I have an IdentityServer4 server setup and have defined a single client as such:
public static IEnumerable<Client> Get()
return new List<Client> {
new Client {
ClientId = "oauthClient",
ClientName = "Example Client Credentials Client Application",
AllowedGrantTypes = GrantTypes.ClientCredentials,
ClientSecrets = new List<Secret> {
new Secret("superSecretPassword".Sha256())},
AllowedScopes = {
Claims = new List<System.Security.Claims.Claim>
new System.Security.Claims.Claim("CEO","true"),
new System.Security.Claims.Claim(ClaimTypes.Role, "CC.Send"),
new System.Security.Claims.Claim(ClaimTypes.Role, "CEO")
RedirectUris = new List<string> {"https://localhost:44345/signin-oidc", ""},
PostLogoutRedirectUris = new List<string> {"https://localhost:44345"}
I am using postman to test this and I can get a Token at the /connect/token endpoint, but when I pass that token into the /connect/introspect endpoint it is returning:
"nbf": 1505422619,
"exp": 1505426219,
"iss": "https://localhost:44357",
"aud": [
"client_id": "oauthClient",
"client_CEO": "true",
"client_": [
"scope": "CC.Send",
"active": true
This was causing me trouble as I had secured my endpoint with:
services.AddAuthorization(options =>
policyBuilder => policyBuilder.RequireClaim("CEO", "true"));
and due to the CEO <> client_CEO, it was returning an error 403. I can get around this pretty simply by looking for client_CEO but I would prefer to understand how client_ is being prepended to my claim.

These get automatically prefixed by IdentityServer4, but you can turn off the prefixing with the PrefixClientClaims = false (boolean property on the Client).
Here is the source code from the DefaultClaimService in IdentityServer4:
if (request.Client.PrefixClientClaims)
claimType = "client_" + claimType;
From IdentityServer4 v.2 and above, property bool PrefixClientClaims was replaced by property string ClientClaimsPrefix which allows you to configure the prefix of your choice.
if (request.Client.ClientClaimsPrefix.IsPresent())
claimType = request.Client.ClientClaimsPrefix + claimType;


Integrate Google OpenID with Swagger in .NET 6

I want to authenticate in my application using Google OpenID. I added authentication in Swagger, but after successfully redirection, login and redirection back to my Swagger, requests are only send access_token in header, but not id_token which is supposed to include e.g. user email (I used scope). Is there an option to get this id_token to correctly authenticate in .NET app? I'm using implicit flow right now. There is my Swagger configuration:
services.AddSwaggerGen(c =>
c.AddSecurityRequirement(new OpenApiSecurityRequirement() {
new OpenApiSecurityScheme {
Reference = new OpenApiReference {
Type = ReferenceType.SecurityScheme,
Id = "oauth2"
Scheme = "oauth2",
Name = "authorization",
In = ParameterLocation.Header
new List <string> ()
c.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
Type = SecuritySchemeType.OAuth2,
Flows = new OpenApiOAuthFlows
Implicit= new OpenApiOAuthFlow
AuthorizationUrl = new Uri($""),
TokenUrl = new Uri($""),
Scopes = new Dictionary<string, string>
"Get email"
The request looks following:
Request with access_token
I read that there is a possibility to change default authorization parameter in Swagger. So after adding following configuration:
Extensions = new Dictionary<string, IOpenApiExtension>
"x-tokenName", new OpenApiString("id_token")
result was still inappropriate:
Request with id_token

Swagger OAuth, how to send bearer token in a different header than "Authorization"

I have an API with authorization code flow authentication and I have configured swagger to use that as a security definition and it works fine.
Now I need swagger to send the bearer token in a different header as well, besides "Authorization", e.g. "X-Forwarded-Authorization". Is there a way to do that?
My current security configuration:
"oauth2", new OpenApiSecurityScheme
Type = SecuritySchemeType.OAuth2,
Flows = new OpenApiOAuthFlows
AuthorizationCode = new OpenApiOAuthFlow
AuthorizationUrl = new Uri("..."),
TokenUrl = new Uri("..."),
Scopes = { }
You can configure swagger when adding service collection like this;
services.AddSwaggerGen(options =>
//...other configurations
options.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
In = ParameterLocation.Header,
Description = "Please insert JWT with Bearer into field!",
Name = "X-Forwarded-Authorization",
Type = SecuritySchemeType.ApiKey
options.AddSecurityRequirement(new OpenApiSecurityRequirement
new OpenApiSecurityScheme
Reference = new OpenApiReference
Type = ReferenceType.SecurityScheme,
Id = "Bearer"
}, Array.Empty<string>()
//...other configurations

Firebase google auth in Swagger (Swashbuckle.AspNetCore)

