IdentityServer4 - How can I add clientId and clientSecret to services?

Time:10-14

I have IdentityServer project and API. I get JWT Token from IdentityServer to send requests to my API.

In my API, I don't use clientId and clientSecret anywhere. I don't understand why???

When I researched, I found that many people write the API's Program.cs like this:

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
{
   options.Authority = "[identity server url]";
   options.Audience = "[api resource name]";
   options.RequireHttpsMetadata = false;
});

What I don't understand is, there is no clientId and clientSecret here.

Some people use [IdentityServer4.AccessTokenValidation] to do what I wanted by using this:

services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
.AddIdentityServerAuthentication(options =>
{
    options.Authority = "https://demo.identityserver.io";
    options.ApiName = "api1";
    options.ApiSecret = "secret";
});

But when I tried this, my API doesn't return 401 Unauthorized and returns 200 OK even though my clientSecret is not correct.

How can I solve this problem?

CodePudding user response:

The AddJwtBearer authentication handler that you use in the API doesn't need a clientid/secret because all it needs to do is to accept and validate incoming access tokens using the public key that it downloads from the IdentityServer discovery document.

I think the IdentityServer4.AccessTokenValidation is mainly useful if you need to support both JWT and reference tokens. But usually you only need JWT tokens.
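
As an added example (not code from the question, the answer, or the IdentityServer project), here is a minimal .NET 6 `Program.cs` for the API side that validates JWT access tokens with the discovery-document keys only and then authorizes on the token's claims. The authority URL, the `api1` audience and scope, the `at+jwt` token type and the `/whoami` route are assumed placeholders.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Assumed placeholders: your IdentityServer URL and API resource name.
        options.Authority = "https://identity.example.com";
        options.Audience = "api1";

        // The signing keys come from {Authority}/.well-known/openid-configuration.
        // Keep this true outside local development so they are fetched over TLS.
        options.RequireHttpsMetadata = true;

        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,            // iss must match the authority
            ValidateAudience = true,          // aud must contain options.Audience
            ValidateLifetime = true,          // reject expired tokens
            ValidateIssuerSigningKey = true,  // signature checked with the public key
            ValidTypes = new[] { "at+jwt" },  // assumption: server issues typ "at+jwt"
            ClockSkew = TimeSpan.FromSeconds(30)
        };
    });

// The client's id and secret are presented to IdentityServer's token endpoint,
// never to the API. ApiSecret in AddIdentityServerAuthentication is only used
// when a reference token is introspected; a JWT is validated locally.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("ApiScope", policy =>
    {
        policy.RequireAuthenticatedUser();
        policy.RequireClaim("scope", "api1"); // token must carry this scope
    });
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical endpoint: shows which client the validated token was issued to.
app.MapGet("/whoami", (ClaimsPrincipal user) =>
        new { client_id = user.FindFirst("client_id")?.Value })
   .RequireAuthorization("ApiScope");

app.Run();
```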
