Getting 401 accessing secured page with JwtToken under IDS4 and ASP.NET Core 2.2

Question

I have configured the MVC client by adding the following lines.

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
  .AddJwtBearer();

The error message was, as (kind of) expected, 401 Unauthorized. So I added config for the bearer as suggested by Microsoft.

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
  .AddJwtBearer(_ =>
  {
    _.Authority = "http://localhost:5000";
    _.Audience = "http://localhost:5002";
  });

In my solution, port 5000 hosts the IDS4 provider and port 5002 hosts the MVC application. At that point I got an error because I'm running strictly HTTP for the moment. The suggestion was to take the security down a notch by setting RequireHttpsMetadata to false, which I did as shown below.

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
  .AddJwtBearer(_ =>
  {
    _.Authority = "http://localhost:5000";
    _.Audience = "http://localhost:5002";
    _.RequireHttpsMetadata = false;
  })

To my disappointment, I'm back on getting 401 Unauthorized in my browser when requesting the page under action decorated by [Authorize].

I'm not sure how to diagnoze it further. I'm trying to compare my code to gazillion of examples but fail to see any significant difference. Also, many exmaples regard other version of Core, IDS or scheme. I need advise on where the smell might be coming from.

Answer 1

From IdentityServer4 samples you can see that they are using AddOpenIdConnect and not AddJwtBearer for the MVC Client sample. Your MVC client service registration should then look like below:

        services.AddAuthentication(options =>
            {
                options.DefaultScheme = "Cookies";
                options.DefaultChallengeScheme = "oidc";
            })
            .AddCookie("Cookies")
            .AddOpenIdConnect("oidc", options =>
            {
                options.SignInScheme = "Cookies";

                options.Authority = "http://localhost:5000";
                options.RequireHttpsMetadata = false;

                options.ClientId = "mvc";
                options.SaveTokens = true;
            });

Lastly, make sure you have a client which has allowed scope to access your api resource and an appropriate grant type:

            // OpenID Connect implicit flow client (MVC)
            new Client
            {
                ClientId = "mvc",
                ClientName = "MVC Client",
                AllowedGrantTypes = GrantTypes.Implicit,

                RedirectUris = { "http://localhost:5002/signin-oidc" },
                PostLogoutRedirectUris = { "http://localhost:5002/signout-callback-oidc" },

                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile
                }
            }

AddOpenIdConnect basically preconfigures you the handler endpoints for callbacks from IDS4 to sign the user in and out as well as creates the appropriate ClaimsPrincipal.