Using AccessTokenValidation 2.2 in ASP.NET5 about identityserver3.accesstokenvalidation HOT 5 CLOSED

you need to debug I guess. Maybe because the Katana logger factory is not set up.

— 
cheers
Dominick Baier

On 23 Sep 2015 at 00:24:08, jraadt ([email protected]) wrote:

I have everything working with AccessTokenValidation 1.2.2, but when I upgrade the library to 2.2.0 I get the following NullReferenceException. I don't have this running on the same server as the IdentityServer.

at IdentityServer3.AccessTokenValidation.ValidationEndpointTokenProvider..ctor(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory) in c:\etc\Dropbox\identity\IdentityServer3\AccessTokenValidation\source\AccessTokenValidation\Plumbing\ValidationEndpointTokenProvider.cs:line 39
at Owin.IdentityServerBearerTokenValidationAppBuilderExtensions.ConfigureEndpointValidation(IdentityServerBearerTokenAuthenticationOptions options, ILoggerFactory loggerFactory) in c:\etc\Dropbox\identity\IdentityServer3\AccessTokenValidation\source\AccessTokenValidation\IdentityServerBearerTokenValidationAppBuilderExtensions.cs:line 92
at Owin.IdentityServerBearerTokenValidationAppBuilderExtensions.UseIdentityServerBearerTokenAuthentication(IAppBuilder app, IdentityServerBearerTokenAuthenticationOptions options) in c:\etc\Dropbox\identity\IdentityServer3\AccessTokenValidation\source\AccessTokenValidation\IdentityServerBearerTokenValidationAppBuilderExtensions.cs:line 55
at MyProject.Startup.<>c__DisplayClass1_0.<Configure>b__2(IAppBuilder builder) in C:\MyApp\src\MyProject\Startup.cs:line 55
at MyProject.IApplicationBuilderExtensions.<>c__DisplayClass0_0.<UseAppBuilder>b__1(Func`2 next) in C:\MyApp\src\MyProject\IApplicationBuilderExtensions.cs:line 21
at Microsoft.AspNet.Builder.OwinExtensions.<>c__DisplayClass0_1.<UseOwin>b__1(RequestDelegate next1)
at Microsoft.AspNet.Builder.Internal.ApplicationBuilder.Build()
at Microsoft.AspNet.Hosting.Internal.HostingEngine.BuildApplication()
at Microsoft.AspNet.Hosting.Internal.HostingEngine.Start()
at Microsoft.AspNet.Loader.IIS.RuntimeHttpApplication.ApplicationStart(IHttpApplication application)
at Microsoft.AspNet.Loader.IIS.HttpApplicationBase.InvokeApplicationStart(IHttpApplication application)

It's erroring on the builder.UseIdentityServerBearerTokenAuthentication(options); part of my Startup.cs file:

public void Configure(IApplicationBuilder app, ILoggerFactory loggerfactory)
{
    ...
    var options = new IdentityServerBearerTokenAuthenticationOptions
    {
        Authority = "http://my-identity-server/oauth",
        RequiredScopes = new string[] { "my_api" }
    };
    app.UseAppBuilder(builder => { builder.UseIdentityServerBearerTokenAuthentication(options); }, "WebApi");

    app.UseMvc();
}

And here is the IApplicationBuilderExtensions class:

public static class IApplicationBuilderExtensions
{
public static IApplicationBuilder UseAppBuilder(this IApplicationBuilder app, Action configure, string owinHostAppName)
{
app.UseOwin(addToPipeline =>
{
addToPipeline(next =>
{
var builder = new Microsoft.Owin.Builder.AppBuilder();
builder.Properties["builder.DefaultApp"] = next;
builder.Properties["host.AppName"] = owinHostAppName;
configure(builder);

            var appFunc = builder.Build(typeof(Func<IDictionary<string, object>, Task>)) as Func<IDictionary<string, object>, Task>;
            return appFunc;
        });
    });
    return app;
}

}

—
Reply to this email directly or view it on GitHub.

from identityserver3.accesstokenvalidation.

Thanks for the quick response. I ended trying the ASP.NET 5 OAuth 2.0 middleware that supports JWTs out of the box (app.UseOAuthBearerAuthentication) and it seemed to work fine.

from identityserver3.accesstokenvalidation.

But it does not do scope verification. See my asp5 sample.

from identityserver3.accesstokenvalidation.

It was your asp5 sample that lead me down the path to the "out of the box" solution so I also included your RequiredScopesMiddleware. The big difference I'm having between these solutions is the AccessTokenValidation returned nice 401s when validation failed, such as token expiration. The "out of the box" throws an SecurityTokenExpiredException which returns a 500. I tried to catch that exception, but it seems that same class with the same classpath also exists in your IdentityModel package, which I also need in this project. So I couldn't figure out a way to use SecurityTokenExpiredException since it exists in both Microsoft and your libraries with the same classpath.

from identityserver3.accesstokenvalidation.

Open an issue at github/aspnet in the security repo. Sounds like a bug to me

Sent from my iPad

On 24 Sep 2015, at 20:59, jraadt [email protected] wrote:

It was your asp5 sample that lead me down the path to the "out of the box" solution so I also included your RequiredScopesMiddleware. The big difference I'm having between these solutions is the AccessTokenValidation returned nice 401s when validation failed, such as token expiration. The "out of the box" throws an SecurityTokenExpiredException which returns a 500. I tried to catch that exception, but it seems that same class with the same classpath also exists in your IdentityModel package, which I also need in this project. So I couldn't figure out a way to use SecurityTokenExpiredException since it exists in both Microsoft and your libraries with the same classpath.

—
Reply to this email directly or view it on GitHub.

from identityserver3.accesstokenvalidation.