Where communities thrive

  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
Repo info
  • Sep 17 2021 17:33
    leastprivilege opened #3910
  • Sep 15 2021 17:38

    leastprivilege on same-site-fix

    Update README.md (compare)

  • Sep 15 2021 17:36

    leastprivilege on same-site-fix

    fix for SameSite cookies and ot… (compare)

  • Aug 27 2019 11:16

    leastprivilege on 2.6.1


  • Aug 27 2019 11:06

    leastprivilege on master

    udpate version number (compare)

  • Aug 27 2019 11:05

    leastprivilege on dev

    udpate version number (compare)

  • Aug 27 2019 11:04

    leastprivilege on master

    include value type when seriali… Update ClientStore.cs fix build script and 1 more (compare)

  • Aug 27 2019 11:02

    leastprivilege on dev

    Update ClientStore.cs Merge pull request #134 from br… (compare)

  • Aug 27 2019 11:02
    leastprivilege closed #134
  • Aug 27 2019 11:02

    leastprivilege on dev

    fix build script (compare)

  • Aug 24 2019 15:16
    brockallen opened #134
  • Oct 16 2018 16:34

    leastprivilege on master

    when too many message cookies, … 2.6.3 release Merge branch 'dev' (compare)

  • Oct 16 2018 16:33

    leastprivilege on 2.6.3


  • Oct 16 2018 16:31

    leastprivilege on dev

    2.6.3 release (compare)

  • Oct 10 2018 13:49

    brockallen on dev

    when too many message cookies, … (compare)

  • Jul 26 2018 11:54
    pvasek commented #3239
  • Jul 26 2018 11:18
    Farwell-Liu closed #3902
  • Jul 26 2018 06:13

    leastprivilege on master

    Fix X509 data protector Merge branch 'dev' (compare)

  • Jul 26 2018 06:12

    leastprivilege on 2.6.2


  • Jul 26 2018 06:11

    leastprivilege on dev

    Fix X509 data protector (compare)

Raymond Bergen
hmm well maybe i should start with the first error :S Failed to execute 'postMessage' on 'DOMWindow' this is probably the cause if anyone can help me that would be great ill do some research on this error in the meantim
Dan Orr
Hi all. We're deploying a modified version of IdentityServer3 to a new environment running on IIS but have run into the IDX10803 error where the */.well-known/openid-configuration file can't be created. I'm yet to find any steps to resolve this issue. We are running NetScaler. Any ideas? What are we missing?
Hi all . Could anyone please tell me how to get clients and scopes from database in identityserver3
vishak os
Hi @raghava1605 : you can use the entity framework Implementation of the Identity Server 3 that’s available in the github!
Hi all, could you please tell me, how can I validate token, including expired time?
Jason Haley

I'm trying to add a WebApi controller to a site that serves as my IdentityServer for a few other sites. For some reason I can't get the WebApi with Authorize to work. It keeps returning 401 even when the cookies are passed like normal. The weird and really frustrating part is, I CAN get the same call to work using a regular MVC controller/action with Authorize - but I can't figure out the Cors issues to use that approach for my full implementation.

Has anyone seen this before? It seems like the webapi just isn't recognizing the cookie auth that idsvr adds to the app builder but for some reason the MVC actions do recognize it. Driving me nuts.

Chris G. Stevens

I am wondering if there is a way to redirect to another site from within the override of the DefaultViewService.Login.
I was hoping for an easy Response.Redirect. Basically under if the login_hint contains the domain or @ we need to check if the login needs to be redirected to a 3rd party login page.

Or do I need to built out the javascript to do it. Was hoping to not even load our signin page and just go directly to the 3rd party signin page.

Thanks for any help!

