asp.net-mvcoauthoauth-2.0openid-connectidentityserver3

Identity Server 3 - The client application is not known or is not authorized


I am getting the error 'The client application is not known or is not authorized.' when accessing a protected area of my site.

Here's my Clients:

public static class Clients
{
    public static IEnumerable<Client> Get()
    {
        return new[]
        {
            new Client
            {
                Enabled = true,
                ClientName = "Web Application",
                ClientId = "webapplication",
                Flow = Flows.AuthorizationCode,

                ClientSecrets = new List<Secret>
                {
                    new Secret("webappsecret".Sha256())
                },

                RedirectUris = new List<string>
                {
                    UrlManager.WebApplication
                },
                PostLogoutRedirectUris = new List<string>
                {
                    UrlManager.WebApplication
                },

                AllowedScopes = new List<string>
                {
                    Constants.StandardScopes.OpenId,
                    Constants.StandardScopes.Profile,
                    Constants.StandardScopes.Email,
                    Constants.StandardScopes.Roles,
                    Constants.StandardScopes.OfflineAccess,
                    "read",
                    "write"
                }
            }
        };
    }
}

Here's my web application startup:

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies"
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = UrlManager.AuthenticationService + "identity",

            ClientId = "webapplication",
            Scope = "openid profile",
            ResponseType = "code id_token",
            RedirectUri = UrlManager.WebApplication,

            SignInAsAuthenticationType = "Cookies"
        });
    }
}

This is my authentication service (where IDS3 is installed) startup:

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.Map("/identity", idsrvApp =>
        {
            idsrvApp.UseIdentityServer(new IdentityServerOptions
            {
                SiteName = "Authentication Service - Embedded IdentityServer",
                SigningCertificate = Certificate.LoadCertificate(),

                Factory = new IdentityServerServiceFactory()
                            .UseInMemoryUsers(Users.Get())
                            .UseInMemoryClients(Clients.Get())
                            .UseInMemoryScopes(Scopes.Get())
            });
        });
    }
}

This is UrlManager:

public static class UrlManager
{
    public static string WebApplication
    {
        get { return "https://localhost:44381/"; }
    }

    public static string AuthenticationService
    {
        get { return "https://localhost:44329/"; }
    }
}

This is my Home Controller:

public class HomeController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    [Authorize]
    public ActionResult Private()
    {
        return View((User as ClaimsPrincipal).Claims);
    }
}

When I access Private I get an Identity Server 3 screen that gives me the error message 'The client application is not known or is not authorized.'.

I have read that this can come from mis-matches in the redirect URIs but as far as I can see mine are correct. I don't know what else can cause it. The application works perfectly if I change the flow to implicit but I want to implement AuthorizationCode flow.

The documentation does not seem to shed any light on this either.


Solution

  • The Client was configured for Authorization Code flow

    Flow = Flows.AuthorizationCode

    But the response type in the startup is set to hybrid flow.

    ResponseType = "code id_token"

    Try changing this to

    ResponseType = "code" (or Change the Flow type to Hybrid)

    Below is the list of ResponseType and corresponding Flowenter image description here