Richard Bennett
@reloutino_gitlab we're doing that today... idsrv3 and dotnetcore
errr... idsr3 with dotnetcore client
how can i connect ids4 to an api in .net standard?
i got this error {"Message":"Authorization has been denied for this request."} when i run api project despite my identityserver4 project is running, and i set in my config of api like this
    app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
    {
        Authority = "http://localhost:6001",
        RequiredScopes = new[] { "api" },

        DelayLoadMetadata = true
    });
Richard Bennett
@samanevrc you may want to go into the identityserver4 channel, as this is for identityserver3
Is Identity Server 3 still maintained?
Richard Bennett
it is not. it's marked as archived on github, so my assumption would be "NO". https://github.com/IdentityServer/IdentityServer3
Hi everyone, I am using CustomViewService in identity server 3 and I needed to add reset password page. I followed the solution provided here: https://stackoverflow.com/questions/31046208/identity-server-v3-custom-page-reset-password . But, Identity Server is not able to find resetPassword.html page even though I provided it in "templates" folder and it keeps returning 404 error "No webpage was found for the web address: http://localhost:44333/core/resetPassword?signin=b3253f1ef659cffe9165c7c6b134715a". Any help will be appreciated.
vishak os

Hi All,
Need some help.


LoadBalancing Issue In IIS

Issue with setting up the Load Balancer for a MVC Web API and Identity Server

Staging Server A: Identity server And a resource server (MVC web api)
The resource server is connected via Hybrid Grant Flow.

Staging Server B: Identity server And a resource server (web api)

Both the Identity Servers have a public origin and it uses the exposed URL.

The webAPI In both the servers are using the public origin URL for the Identity Server which is same as an extra internal binding in that server.

I’m using JWT tokens for the Access token and the signing certificates used are also synchronized in both servers.

The problem that I’ve is when I connect from the presentation side of the MVC webapi of Server A and Click On the Login Button for the user to login - it may direct the user to Server B’s Identity Server.
In this scenario once the user is successfully authenticated it’s not able to redirect to the Server A.
The configuration works when Server A login button directs to Server A’s Identity Server, not otherwise.

What should I implement to get this working.

I’m using Inmemory stores for now. I’m not sure if it’s because of a caching issue.
Or is there anything else that I need to implement to get the servers work under load balancing.

Any help will be highly appreciated.

Richard Bennett
@vichu28_twitter your best bet is to transition to idsrv4... this is dead now.
vishak os

Thanks for the update and I’m actually working on the ID4 and need to do the transition once it’s complete.

btw I got the load-balancing finally work yesterday with ID3 using the default EF implementation and machine key synchronization.

Richard Bennett
ah :D
sorry.. but cool!
Raymond Bergen
hi all im running into an issue trying to get the silent renew to work i get the following error
the issue is probably the 404 it gets on the authorize this is the call its doing:
This does indeed return a 404
if i however remove the id_token_hint from the url it does not give a 404
im using the latest oidc-client-js here
has anyone encountered this issue or know what i could be doing wrong or could check?
Raymond Bergen
hmm well maybe i should start with the first error :S Failed to execute 'postMessage' on 'DOMWindow' this is probably the cause if anyone can help me that would be great ill do some research on this error in the meantime
Dan Orr
Hi all. We're deploying a modified version of IdentityServer3 to a new environment running on IIS but have run into the IDX10803 error where the */.well-known/openid-configuration file can't be created. I'm yet to find any steps to resolve this issue. We are running NetScaler. Any ideas? What are we missing?
Hi all . Could anyone please tell me how to get clients and scopes from database in identityserver3
vishak os
Hi @raghava1605 : you can use the entity framework Implementation of the Identity Server 3 that’s available in the github!
Hi all, could you please tell me, how can I validate token, including expired time?
Jason Haley

I'm trying to add a WebApi controller to a site that serves as my IdentityServer for a few other sites. For some reason I can't get the WebApi with Authorize to work. It keeps returning 401 even when the cookies are passed like normal. The weird and really frustrating part is, I CAN get the same call to work using a regular MVC controller/action with Authorize - but I can't figure out the Cors issues to use that approach for my full implementation.

Has anyone seen this before? It seems like the webapi just isn't recognizing the cookie auth that idsvr adds to the app builder but for some reason the MVC actions do recognize it. Driving me nuts.

Chris G. Stevens

I am wondering if there is a way to redirect to another site from within the override of the DefaultViewService.Login.
I was hoping for an easy Response.Redirect. Basically under if the login_hint contains the domain or @ we need to check if the login needs to be redirected to a 3rd party login page.

