Comments
Hey @mcalasa, Thanks for sponsoring the project! 👍🏻 I suspect the issue you're seeing is caused by the fact the request is handled by the Web API web host instead of the OWIN integration, which seems to be confirmed by the missing
No problem, glad to sponsor such an awesome project. For line item 1, not sure if this is the correct way to remove the reference to the Web API web host but in the global.asax I commented out GlobalConfiguration.Configure(WebApiConfig.Register) as shown below:

```csharp
public class WebApiApplication : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        AreaRegistration.RegisterAllAreas();
        //GlobalConfiguration.Configure(WebApiConfig.Register);
        FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
        RouteConfig.RegisterRoutes(RouteTable.Routes);
        BundleConfig.RegisterBundles(BundleTable.Bundles);
    }
}
```

For line item 2, I modified the startup.cs file in my Resource Server based on the Kalarba sample that you provided.

```csharp
using System.Reflection;
using System.Web.Http;
using Autofac;
using Autofac.Extensions.DependencyInjection;
using Autofac.Integration.WebApi;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Owin;
using OpenIddict.Server.Owin;
using OpenIddict.Validation.Owin;
using Owin;

[assembly: OwinStartup(typeof(Sample.OpenIddict.ResourceServer.Example.Startup))]

namespace Sample.OpenIddict.ResourceServer.Example
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=316888
            var container = CreateContainer();

            // Register the Autofac scope injector middleware.
            app.UseAutofacLifetimeScopeInjector(container);

            // Register the two OpenIddict server/validation middleware.
            app.UseMiddlewareFromContainer<OpenIddictServerOwinMiddleware>();
            app.UseMiddlewareFromContainer<OpenIddictValidationOwinMiddleware>();

            var configuration = new HttpConfiguration
            {
                DependencyResolver = new AutofacWebApiDependencyResolver(container)
            };

            configuration.MapHttpAttributeRoutes();

            // Configure ASP.NET Web API to use token authentication.
            configuration.Filters.Add(new HostAuthenticationFilter(OpenIddictValidationOwinDefaults.AuthenticationType));

            // Register the Web API/Autofac integration middleware.
            app.UseAutofacWebApi(configuration);
            app.UseWebApi(configuration);
        }

        private static IContainer CreateContainer()
        {
            var services = new ServiceCollection();

            services.AddLogging(logging =>
            {
                logging.AddDebug();
                logging.SetMinimumLevel(LogLevel.Trace);
            });

            // Register the OpenIddict validation components.
            services.AddOpenIddict()
                .AddValidation(options =>
                {
                    // Note: the validation handler uses OpenID Connect discovery
                    // to retrieve the address of the introspection endpoint.
                    options.SetIssuer("https://localhost:44300/");
                    options.AddAudiences("TestAPI");

                    // Configure the validation handler to use introspection and register the client
                    // credentials used when communicating with the remote introspection endpoint.
                    options.UseIntrospection()
                        .SetClientId("TestAPI")
                        .SetClientSecret("1cf0d681bc3c4e31a273b0203496983e");

                    // Register the System.Net.Http integration.
                    options.UseSystemNetHttp();

                    // Register the Owin host.
                    options.UseOwin();
                });

            var builder = new ContainerBuilder();
            builder.Populate(services);
            builder.RegisterApiControllers(Assembly.GetExecutingAssembly());

            return builder.Build();
        }
    }
}
```

When I try to start the Resource Server I get this error.

I'm beginning to think there is something with this project template from Visual Studio that is causing this issue. Should this be a self-hosting Owin application instead? I do apologize in advance if I'm missing something in registering the OpenIddict middleware, I'm just wrapping my head around how OWIN works due to an existing ASP.NET 4.8 project that I will have to convert to OWIN. |
It's correct. You'll probably want to go one step further and ensure this NuGet package is not referenced by your project: https://www.nuget.org/packages/Microsoft.AspNet.WebApi.WebHost/
I think the issue is way more trivial. Since your API doesn't have the authorization server in the same project,
Awesome, the site is up and running now once I commented out:
I think this is close to working. When I make a request to the resource server to access the protected resource I get this error in Postman:

I am passing the authorization header with the token in the request. This is what I get in the logs after the request is made:

This is the latest update code for the protected resource:

```csharp
using OpenIddict.Validation.Owin;
using System.Collections.Generic;
using System.Web.Http;

namespace Sample.OpenIddict.ResourceServer.Example.Controllers
{
    //[HostAuthentication(OpenIddictValidationOwinDefaults.AuthenticationType)]
    [RoutePrefix("api")]
    public class ValuesController : ApiController
    {
        [Authorize, HttpGet]
        [Route("values")]
        // GET api/values
        public IEnumerable<string> Get()
        {
            return new string[] { "value1", "value2" };
        }
    }
}
```

Not sure if it's a configuration issue on the Authorization Server which is Orchard Core with OpenId enabled. |
After doing a bit of research I think I figured out my issue with the error 'This resource server is currently unavailable.' and it may be that my Authorization Server (Orchard Core) does not have an introspection endpoint. I don't see any option to enable that endpoint as well. |
Your understanding is 100% correct: it's not a feature currently offered by the OrchardCore OpenID module, so the introspection endpoint is not enabled and OpenIddict returns a generic error when it detects there's no endpoint in the discovery document it can use when validating tokens. You have 3 options, depending on what you want to do:

```csharp
public void ConfigureServices(IServiceCollection services)
{
    services.AddOrchardCms()
        .ConfigureServices(services =>
        {
            services.AddOpenIddict()
                .AddServer()
                .SetIntrospectionEndpointUris("/connect/introspect");
        }, order: 10000);
}
```
|
I opened OrchardCMS/OrchardCore#10803 to track potential improvements in OC. |
Oh man that is pretty cool how you can plug that into Orchard Core. Thank you for submitting the improvement issue to Orchard Core, I'm going to keep my eye on it :-) Ok, I went with option 3 since this would be perfect for my scenario. Adding the inline plugin I now get a different error message and this one caught my attention: "This client application is not allowed to use the introspection endpoint." Here is the full log after the request was made to the resource server from Postman.
My bad, I forgot to mention that you'll also need to update the client entry in the database to allow it to use the introspection endpoint. For that, you can either access the SQL database manually and add |
Woo hoo! I added the permission using SQL and its working now!!! Man OpenIddict implementation is just missing a few pieces on the GUI side in OC but it's there. Thank you again! |
Glad you like it! It's indeed still a bit rough but I hope either the OC folks or I will be able to give it more love at some point 😄 |
I would be willing to do some work on this since I may have other use cases in implementing other flows besides client credentials. |
@kevinchalet I finally had the time to add the introspection permission endpoint into my orchard core using IOpenIdApplicationManager that you commented on here: #1359 (comment) and it was very straight forward. I think I'm going to add the revocation endpoint permission and give that a test drive as well. So cool! I'm going to submit a PR to Orchard Core for this when I'm done with everything. I'll be sure to discuss with the OC team beforehand of course :-) OrchardCMS/OrchardCore#10803 (comment) Thank you again for your guidance on this. |
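The two comments above (the maintainer's note that the client entry must be allowed to use the introspection endpoint, and the follow-up that did it through the application manager) describe the permission update without showing it. The helper below is an added example, not code from this thread, from OpenIddict or from Orchard Core. It uses OpenIddict's core `IOpenIddictApplicationManager` API, which Orchard Core's `IOpenIdApplicationManager` extends, so it can be resolved from either host; the class name `IntrospectionPermissionGranter` and the namespace are hypothetical. It grants exactly one endpoint permission (`ept:introspection`) to the named client and leaves everything else in the registration untouched, which is the least-privilege equivalent of the manual SQL edit.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using OpenIddict.Abstractions;
using static OpenIddict.Abstractions.OpenIddictConstants;

namespace Sample.OpenIddict.Tools
{
    // Hypothetical helper (added example; not part of OpenIddict or Orchard Core)
    // that allows one registered client application to call the introspection
    // endpoint, the permission the resource server in this thread was missing.
    public class IntrospectionPermissionGranter
    {
        private readonly IOpenIddictApplicationManager _manager;

        public IntrospectionPermissionGranter(IOpenIddictApplicationManager manager)
        {
            _manager = manager ?? throw new ArgumentNullException(nameof(manager));
        }

        // Returns true when the permission was added, false when it was already present.
        // Throws when no application with the given client_id exists, so a typo in the
        // client id surfaces immediately instead of silently doing nothing.
        public async Task<bool> GrantAsync(string clientId, CancellationToken cancellationToken = default)
        {
            var application = await _manager.FindByClientIdAsync(clientId, cancellationToken);
            if (application is null)
            {
                throw new InvalidOperationException($"No client application with client_id '{clientId}' was found.");
            }

            // Nothing to do when the client may already use introspection.
            if (await _manager.HasPermissionAsync(application, Permissions.Endpoints.Introspection, cancellationToken))
            {
                return false;
            }

            // Copy the stored registration into a descriptor, add the single endpoint
            // permission ("ept:introspection") and write the updated entry back.
            var descriptor = new OpenIddictApplicationDescriptor();
            await _manager.PopulateAsync(descriptor, application, cancellationToken);
            descriptor.Permissions.Add(Permissions.Endpoints.Introspection);

            await _manager.UpdateAsync(application, descriptor, cancellationToken);
            return true;
        }
    }
}
```

Resolve the helper (or the manager) from the authorization server's DI container and call `GrantAsync` once with the resource server's client id (`TestAPI` in the configuration posted earlier). The introspection call still requires the client secret configured on the validation side, so the permission only opens the endpoint to a client that can also authenticate; clients that do not validate tokens by introspection should not be given it.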
@mcalasa awesome! ❤️ Let me know if you need help for the OC PR 😃 |
@kevinchalet Will do. If I have any question I'll ask it here: OrchardCMS/OrchardCore#10803 (comment) |
Hello,
I'm trying to set up a standalone resource server that is exactly what is described here: #1340.
My resource server is an OWIN/ASP.NET 4.8 Web API 2 application that has a simple controller that will be the protected resource and will be using the Client Credentials flow. The project was created in Visual Studio using the ASP.NET Web Application (.NET Framework) template.
The issue I'm experiencing is when I make a request to the API using Postman I get the following error:
In this request I'm passing the Authorization header with the bearer token.
This is what I get from the logging after I made that request:
Here is the startup.cs code for the resource server:
This is the protected resource decorated with the HostAuthentication attribute
In regards to the error "No OWIN authentication manager is associated with the request." I made sure that the Microsoft.Owin.Host.SystemWeb is installed.
I also made sure that these two lines are not in the WebApiConfig.cs file:
I've also read the article of adding openiddict to an OWIN application (https://kevinchalet.com/2020/03/03/adding-openiddict-3-0-to-an-owin-application/) and I think I have it set up correctly. It seems that I'm missing something else and if I can be pointed to the right direction that would be much appreciated.
Thank you