Jaymie Jeffrey
Hey all, I was wondering if someone can give me a hand. Should be relatively simple
I already have an API setup with identity server integrated into it
Now my client is asking for a new API completely separate but wants to use the current identity server to authenticate and authorize on the routes
is that as simple as just changing this:
    public static void ConfigureIdentityServer(this IAppBuilder app, ICormarConfig config)
        // Create our options
        var identityServerOptions = new IdentityServerOptions
            SiteName = "Cormar API",
            SigningCertificate = LoadCertificate(),
            IssuerUri = $"{config.AuthorityEndpoint}",

            LoggingOptions = new LoggingOptions
                EnableHttpLogging = true,
                EnableWebApiDiagnostics = true,
                EnableKatanaLogging = true,
                WebApiDiagnosticsIsVerbose = true

            Factory = new IdentityServerServiceFactory().Configure(config),

            Endpoints = new EndpointOptions
                EnableAccessTokenValidationEndpoint = false

            // Disable when live
            EnableWelcomePage = true

        // Setup our auth path
        app.Map("/identity", idsrvApp => { idsrvApp.UseIdentityServer(identityServerOptions); });
and changing the AuthorityEndpoint to my identity server path?
Chris G. Stevens

I have this weird issue which I can't seem to track down.
2,000 of 500,000 tokens the UPN is missing from the Subject.Claims.
8 of the 500,000 tokens the UPN is missing from both Subject.Claims and AccessToken.Claims.

I am also kinda new to IdentityServer so any sort of clue for me to go look at would be much appreciated.

Chris Robinson
Getting a 401 error during introspection. The error in the logs says the scope doesn't have access to introspect the token.
Tomas Jurasek
Hi, can you help me with ICustomGrantValidator? I have a basic implementation of this interface and return empty new CustomGrantValidationResult. When I want call the token edpoint with custom grant type client I get the error: Returning error: invalid_grant
Tomas Jurasek
My client has Flow.Custom and AllowedCustomGrantTypes for this flow type

I am trying to add a Microsoft SSO to my application
However I would like to give extra permission to user with Education Tenant (need admin consent)

What do you recommand?

I am trying to follow the code in IdentityServer3.Samples/source/Clients/MVC OWIN Client (Hybrid)/ Startup.cs to connect Asp.Net 4.5 MVC5 to IdenityServer4 to get claims, with the newest IdentityModel v3.10.10 package, I got issue on id.AddClaims(userInfoResponse.GetClaimsIdentity().Claims) in the Notifications; it says
UserInfoResponseextensions.GetClaimsIdentity(userInfoResponse). is inaccessible due to its protection level.
Should I use different version or should change to use something else to get Claims?
Raymond Bergen
when calling the userendpoint done in my case using the oidcclientjs i only get the sub as claim. when it calls the other endpoint it also passes extra claims .... most important for me now is the idp claim is there a way to pass this claim to the userinfoendpoint?
i read in a few posts that you should have enough info by just using the sub claim ... but in my case it would be best if i knew which idp claim was set. with these 2 claims i can then find the extra claims for the user in my DB

How to add a custom MVC controller to Identityserver3 owin application

I have an owin app which issues OAuth token to different applications. Which is using IdentityServer3 for issuing tokens. My requirement is I need to implement custom MFA for some of the apps before releasing the token. The MFA controller is a custom implementation and have a custom view. I added an MVC controller in my owin app that contains identityserver3 code, and before release the token, to app, I redirected the user to this controller method. My issue is I am not able to read the user session from the MVC controller. Which should an authenticated controller.

So far I tried is created a controller and register it using IdentityServerServiceFactory. I am not sure whether it is possible to inject an external dependency to the IdentityServer3.

Someone, please help me to resolve this.

Raymond Bergen
how do you pass the login_hint in the url to an external identityprovider? i tried the following:
        public override Task PreAuthenticateAsync(PreAuthenticationContext context)
            context.SignInMessage.IdP = "myIdp";
            context.SignInMessage.LoginHint = "test@test.com";

            return base.PreAuthenticateAsync(context);
Raymond Bergen
now i did the following
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
                                Notifications = new OpenIdConnectAuthenticationNotifications
                                    RedirectToIdentityProvider = (context) =>
                                        context.ProtocolMessage.LoginHint = "YEAH@Yeah.com";
                                        return Task.FromResult(0);
this does work, but my question is is thes the way to do it? because i expected it to be set in the userservice
I'm trying to inject custom view service as below
factory.ViewService = new Registration<IViewService, CustomViewService>();
But looks like it never get called when tries to access a controller with [Authorize] attribute. Is this functionality working for anyone IdentityServer3
vishak os

Can someone give some guideline on what's happening when a .Net MVC Web API try to validate the bearer token using identityserverbearertokenauthentication middleware. I would like to know the process that's happening in the background. I wan't to enable logging during this process but i'm not sure on enabling the logging for Identity Model library.