Or do I need to build out the javascript to do it. Was hoping to not even load our signin page and just go directly to the 3rd party signin page.

Thanks for any help!

Jaymie Jeffrey
Hey all, I was wondering if someone can give me a hand. Should be relatively simple
I already have an API setup with identity server integrated into it
Now my client is asking for a new API completely separate but wants to use the current identity server to authenticate and authorize on the routes
is that as simple as just changing this:
    public static void ConfigureIdentityServer(this IAppBuilder app, ICormarConfig config)
    {
        // Create our options
        var identityServerOptions = new IdentityServerOptions
        {
            SiteName = "Cormar API",
            SigningCertificate = LoadCertificate(),
            IssuerUri = $"{config.AuthorityEndpoint}",

            LoggingOptions = new LoggingOptions
            {
                EnableHttpLogging = true,
                EnableWebApiDiagnostics = true,
                EnableKatanaLogging = true,
                WebApiDiagnosticsIsVerbose = true
            },

            Factory = new IdentityServerServiceFactory().Configure(config),

            Endpoints = new EndpointOptions
            {
                EnableAccessTokenValidationEndpoint = false
            },

            // Disable when live
            EnableWelcomePage = true
        };

        // Setup our auth path
        app.Map("/identity", idsrvApp => { idsrvApp.UseIdentityServer(identityServerOptions); });
    }
and changing the AuthorityEndpoint to my identity server path?
Chris G. Stevens

I have this weird issue which I can't seem to track down.
2,000 of 500,000 tokens the UPN is missing from the Subject.Claims.
8 of the 500,000 tokens the UPN is missing from both Subject.Claims and AccessToken.Claims.

I am also kinda new to IdentityServer so any sort of clue for me to go look at would be much appreciated.

Chris Robinson
Getting a 401 error during introspection. The error in the logs says the scope doesn't have access to introspect the token.
Tomas Jurasek
Hi, can you help me with ICustomGrantValidator? I have a basic implementation of this interface and return empty new CustomGrantValidationResult. When I want to call the token endpoint with custom grant type client I get the error: Returning error: invalid_grant
Tomas Jurasek
My client has Flow.Custom and AllowedCustomGrantTypes for this flow type

I am trying to add a Microsoft SSO to my application
However I would like to give extra permission to user with Education Tenant (need admin consent)

What do you recommend?

I am trying to follow the code in IdentityServer3.Samples/source/Clients/MVC OWIN Client (Hybrid)/ Startup.cs to connect Asp.Net 4.5 MVC5 to IdentityServer4 to get claims, with the newest IdentityModel v3.10.10 package, I got issue on id.AddClaims(userInfoResponse.GetClaimsIdentity().Claims) in the Notifications; it says
UserInfoResponseextensions.GetClaimsIdentity(userInfoResponse). is inaccessible due to its protection level.
Should I use different version or should change to use something else to get Claims?
Raymond Bergen
when calling the userendpoint done in my case using the oidcclientjs i only get the sub as claim. when it calls the other endpoint it also passes extra claims .... most important for me now is the idp claim is there a way to pass this claim to the userinfoendpoint?
i read in a few posts that you should have enough info by just using the sub claim ... but in my case it would be best if i knew which idp claim was set. with these 2 claims i can then find the extra claims for the user in my DB

How to add a custom MVC controller to Identityserver3 owin application

I have an owin app which issues OAuth token to different applications. Which is using IdentityServer3 for issuing tokens. My requirement is I need to implement custom MFA for some of the apps before releasing the token. The MFA controller is a custom implementation and have a custom view. I added an MVC controller in my owin app that contains identityserver3 code, and before release the token, to app, I redirected the user to this controller method. My issue is I am not able to read the user session from the MVC controller. Which should be an authenticated controller.

So far I tried is created a controller and register it using IdentityServerServiceFactory. I am not sure whether it is possible to inject an external dependency to the IdentityServer3.

Someone, please help me to resolve this.

Raymond Bergen
how do you pass the login_hint in the url to an external identityprovider? i tried the following:
        public override Task PreAuthenticateAsync(PreAuthenticationContext context)
        {
            context.SignInMessage.IdP = "myIdp";
            context.SignInMessage.LoginHint = "test@test.com";

            return base.PreAuthenticateAsync(context);
        }
Raymond Bergen
now i did the following
    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions {
        Notifications = new OpenIdConnectAuthenticationNotifications {
            RedirectToIdentityProvider = (context) => {
                context.ProtocolMessage.LoginHint = "YEAH@Yeah.com";
                return Task.FromResult(0);
            }
        }
    });
this does work, but my question is is this the way to do it? because i expected it to be set in the userservice