I'm trying to access the OpenID userinfo endpoint for a user on ADFS (not hybrid), with the following request using the WebClient API:

// accessToken variable contains the access token data
WebClient webClient = new WebClient();
// Token is appended to the query string here (this is the request that fails)
string userInfoURL = "https://[base-server-url]/userinfo?" + accessToken;
Uri userInfoUri = new Uri(userInfoURL);
byte[] userInfoBytes = webClient.DownloadData(userInfoUri);
string response = Encoding.UTF8.GetString(userInfoBytes);

I have successfully created a new Application Group with a Server Application as well as a Web API and the OpenID Connect protocol. The client permission is checked with the openid option. The Relying Party identifier is the same GUID as the Client ID of the Server Application.

I have included {"scope", "openid"} during the access token request. I am not looking for custom token details, but only details from the openid scope. As per my research only the 'sub' value is accessible in this request. I would like to proceed with that.

As far as the access token and the OAuth authentication process are concerned, there is no issue with the access token and related procedures. But the userinfo endpoint access fails.


What I have tried:

The response fails with '401' Unauthorized error.

Event logs from the ADFS server are listed below:

(1)Received request with following properties:

Date: 2020-07-16 09:48:38
Remote endpoint: remote-ip (Not disclosing details)
Local endpoint: local-ip (Not disclosing details)
Http method: GET
Request Url: /adfs/userinfo
Query string: ?access_token=eyJ0eXAiOi....(Not disclosing details)
Local Port: 443
User agent string: -
Body data length: 0
Caller Identity: -
Certificate Identity: -
Relying Party: -
Through proxy: False
Proxy name: -
Serialized Header: {"Host":"[host-name (Not disclosing details)]","X-MS-Endpoint-Absolute-Path":"/adfs/userinfo"}

(2)Following request context headers present:

X-MS-Client-Application: -
X-MS-Client-User-Agent: -
client-request-id: -
X-MS-Endpoint-Absolute-Path: /adfs/userinfo
X-MS-Forwarded-Client-IP: -
X-MS-Proxy: -
X-MS-ADFS-Proxy-Client-IP: -

(3)UserInfoListener.ParseRequest: Cannot find access token in the request.

(4)Sending response at time: '2020-07-16 09:48:38' with StatusCode: '401' and StatusDescription: 'Unauthorized'. Response headers set: {"WWW-Authenticate":"Bearer error="invalid_token", error_description="MSIS9923: Received invalid UserInfo request. Access token is not present in the request. The access token needs to be carried in Authorization Request Header Field or Form-Encoded Body Parameter."","Content-Type":"text/html; charset=utf-8"}

(5)UserInfoListener.WriteErrorResponse: The UserInfo endpoint meets error when process the request. Writing error response.

I appreciate any advice.
Updated 15-Dec-20 10:32am

Your code has this
Quote:
string userInfoURL = "https://[base-server-url]/userinfo?" + accessToken;
yet the error message states
Quote:
Received invalid UserInfo request. Access token is not present in the request. The access token needs to be carried in Authorization Request Header Field or Form-Encoded Body Parameter.
so I doubt it's seeing the token. I would try
WebClient client = new WebClient();
client.Headers.Add(HttpRequestHeader.Authorization,
    "Bearer " + accessToken);
// Do the download with the same client instance that carries the header
byte[] userInfoBytes = client.DownloadData(new Uri("https://[base-server-url]/userinfo"));
string response = Encoding.UTF8.GetString(userInfoBytes);
 
Comments
Member 10014841 19-Jul-20 5:26am    
I made the request with the modification mentioned, but the unauthorized (401) error still occurs.

// accessToken variable contains the access token data
string userInfoURL = "https://[base-server-url]/userinfo";
Uri userInfoUri = new Uri(userInfoURL);
WebClient client = new WebClient();
client.Headers.Add(HttpRequestHeader.Authorization,"Bearer " + accessToken);
byte[] userInfoBytes = webClient.DownloadData(userInfoUri);
string response = Encoding.UTF8.GetString(userInfoBytes);
Garth J Lancaster 19-Jul-20 5:29am    
change
byte[] userInfoBytes = webClient.DownloadData(userInfoUri);
to
byte[] userInfoBytes = client.DownloadData(userInfoUri);
Member 10014841 19-Jul-20 5:49am    
Sorry about the typo. I meant the WebClient instance was used (client).

client.DownloadData(userInfoUri)

The unauthorized 401 error still happens.
Garth J Lancaster 19-Jul-20 8:10am    
sorry - (3) also says "UserInfoListener.ParseRequest: Cannot find access token in the request." so if it won't take the token as I've suggested, following how it said to do it, I have nothing further I can offer - hopefully someone else has an idea
Member 10014841 19-Jul-20 10:16am    
Thank you so much for your advice. At least I could send the request properly with your guidance. Please, somebody help me with the unsolved issue.
I know this is an old post but for posterity:

In my experience, when trying to hit the ADFS OIDC userinfo endpoint you need to pass a query-string key/value pair (resource=urn:microsoft:userinfo).
 
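The two answers above fix two different things: the first moves the bearer token out of the query string into the Authorization header, the second adds the resource=urn:microsoft:userinfo parameter. The following is an added example that combines both into a client-side pre-flight check; it is not code from the question or from either answer, and it is written in Python rather than the thread's C# so that it runs offline. The server name adfs.example.test, the function names, and the alg=none sample token are constructed for illustration. One assumption is made about AD FS behaviour beyond what the answers state: that the access token used for the userinfo call must itself have been issued for urn:microsoft:userinfo, so that its aud claim carries that value; that is how the answer's parameter is interpreted here, and the audience check will reject a token issued for the Web API's client-ID GUID.

```python
"""Pre-flight checks for an AD FS /adfs/userinfo call (added example)."""
import base64
import json
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed, per the answer above: AD FS expects the userinfo access token to be
# issued for this resource identifier, and the call to carry it as a parameter.
USERINFO_RESOURCE = "urn:microsoft:userinfo"


def _b64url_decode(segment: str) -> bytes:
    """Decode base64url, restoring the padding that JWTs strip off."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.

    Client-side inspection of a token you already hold; only the issuer's
    signature check (done by AD FS) makes these claims trustworthy.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audiences(claims: dict) -> list:
    """Normalise the aud claim, which may be a string or a list."""
    aud = claims.get("aud")
    if aud is None:
        return []
    return aud if isinstance(aud, list) else [aud]


def build_userinfo_request(base_url: str, access_token: str) -> tuple:
    """Return (method, url, headers) for GET /adfs/userinfo.

    1. The bearer token goes in the Authorization header (RFC 6750 section 2.1),
       never in the query string, where it ends up in server logs exactly as the
       AD FS trace in the question shows ("Query string: ?access_token=...").
    2. The token must have been issued for urn:microsoft:userinfo (assumption,
       see lead-in), which is also sent as the `resource` query parameter.
    """
    auds = audiences(jwt_claims(access_token))
    if USERINFO_RESOURCE not in auds:
        raise ValueError(
            f"token audience {auds!r} is not {USERINFO_RESOURCE!r}; request the "
            f"access token with resource={USERINFO_RESOURCE}, not the Web API id"
        )
    url = base_url.rstrip("/") + "/adfs/userinfo?" + urlencode({"resource": USERINFO_RESOURCE})
    headers = {"Authorization": "Bearer " + access_token, "Accept": "application/json"}
    return "GET", url, headers


def token_in_query_string(url: str) -> bool:
    """True if a bearer token is exposed in the URL (the original code's mistake)."""
    query = urlsplit(url).query
    if "access_token" in parse_qs(query):
        return True
    # Bare JWT appended as "...?<token>": three base64url segments, no key.
    return re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*", query) is not None


def parse_bearer_challenge(www_authenticate: str) -> dict:
    """Parse an RFC 6750 'WWW-Authenticate: Bearer error="...", error_description="..."'.

    Adds 'msis_code' (e.g. MSIS9923) when AD FS includes one, so the client can
    log the precise cause instead of a bare 401.
    """
    if not www_authenticate.strip().startswith("Bearer"):
        return {}
    params = dict(re.findall(r'(\w+)="([^"]*)"', www_authenticate))
    code = re.search(r"MSIS\d+", params.get("error_description", ""))
    if code:
        params["msis_code"] = code.group(0)
    return params


def make_unsigned_token(claims: dict) -> str:
    """Constructed sample only: an alg=none JWT so the example runs offline.

    AD FS issues RS256-signed tokens; never accept alg=none on a server.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."
```

In practice, call build_userinfo_request on the token returned by /adfs/oauth2/token and hand the resulting URL and headers to whatever HTTP client you use; if the call still returns 401, feed the WWW-Authenticate header to parse_bearer_challenge and log the MSIS code, which is far more specific than the status line. The ValueError from the audience check is the case this thread got stuck on: a token issued for the Web API's identifier is valid for OAuth but is not what the userinfo endpoint accepts.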

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)