Detailed 401 errors SPA bearer token
I created a minimal example to replicate an issue I'm having with a SPA OIDC and a bearer token
I keep getting 401 from the following setup:
Very simple setup. I don't know what the issue is. I just need some debugging information.
I changed my appsettings.json
Nothing prints in the console, though, when I get a 401 from WeatherForecast. Any help would be greatly appreciated.
425 Replies
Unknown User • 5w ago: [message not public]
I actually was just working on that. I have a minimal example. I'm just finishing up a readme.
Unknown User • 5w ago: [message not public]
The readme is not finessed and some parts may be inaccurate
GitHub: bluebaroncanada/oidc-issue
Readme is much better now.
Oh, right. This minimal example isn't complete, yet. It doesn't have the bearer header.
Shiza. Sorry. I was working on that before I left for lunch.
Unknown User • 5w ago: [message not public]
manipulation?
Unknown User • 5w ago: [message not public]
it's all ready just to run
and I fixed the issue
I just updated.
Unknown User • 5w ago: [message not public]
I just made the readme so that you know what WAS done
node example/koa.js
I'll put that in the readme
After you login, you have to refresh the page to get the token to add properly.
But go get some sleep. I remember working with you before
Unknown User • 5w ago: [message not public]
Interesting
Unknown User • 5w ago: [message not public]
I only need one, I think.
I'm sending a bearer token
but it's oidc
I thought I would need both.
Unknown User • 5w ago: [message not public]
This can wait until tomorrow. Go get your sleep
yeah
good
night. Thanks for the help
Unknown User • 5w ago: [message not public]
I don't think it's a jwt
I think it's just a regular bearer token
Unknown User • 5w ago: [message not public]
options.GetClaimsFromUserInfoEndpoint = true;
Bearer PNRyP1xEKHwvYOUwjNdgzkC-ZOi6xIIfoIXLkEYtpci
Unknown User • 5w ago: [message not public]
i tried that
oh in the dev
maybe that's the reason I'm not getting debug info
k that's giving me some good info. That might help. Thank you so much.
Unknown User • 5w ago: [message not public]
You're right about the Angular thing. I just tried to slap it together as fast as I could. The interceptor isn't working for some reason in this example project but I just wanted to get it out to you. I was actually going to fix that so every WeatherForecast call subscribed to the token over and over again. We have the interceptor working properly in our actual project, and we have IdentityServer4 working very well with it for years. Sorry, I was just under the gun coding.
I did see that unprotected thing. I actually posted it to gist.
But I didn't know what it meant and I did some research, but tonight was a big deploy, so I got pulled away.
My real problem is between the API and the oidc-provider.
It's 7am here. I'm going to try to catch this last hour of sleep and then see you when I get in at 9am. I don't know why the token is protected.
Unknown User • 5w ago: [message not public]
It's only consumed by the Angular app, but the Angular app predates SSR, so it's just a standalone static site. I actually fooled around with the possibility of using an nginx plugin to do my SSO which would allow me to just use a cookie.
I don't know what KeyCloak is
We do have several tenants using our SSO, though.
The SSO is IS4 so it needs to be replaced.
Yeah. I looked into it and spoke with the team. At this point we just want to figure out how to get the app working through this OIDC provider. We have several other apps and we'd have to retrofit them, and tbh, we don't understand this well enough.
I'm going to try to remove the double auth.
You're right; I don't understand what AddOpenIdConnect is actually doing.
If you could point me to some documentation because reading through the manual doesn't provide me more understanding.
I also don't know what protect is.
I'm not intentionally using protect so if you can tell me how to stop using that ...
I fixed the lifecycle issue
I fixed the double authentication. What I don't understand is how the authentication method I've chosen will automagically know that it should get the claims from the remote server. I guess because I've chosen BearerToken and not JwtBearerToken?
The only problem, as I see it, is that protected key?
It's probably the only problem I ever had; right?