Trying to implement firebase google authentication in the swagger
onboard: core 5, Swashbuckle.AspNetCore 6.3.1,
In fairbase console > authentication > Sign-in method > authentication via google is enabled
On ServiceConfigure method:
services.AddSwaggerGen(c =>
c.SwaggerDoc("v1", new OpenApiInfo { Title = "MyApi", Version = "v1" });
c.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
Type = SecuritySchemeType.OAuth2,
Flows = new OpenApiOAuthFlows
//email and password authentication - works fine
Password = new OpenApiOAuthFlow
TokenUrl = new Uri("/api/v1/auth/password", UriKind.Relative), //here my backend endpoint
Extensions = new Dictionary<string, IOpenApiExtension>
{ "returnSecureToken", new OpenApiBoolean(true) },
//try add google auth - troble here
Implicit = new OpenApiOAuthFlow()
//Not sure about the endpoints. Its not work with 404 err
AuthorizationUrl = new Uri(""),
TokenUrl = new Uri(""),
Scopes = new Dictionary<string, string>
{ "profile", "profile" },
class filter:
public class AuthorizeCheckOperationFilter : IOperationFilter
public void Apply(OpenApiOperation operation, OperationFilterContext context)
var requiredScopes = context.MethodInfo.DeclaringType.GetCustomAttributes(true)
.Select(attr => attr.Policy)
if (requiredScopes.Any())
var oAuthScheme = new OpenApiSecurityScheme
Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "oauth2" }
operation.Security = new List<OpenApiSecurityRequirement>
new OpenApiSecurityRequirement
[ oAuthScheme ] = requiredScopes.ToList()
in Configure method:
app.UseSwaggerUI(c => c.SwaggerEndpoint("/swagger/v1/swagger.json", "MyApi v1");
What endpoints for AuthorizationUrl / TokenUrl should call?
Any additinal options for swagger?
I`m new in Firebase. M.b. need aditional adjustments in firebase console?
I would be very appreciate for a code sample.
I found a good repo for you. This simple is .NET 5 WebApi project base with the following features implemented:
Swagger with Firebase login
Serilog Logging to Amazon CloudWatch
Encrypted fields in AppSettings
Soft Delete and Audit Columns
Multitenancy support
Data Seeding
code sample:clean-base-api

Blazor IdentityServer Authenthentication

Currently I have three separate servers. Client on :5001, API on :5002 and IdentityServer on :5003. I can athenticate my Blazor pages using #attribute [Authorize] but when I call the API I get a 401 error. If I past the token_id into postman and make a request to the API server it authenticates. If I make a request from my Blazor client it fails. I have whitelisted CORS to rule out that being the issue. If I remove the Audience check on the api with:
options.TokenValidationParameters = new TokenValidationParameters
ValidateAudience = false
It works
Client program.cs
.AddHttpMessageHandler(sp =>
var handler = sp.GetService<AuthorizationMessageHandler>()
authorizedUrls: new[] { "https://localhost:5002" },
scopes: new[] { "coredesk" });
return handler;
sp => sp.GetService<IHttpClientFactory>().CreateClient("api"));
builder.Services.AddOidcAuthentication(options =>
builder.Configuration.Bind("oidc", options.ProviderOptions);
Client appsettings.json
"oidc": {
"Authority": "https://localhost:5003/",
"ClientId": "coredesk",
"DefaultScopes": [
"PostLogoutRedirectUri": "/",
"ResponseType": "code"
API Startup.cs
.AddJwtBearer(options =>
options.Authority = "https://localhost:5003";
options.Audience = "coredesk";
IdentityServer Config.cs
public static IEnumerable<IdentityResource> IdentityResources =>
new IdentityResource[]
new IdentityResources.OpenId(),
new IdentityResources.Profile(),
public static IEnumerable<ApiResource> Apis =>
new ApiResource[]
new ApiResource("coredesk", "CoreDesk API")
public static IEnumerable<ApiScope> ApiScopes =>
new ApiScope[]
new ApiScope("coredesk"),
public static IEnumerable<Client> Clients =>
new Client[]
new Client
ClientId = "coredesk",
AllowedGrantTypes = GrantTypes.Code,
RequirePkce = true,
RequireClientSecret = false,
AllowedCorsOrigins = { "https://localhost:5001", "https://localhost:5002" },
AllowedScopes = { "openid", "profile", "coredesk" },
RedirectUris = { "https://localhost:5001/authentication/login-callback" },
PostLogoutRedirectUris = { "https://localhost:5001/" },
Enabled = true
if you look at the source code for AddJwtBearer you find this part:
// If no authorization header found, nothing to process further
if (string.IsNullOrEmpty(authorization))
return AuthenticateResult.NoResult();
if (authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
token = authorization.Substring("Bearer ".Length).Trim();
// If no token found, no further work possible
if (string.IsNullOrEmpty(token))
return AuthenticateResult.NoResult();
this shows that by default (without customization) it requires the token to be provided in the Authorization header, like this:
GET /api/payments HTTP/1.1
Host: localhost:7001
Authorization: Bearer eyJhbGciOiJSUzI1NiIsIYwA...
to further debug, I would remove the authorize attribute and then put a breakpoint in one of the action method and examine what the ClaimsPrincipal user object contains.

