
Identity Server & client_credentials always return 403 forbidden #10108


0
elferone created

Angular & ASP.NET Core, ASP.NET Zero version 9.3.0, ABP framework 5.14.0

In our project we are trying to allow machine-to-machine communication. For that, we enabled Identity Server. We created a client that supports client_credentials. We were able to generate an access token with the client id and client secret. When we try to use this token to execute an HTTP request, we always receive 403 Forbidden.

Is something missing?


The steps we took:

  1. Enabled Identity Server in appsettings.json

  2. Added a client for client_credentials

  3. Using Postman, we were able to generate a token. We tried to do an HTTP GET request to get all the users, but we received 403 Forbidden

  4. When the backend received the call, an exception occurred in the class RegistraJwtSecurityTokenHandler

  5. Furthermore, when we took the generated token to jwt.io, the token had an invalid signature


7 Answer(s)
  • 0
    ismcagdas created
    Support Team

    Hi,

    You also need to provide a username and a password. You can take a look at https://github.com/aspnetzero/aspnet-zero-core/blob/dev/aspnet-core/test/MyCompanyName.AbpZeroTemplate.ConsoleApiClient/Program.cs. AspNet Zero doesn't work without a valid user.

  • 0
    elferone created

    Hi @ismcagdas,

    So if I want another system (which does not have the context of a human user) to connect to my API, I absolutely need a user? I'm not sure I see the use of the identity server then? I could simply set up a user / password directly?

    What am I missing here?

    Thanks!

  • 0
    ismcagdas created
    Support Team

    Hi @elferone

    When using non-human clients, it has no meaning, but for users it provides single sign-on.

  • 0
    elferone created

    Hi @ismcagdas,

    Ah, I think I understand; basically we might not be using the proper way to connect. Let me talk about the requirement a bit and maybe you can provide a better solution.

    Our customer has an external system, and for reporting purposes that system would need to connect to our API (ASP.NET Zero) and use the business layer there to perform some queries. We're trying to figure out the best way to give that system access to the API.

    Can you recommend an approach?

    Thanks!

  • 1
    ismcagdas created
    Support Team

    Hi,

    Thank you for sharing the details. Currently, our suggestion is to use https://docs.aspnetzero.com/en/aspnet-core-angular/latest/Features-Angular-Token-Based-Authentication. So, you need to create a user for your customer and assign the necessary permissions to this user.

  • 0
    elferone created

    Hi,

    Ok, perfect. Not my preferred approach :D But no worries.

    What would be your recommendation to filter out that user from the normal user administration screen? I would not want the operators to delete or alter that special user. Or maybe show that user only with a special filter? Also avoiding modifications to core ASP.NET Zero pages to avoid updating issues.

    Thanks for the help!

  • 0
    ismcagdas created
    Support Team

    Hi @elferone

    First of all, authenticating clients is on our roadmap, but it will probably take some time for us to implement it. It may help you in the future.

    To prevent deletion and modification of those users, you can override some methods in the UserManager class in your project. For example, we prevent deletion of the admin user here

    To prevent those users from logging in to the web UI, you can add an extra field to the User entity and check it on the web login (for example, if the request has a User-Agent header).
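One way to implement the UserManager overrides suggested above, as an added example that is not ASP.NET Zero's own code: it assumes the project's generated UserManager class (ASP.NET Zero's UserAppService calls UserManager.DeleteAsync when an operator deletes a user from the administration screen) and a hypothetical boolean IsServiceAccount column added to the User entity to mark the integration user; the existing constructor is left unchanged and omitted here.

```csharp
using System.Threading.Tasks;
using Abp.Authorization.Users;
using Abp.UI;
using Microsoft.AspNetCore.Identity;
using MyCompanyName.AbpZeroTemplate.Authorization.Roles;

namespace MyCompanyName.AbpZeroTemplate.Authorization.Users
{
    // Added example: overrides placed in the project's existing UserManager.
    public class UserManager : AbpUserManager<Role, User>
    {
        // The generated constructor (stores, settings, caches, ...) stays as-is
        // in the project and is intentionally not repeated here.

        // Refuses deletion of a service account no matter which screen or API
        // endpoint triggered it, so the check cannot be bypassed by a UI tweak.
        public override Task<IdentityResult> DeleteAsync(User user)
        {
            EnsureNotServiceAccount(user, "deleted");
            return base.DeleteAsync(user);
        }

        // Refuses deactivation of a service account; other edits (for example
        // permission assignment) still flow through to the base implementation.
        public override Task<IdentityResult> UpdateAsync(User user)
        {
            if (user.IsServiceAccount && !user.IsActive)
            {
                throw new UserFriendlyException("Service accounts cannot be deactivated.");
            }
            return base.UpdateAsync(user);
        }

        // IsServiceAccount is the hypothetical flag added to the User entity.
        private static void EnsureNotServiceAccount(User user, string action)
        {
            if (user.IsServiceAccount)
            {
                throw new UserFriendlyException($"Service accounts cannot be {action}.");
            }
        }
    }
}
```

The same IsServiceAccount flag can then be checked during the web login path to reject interactive logins for the integration user, as suggested in the last reply.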