authorization - ASP.NET JSON Web Token "401 Unauthorized" -


i'm using decoupled resource , authentication servers. when json web token, check jwt.io , ok token format , it's secret.

request authorization header:

authorization: bearer token_here

response "401 unauthorized":

{   "message": "authorization has been denied request." }

here startup.cs resource server

using microsoft.owin; using microsoft.owin.cors; using microsoft.owin.security; using microsoft.owin.security.jwt; using newtonsoft.json.serialization; using owin; using system.web.http; using test.database; using test.infrastructure; using microsoft.windowsazure.serviceruntime;  [assembly: owinstartup(typeof(test.api.startup))] namespace custodesk.api {     public class startup     {         public void configuration(iappbuilder app)         {             app.createperowincontext(() =>                  applicationdbcontext.create(roleenvironment.getconfigurationsettingvalue("sqlconnectionstring")));             app.createperowincontext<applicationusermanager>(applicationusermanager.create);              globalconfiguration.configuration.suppressdefaulthostauthentication();              configureoauthtokenconsumption(app);              globalconfiguration.configure(config =>             {                 //global filters                 config.filters.add(new authorizeattribute());                  // web api routes                 config.maphttpattributeroutes();                 config.routes.maphttproute(                     name: "defaultapi",                     routetemplate: "{controller}/{action}/{id}",                     defaults: new { id = routeparameter.optional }                 );                  config.formatters.jsonformatter.serializersettings.contractresolver = new camelcasepropertynamescontractresolver();             });              app.usecors(corsoptions.allowall);              app.usewebapi(globalconfiguration.configuration);         }          private void configureoauthtokenconsumption(iappbuilder app)         {             var issuer = "http://localhost";             var audience = "universal_application";             var secret = helper.gethash("helper_class_to_get_the_same_hash_as_authentication_server");              // api controllers [authorize] attribute validated jwt             app.usejwtbearerauthentication(                 new jwtbearerauthenticationoptions                 {                     authenticationmode = authenticationmode.active,                     allowedaudiences = new[] { audience },                     issuersecuritytokenproviders = new iissuersecuritytokenprovider[]                     {                         new symmetrickeyissuersecuritytokenprovider(issuer, secret)                     }                 });          }     } }

here example of token decrypted:

{   "typ": "jwt",   "alg": "hs256" } {   "nameid": "b22a825e-60ce-45ed-b2cb-b2ee46a47936",   "unique_name": "begunini",   "role": [     "owner",     "admin",     "managerviewer"   ],   "iss": "http://localhost",   "aud": "universal_application",   "exp": 1454876502,   "nbf": 1454876202 }

i've checked secret , it's same on both sides (auth , resource servers). audience matches, issuer also. tried downgrade system.identitymodel.tokens.jwt version 3.0.2 no luck

i guess there problem in configuration order, nothing helped.

any ideas ?

tl;dr: have tried removing globalconfiguration.configuration.suppressdefaulthostauthentication()?

when using method, web api removes user principal created , added owin context host or middleware registered before web api (in case, jwt bearer middleware).

this method intended used hostauthenticationfilter or hostauthenticationattribute, directly invokes authentication middleware corresponding specified authentication type , persists resulting user principal in owin context.

since you're using suppressdefaulthostauthentication without hostauthenticationattribute, web api sees unauthenticated requests, , that's why rejected authorizeattribute.


Comments

Post a Comment

Popular posts from this blog

javascript - jQuery: Add class depending on URL in the best way -

i have html progress meter: <div class="col-md-3" style="margin-left: -20px;"> <div class="progress-pos active" id="progess-1"> <div class="progress-pos-inner"> login </div> </div> </div> <div class="col-md-3 progress-pos-container"> <div class="progress-pos" id="progess-2"> <div class="progress-pos-inner"> scan items </div> </div> </div> <div class="col-md-3 progress-pos-container"> <div class="progress-pos" id="progess-3"> <div class="progress-pos-inner"> confirm address </div> </div> </div> <div class="col-md-3 progress-pos-container"> <div class="progress-pos" id="progess-4"> <div class="progress-pos-in
Read more

caching - How to check if a url path exists in the service worker cache -

i need check if particular url path exists in service worker cache. example, suppose url is: /myserviceworker/service?a=110&b=70 this url exists in cache, there many of them different values of , b. now, suppose want refresh of these urls, how can that? i want know how access key values service worker cache. if know key, plan follows: var url = new url(key); if(url.pathname === "\/myserviceworker/service") refetch key but not sure how cache key , in format is. mean, string or url? cache api has match() method returns promise resolving in response object if match or undefined if no match exists. second parameter object can specify ignoresearch not take account url parameters. the ignoresearch option supported firefox ( chrome status here ). in other hand, retrieve cache entries, can use keys() method.
Read more

Redirect to a HTTPS version using .htaccess -

i need modify .htaccess file redirect urls https version without "www". http://example.com --> https://example.com http://www.example.com --> https://example.com https://www.example.com --> https://example.com this how .htaccess file looks like: rewriteengine on rewritecond %{request_filename} !-d rewritecond %{request_filename} !-f rewriterule ^(.*)$ redirect.php?id=$1&page=$2 [qsa,l] what modifications need make .htaccess in order forward https without "www"? it depends on doing current code. looks file called redirect trying display php page seo friendly url. think might confusing people. anyway, need , force https without www, need 1 more rule above. also second rule needs two capture groups in rewriterule test string because wanting 2 different values using $1 , $2 references. rewriteengine on #rediect www non www and/or http https --- combinations. rewritecond %{http_host} !^example\.com [nc,or] rewritecond %{https} !^
Read more