❔ .net Identity 401 => Roles/Claims available

Johnny (1/27/2023)
Hey, I keep getting a 401 with the following bearer token in Swagger (authorized):

Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1lIjoic3RyaW5nIiwianRpIjoiZDgxZTYzN2YtN2YyOS00YTJlLWFkMGQtMzUyYTNmMmM1MmNiIiwidXNlciI6WyJyZWFkIiwid3JpdGUiXSwiaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93cy8yMDA4LzA2L2lkZW50aXR5L2NsYWltcy9yb2xlIjpbIkFkbWluIiwiVXNlciJdLCJleHAiOjE2NzQ4MTc5OTYsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6MjQ5NC8iLCJhdWQiOiJodHRwOi8vbG9jYWxob3N0OjI0OTQvIn0.3Z-DOjNZpucRtz0VbfJtAPZkKtFYkRrsJIpkeMcc6fI


I have created a controller for the role "Admin" and a controller for the policy "user.read", but both return 401. Does anyone have an idea what the problem might be?
I am using a custom policy "creator" that creates a policy in the format "user.read" => user = ClaimType, read = ClaimValue
tebeco (1/27/2023)
ok, so the first thing to know about bearer tokens is that once you leak one ... you can be impersonated
tebeco (1/27/2023)
it's like leaking your temporary credentials, which are generally valid for 10 min
tebeco (1/27/2023)
you probably know that and are going to tell us "it's fine, it's only localhost" ... we cannot guess that, so I just wanted to make sure you're aware of it
Johnny (1/27/2023)
Yeah, I know that, but thanks anyway. It is good to remind someone of it.
tebeco (1/27/2023)
can you show all your code, especially the AddAuthorization part?
tebeco (1/27/2023)
that's where you're supposed to create the policy
give it a name
tebeco (1/27/2023)
and inside, add a requirement to find the claim type and match a value
tebeco (1/27/2023)
[image attachment]
tebeco (1/27/2023)
won't load on mobile for some reason
Johnny (1/27/2023)
Is the pastebin link working?
tebeco (1/27/2023)
yeah, I'm moving to PC
tebeco (1/27/2023)
will look in 10-15, got a call
Johnny (1/27/2023)
Thanks for your time
tebeco (1/27/2023)
it's missing the call to AddAuthorization, I think
tebeco (1/27/2023)
from Program.cs
Johnny (1/27/2023)
// Usings added so the file compiles on its own; ApplicationDbContext and the custom
// AuthorizationPolicyProvider live in the project's own namespaces (not shown in the thread).
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Net.Http.Headers;
using Microsoft.OpenApi.Models;

var builder = WebApplication.CreateBuilder(args);
ConfigurationManager configuration = builder.Configuration;

// EF Core on PostgreSQL (Npgsql) as the backing store for Identity
builder.Services.AddDbContext<ApplicationDbContext>(options =>
    options.UseNpgsql(configuration.GetConnectionString("ConnectionString")));

// For Identity
builder.Services.AddIdentity<IdentityUser, IdentityRole>()
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddDefaultTokenProviders();

// Adding Authentication: JWT bearer is the default scheme for authenticate, challenge and fallback
builder.Services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
// Adding Jwt Bearer: validate issuer, audience and the HMAC signature against the configured secret
.AddJwtBearer(options =>
{
    options.SaveToken = true;
    options.RequireHttpsMetadata = false; // allows plain-HTTP metadata; fine for localhost development only
    options.TokenValidationParameters = new TokenValidationParameters()
    {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidAudience = configuration["JWT:ValidAudience"],
        ValidIssuer = configuration["JWT:ValidIssuer"],
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configuration["JWT:Secret"]))
    };
});

// Custom policy provider that builds "claimType.claimValue" policies (e.g. "user.read") on demand
builder.Services.AddSingleton<IAuthorizationPolicyProvider, AuthorizationPolicyProvider>();
builder.Services.AddControllers();

// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen(x =>
    // Only a security definition is registered here. With no security requirement attached to
    // the operations, Swagger UI sends its requests without the Authorization header, which is
    // what the thread later identifies as the cause of the 401s.
    x.AddSecurityDefinition("token", new OpenApiSecurityScheme
    {
        Type = SecuritySchemeType.ApiKey,
        In = ParameterLocation.Header,
        Name = HeaderNames.Authorization,
        Scheme = "Bearer"
    })
);

var app = builder.Build();

if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI();
}
app.UseHttpsRedirection();
app.UseAuthentication(); // must precede UseAuthorization so the principal is populated first
app.UseAuthorization();
app.MapControllers();
app.Run();
Johnny (1/27/2023)
I have no clue why, but it seems that I have no claims for some reason
[image attachment]
Johnny (1/27/2023)
And I am not even authenticated
Johnny (1/27/2023)
Got it working
Johnny (1/27/2023)
Thanks for your time
Johnny (1/27/2023)
Just as information: it seems like Swagger wasn't properly configured by me
tebeco (1/27/2023)
sorry, the meeting is freaking long
tebeco (1/27/2023)
aaaa
tebeco (1/27/2023)
your issue was only in Swagger?
tebeco (1/27/2023)
but it was working on a normal API call?
tebeco (1/27/2023)
yeah, there's OpenApi and AuthScheme to configure so that Swagger exposes the auth info and forces a login
tebeco (1/27/2023)
seems easy to say now; I realize you could not have guessed that easily
tebeco (1/27/2023)
just a hint for next time
tebeco (1/27/2023)
when you're using Swagger, it shows you the curl request it's doing
tebeco (1/27/2023)
so you would have seen there that there was no -H Authorization ....
tebeco (1/27/2023)
so no bearer passed
tebeco (1/27/2023)
and thus an anonymous call
Accord (1/28/2023)
Was this issue resolved? If so, run /close - otherwise I will mark this as stale and this post will be archived until there is new activity.