We encountered an error while upgrading IdentityServer4 (2.5.3 - 3.1.0) to Core 3.1 (from 2.2). Suddenly tokens that are issued don't have the correct signature. We haven
Thanks to @Ruard van Elburg in the comments for linking to explicit typed tokens.
Changing the default "at+jwt" to just "jwt" solved the issue:
var idSrvBuilder = services.AddIdentityServer(opts =>
{
    opts.Events.RaiseErrorEvents = true;
    opts.Events.RaiseFailureEvents = true;
    opts.Events.RaiseInformationEvents = true;
    opts.Events.RaiseSuccessEvents = true;
    opts.AccessTokenJwtType = "jwt";
    if (_env.IsProduction())
    {
        opts.PublicOrigin = Configuration["Globals:IdentityURL"];
    }
});
I'm guessing the underlying issue is with the package IdentityServer3.AccessTokenValidation we're using in that API not being able to recognize at+jwt. We're using that so that we can potentially support reference tokens.
We also can't upgrade this API to ASP Core and use the newer IdentityServerAuthenticationExtensions from Microsoft due to some dependencies from third parties we need to support. That package does seem to be able to handle at+jwt just fine.
EDIT:
Still didn't work. Had a look at the GitHub issue that Ruard linked to.
Turns out I also had to turn on EmitLegacyResourceAudienceClaim, so now it looks like this:
var idSrvBuilder = services.AddIdentityServer(opts =>
{
    opts.Events.RaiseErrorEvents = true;
    opts.Events.RaiseFailureEvents = true;
    opts.Events.RaiseInformationEvents = true;
    opts.Events.RaiseSuccessEvents = true;
    opts.AccessTokenJwtType = "JWT";
    opts.EmitLegacyResourceAudienceClaim = true;
    if (_env.IsProduction())
    {
        opts.PublicOrigin = Configuration["Globals:IdentityURL"];
    }
});
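To see why the two settings above matter on the validating side, here is an added Python model of the check (not code from the question, the answer, or IdentityServer) that a pre-"at+jwt" validator performs on an incoming access token. It assumes, based on the two options the answer had to toggle, that such a validator insists on a `typ` header of exactly `JWT` and on the legacy `{issuer}/resources` audience; the issuer URL and the HS256 demo key are constructed for the example (real IdentityServer4 tokens are signed with the server's RSA signing credential), and the two token-builder functions mimic what the server emits before and after the change.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, Tuple

# Constructed demo secret and issuer for this example only.
DEMO_KEY = b"demo-shared-secret-not-for-production"
ISSUER = "https://identity.example.com"  # hypothetical value of Globals:IdentityURL


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(header: Dict[str, Any], payload: Dict[str, Any], key: bytes = DEMO_KEY) -> str:
    """Build an HS256-signed compact JWT (header.payload.signature) from the given parts."""
    head = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{head}.{body}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"


def legacy_validate(token: str, key: bytes = DEMO_KEY, issuer: str = ISSUER) -> Tuple[bool, str]:
    """Model (assumption) of an older validator: signature must verify, typ must be
    exactly "JWT", and the audience must contain "{issuer}/resources"."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    header = json.loads(_b64url_decode(head_b64))
    payload = json.loads(_b64url_decode(body_b64))
    if header.get("typ") != "JWT":
        return False, f"unexpected typ {header.get('typ')!r}"
    if payload.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = payload.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if f"{issuer}/resources" not in aud:
        return False, f"legacy audience missing, aud={aud}"
    return True, "ok"


def is4_v3_default_token() -> str:
    """Shape of the token IdentityServer4 3.x emits by default: typ at+jwt,
    aud names only the API resource (constructed sample payload)."""
    return make_token(
        {"alg": "HS256", "typ": "at+jwt"},
        {"iss": ISSUER, "aud": ["api1"], "sub": "123", "scope": ["api1"]},
    )


def is4_v3_compat_token() -> str:
    """Same token after AccessTokenJwtType = "JWT" and EmitLegacyResourceAudienceClaim = true."""
    return make_token(
        {"alg": "HS256", "typ": "JWT"},
        {"iss": ISSUER, "aud": ["api1", f"{ISSUER}/resources"], "sub": "123", "scope": ["api1"]},
    )


if __name__ == "__main__":
    for name, tok in (("default", is4_v3_default_token()), ("compat", is4_v3_compat_token())):
        print(name, legacy_validate(tok))
```

Running it shows the default token rejected on the `typ` header before the audience is even looked at, and a token with `typ` set to `JWT` but without the legacy audience rejected at the audience check, which is why flipping only `AccessTokenJwtType` was not enough. Decoding the header and payload of a real token from the upgraded server (without trusting them) is a quick way to confirm both fields before debugging the API side.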