Identity Server 3 - The client application is not known or is not authorized
I am getting the error 'The client application is not known or is not authorized.' when accessing a protected area of my site.

Here's my Clients:

public static class Clients
{
    public static IEnumerable<Client> Get()
    {
        return new[]
        {
            new Client
            {
                Enabled = true,
                ClientName = "Web Application",
                ClientId = "webapplication",
                Flow = Flows.AuthorizationCode,

                ClientSecrets = new List<Secret>
                {
                    new Secret("webappsecret".Sha256())
                },

                RedirectUris = new List<string>
                {
                    UrlManager.WebApplication
                },
                PostLogoutRedirectUris = new List<string>
                {
                    UrlManager.WebApplication
                },

                AllowedScopes = new List<string>
                {
                    Constants.StandardScopes.OpenId,
                    Constants.StandardScopes.Profile,
                    Constants.StandardScopes.Email,
                    Constants.StandardScopes.Roles,
                    Constants.StandardScopes.OfflineAccess,
                    "read",
                    "write"
                }
            }
        };
    }
}

Here's my web application startup:

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies"
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = UrlManager.AuthenticationService + "identity",

            ClientId = "webapplication",
            Scope = "openid profile",
            ResponseType = "code id_token",
            RedirectUri = UrlManager.WebApplication,

            SignInAsAuthenticationType = "Cookies"
        });
    }
}

This is my authentication service (where IDS3 is installed) startup:

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.Map("/identity", idsrvApp =>
        {
            idsrvApp.UseIdentityServer(new IdentityServerOptions
            {
                SiteName = "Authentication Service - Embedded IdentityServer",
                SigningCertificate = Certificate.LoadCertificate(),

                Factory = new IdentityServerServiceFactory()
                            .UseInMemoryUsers(Users.Get())
                            .UseInMemoryClients(Clients.Get())
                            .UseInMemoryScopes(Scopes.Get())
            });
        });
    }
}

This is UrlManager:

public static class UrlManager
{
    public static string WebApplication
    {
        get { return "https://localhost:44381/"; }
    }

    public static string AuthenticationService
    {
        get { return "https://localhost:44329/"; }
    }
}

This is my Home Controller:

public class HomeController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    [Authorize]
    public ActionResult Private()
    {
        return View((User as ClaimsPrincipal).Claims);
    }
}

When I access Private I get an Identity Server 3 screen that gives me the error message 'The client application is not known or is not authorized.'.

I have read that this can come from mis-matches in the redirect URIs but as far as I can see mine are correct. I don't know what else can cause it. The application works perfectly if I change the flow to implicit but I want to implement AuthorizationCode flow.

The documentation does not seem to shed any light on this either.

Housewifely answered 6/6, 2016 at 15:31 Comment(0)
14

The Client was configured for Authorization Code flow

Flow = Flows.AuthorizationCode

But the response type in the startup is set to hybrid flow.

ResponseType = "code id_token"

Try changing this to

ResponseType = "code" (or Change the Flow type to Hybrid)

Below is the list of ResponseType and corresponding Flow:

[image: table of ResponseType values and corresponding flows]

Sylvanite answered 7/6, 2016 at 4:6 Comment(3)
Thank you. Where did you find that flow chart? - Shipley
@Shipley - From the OIDC spec -> openid.net/specs/openid-connect-core-1_0.html#Authentication - Sylvanite
What about Authorization Code with PKCE? I can't seem to get that to work. - Adamsun
6

I got this error, and the problem was that the RedirectUri in the Authorization server was http://localhost:56840/ and in the Web App was http://localhost:56840. Note the missing "/" at the end of the URL.

Ratchford answered 14/1, 2017 at 18:4 Comment(1)
I'd be interested in how you rectified this, if it was the actual fault. cheers - Provence
1

This could also happen if your ClientUri domain name doesn't match with your ClientRedirectUri domain name.

See that I had this problem because of missing "www." in the client redirect uri.

Problem - ClientRedirectUri doesn't have "www." in it:

ClientUri: https://www.mydomainname.co.uk

ClientRedirectUri: https://mydomainname.co.uk/umbraco/surface/UmbracoIdentityAccount/ExternalLoginCallback

Solution - ClientRedirectUri has "www." in it, just like the ClientUri does:

ClientUri: https://www.mydomainname.co.uk

ClientRedirectUri: https://www.mydomainname.co.uk/umbraco/surface/UmbracoIdentityAccount/ExternalLoginCallback

Loesceke answered 18/5, 2021 at 16:53 Comment(0)
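
The two causes raised in the answers above (a response_type that belongs to a different flow than the one the client is registered for, and a redirect URI that differs by a trailing "/" or "www.") can be checked before a request is ever sent. The following is an added example, not code from the original posts or from IdentityServer3: the types `Flow`, `RegisteredClient` and `AuthorizeRequestCheck` are hypothetical stand-ins, the response_type table follows OpenID Connect Core 1.0 section 3, and exact string comparison of redirect URIs is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Stand-alone illustration types; these are not IdentityServer3's classes.
enum Flow { AuthorizationCode, Implicit, Hybrid }

class RegisteredClient
{
    public Flow Flow;
    public List<string> RedirectUris = new List<string>();
}

static class AuthorizeRequestCheck
{
    // response_type -> flow, per OpenID Connect Core 1.0, section 3 (keys in sorted order).
    static readonly Dictionary<string, Flow> FlowFor = new Dictionary<string, Flow>
    {
        { "code", Flow.AuthorizationCode },
        { "id_token", Flow.Implicit }, { "id_token token", Flow.Implicit },
        { "code id_token", Flow.Hybrid }, { "code token", Flow.Hybrid },
        { "code id_token token", Flow.Hybrid }
    };

    public static string Explain(RegisteredClient client, string responseType, string redirectUri)
    {
        // The order of the space-separated values is not significant, so sort before lookup.
        var key = string.Join(" ", responseType.Split(' ').Where(t => t != "").OrderBy(t => t, StringComparer.Ordinal));
        Flow requested;
        if (!FlowFor.TryGetValue(key, out requested))
            return "unknown response_type '" + responseType + "'";
        if (requested != client.Flow)
            return "response_type '" + key + "' means " + requested + " flow, but the client is registered for " + client.Flow;
        // Assumption: redirect URIs are compared as exact strings, so "/" and "www." matter.
        if (!client.RedirectUris.Contains(redirectUri))
            return "redirect_uri '" + redirectUri + "' is not registered; registered: " + string.Join(", ", client.RedirectUris);
        return "ok";
    }

    static void Main()
    {
        // Constructed from the question's configuration.
        var client = new RegisteredClient { Flow = Flow.AuthorizationCode };
        client.RedirectUris.Add("https://localhost:44381/");

        Console.WriteLine(Explain(client, "code id_token", "https://localhost:44381/")); // the question's request
        Console.WriteLine(Explain(client, "code", "https://localhost:44381"));           // no trailing slash
        Console.WriteLine(Explain(client, "code", "https://localhost:44381/"));          // matching request
    }
}
```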