Unknown User • 5w ago: [message not public]
damnit. Why u no ring me, Discord. I'm looking hard at KeyCloak now.
Unknown User • 5w ago: [message not public]
They can all share a single client configuration
That's what we do now. It's the same thing. The thing is, it uses ASP Identity 1 password hashes.
Right now we're just doing an httpclient login to an old Identity server and if it's 200, we grab what we need from the DB manually.
But our company wants to go to B2C eventually so if I'm doing this, they're gonna be like, "Well then we should just do B2C," and we really don't want to have to do a whole new DB setup for this.
Also we have other apps that login through identity. Like .Net 4.5 projects.
They don't use the SSO.
So it has to be able to use our current DB. That's basically non-negotiable.
Unknown User • 5w ago: [message not public]
me too
Unknown User • 5w ago: [message not public]
10 spa == 1 client id
Unknown User • 5w ago: [message not public]
it works
Unknown User • 5w ago: [message not public]
Actually sorry. You're right. We do use different clients. But literally the only thing we use it for is showing different login pages.
Unknown User • 5w ago: [message not public]
They all do the same on the back end.
Unknown User • 5w ago: [message not public]
No. Each has its own API.
Unknown User • 5w ago: [message not public]
They all make that http call to authenticate and grab the claims from the db
Unknown User • 5w ago: [message not public]
No, common DB. All different private APIs.
Unknown User • 5w ago: [message not public]
Each client has its own api
Unknown User • 5w ago: [message not public]
App A => public Api A \
App B => public Api B | ==> common DB
App C => public Api C /
We just started switching to each app has its own db.
but we still need the master db for lots.
like for user storage
Unknown User • 5w ago: [message not public]
As long as this keycloak lets me make a custom authentication and user and claims provider, I should be good.
Unknown User • 5w ago: [message not public]
oh really because when I did that I was getting a ... 303 or 305 error
Unknown User • 5w ago: [message not public]
night, bro
thanks for your help
Unknown User • 5w ago: [message not public]
In an SPA app, that doesn't make sense to me.
The SPA app is hosted just files. No logic.
Unknown User • 5w ago: [message not public]
Well if that's what I need, I don't understand why node-oidc-provider can't do it, but I'll look into this.
Unknown User • 5w ago: [message not public]
yeah
true
That's definitely the biggest selling point for me.
So we definitely aren't going to go for KeyCloak. If our enterprise were new, then we'd think about it. For now, it's node-oidc-provider or bust. I updated the Readme.md and I'm going to post a new question tomorrow. More concise.
Unknown User • 5w ago: [message not public]
Having to learn Java and compile it.
Unknown User • 5w ago: [message not public]
But we would have to write specific adapters.
Unknown User • 5w ago: [message not public]
Also, we're not sure about its ability to adapt to our current DB.
The authentication adapter.
And the DB adapter.
Unknown User • 5w ago: [message not public]
Just basically how would we get KeyCloak to use our user system without importing it into KeyCloak's DB.
Unknown User • 5w ago: [message not public]
ntm, we're probably only a couple of lines away from making this solution work
yeah. It was created back in 2014. It's an ASP Identity v1 schema, too, which isn't compatible with the more recent Identity.
Unknown User • 5w ago: [message not public]
yea
Unknown User • 5w ago: [message not public]
AspNetUsers AspNetUserClaims
Unknown User • 5w ago: [message not public]
The IdentityServer has a replacement authenticator that just calls an http login to the old ASP Identity v1 server.
Unknown User • 5w ago: [message not public]
Because we eventually want to get onto B2C but then we'd have to migrate our entire organization to AD and then also allow external users to use that, and the whole point of this is to migrate off a very expensive old server. That is the priority. Whatever bandaids we can use to get us to September.
Unknown User • 5w ago: [message not public]
12000
Unknown User • 5w ago: [message not public]
yes
Unknown User • 5w ago: [message not public]
We have thousands of employees and subcontractors.
