openiddict-core: Resource server requests result in 403 (insufficient_access)
Confirm you’ve already contributed to this project or that you sponsor it
- I confirm I’m a sponsor or a contributor
Version
3.x
Question
Hello, first off thanks for making this amazing library. I’m running into an issue where my resource server is constantly giving back errors saying insufficient_access.
I get the following log (enabled trace logging):
info: Microsoft.EntityFrameworkCore.Database.Command[20101]
Executed DbCommand (2ms) [Parameters=[@__identifier_0='?' (Size = 4000)], CommandType='Text', CommandTimeout='30']
SELECT TOP(1) [c].[Id], [c].[Name], [c].[TenantIdentifier]
FROM [CRM_Company] AS [c]
WHERE [c].[TenantIdentifier] = @__identifier_0
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessRequestContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+InferIssuerFromHost.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ExtractAccessTokenFromAuthorizationHeader.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ExtractAccessTokenFromBodyForm.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ExtractAccessTokenFromQueryString.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+ValidateToken.
trce: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
The ASP.NET Core Data Protection token 'CfDJ8OpP9CaZdrhJkH68OTXlDjysdPNz2QHn-sGvfq4CWi8XFygCCaOPUO3an6nR0e5hRgQNglVRf1XDM8WenPn3PlSGu97v3ecOjBXT3O8nU7dRn9WWu18yshJEuflKgGwM9zNpyy7KETAxGSGmhWQl7N103HV47KulgAZavtNvS12m6WfLzCJrfe3N0cuWamr6nKKR6MNSv3g1da4Kxo53EtT2UeKUaCl_I21K-KsOnFwubWpfKzuCELkF4LaM_1qDFObvKKRb3Itl2o8FlDeTJmlEPoBA0G3chi_XuC8L2HjahqkY_mcLHGY15OWfeYuQdDbV9DnpCKscg8Bufj56_lszn2KNHzabkldZIE5lVMC318Vx7-_S5L_nLwv0J69mVkQzmvjX9Sr8oT8YrFNpu6b7IZV9Jd5AeyI6CcyXniGovv14nLA2u6-qYqtsrZCkgx-MJ1hgjrg83ykDTknaxg09bpcZUOBTQusW9JLhcEd0cyyGgykMsSFE271sYoHS1FkPFy8XL_NuFzqMwwwadePE14Fu6WUpUEr_RltsZB-2BSXUohq4fVF2KF8DMgbMSjslBoAQbf8bUvYK-eFKhTaObhATNh7sGf9N6JklwcWaEAq8uKSlVbn25iPRfkrieEU6kecwbMT5uwt94njWYS04-LNzU4WJ9LT9ZfeMWzt9D1Qs5b9p95oY5mBdcobn1LPu_qAjOng3qmwfjJNBpqE' was successfully validated and the following claims could be extracted: sub: 5, email: thom.vandenakker@outlook.com, name: Admin, role: Admin, client_id: mobile-app, oi_prst: mobile-app, oi_scp: openid, oi_scp: profile, oi_scp: email, oi_scp: roles, oi_scp: offline_access, oi_scp: mobile.access, oi_au_id: 874, oi_crt_dt: Thu, 04 Aug 2022 18:15:34 GMT, oi_exp_dt: Thu, 04 Aug 2022 18:18:34 GMT, oi_tkn_id: 857, oi_tkn_typ: access_token.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.DataProtection.OpenIddictValidationDataProtectionHandlers+ValidateDataProtectionToken.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+IntrospectToken.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+NormalizeScopeClaims.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+MapInternalClaims.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+ValidatePrincipal.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+ValidateExpirationDate.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+ValidateAudience.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessChallengeContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+AttachHostChallengeError.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessChallengeContext was successfully processed by OpenIddict.Validation.OpenIddictValidationHandlers+AttachDefaultChallengeError.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessChallengeContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+AttachHttpResponseCode`1[[OpenIddict.Validation.OpenIddictValidationEvents+ProcessChallengeContext, OpenIddict.Validation, Version=3.1.1.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessChallengeContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+AttachCacheControlHeader`1[[OpenIddict.Validation.OpenIddictValidationEvents+ProcessChallengeContext, OpenIddict.Validation, Version=3.1.1.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessChallengeContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+AttachWwwAuthenticateHeader`1[[OpenIddict.Validation.OpenIddictValidationEvents+ProcessChallengeContext, OpenIddict.Validation, Version=3.1.1.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
info: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
The response was successfully returned as a challenge response: {
"error": "insufficient_access",
"error_description": "The user represented by the token is not allowed to perform the requested action.",
"error_uri": "https://documentation.openiddict.com/errors/ID2095"
}.
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessChallengeContext was successfully processed by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ProcessChallengeErrorResponse`1[[OpenIddict.Validation.OpenIddictValidationEvents+ProcessChallengeContext, OpenIddict.Validation, Version=3.1.1.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
dbug: OpenIddict.Validation.OpenIddictValidationDispatcher[0]
The event OpenIddict.Validation.OpenIddictValidationEvents+ProcessChallengeContext was marked as handled by OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandlers+ProcessChallengeErrorResponse`1[[OpenIddict.Validation.OpenIddictValidationEvents+ProcessChallengeContext, OpenIddict.Validation, Version=3.1.1.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
info: OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandler[13]
AuthenticationScheme: OpenIddict.Validation.AspNetCore was forbidden.
I find this strange because I debugged my authorization policies and the conditions seem to be correct (at least the scope assertion does). I don’t know where this error comes from but it seems to be something that OpenIddict throws (because of the error format).
I’m using the following configuration for:
- Authorization server: https://gist.github.com/Thodor12/eab711b9e2d5cfbc96616a1e31911945
- Resource server: https://gist.github.com/Thodor12/0a4bd83157d3470590e61e0989c56b67
- Authorization endpoint: https://gist.github.com/Thodor12/d6d65143e9b19335668525c2b2142ece
I have populated my scopes through code, not in the database. My endpoints use the Authorize attribute like so: [Authorize(Policy = nameof(Scope.Customers))].
I also have a small middleware to unpack the scopes (so that mobile.access is transformed into mobile.access, customers, etc.; mobile.access is a combination of other scopes).
Let me know if you need any more info or see something out of the ordinary, I’m a bit stumped on the problem.
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Comments: 39 (18 by maintainers)
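The setup the question describes (OpenIddict validation on the resource server, one authorization policy per scope, and a composite scope such as mobile.access that stands for several fine-grained scopes), written out as an added example. This is not code from the issue, the linked gists or the OpenIddict project. The Scope enum, the composite-scope table, the issuer and audience values and the /customers endpoint are assumptions made for illustration; the policy naming mirrors the question's `[Authorize(Policy = nameof(Scope.Customers))]`. The example expands composite scopes inside the policy assertion, reading the scopes OpenIddict attached to the principal through `GetScopes()`, rather than rewriting the principal in a separate middleware, so the check does not depend on where that middleware sits relative to `UseAuthentication()`. It does not claim to be the fix for the issue above.

```csharp
// Added example, not code from the issue or the gists. Assumes a .NET 6 web
// project (implicit usings) referencing OpenIddict.Validation.AspNetCore,
// OpenIddict.Validation.DataProtection and OpenIddict.Validation.SystemNetHttp.
using System.Security.Claims;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using OpenIddict.Abstractions;
using OpenIddict.Validation.AspNetCore;
using static OpenIddict.Abstractions.OpenIddictConstants;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddOpenIddict()
    .AddValidation(options =>
    {
        // Assumed issuer of the authorization server that minted the tokens.
        options.SetIssuer("https://localhost:5001/");
        // Assumed audience; ValidateAudience rejects tokens that do not carry it.
        options.AddAudiences("resource_server");

        // The log shows Data Protection tokens (CfDJ8...), so the resource server
        // must share the authorization server's Data Protection key ring and
        // application name; that wiring is outside this example.
        options.UseDataProtection();
        options.UseSystemNetHttp();
        options.UseAspNetCore();
    });

builder.Services.AddAuthentication(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme);

builder.Services.AddAuthorization(options =>
{
    // One policy per scope, named exactly as [Authorize(Policy = nameof(Scope.X))] expects.
    foreach (var name in Enum.GetNames<Scope>())
    {
        var scope = name.ToLowerInvariant(); // assumed: scope strings are lowercase
        options.AddPolicy(name, policy => policy
            .AddAuthenticationSchemes(OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme)
            .RequireAuthenticatedUser()
            .RequireAssertion(context => ScopePolicy.Grants(context.User, scope)));
    }
});

var app = builder.Build();

app.UseAuthentication();
// A failed RequireAssertion forbids the request; the OpenIddict handler turns that
// Forbid into the insufficient_access (ID2095) challenge seen in the log above.
app.UseAuthorization();

// Assumed endpoint; returns the subject and the scopes the token actually carries.
app.MapGet("/customers", (ClaimsPrincipal user) =>
        Results.Ok(new { subject = user.GetClaim(Claims.Subject), scopes = user.GetScopes() }))
   .RequireAuthorization(nameof(Scope.Customers));

app.Run();

// Assumed scope catalogue; policy names are derived from these member names.
enum Scope { Customers, Orders }

static class ScopePolicy
{
    // Assumed composite scope: "mobile.access" stands for several fine-grained
    // scopes. This table is an authorization decision and must agree with what
    // the authorization server means by the composite scope.
    private static readonly IReadOnlyDictionary<string, string[]> Composite =
        new Dictionary<string, string[]>(StringComparer.Ordinal)
        {
            ["mobile.access"] = new[] { "customers", "orders" },
        };

    // Expands composite scopes while keeping the originals, without duplicates.
    public static IEnumerable<string> Expand(IEnumerable<string> scopes) =>
        scopes.SelectMany(s => Composite.TryGetValue(s, out var children)
                                   ? children.Prepend(s)
                                   : new[] { s })
              .Distinct(StringComparer.Ordinal);

    // True when the token's oi_scp claims (read via GetScopes()) grant `required`,
    // either directly or through a composite scope.
    public static bool Grants(ClaimsPrincipal principal, string required) =>
        Expand(principal.GetScopes()).Contains(required, StringComparer.Ordinal);
}
```

With this layout the trace line "claims could be extracted: ... oi_scp: mobile.access" is enough to satisfy `nameof(Scope.Customers)`, because the expansion happens when the policy runs, after OpenIddict has populated the principal. Keeping the composite table on the resource server means the resource server, not the authorization server, decides what mobile.access unlocks; if the two disagree, the token grants more or less than intended, so the table should be reviewed like any other access-control rule.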
Alright, good to know, saves me the trouble of having to throw that certificate around to multiple runtimes, haha. Thanks so much for your help, I’ll close this now.