AuthenticateAsync returns null when using IdentityServer4 authentication together with Forms Authentication #364

Open
@DumboJet

I have an old application using Forms Authentication and I am trying to add service-to-server authentication to it using Identity Server 4.
So, I have added some Owin/Katana setup code to it and I am using this code (from package IdentityServer3.AccessTokenValidation):

            app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
            {
                Authority = ConfigurationManager.AppSettings["IdentityServerUrl"],
                RequiredScopes = ConfigurationManager.AppSettings["IdentityServer.ClientAuthorizationScopes"]?.Split(' ', '\t')?.ToArray(),
                ClientId = ConfigurationManager.AppSettings["IdentityServer.ClientId"],
                ClientSecret = ConfigurationManager.AppSettings["IdentityServer.ClientSecret"],
                NameClaimType = "name",
                RoleClaimType = "role",
                //AuthenticationType = OpenIdConnectAuthenticationDefaults.AuthenticationType,
                ValidationMode = ValidationMode.Local,
                DelayLoadMetadata = true,
                AuthenticationType = "BearerIS",
            });

This does not work (I get no identity back), so I debugged the package code (IdentityServer3.AccessTokenValidation) and found out that it "fails" in this place:
image
The result returned on this active breakpoint is always null.
(The _options.AuthenticationType is Bearer here, from what I remember)
I have verified that the incoming request contains an access token that can be validated successfully by the introspection endpoint of IS4.

Could you maybe tell me what could be wrong here with AuthenticateAsync() and what I can do to make it work (not return null)?
I have tried to follow the code of this repository, but there are a lot of global variables at play (e.g. in the IOwinContext), and I have no idea where they come from...

Any hints are welcome.
If this doesn't work, I am thinking of using an HttpModule that calls the introspection endpoint of IS4, to validate the token and set the Identity. But this is custom security code, so it might be good to avoid it...