Unknown User • 5w ago: [message not public]
Yeah.
Unknown User • 5w ago: [message not public]
Right. So about 1000 employees. 11000 external
Unknown User • 5w ago: [message not public]
They can create an account, then they have to request ownership into a group, and the group admin has to approve it. But they'll have a real account, it just won't have any access to anything but our My Account portal.
Unknown User • 5w ago: [message not public]
Yeah. Gonna be very customized. But really that can be next year's problem for all we care. Right now the biggest thing is to get off this ancient Windows metal server and into the cloud.
Unknown User • 5w ago: [message not public]
Azure
Unknown User • 5w ago: [message not public]
Oh, right now it's called Entra. Is that different than B2C? Someone else mentioned that before but they got poached.
Yeah
Unknown User • 5w ago: [message not public]
Definitely the plan is to get rid of the entire Identity DB.
Unknown User • 5w ago: [message not public]
okay
Unknown User • 5w ago: [message not public]
I heard that.
Unknown User • 5w ago: [message not public]
That's another thing about the method I've chosen here. It will give us maximum control over our login pages which we need SSO but each client has to look different. Which I see that KeyCloak can do as well.
Unknown User • 5w ago: [message not public]
I don't want to have to go back to update all our products, but that does sound reasonable.
Unknown User • 5w ago: [message not public]
Hey that's funny. We have a couple NextJs projects, too. We're split between Angular and NextJs. I really like Angular, but the team makes some convincing arguments. React certainly has a much bigger market share.
Unknown User • 5w ago: [message not public]
It was just the default ootb.
Unknown User • 5w ago: [message not public]
it wouldn't matter to me either way. But I'm not sure how to do that. I started to look into that today, but today was our revision day.
Unknown User • 5w ago: [message not public]
That's what I have right now with IS4, and it works just fine.
Unknown User • 5w ago: [message not public]
So, yeah. If that's all I have to do.
?
?
Unknown User • 5w ago: [message not public]
is that a question?
Unknown User • 5w ago: [message not public]
Oh. Yeah. Our current applications all use JWT tokens.
Unknown User • 5w ago: [message not public]
That's what we have right now that works
With IS4
Yeah. I thought it was interesting to try to use an opaque token but in reality: Any port in a storm.
Unknown User • 5w ago: [message not public]
I knew you would mention that
Unknown User • 5w ago: [message not public]
I still don't understand why, but I thank you for waking me up.
Unknown User • 5w ago: [message not public]
Okay. That's actually where I thought you were going with that the first time you said so, but I don't understand how it even worked in the first place
Unknown User • 5w ago: [message not public]
How and where can I really learn this?
Unknown User • 5w ago: [message not public]
okay
Unknown User • 5w ago: [message not public]
Right
Unknown User • 5w ago: [message not public]
I actually do get that. I know JWTs pretty well and how they're encoded and used to prove ID.
Unknown User • 5w ago: [message not public]
right
Unknown User • 5w ago: [message not public]
Right. Like an interface that takes passwords and you extend the interface authenticate method to accept finger prints
k
Unknown User • 5w ago: [message not public]
So you're saying that only one of these methods is doing anything at all?
So if I deleted one of them, ... the oidc one, then it would still work?
Unknown User • 5w ago: [message not public]
why do you have to say schemName: "passport"
oh that's what I'm calling it locally
Unknown User • 5w ago: [message not public]
but it could be any arbitrary name
okay
Unknown User • 5w ago: [message not public]
driver licence
Unknown User • 5w ago: [message not public]
well we don't really have id cards here
Unknown User • 5w ago: [message not public]
you can get one but it's not mandatory
Unknown User • 5w ago: [message not public]
ok
Unknown User • 5w ago: [message not public]
okay
Unknown User • 5w ago: [message not public]
okay
Unknown User • 5w ago: [message not public]
Right. I think I get it.
