    divaker chauhan
    @cdivaker_gitlab
    @majumajid
    I have overridden the device flow store and saved the device code and user code in my database, and I have authenticated with user ID and password, but when I try to get a token by calling the token endpoint with the device code I get an authorization_pending error. Please help.
    divaker chauhan
    @cdivaker_gitlab
    @majumajid could you please help me?
    Muhammd Majid
    @majumajid
    Which endpoint are you calling for the token?
    Token
    NicoD-NITH
    @NicoD-NITH
    Does anyone have their IdSrv4 set up with both username/password login and client certificate login inside the same instance? I can't set RequireCert for the mTLS paths only; with Kestrel it's either the whole project or nothing. Tips/recommendations? I just want the user to be prompted to supply their certificate if they select to sign in using "certificate".
    BradRaynaudCIC
    @BradRaynaudCIC
    Has anyone encountered an IDX20803 error when dockerizing a .NET 5 ASP.NET website? Our authentication works perfectly outside of the container and when deployed on Azure. However, the second that it's put inside a container (with a valid cert) we are unable to access the well-known OpenID configuration.
    xlp100
    @xlp100
    How do I solve slow IdentityServer4 /connect/token requests?
    Stefan Cvetkovic
    @stefancvetkovic
    Hello, I need an example of a .NET Core API with IdentityServer in the same project using services.AddLocalApiAuthentication. I also need to add Swagger with authorization.
    Where can I find that?
    Victorio Berra
    @VictorioBerra
    How crazy would it be to create a C# proxy with ProxyKit that validates all bearer tokens before proxying them down to other apps? It could determine the downstream app, validate the target and audience for that app, and then proxy the request and maybe add headers for the logged-in user ID and name or whatever.
    It could do the same for cookie auth. It could verify the user is authenticated, challenge if not, and otherwise proxy the request. This abstracts IS4 out to a single proxy.
    The benefit would be: we are considering options like AAD since IS4 has converted to a paid model. So I'm just tossing around ideas. The pain of changing every service over would be isolated to a single proxy.
    Maks Szokalski
    @illunix
    Hello, does anyone know how to fix this error? IDX10214: Audience validation failed. Audiences: 'System.String'. Did not match: validationParameters.ValidAudience: 'System.String' or validationParameters.ValidAudiences: 'System.String'
    Victorio Berra
    @VictorioBerra
    @illunix When you obtained a token, you asked for a scope, e.g. "api1". This probably caused the audience ("aud") claim to be set to whatever the API is for that scope. And then you attempted to use it at something that did not have the audience set properly, like api2, or api1 where you didn't set the audience.
    Maks Szokalski
    @illunix
    How can I set the audience? @VictorioBerra
    Robert Karlsson
    @Robban1980
    Maybe a stupid question, but I cannot find a clear answer. If I have a refresh token, is it possible to use the introspection endpoint to see if it is still valid?
    Right now my issue is that if I try to use it, it always returns invalid.
    Found the RFC; it should be possible.
    What am I doing wrong, gah.
    Robert Karlsson
    @Robban1980
    Found it: IdentityServer is looking for the wrong type of token... I don't think the token type hint is working.
    Robert Karlsson
    @Robban1980
    Hmm, then I could just dump the refresh token and use a longer-lived access token, but I need to know why!!
    Paul McNamara
    @mackie1001
    Out of interest, what action would you take upon discovering that a refresh token was invalid ahead of needing it, vs. using it when you need it?
    Robert Karlsson
    @Robban1980
    It is because it is a reference token; I would not know if it has been revoked until a call is made to the OP server.
    This call happens in an Ajax request or in an iframe (within the same site). In neither of these cases can I handle the redirect to the OP, so I must be able to check if a token is valid and process that. Mind you, this is a server-side application, so the server-side authentication is still valid.
    But as I found, when trying to validate the refresh token it is looking it up with the wrong grant type internally somewhere. I am solving it by only using the access token instead.
    Robert Karlsson
    @Robban1980
    Ah, forgot to mention the most important part: this is a cross-browser single sign-out scenario.
    Paul McNamara
    @mackie1001
    As an aside, refresh tokens shouldn't really exist in client-side web apps IMO,
    since you can achieve automatic token renewal via other means (provided you're not going cross-site, hence why Auth0 and the like tout this approach).
    But the best way to check if a refresh token is valid is to use it to actually do a refresh, isn't it?
    And if it fails, that renders the server-side session invalid.
    Eugenio Favalli
    @eugeniofavalli_twitter
    Hi, sorry to bother, I have an urgent problem in prod. Context: Android application with ADFS 5 as external provider. One of the users, during login, is presented with the "authentication complete" page, the one that should auto-close. As far as I can understand, it seems it gets the authorization code and is redirected to the authorize endpoint, but then it doesn't exchange it for the access token. Doing the login again works (when ADFS 5 has already stored its auth cookie). Also, using application credentials instead of ADFS works properly. It seems not to be user related, since using my user gives the same behavior.
    Eugenio Favalli
    @eugeniofavalli_twitter
    Any idea?
    Foad Ardalan
    @techla

