I have a web API designed in Asp.Net core 2.1 and I am using self-signed tokens using the multi-tenant tokens.
The token is successfully authenticated and by the [Authorize] attribute on the controller. Now I am trying to access the subject inside the same using User.FindFirst("sub")?.Value.
The value of User is null even after the token is authenticated. I am expecting the claims from the validated token.
I could not find the reason for the User value being null. I could not find the reason for the User value being null.
What could be wrong?
Related
In my application, we have four different user roles. When I tried to generate the JWT token using postman, though the token is retrieved, it is not providing the user role so that I cannot inject the retrieved token in the respective endpoints.
So how can I retrieve the right token using postman
get : https://login.microsoftonline.com/tenantid/oauth2/token
Normally in the current authentication we’re using, after the user name and password is entered from login UI, the credentials are checked at server side and if the user is authorized then a JWT token is sent back to client and this JWT token is saved in localstorage. The [Authorize] tag is doing the authorization in the middleware.
I want to use Blazor’s CascadingAuthenticationState, AuthorizeView and JWT authentication without using Identity library, is this possible? Now I used Blazored.LocalStorage.IlocalStorageService and saved the token to localstorage. How can I add token to each requests. Most of examples are blazor webassembly. I could not find similar scenario like mine. Is Using Identity the only way to authentication blazor server app. I have to use my own server and middleware so I wont use Identity? Or maybe I should create hybrit way to use both of them. What is your suggestion?
I have an AuthorizationHandler that evaluates some authorization requirements for policy-based authorization. Some part of ASP.NET Core calls HandleRequirementAsync with an instance of AuthorizationHandlerContext.
Where does AuthorizationHandlerContext.User get populated?
For context, I look up some properties in AuthorizationContext.User that correspond to OAuth2 claims in a JWT access token that is included in the HTTP request. This is working fine when the JWT token was issued by IdentityServer4, but now I am adding support for access tokens to come from a secondary Identity Provider.
When the token is from this other provider, AuthorizationContext.User is a null object containing all-blank fields (i.e. it has none of the claims that are in the access token). This secondary identity provider (and its public key) are included in the JWT Bearer authentication scheme in TokenValidationParameters.ValidIssuers and TokenValidationParameters.IssuerSigningKeys, respectively.
This leads to the following log messages:
AuthenticationScheme: "Bearer" was successfully authenticated.
Authorization failed for user: <sub from the access token used in the request>
I'm using IdentityServer4 in ASP.NET Core 2.2. The client application (RP) is an API, also an ASP.NET Core 2.2 application. The user logs in using the authorization code flow and gets a cookie from IdentityServer (idsrv). They then get an authorization code and and access token for the API (RP).
I want to be able to revoke a user's existing login session and access tokens in some cases, e.g. if their password has been reset. In IdentityServer I've implemented added my own authentication scheme:
.AddCookie("MyAuthenticationScheme", options =>
{
options.SessionStore = new MyTicketStore();
options.EventsType = typeof(MyCookieAuthenticationEvents);
})
This allows me to invalidate the user's IdentityServer session on the server before the authentication ticket expires. For example, when the user is signed in I add a claim that stores the date their password was last changed and in MyCookieAuthenticationEvents.ValidatePrincipal() I check that it has not been changed since, as suggested on https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-2.2#react-to-back-end-changes
I want to do the same with the access token they use the access the RP. If the user's password has changed (and in some other cases) I want the access token to be invalidated immediately, rather than waiting for it to expire. I'm using reference tokens and have implemented IProfileService and ICustomTokenValidator. In IProfileService.GetProfileDataAsync I copy the password change date claim to the access token claims collection and in ICustomTokenValidator.ValidateAccessTokenAsync I again check that claim against the real user.
This works, but it seems quite convoluted and complicated and I wonder if there is a simpler way to accomplish this - it seems like this should be a common requirement.
If you are using reference tokens, all you need to in order to invalidate the token is to remove it from whatever implementation of IPersistedGrantStore you have and the next time reference token is attempted to be validated through introspection, it will be invalid since it will no longer exist.
I have followed a few guides on adding authentication to my vue application (which has a net core api backend).
https://medium.com/dev-bits/a-guide-for-adding-jwt-token-based-authentication-to-your-single-page-nodejs-applications-c403f7cf04f4
and
http://jasonwatmore.com/post/2018/08/14/aspnet-core-21-jwt-authentication-tutorial-with-example-api
I'm a junior programmer with authentication so forgive me if my questions seem dumb.
These involve sending a username and password to my api login method and getting back a jwt token (is this an id_token or an access token?). I then send this token with every api request using the Bearer authorization. Some guides (eg microsoft net core docs) have this jwt token include role information.
Is this just a basic form of jwt authentication. Some things i have read about token authentication indicate that when i login i should get an id token which i then exchange for an api access token. These tutorials don't appear to do that - it looks like there is only one token and that it's used for api access and authentication.
Ideally i would like to implement oidc into my vue application but the many guides out there dont seem to address this.
The tutorials are talking about the JWT token based authentication , it will issue a JWT token to declare a user and their access permissions in the application.
When a user tries to log in to the application with their username and password, the server/api side will authenticate the user ,generate the token and send token back to client . Next time client could use token to access the server/API which eliminates the need for the app or system to remember or store the user’s credentials. You can involve user's basic profile information(not sensitive) and some custom claim in that token such as claim related to roles . Both client side and server side should check the specific role if you want to check the authorize part .
Id_token was added to the OIDC specification(OpenID Connect) as an optimization so the application can know the identity of the user, without having to make an additional network requests. It contains user profile information (like the user's name, email, and so forth) , and So if you are using OpenID Connect (Implicit Flow is suitable for SPA) to do the authentication and authorization , you will get id token which identity of the user , and access token which could be used to access the protected resource/API .
You are not using OpenID Connect , so no id token is involved in the scenario .