Unknown User • 5w ago: [message not public]
ah
Unknown User • 5w ago: [message not public]
Okay but then I'm really only using one of these methods in the first place.
Unknown User • 5w ago: [message not public]
No. You only want to set it once. That makes total sense to me. And I'm overwriting the default schema. So the only schema that is actually doing any pulling here is the JWT schema, and I suspect that if I deleted the OIDC schema, that it would still work.
I have a question, though.
Unknown User • 5w ago: [message not public]
ditto
Unknown User • 5w ago: [message not public]
This is a little bit off track, but ... how would the Cookie auth work in my scenario with a SPA.
Unknown User • 5w ago: [message not public]
It validates the JWT, then exchanges a cookie?
Unknown User • 5w ago: [message not public]
almost like a session token?
Unknown User • 5w ago: [message not public]
right
I get that
Unknown User • 5w ago: [message not public]
then it consumes the JWT claims. That's what I thought the OIDC was doing.
Unknown User • 5w ago: [message not public]
Right.
Unknown User • 5w ago: [message not public]
And the answer is probably not because if someone could inject JavaScript they could exfiltrate the token and use it for the duration of its validity.
Unknown User • 5w ago: [message not public]
The current ones actually use the JWT token to get claims.
But .. It worked automagically when it switched to an opaque token. It called a well-known endpoint called /me and got all the same claims.
Unknown User • 5w ago: [message not public]
right
Unknown User • 5w ago: [message not public]
That worked surprisingly well. Which is why I thought I probably wouldn't need to grab a JWT.
Unknown User • 5w ago: [message not public]
right
Unknown User • 5w ago: [message not public]
Cool. I was actually already there.
Unknown User • 5w ago: [message not public]
right
Unknown User • 5w ago: [message not public]
a bearer can be samesite right?
Unknown User • 5w ago: [message not public]
okay
Unknown User • 5w ago: [message not public]
Okay. I think I intuitively understood that. I think you said before that I should use a cookie and I was wondering how that would work, but you were probably talking about something different.
Unknown User • 5w ago: [message not public]
I think another good solution is to use a plugin in the server to not even serve the JavaScript resources until authenticated.
Unknown User • 5w ago: [message not public]
There is such a plugin for nginx.
Unknown User • 5w ago: [message not public]
Either way. I think I have all that in my head now. But I still don't have a solution to this. So I'm going to try JWT token tomorrow, (it's 1:18 here), but the opaque token really SHOULD work.
Now I understand why AddBearerToken doesn't have options.GetClaimsFromUserInfoEndpoint
because it's always going to be true
Unknown User • 5w ago: [message not public]
oof
Unknown User • 5w ago: [message not public]
I just have to figure out how to get the server to emit JWTs
Unknown User • 5w ago: [message not public]
So you think that's faster than figuring out how to protect the opaque token?
Or figuring out the error that says it's unprotected
Unknown User • 5w ago: [message not public]
ok
Unknown User • 5w ago: [message not public]
ahhh
Unknown User • 5w ago: [message not public]
okay yeah I'd rather do JWTs.
Unknown User • 5w ago: [message not public]
Okay. I have to turn in. I might not be up as early as I was yesterday. I've been burning both ends. Thank you so much. I will work on that tomorrow. I'll be the man if I get this solved. I'm kinda excited.
Thank you so much! I told them I'm talking with a real star. So all credit to you, really.
Unknown User • 5w ago: [message not public]
I hope you realize that I'm not entirely a noob, but some of these concepts are really tough for me to process.
Talk to you tomorrow. Much love.
Unknown User • 5w ago: [message not public]
There's one thing that I think I forgot to tell you. In the config for the server, it comes by default configured with a client_secret. But the oidc library for Angular doesn't support a client secret because that would be silly to put the client secret in your public javascript. So I had to add the line
Back to sleep for a little more than an hour
So close I can taste it.