    Hi all,
    I spent the past two days trying to understand OAuth and OpenID Connect. I think I got it about 80% right. I made an SSR/GraphQL app based on Next.js/Apollo and am trying to introduce an OpenID authentication layer for getting my data from protected API endpoints. Since 2019, the recommended way for OpenID is the Authorization Code Flow (based on the OAuth Authorization Code Grant with a little id_token twist) + PKCE.
    I found an openid-client library that takes care of the OIDC protocol part for us (redirections etc.) and provides a higher-level API for user management.
    Even if I read a lot about OIDC, I still have some questions:

    1 - In the OIDC Authorization Code Flow with a private client, the access_token and id_token are transmitted to the Node.js server (in my case). Then, should I forward them to the browser? If so, why not manage everything from the browser with the Authorization Code Flow with a public client + PKCE? If leaking the tokens to the browser is a security issue, I need to make use of sessions, which makes my server stateful. How can I deal properly with that? What are the best practices?

    2 - Can we deal with the refresh token in the OIDC Authorization Code Flow with a public client without storing it in the browser?

    3 - How can we deal with the refresh token in the OIDC Authorization Code Flow with a private client without managing sessions?

    4 - Last but not least:
    =====> should I ask for a new access_token each time I want to make an API call?

    Meghnath Das
    @MeghnathDas
    I want to add a certificate for production. Is there any way to self-generate one?
    dgnavarro86
    @dgnavarro86

    Hi, I am using my IdentityServer4 connected to an Oracle database and I am getting this exception even though we disabled the refresh token. Could someone advise?

    2021-04-07 16:06:29.865 -07:00 [Error] Microsoft.EntityFrameworkCore.Update: 2021-04-07 16:06:29.865449 ThreadID:110 (ERROR) OracleModificationCommandBatch.Consume() : Microsoft.EntityFrameworkCore.DbUpdateConcurrencyException: Database operation expected to affect 1 row(s) but actually affected 0 row(s). Data may have been modified or deleted since entities were loaded.
       at Oracle.EntityFrameworkCore.Update.Internal.OracleModificationCommandBatch.Consume(RelationalDataReader relationalReader)

    2021-04-07 16:06:29.868 -07:00 [Error] Microsoft.EntityFrameworkCore.Update: An exception occurred in the database while saving changes for context type 'IdentityServer4.EntityFramework.DbContexts.PersistedGrantDbContext'.
    Microsoft.EntityFrameworkCore.DbUpdateConcurrencyException: Database operation expected to affect 1 row(s) but actually affected 0 row(s). Data may have been modified or deleted since entities were loaded.
       at Oracle.EntityFrameworkCore.Update.Internal.OracleModificationCommandBatch.Consume(RelationalDataReader relationalReader)
       at Microsoft.EntityFrameworkCore.Update.ReaderModificationCommandBatch.Execute(IRelationalConnection connection)
       at Microsoft.EntityFrameworkCore.Update.Internal.BatchExecutor.Execute(DbContext _, ValueTuple`2 parameters)
       at Oracle.EntityFrameworkCore.Storage.Internal.OracleExecutionStrategy.Execute[TState,TResult](TState state, Func`3 operation, Func`3 verifySucceeded)
       at Microsoft.EntityFrameworkCore.Update.Internal.BatchExecutor.Execute(IEnumerable`1 commandBatches, IRelationalConnection connection)
       at Microsoft.EntityFrameworkCore.Storage.RelationalDatabase.SaveChanges(IReadOnlyList`1 entries)
       at Microsoft.EntityFrameworkCore.ChangeTracking.Internal.StateManager.SaveChanges(IReadOnlyList`1 entriesToSave)
       at Microsoft.EntityFrameworkCore.ChangeTracking.Internal.StateManager.SaveChanges(Boolean acceptAllChangesOnSuccess)
       at Microsoft.EntityFrameworkCore.DbContext.SaveChanges(Boolean acceptAllChangesOnSuccess)
    Microsoft.EntityFrameworkCore.DbUpdateConcurrencyException: Database operation expected to affect 1 row(s) but actually affected 0 row(s). Data may have been modified or deleted since entities were loaded.

