Certificates and Token Validation #99
Comments
Well, I think that with OIDC you can use the 'well known' discovery endpoints to download the public key part directly from IDSrv3 and use that in your web token validation directly, so you can control the certificate management directly from the issuing server (the endpoints are there in IDSrv3 but I've not yet hooked up to them and used them in my JWTHandlers) [this of course assumes your validating API can reach the Idsrv's https endpoints...]
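The discovery-based setup described in this comment, as an added example that is not code from this thread or from the IdentityServer3 project: the IdentityServer3.AccessTokenValidation middleware reads `/.well-known/openid-configuration`, follows `jwks_uri` and caches the issuer's signing keys, so the API picks up a rotated signing certificate without a redeploy. The authority URL, the scope name and the `ApiHost` namespace are placeholders, and the example assumes the IdentityServer3.AccessTokenValidation, Microsoft.Owin.Host.SystemWeb and Microsoft.AspNet.WebApi.Owin NuGet packages.

```csharp
// Added example (not from the issue thread or the IdentityServer3 project).
// Assumes NuGet packages: IdentityServer3.AccessTokenValidation,
// Microsoft.Owin.Host.SystemWeb, Microsoft.AspNet.WebApi.Owin.
using IdentityServer3.AccessTokenValidation;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Owin;
using System.Web.Http;

[assembly: OwinStartup(typeof(ApiHost.Startup))]

namespace ApiHost
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // The middleware fetches <Authority>/.well-known/openid-configuration at startup,
            // downloads the keys behind jwks_uri and validates incoming bearer tokens against
            // them. The API host therefore needs outbound HTTPS access to the issuer.
            app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
            {
                Authority = "https://idsrv.example.com/identity", // placeholder: issuer base URL
                RequiredScopes = new[] { "api1" },                // placeholder: reject tokens issued for other APIs
                ValidationMode = ValidationMode.Local,            // verify the JWT in-process with the downloaded keys
                AuthenticationMode = AuthenticationMode.Active    // set the request principal on every request
            });

            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();

            // Web API must be registered after the token middleware; otherwise controllers
            // run before the bearer token is validated and see an unauthenticated user.
            app.UseWebApi(config);
        }
    }
}
```

`RequiredScopes` is the check that stops a token minted for one API from being accepted by another; the issuer and audience checks alone do not distinguish between APIs behind the same IdentityServer instance.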
nice. /me scraps a bunch of code I'd written ;)
So yeah - creating certs - pfx to idsrv, cer to consumers is the "standard" way. But you should indeed plan ahead for cert rollover scenarios. Strictly speaking, the OIDC middleware does not deal with signing keys for access tokens (only id_tokens). In Idsrv3 they are the same (at least currently).
Is there then also an AppBuilder extension in Katana that I can use to make it validate the bearer tokens by just pointing it to the idsrv3? I am having a few problems with the following:
When trying to call the API from JavaScript I just get a 401. I have verified with Fiddler that the header is set: Authorization: Bearer I took the token and the content is and iss and aud are correct, and I am not sure why Web API returns 401.
I am not really sure where I want to start debugging.
If I manually do the validation like this I get the ClaimsPrincipal as expected, but in the above setup ctx.User is just the default identity that is not authenticated. Could it be that the authentication middleware is not triggered? But in the sample Web API in the clients for idsrv3, nothing special is done there either.
Thanks. Nothing is being logged about failed validation though. What I am doing in the manual validation step above, does that look okay in your eyes? I just set ctx.User = claimsPrincipal for now and can debug this more later.
nvm, found out why.
Just to make sure I get this done right.
Web API uses app.UseJsonWebToken with a certificate to validate tokens. And I simply just have to install the public key of the signing certificate (.cer file). (On Azure cloud services that means uploading it to the management portal and having it deployed to the machines' Trusted People store.)
That's the only supported validation right now? If time allows, feel free to share a few lines on whether there is anything to be aware of when creating the certificates. I just followed the documentation on Azure for how to create it for their management portal and exported both the pfx for the identity server and the cer for the Web API projects.
http://msdn.microsoft.com/en-us/library/azure/gg551722.aspx
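The certificate-based validation asked about in this issue, together with the rollover advice and the "401 with the user never authenticated" problem from the comments above, as an added example that is not code from this thread or from the IdentityServer3 project. It uses Katana's `app.UseJwtBearerAuthentication` (Microsoft.Owin.Security.Jwt) in place of the `app.UseJsonWebToken` extension the issue mentions, loads the installed public certificate(s) from the machine store by thumbprint, and registers more than one certificate so the issuer can switch to a new signing key without the API rejecting tokens in the meantime. The thumbprints, issuer and audience values and the `ApiHost` namespace are placeholders; the audience form `{issuer}/resources` is what IdentityServer3 uses for access tokens and should be checked against a real token's `aud` claim.

```csharp
// Added example (not from the issue thread or the IdentityServer3 project).
// Assumes NuGet packages: Microsoft.Owin.Security.Jwt, Microsoft.Owin.Host.SystemWeb,
// Microsoft.AspNet.WebApi.Owin, and that the signing cert's public part (.cer)
// is installed in the LocalMachine\My store on the API host.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Jwt;
using Owin;

[assembly: OwinStartup(typeof(ApiHost.Startup))]

namespace ApiHost
{
    public class Startup
    {
        // Current and next signing certificate. Installing the next one ahead of time is the
        // rollover plan: tokens signed with either key validate during the switch-over.
        static readonly string[] SigningCertThumbprints =
        {
            "0000000000000000000000000000000000000001", // placeholder: current signing cert
            "0000000000000000000000000000000000000002"  // placeholder: next signing cert
        };

        public void Configuration(IAppBuilder app)
        {
            const string issuer = "https://idsrv.example.com/identity";             // placeholder; must equal "iss" exactly
            const string audience = "https://idsrv.example.com/identity/resources"; // placeholder; must equal "aud" exactly

            // One provider per accepted certificate, all bound to the same issuer value.
            var providers = LoadSigningCertificates(SigningCertThumbprints)
                .Select(cert => new X509CertificateSecurityTokenProvider(issuer, cert))
                .ToArray();

            app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
            {
                // Active mode sets the request principal itself; in Passive mode the
                // controller only gets an authenticated user if something challenges explicitly.
                AuthenticationMode = AuthenticationMode.Active,
                AllowedAudiences = new[] { audience },
                IssuerSecurityTokenProviders = providers
            });

            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();

            // Order matters: registering Web API before the JWT middleware leaves
            // ctx.User as the default unauthenticated identity and every call returns 401.
            app.UseWebApi(config);
        }

        // Loads public certificates from the machine store by thumbprint. A missing thumbprint
        // fails at startup rather than leaving the API with no accepted signing key.
        static IEnumerable<X509Certificate2> LoadSigningCertificates(IEnumerable<string> thumbprints)
        {
            var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
            store.Open(OpenFlags.ReadOnly);
            try
            {
                foreach (var thumbprint in thumbprints)
                {
                    // validOnly: false because a self-signed signing cert will not chain to a
                    // trusted root; what is being pinned here is the exact public key, not chain trust.
                    var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
                    if (found.Count == 0)
                        throw new InvalidOperationException("Signing certificate not installed: " + thumbprint);
                    yield return found[0];
                }
            }
            finally
            {
                store.Close();
            }
        }
    }
}
```

When this setup still returns 401 with nothing logged, the usual causes are the issuer or audience string differing from the token by a character (trailing slash, scheme or port), the certificate being deployed to a different store than the one searched here, or the middleware being registered after `UseWebApi`. Decoding the token's header and checking its `x5t` or `kid` against the thumbprints installed on the host confirms whether the key the issuer actually signed with is present.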