DenyAnonymousAuthorizationRequirement: Requires an authenticated user.
Unknown User • 4w ago: [message not public]
Thank you for the mention
Unknown User • 4w ago: [message not public]
switched to notification for all messages
Unknown User • 4w ago: [message not public]
Will do.
pushed
Unknown User • 4w ago: [message not public]
This is just the test appsettings, but I wonder why that isn't showing in Rider.
Will update node, though.
Unknown User • 4w ago: [message not public]
wtf
Unknown User • 4w ago: [message not public]
cool
Unknown User • 4w ago: [message not public]
?
Unknown User • 4w ago: [message not public]
I'm using the IISExpress
Unknown User • 4w ago: [message not public]
Still not working on my end. Can you send me your git diff?
Unknown User • 4w ago: [message not public]
oh!
Unknown User • 4w ago: [message not public]
Can you send me your git diff?
Unknown User • 4w ago: [message not public]
done
Unknown User • 4w ago: [message not public]
Works! I think I must've had stale browser data.
Incognito window works.
omg
slumps to the floor in the fetal position
thank you
Unknown User • 4w ago: [message not public]
I think in their example server it's okay to do that, but we will definitely be hand-selecting every claim.
Unknown User • 4w ago: [message not public]
I still have to go back and modify the profile claims allowed, attach to the DB, consume the user Claims, make sure it's what we had before, and send it out
Unknown User • 4w ago: [message not public]
yup. We will. Definitely.
lol
Unknown User • 4w ago: [message not public]
cycles
Unknown User • 4w ago: [message not public]
btw, I got a good crack on putting all the pieces together today.
Likely will demo for the team tomorrow.
You're the programming version of Let Me Solo Her.
That's super high praise.
I'm guessing this has something to do with the oidc server, but when moving over to our actual application, the client is sending an opaque token. In my example that we've been working on, I'm fudging the functionality of the interceptor by explicitly sending the idtoken.
I need the oidc server to stop sending an opaque token at all.
I think I'm going to need to use opaque tokens all the way through anyways
Unknown User • 4w ago: [message not public]
There is no back end that I control that serves the JavaScript.
Unknown User • 4w ago: [message not public]
Yes. But it doesn't serve the JS
They're WebApi projects
So apparently the server doesn't even support implicit flow unless you are using https and a non-localhost address.
So I'm literally back to the beginning when I started this question.
Unknown User • 4w ago: [message not public]
It says I must use implicit flow to use JWT
as an access token
Another thing: I don't think the API is in any way validating the JWT through the example I made.
Unknown User • 4w ago: [message not public]
There's actually a bug in the code that works. The issuer and authority have https. It's actually http. So there's no way they are validating these tokens.
Unknown User • 4w ago: [message not public]
Also, you say setup a client for the api to use, but .AddBearerToken options does not have a client id field.
Right
I want to use PKCE
Unknown User • 4w ago: [message not public]
I think that's the only way this is going to work
My problem is that unprotect error
Unknown User • 4w ago: [message not public]
Proof Code for Key Exchange
Unknown User • 4w ago: [message not public]
I added
and that's when it said I had to add implicit grant_type
but I don't want to do implicit
Just to let you know that I did that but am now undoing that.
Unknown User • 4w ago: [message not public]
Yeah. And I don't think that's the problem anyways.
Unknown User • 4w ago: [message not public]
Well I can't. PKCE couldn't possibly require a key because then you'd have to put the key in JavaScript.
Unknown User • 4w ago: [message not public]
I'm going to spend this weekend digging deep into manuals and standards and learning the real nitty-gritty of OIDC.
Deep diving Microsoft libraries.
Unknown User • 4w ago: [message not public]
the API should introspect
Unknown User • 4w ago: [message not public]
Maybe I should look at another node oidc provider and just see ... see the problem with this particular package is there's no community support.
