Comments (22)
If both idsrv and the access token val MW are in the same app - there might be a race condition. Since the discovery endpoint might not be up yet when.
In 2.2 we allow configuring the val MW statically (released today)
from identityserver3.accesstokenvalidation.
in the docs - of course ;)
from identityserver3.accesstokenvalidation.
@FullyCSharped Glad to hear that it's working! It was a nice to have for me, so I ended up using basic auth + encryption on my scenario.
Can you please share your Startup.cs file? Might help others in the future.
from identityserver3.accesstokenvalidation.
Found it: https://identityserver.github.io/Documentation/docsv2/consuming/options.html
It's working when IssuerName and SigningCertificate are added to the API config. But somehow the API config needs to be above the Identity manager mapping. If it's below app.Map("/admin", adminApp => ...) then it still fails.
from identityserver3.accesstokenvalidation.
Try:
RequiredScopes = new string[] { "idmgr" }
from identityserver3.accesstokenvalidation.
Unfortunately it's not the issue. The configuration is from the MVC Authorization example ("string" not there).
The exception happens directly at: app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
from identityserver3.accesstokenvalidation.
Are you sure Authority is not null?
from identityserver3.accesstokenvalidation.
Yes, it's the same result if I hard-code it as string. Here is my complete startup config if that can help:
public void Configuration(IAppBuilder app)
{
    Log.Logger = new LoggerConfiguration()
        .WriteTo.ExceptionLess(b => b.AddTags("IdentityServer").AddRequestInfo())
        .CreateLogger();
    var defaultExceptionlessClient = ExceptionlessClient.Default;
    defaultExceptionlessClient.Configuration.UseInMemoryStorage();
    defaultExceptionlessClient.Register();
    new Exception("System Startup").ToExceptionless().Submit();
    AntiForgeryConfig.UniqueClaimTypeIdentifier = Constants.ClaimTypes.Subject;
    JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
    app.Map("/core", core =>
    {
        var idSvrFactory = Factory.ConfigureClientsAndScopes(Settings.Default.ConnectionStringName);
        idSvrFactory.ConfigureUserService(Settings.Default.ConnectionStringName);
        var viewOptions = new DefaultViewServiceOptions();
        viewOptions.Stylesheets.Add("/Content/New/Site.css");
        viewOptions.CacheViews = false;
        idSvrFactory.ConfigureDefaultViewService(viewOptions);
        var options = new IdentityServerOptions
        {
            SiteName = "Identity Server",
            SigningCertificate = Certificate.Get(),
            Factory = idSvrFactory,
            EnableWelcomePage = false,
            AuthenticationOptions = new AuthenticationOptions
            {
                IdentityProviders = ConfigureIdentityProviders,
                EnablePostSignOutAutoRedirect = true,
                LoginPageLinks = new LoginPageLink[] {
                    new LoginPageLink{
                        Text = "Register",
                        Href = "~/registration"
                    },
                    new LoginPageLink{
                        Text = "Forgot Password?",
                        Href = "~/forgotpassword"
                    }
                }
            }
        };
        core.UseIdentityServer(options);
    });
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
    });
    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        Authority = Settings.Default.Authority,
        ClientId = "idmgr",
        RedirectUri = Settings.Default.IdMgrRedirectUri,
        ResponseType = "id_token",
        Scope = "openid idmgr",
        SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
    });
    app.Map("/admin", adminApp =>
    {
        var factory = new IdentityManagerServiceFactory();
        factory.ConfigureSimpleIdentityManagerService(Settings.Default.ConnectionStringName);
        adminApp.UseIdentityManager(new IdentityManagerOptions()
        {
            Factory = factory,
            SecurityConfiguration = new HostSecurityConfiguration()
            {
                HostAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                NameClaimType = Constants.ClaimTypes.Subject,
                RoleClaimType = Constants.ClaimTypes.Role,
                AdminRoleName = "SystemAdministrator",
            },
        });
    });
    // API Config
    app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
    {
        Authority = Settings.Default.Authority,
        RequiredScopes = new string[] { "idmgr" }
    });
    // web api configuration
    var config = new HttpConfiguration();
    config.Formatters.Remove(config.Formatters.XmlFormatter);
    config.MapHttpAttributeRoutes();
    app.UseWebApi(config);
}
from identityserver3.accesstokenvalidation.
That sounds like a solution. Where should I look?
Thanks mate.
from identityserver3.accesstokenvalidation.
yeah order matters.
from identityserver3.accesstokenvalidation.
@leastprivilege I know this is closed, but we are seeing a similar issue (same error when enabling the feature). When you mention that order matters, can you expand on that? Why does it fail if executed after the mapping? Also, we are not using Identity Manager, just IdSrv 2.3 with EF.
In our case, much as above, we have the IdSrv and MVC client app running in the same application. There are 3 OWIN middlewares that are loaded separately in this order:
- ID Server (Mapped to /identity)
- MVC with API (Orchard CMS mapped to root)
- app.UseIdentityServerBearerTokenAuthentication
It doesn't matter if we initialize UseIdentityServerBearerTokenAuthentication in the same MVC startup, we still get the exact same error.
System.NullReferenceException: Object reference not set to an instance of an object.
at IdentityServer3.AccessTokenValidation.ValidationEndpointTokenProvider..ctor(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory)
at Owin.IdentityServerBearerTokenValidationAppBuilderExtensions.ConfigureEndpointValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory)
at Owin.IdentityServerBearerTokenValidationAppBuilderExtensions.UseIdentityServerBearerTokenAuthentication(IAppBuilder app, IdentityServerBearerTokenAuthenticationOptions options)
at NFLPA.Web.Module.IdentityClient.StartupOAuthAPIFeature.<>c.<GetOwinMiddlewares>b__0_0(IAppBuilder app)
from identityserver3.accesstokenvalidation.
It looks like the issue may be with the logger actually. app.GetLoggerFactory() returns null and because of that, my guess is that it fails here:
from identityserver3.accesstokenvalidation.
I have the same problem... when updated from 2.0 to 2.5 IDS3 server.
For me too it is a concurrency problem..
app.UseIdentityServerBearerTokenAuthentication(...);
tries to request the discovery document at time t0 where the IDS server is not ready.
A unique project with IdentityServer and API resources in a single assembly, is there some workaround? Sorry but I didn't understand if it was solved.
from identityserver3.accesstokenvalidation.
Did you set DelayLoadMetadata? https://github.com/IdentityServer/IdentityServer3.AccessTokenValidation/blob/master/source/AccessTokenValidation/IdentityServerBearerTokenAuthenticationOptions.cs#L190
from identityserver3.accesstokenvalidation.
It's even documented (now) ;)) https://identityserver.github.io/Documentation/docsv2/consuming/options.html
from identityserver3.accesstokenvalidation.
I can confirm this is still happening:
[NullReferenceException: Object reference not set to an instance of an object.]
IdentityServer3.AccessTokenValidation.IdentityServerBearerTokenValidationMiddleware..ctor(Func`2 next, IAppBuilder app, IdentityServerOAuthBearerAuthenticationOptions options, ILoggerFactory loggerFactory) in c:\local\identity\server3\AccessTokenValidation\source\AccessTokenValidation\IdentityServerBearerTokenValidationMiddleware.cs:52
lambda_method(Closure , Func`2 , IAppBuilder , IdentityServerOAuthBearerAuthenticationOptions , ILoggerFactory )
IdentityServer, Manager, and Admin in the same project. Tried DelayLoadMetadata with no success.
It doesn't throw an exception when I move it before the Manager auth setup but then I can no longer access the Manager API.
I'm basically trying to expose a User API which will only be used from an application previously authenticated via IdentityServer3.
Any ideas?
from identityserver3.accesstokenvalidation.
@florindpreda, did you manage to find a solution for this? I am at exactly the same point as you are.
from identityserver3.accesstokenvalidation.
It works for me now, the order matters really!!!! I put the api config before Identityserver settings
from identityserver3.accesstokenvalidation.
@FullyCSharped
Could you please share the startup file. I also have the issue.
from identityserver3.accesstokenvalidation.
@leastprivilege About the docs for static JWTs configuration, what am I expected to put in the IssuerName field? I'm trying to understand what I need to do to use a common name both in this IssuerName field and in my IdentityServer3 server, so that, when the authentication/authorization processes are executed, everything will work as expected. That is, my IdentityServer3 server will be properly found by my ASP.NET WebApi server.
from identityserver3.accesstokenvalidation.
I can confirm that the reported solution from @dcinzona resolved this issue for me. Simply place app.SetLoggerFactory(new DiagnosticsLoggerFactory()); on the line before app.UseIdentityServerBearerTokenAuthentication(....
from identityserver3.accesstokenvalidation.
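The fixes reported in this thread (logger factory set first, static IssuerName and SigningCertificate, API config registered before the app.Map(...) calls), put together in one Startup as an added example; this is not code from any poster or from the IdentityServer project. The issuer URL and the certificate subject name are placeholders, and the note that IssuerName has to equal the issuer written into the tokens is standard JWT issuer validation, not a statement taken from the thread.

```csharp
using System.Security.Cryptography.X509Certificates;
using System.Web.Http;
using IdentityServer3.AccessTokenValidation;
using Microsoft.Owin.Logging;
using Owin;

public class Startup
{
    // Placeholder: must equal the issuer ("iss") that IdentityServer writes into its tokens.
    private const string Issuer = "https://idsrv.example/core";

    public void Configuration(IAppBuilder app)
    {
        // Reported fix for the NullReferenceException: app.GetLoggerFactory() returned null,
        // so set a logger factory before the validation middleware is constructed.
        app.SetLoggerFactory(new DiagnosticsLoggerFactory());

        // Static configuration: issuer and signing certificate are given up front
        // instead of setting Authority and relying on the discovery endpoint.
        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            IssuerName = Issuer,
            SigningCertificate = LoadSigningCertificate(),
            RequiredScopes = new[] { "idmgr" }
        });

        // The existing app.Map("/core", ...) and app.Map("/admin", ...) registrations
        // follow here, after the API config, as posters in the thread reported.

        var config = new HttpConfiguration();
        config.MapHttpAttributeRoutes();
        app.UseWebApi(config);
    }

    // Reads the certificate from the machine store; the subject name is a placeholder.
    private static X509Certificate2 LoadSigningCertificate()
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindBySubjectName, "idsrv-signing-placeholder", true);
            if (found.Count == 0) throw new System.InvalidOperationException("Signing certificate not found.");
            return found[0];
        }
        finally { store.Close(); }
    }
}
```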
We are using
app.UseIdentityServerBearerTokenAuthentication(
    New IdentityServerBearerTokenAuthenticationOptions() With {
        .Authority = "https://first.com:443",
        .ValidationMode = ValidationMode.ValidationEndpoint,
        .ValidationResultCacheDuration = New TimeSpan(0, 0, 200),
        .EnableValidationResultCache = True
    })
in our web API, and on https://first.com:443 our identity server is running, which validates the token. How could we know that the identity server is down?
from identityserver3.accesstokenvalidation.