I’m getting a 401 error and not sure what’s causing the issue. I’ve enabled the Katana logging at the identity server side but I don’t see any entry regarding the bearer token validation.

Current setup.
I’ve a MVC web api protected by identity server 3. I had it working earlier with endpoint as https://local host:4434/api,
I changed the routing parameter to have three extra fields: https://localhost:4434/{param1}/{param2}/{param3}/api.

I would like to know what changes I may need to make at the Identity Server to get the access token validated.
From my postman client - I’m able to get an access token but not able to validate it. Any help will be highly appreciated.

i am getting this error after hosting the application.
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 164.XXX.XXX.XX:443. This is when client application tries to login via SSO. Can anybody help please?
Chris G. Stevens
I have a requirement to be able to add/update IdentityProviders. It seems like the only way to add is through the startup and registering at runtime with app.UseOpenIdConnectAuthentication()
Is this something can be done or even recommended? It would be nice to add an external auth and not have to restart the site.
Chris Asis
hello, anyone knows the password for idsrv3test.pfx?
Hi, Has any one implemented Password Reset functionality using Identity Server3?
I need some help in this area
public class CustomViewService : DefaultViewService
public CustomViewService(DefaultViewServiceOptions config, IViewLoader viewLoader)
: base(config, viewLoader)
    public override Task<Stream> Login(LoginViewModel model, SignInMessage message)
        //if(model.ErrorMessage == "Invalid Username or password")
        if (model.ErrorMessage == "Your Password is expired.")
            //model.Custom = new
            //    reenterpassword = "",
            //    confirmpassword = ""

            return base.Render(model, "resetPassword");
            model.Custom = new
                newpassword = "",
                confirmpassword = ""

            return base.Login(model, message);
        //return base.Login(model, message);
I just created one view called resetPassword and redirecting it when password is expired
I created custom view in Templates folder
In the Custom view trying to access New Password and Confirm Password through model.Custom object
<div class="form-group">
<label for="New Password">New Password</label>
<input required id="newpassword" name="newpassword" type="password" class="form-control" placeholder="New Password" ng-model="model.custom.newpassword" autocomplete="off" maxlength="100">
<div class="form-group">
<label for="Confirm Password">Confirm Password</label>
<input required id="confirmpassword" name="confirmpassword" type="password" class="form-control" placeholder="Confirm Password" ng-model="model.custom.confirmpassword" maxlength="100">
but I am getting custom object as null
Is there any way to pass custom view custom fields from view to CustomViewService?
created a question in stackoverflow for same
Hi, i know this is the wrong fora to ask but i thought it was worth a shot, does anyone have experience with IdSrv2 and External IdP ? getting redirected, authenticated and returned to IdSrvs HRD endpoint but keep getting ID1032 and ID4175 exceptions, Shouldn't the issuer thumbprint in IdP configuration be enough to specify the Audience and IssuerName links ? planning on migrating over to IdSrv4 but need to get this up and running for a customer for a pilot first
We are using IdentityServer through Nuget and the tempkey.rsa. Will this be decommissioned after Nov 2022?
Hi I am adding Microsoft login support on my Microsoft teams client app. I can't add Microsoft as an external identity provider, because in teams I have to use MSAL.js library to get token from Mcirosoft. After getting access token, how can should i call Identity server with that token to authenticate user. Which O Auth 2 flow should i use?
Lms is an aim to pass dotNet platform quickly constructs the framework of micro-service development. It has the characteristics of stability, safety, high performance, easy expansion and easy use.
https://github.com/liuhll/lms Lms is an aim to pass dotNet platform quickly constructs the framework of micro-service development. It has the characteristics of stability, safety, high performance, easy expansion and easy use.