They've taken all Issues of GitHub
Unknown User • 4w ago: [message not public]
they're probably tired of answering impossible questions like these from an infinite amount of people.
Unknown User • 4w ago: [message not public]
That's what I want to happen anyways.
Unknown User • 4w ago: [message not public]
I want the API to introspect, it should know how to do so automatically, so I must be doing something fundamentally wrong.
Unknown User • 4w ago: [message not public]
It should work. It just needs to engage the introspect.
Unknown User • 4w ago: [message not public]
Everything else seems to be working.
The fact that it can get the same JWT claims as are in /me means it can be introspected.
Unknown User • 4w ago: [message not public]
Because it should be simple and require the least amount of configuration.
Unknown User • 4w ago: [message not public]
But I can't use JWTs as an access token. I'm using them as an access token in the example by using a hack, and as a consequence, the JWT that I'm serving is not being validated, which leads me to think I could provide a JWT token from any source and it would be authenticated.
Unknown User • 4w ago: [message not public]
I think I might not have my audience set up properly.
Is that a possibility?
Unknown User • 4w ago: [message not public]
We also have audience verification turned off in our current API.
Unknown User • 4w ago: [message not public]
Using IS4
I think that's my issue.
That would make the token not be able to unprotect.
Unknown User • 4w ago: [message not public]
I think I have the scope down right
Unknown User • 4w ago: [message not public]
scope: 'openid profile',
Unknown User • 4w ago: [message not public]
The introspect using a bearer token should automatically get the list of well-known endpoints, find the appropriate endpoint, which I think is /me, pass the key exchange, and get all the claims automagically. I shouldn't have to ever touch a JWT token again.
Unknown User • 4w ago: [message not public]
The client already gets all the claims and they show up perfectly in angular-oidc-client, zero-config, zero-JWT, it made the call to /me, zero-config.
So why can't the API do the same?
Unknown User • 4w ago: [message not public]
I never mentioned this before, but when I code this for just a bearer token, the client calls my /ListXXXX controller, the controller redirects to
http://localhost:3000/auth?client_id=xxxxx&redirect_uri=https%3A%2F%2Flocalhost%3A5003%2Fcallback&response_type=code&scope=openid%20profile&nonce=873a29d4674249cc133a8c3e5588l&state=c6f7e4b59cae75e85158d2be51d6bd5f9eBW10Igc&code_challenge=1h-X359pP7yCprKOfranFlnm_WI3Ff3-HiQ&code_challenge_method=S256
And it gets a 303 error
Unknown User • 4w ago: [message not public]
"The 303 status code is typically used for redirections in which the server wants the client to use a different URL to access the requested resource, usually because the original URL has become invalid or outdated."
Unknown User • 4w ago: [message not public]
The API
Unknown User • 4w ago: [message not public]
I actually had that image in the original ticket and I deleted it.
Unknown User • 4w ago: [message not public]
Yeah. It's very wrong.
Unknown User • 4w ago: [message not public]
Right.
Unknown User • 4w ago: [message not public]
Because the header
Authorize: Bearer
is not a JWT token.
Unknown User • 4w ago: [message not public]
Because the oidc library sends the bearer token
Unknown User • 4w ago: [message not public]
Yes. It also sends the JWT
but the field called 'access_token' coming from the server is a regular Bearer token.
Unknown User • 4w ago: [message not public]
So the OIDC library is sending that to the API instead of the id_token.
Unknown User • 4w ago: [message not public]
in the example on github, I'm sending the id_token by force
yes
Unknown User • 4w ago: [message not public]
okay well then when I make calls it says the ID token doesn't have dots.
Unknown User • 4w ago: [message not public]
I'm using the https one
Unknown User • 4w ago: [message not public]
like you said. I even thought of deleting that. Sorry.
Yup.
Consider it done.