'Invalid token' when using webapi thru Swagger authenticated by Azure AD

I try to use AAD authentification on my WebApi (dotnet core 3.1) from swagger (Swashbuckle) client.
In my Startup class, I've configured like follow:
// Configure authentication
.AddAzureADBearer(options => Configuration.Bind("AzureAd", options));
my settings for AzureAd:
"AzureAd": {
"Instance": "",
"ClientId": "xxxx-xxxxx1b",
"Domain": "",
"TenantId": "xxxxx-xxxxa5",
"Scope": "api://xxxxxxxx-abc3cff48f1b/Full.Access",
"ScopeDescription": "Full Access"
services.AddSwaggerGen(c =>
c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme()
Type = SecuritySchemeType.OAuth2,
In = ParameterLocation.Header,
Flows = new OpenApiOAuthFlows()
Implicit = new OpenApiOAuthFlow
TokenUrl = new Uri($"Configuration["AzureAd:Instance"]}/{Configuration["AzureAd:TenantId"]}/oauth2/v2.0/token"),
AuthorizationUrl = new Uri($"{Configuration["AzureAd:Instance"]}/{Configuration["AzureAd:TenantId"]}/oauth2/v2.0/authorize"),
Scopes =
c.AddSecurityRequirement(new OpenApiSecurityRequirement
new OpenApiSecurityScheme
Reference = new OpenApiReference
Type = ReferenceType.SecurityScheme,
Id = "Bearer"
And in my Configure method:
app.UseSwaggerUI(c =>
c.RoutePrefix = string.Empty;
c.SwaggerEndpoint($"/swagger/{ApiVersion}/swagger.json", ApiName);
c.OAuthScopeSeparator(" ");
Swagger corectly log to AAD using my credential and when I use a route protected by [Authorize] the token is correcly sent to the API by I receive a 401 error with the following message:
www-authenticate: Bearer error="invalid_token"error_description="The issuer '{tenantid}/v2.0' is invalid"
The url{tenantid}/v2.0 is in the token in the iss section.
What is wrong?
According to your error and your code, you do not tell your application the ValidIssuer. So you get the error. Please add the following code in the method ConfigureServices of startup.cs file
services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme, options =>
options.TokenValidationParameters = new TokenValidationParameters
ValidIssuers = new[] {
For example
Configure Azure AD for your web API. For more details, please refer to the document
a. Create Azure AD web api application
b. Expose API
c. Configure code
config file
"AzureAd": {
"Instance": "",
"ClientId": "[Client_id-of-web-api-eg-2ec40e65-ba09-4853-bcde-bcb60029e596]",
"TenantId": "<your tenant id>"
Add following code in the Stratup.cs
.AddAzureADBearer(options => Configuration.Bind("AzureAd", options));
services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme, options =>
options.Authority += "/v2.0";
options.TokenValidationParameters = new TokenValidationParameters
* with the single-tenant application, you can configure your issuers
* with the multiple-tenant application, please set ValidateIssuer as false to disable issuer validation
ValidIssuers = new[] {
ValidAudiences = new[]
Configure swagger. For more details, please refer to the blog.
a. Create Azure Web application
b. Configure API permissions. Regarding how to configure, you can refer to the document
c. code
Install SDK
<PackageReference Include="Swashbuckle.AspNetCore" Version="5.5.1" />
config file
"Swagger": {
"ClientId": ""
Add the following code to Startup.cs in the ConfigureServices method:
services.AddSwaggerGen(o =>
// Setup our document's basic info
o.SwaggerDoc("v1", new OpenApiInfo
Title = "Protected Api",
Version = "1.0"
// Define that the API requires OAuth 2 tokens
o.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme
Type = SecuritySchemeType.OAuth2,
Flows = new OpenApiOAuthFlows
Implicit = new OpenApiOAuthFlow
Scopes = new Dictionary<string, string>
{ "api://872ebcec-c24a-4399-835a-201cdaf7d68b/user_impersonation","allow user to access api"}
AuthorizationUrl = new Uri($"{Configuration["AzureAD:TenantId"]}/oauth2/v2.0/authorize"),
TokenUrl = new Uri($"{Configuration["AzureAD:TenantId"]}/oauth2/v2.0/token")
o.AddSecurityRequirement(new OpenApiSecurityRequirement{
new OpenApiSecurityScheme{
Reference = new OpenApiReference{
Id = "oauth2",
Type = ReferenceType.SecurityScheme
},new List<string>()
Add the following code to the Configure method:
app.UseSwaggerUI(c =>
c.OAuthScopeSeparator(" ");
c.OAuthAppName("Protected Api");
c.SwaggerEndpoint("/swagger/v1/swagger.json", "My API V1");