    Eugenio Favalli
    @eugeniofavalli_twitter
    Just FYI, I isolated the problem: it only occurs with recent versions of Chrome (upgrading from 74 to 8x).
    Nikola Josipović
    @mcrio
    @dgnavarro86 It seems IS4 is trying to modify, probably, the refresh token in the persisted grants table. If possible, try logging the queries and see what's going on. Check if you have concurrent requests trying to refresh the same token (you said you disabled refresh tokens, but examine the requests just in case).
    Kevin Kallberg
    @kkallberg
    I am using OIDC's Authorization Code grant to access an external IdP. I'm requesting both the openid and email scopes. This returns both an id_token and an access_token, as expected. What is not expected is that the OpenIdConnectHandler in ASP.NET Core 3.1 appears to pull claims only from the id_token. This is problematic, as the external IdP places the email claim in the access_token. From what I've been able to find, the solution to this is to set the option to pull additional claims from the UserInfo endpoint. However, the UserInfo endpoint on the external IdP only returns the sub claim. Does anyone know what I'm doing wrong, or have any advice on a path forward?
    Paul McNamara
    @mackie1001
    Sounds like you're not doing anything wrong on your end and they're not providing claims how they should. It may be possible for you to write some custom code (in the form of a middleware event handler) to extract the claims you need from both tokens.
    Milad Rashidi
    @MiladRashidi_gitlab
    Hi guys. I have an API service that is secured via JWE. I'm going to replace JWE with IdentityServer4 and secure my API with IdentityServer4. I had a custom way of generating JWE tokens. How can I replace JWE with IdentityServer4 without the users currently signed in to the site needing to re-login?
    Kevin Kallberg
    @kkallberg
    @mackie1001 Thanks for the reply!
    santosh2812
    @santosh2812
    Hello all, I'm trying to do silent token refresh in IdentityServer4 and my client application is in Vue.js, but I'm unable to do so. Could you please send me an example? I am using vuexOidcCreateStoreModule from vuex-oidc.
    Sean
    @DapperDeer

    Hey there, I'm getting this error:

    System.InvalidOperationException: Type '' is not supported.
       at Microsoft.AspNetCore.ApiAuthorization.IdentityServer.ConfigureClients.GetClients()+MoveNext()

    and have no idea why. Initial Googling told me that it's missing a "Profile" key/value pair, which I've added:

    "IdentityServer": {
        "Clients": {
          "WebAssembly.Client": {
            "Profile": "IdentityServerSPA",
            "Enabled": true,
            "ClientId": "WebAssembly.Client",
            "AllowedGrantTypes": [ "code", "client_credentials" ],
            "AllowedScopes": [ "WebAssembly.ServerAPI" ]
          }
        }
    }

    but that has not fixed my issue.

    Nikola Josipović
    @mcrio
    @santosh2812 In case you don't figure out the solution with "vuex-oidc", you can try using "oidc-client", which is a lib made by the same team behind IdentityServer4.
    Sean
    @DapperDeer

    Can someone help me figure out why I'm getting an "unauthorized client" error?

    Extensions for .AddIdentityServer() (server Startup.cs):

                // using IdentityServer4;
                // using IdentityServer4.Models;
                // using Microsoft.AspNetCore.Identity;
                // using Microsoft.AspNetCore.ApiAuthorization.IdentityServer;

                // Client definition for the Blazor WebAssembly front end.
                var delosWasm = new Client {
                    ClientId = "WebAssembly.Client",
                    ClientSecrets = { new Secret("SuperSecretPassword".Sha256()) },
                    AllowedScopes = {
                        "WebAssembly.ServerAPI",
                        IdentityServerConstants.StandardScopes.Profile,
                        IdentityServerConstants.StandardScopes.OpenId
                    },
                    AllowedGrantTypes = GrantTypes.Code
                };
    ------------------
                services.AddIdentityServer()
                    .AddApiAuthorization<IdentityUser, PersistedGrantDbContext>(options => {
                        options.Clients.Add(delosWasm);
                    })
                    .AddInMemoryClients(new[] { delosWasm });

    Blazor Wasm Program.cs:

                // using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
                services.AddOidcAuthentication(options => {
                    options.ProviderOptions.ClientId = "WebAssembly.Client";
                    options.ProviderOptions.Authority = "https://localhost:5001";
                    options.ProviderOptions.ResponseType = "code";
                });
    Jassim Ibrahim
    @VinsmokeJazz
    Hi, there is one issue I am facing with the multi-tenancy concept. I am trying to implement a multi-tenant application with IdentityServer4. For example, there are 2 URLs, web1.domain.com and web2.domain.com. When I log in with my credentials at web1.domain.com, the other domain, web2.domain.com, also automatically logs in with the same credentials.
    Is there any way to separate these logins?
    Nikola Josipović
    @mcrio
    @DapperDeer It seems you are not sending the client secret anywhere? I suppose you have interactive users, as you are using Blazor, so a client secret is not really needed for scenarios where you have a public client, as it can be reverse-engineered. Try omitting the client secret setting.
    Nikola Josipović
    @mcrio
    @VinsmokeJazz Your ASP.NET Identity needs to be multi-tenant aware in the first place, and logging in on one subdomain should not produce cookies that are valid on another subdomain. From your example, it seems that you want to have users separated per tenant, which means a user is assigned to just one tenant, so that the same username can be used to register another user for another tenant. Another scenario is when a single user can be granted access to multiple tenants, but this depends on your app requirements. Regarding IdentityServer, you will need the persisted grant store to be multi-tenant aware, as refresh tokens and other settings need to be tied to a tenant. You will also need to write custom redirect URI validators because of the different subdomains, and probably each tenant subdomain should produce its own Authority endpoint... From my experience, it's a topic where you need to spend some time researching all the components and how they are tied together.
    Jassim Ibrahim
    @VinsmokeJazz
    Okay @mcrio, thank you. I will look into that and get back.