Unknown User • 4w ago: [message not public]
The issue is that I'm sending the JWT token, then to the API. Look at my app.component.ts
Unknown User • 4w ago: [message not public]
Do you mind just forking?
Sorry.
or just sending me a patch
Unknown User • 4w ago: [message not public]
Because I don't have .vscode
Should I have kept it? Sorry.
launchSettings.json updated
Unknown User • 4w ago: [message not public]
lol okay
Unknown User • 4w ago: [message not public]
ng start I think
Ah
Unknown User • 4w ago: [message not public]
fixed
Unknown User • 4w ago: [message not public]
oh wait I have to restore the file still
Unknown User • 4w ago: [message not public]
I'm gonna stick with Chrome for now. I'll take it under advisement.
I'm also not happy with Chrome.
Unknown User • 4w ago: [message not public]
Yeah Chromium.
But I don't like some of the additions Microsoft has made, and Chrome is banning uBlock.
Unknown User • 4w ago: [message not public]
Do you have it able to call the GetWeather controller?
Unknown User • 4w ago: [message not public]
?
Unknown User • 4w ago: [message not public]
I fixed that and some other things, but I have other changes that are related to the business that I can't share. I'll update what I can.
Unknown User • 4w ago: [message not public]
Show me the headers
Unknown User • 4w ago: [message not public]
Yeah. It shouldn't be.
Checkout app.component.ts
Unknown User • 4w ago: [message not public]
line 41
change that to accesstoken and it wont work
Unknown User • 4w ago: [message not public]
Right, but as you say, I should only send the accesstoken to the api
Unknown User • 4w ago: [message not public]
Right. So change line 41 and it won't work, and that's the problem I had when I went to implement this in our live product.
Unknown User • 4w ago: [message not public]
Right! But look at the auth response
Unknown User • 4w ago: [message not public]
right
It gives the access_token as an opaque token
then the ID token
Unknown User • 4w ago: [message not public]
When I change it to access tokens as JWTs, which you just said I should never send to the API server, it makes me use the implicit flow.
Unknown User • 4w ago: [message not public]
GitHub: node-oidc-provider/recipes/implicit_http_localhost.md at main · pan... (OpenID Certified™ OAuth 2.0 Authorization Server implementation for Node.js - panva/node-oidc-provider)
Unknown User • 4w ago: [message not public]
Okay
Unknown User • 4w ago: [message not public]
Right
Unknown User • 4w ago: [message not public]
And you want the access token to be a JWT; right?
Unknown User • 4w ago: [message not public]
right
Unknown User • 4w ago: [message not public]
right
Unknown User • 4w ago: [message not public]
right
Unknown User • 4w ago: [message not public]
right
Unknown User • 4w ago: [message not public]
Right. And the access token is opaque.
in this case
Unknown User • 4w ago: [message not public]
I tried! It says I need to use the implicit flow.
Unknown User • 4w ago: [message not public]
Unknown User • 4w ago: [message not public]
¯\_(ツ)_/¯
Unknown User • 4w ago: [message not public]
hmm
thank you
Unknown User • 4w ago: [message not public]
example/support/configuration.js It's just the example.
Oh. I had offline_access before and I removed it.
Watch this be my entire issue.
please be
Unknown User • 4w ago: [message not public]
I don't see that term anywhere in their codebase
oh flip it wasn't searching their code because i was in incognito and needed to sign in to do a search with github
Unknown User • 4w ago: [message not public]
ikr
I think it's because it's the example. I'd have to figure out how to get output.
I'll be pretty much doing this all weekend, so I'll track down that answer for you.
I'm working on a branch right now to let you see how we've implemented it.
Unknown User • 4w ago: [message not public]
lol
Unknown User • 4w ago: [message not public]
GitHub: Comparing master...our-implementation · bluebaroncanada/oidc-issue
I updated the master branch, too with a small fix.
k .. .vscode file.
Unknown User • 4w ago: [message not public]
night night
Thanks for all the help
Done