    Paul Smith
    @eratos
    Parthi - that doesn't look like an IDSvr issue to me - it looks like an EntityFramework issue.
    Parthi
    @ParthiKarnan
    @eratos - Yes, it looks like an EF issue. Let me check with that issue. Thanks for your response :-)
    Daniel Anselm
    @daniel.anselm_gitlab
    Hi, I am getting the 'Issuer name does not match authority' error because I have an SSL-terminating load balancer in front of my is4 service (i.e. issuer is https://myurl and authority is http://myurl). What should I do in this situation? The DNS names are identical; it is the s in https which is causing the validation failure!
    Paul McNamara
    @mackie1001
    your load balancer should forward on the original protocol (X-Forwarded-Proto) and you can use that to set the current request scheme to match the incoming request
    you'd just need to create a middleware function to do it
    Parthi
    @ParthiKarnan

    Hi all, I have implemented automatic token cleanup with the below code.

    using System.Reflection;
    using Microsoft.EntityFrameworkCore;
    using Microsoft.Extensions.DependencyInjection;

    public void ConfigureServices(IServiceCollection services)
    {
        const string connectionString = @"Data Source=(LocalDb)\MSSQLLocalDB;database=IdentityServer4.EntityFramework-2.0.0;trusted_connection=yes;";
        // the assembly that holds the EF migrations for the operational store
        var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;

        services.AddIdentityServer()
            // this adds the operational data from DB (codes, tokens, consents)
            .AddOperationalStore(options =>
            {
                options.ConfigureDbContext = builder =>
                    builder.UseSqlServer(connectionString,
                        sql => sql.MigrationsAssembly(migrationsAssembly));

                // this enables automatic token cleanup. this is optional.
                options.EnableTokenCleanup = true;
                options.TokenCleanupInterval = 30; // interval in seconds
            });
    }

    After the implementation, my Azure SQL DB's DTO percentage suddenly increased to around 90 to 100% right after the deployment in my WebApp. It is affecting my application. If anyone knows, kindly let me know. I'm trying to understand what I did wrong.

    Dan Anselm
    @dan.rockcoll_gitlab
    @mackie1001 - you are spot on! The load balancer was indeed sending the protocol header, so I just needed to add the bits in startup to collect it. Thank you so much for that :)
    Paul McNamara
    @mackie1001
    :)
    @ParthiKarnan that feels like it's running more often than it needs to, but assuming it's just running SQL to delete persisted grants behind the scenes I can't really see a problem with the "little and often" approach as long as there are appropriate indexes on that table
    I'd suggest reviewing the code that does the cleanup and profiling the query it performs yourself to see if there are any lurking performance issues
    Robert Hertenstein
    @rhertenstein_twitter

    hi All, I was wondering if I could get a hand with a URL that I am messing up on somehow:
    https://id-dev.bissell.com/connect/authorize?response_type=code%20id_token&nonce=P-4fP7SKrp1_UHxK5S0pQg&state=Flb-8HeAtJOnUbhswfJzwg&code_challenge=b5cjPEPuNMFTOF7og8bWlGaCXSllnqdPa9wILWKGDaA&code_challenge_method=S256&client_id=rw.MobileClient&scope=openid%20profile%20mobileBHI%20offline_access&redirect_uri=com.bissell.cleanconnectsbx%3A%2F%2Fopenidconnect&acr_values=idp%3AGoogle

    this provides a code that then results in unauthorized_client when calling /connect/token with client_id=rw.MobileClient (and the bearer token has the same)

    Paul McNamara
    @mackie1001
    @rhertenstein_twitter you're getting an error when trying to exchange the authorization code for the tokens?
    Robert Hertenstein
    @rhertenstein_twitter
    correct @mackie1001
    Preston Alvarado
    @coolhome

    @rhertenstein_twitter IdentityServer4 writes to the Microsoft.Extensions.Logging ILogger. Usually more information is written there. I would suggest diving into those and posting back some logs if you can't resolve it.

    Here are a few places that will return an unauthorized_client error https://github.com/IdentityServer/IdentityServer4/blob/master/src/IdentityServer4/src/Validation/Default/AuthorizeRequestValidator.cs
    https://github.com/IdentityServer/IdentityServer4/blob/master/src/IdentityServer4/src/Validation/Default/DeviceAuthorizationRequestValidator.cs#L94-L106
    https://github.com/IdentityServer/IdentityServer4/blob/master/src/IdentityServer4/src/Validation/Default/TokenRequestValidator.cs

    Paul McNamara
    @mackie1001
    @rhertenstein_twitter what does your code look like that calls the token endpoint? I can see from that URL that you're using PKCE; if you're hand-rolling that code then that's a likely suspect for the problem
    FRizZL
    @FRizZL

    We are misusing claims for authorization purposes and our app is crashing (CGI app encountered an error and the server terminated the process) after a user logs in with say 3,000 claims. This happens when we use local login. We can't find the code where the claims are being added to the "ClaimsPrincipal". We also support remote login (via Microsoft) and we did find how to disable it there. In that case there was a separate line of code which added the claims to the principal which we simply commented out. For authorization we created a class that checks the user's claims via the database instead.

    So we are stuck at "Where does Identity server append the claims to a locally logged in user?" and "How do we prevent it from doing so?".

    Paul McNamara
    @mackie1001
    Are you talking about the authentication cookie within an identityserver4 application?
    FRizZL
    @FRizZL
    If the claims are inserted into the cookie, then yes.
    HariSirigouniTest
    @HariSirigouniTest
    Hi, has anyone deployed Identity Server 4 - Windows authentication apps to Azure?
    To get the Windows authentication scheme we need to enable Windows Authentication for the project (or in IIS); it looks like this is not directly supported by Azure App Service.
    Paul McNamara
    @mackie1001
    @FRizZL ok, well, long story short - that has nothing to do with identityserver4, although it will automatically add its own claims and properties for its own needs
    rexdefuror
    @rexdefuror

    Hi folks,

    I've encountered a problem after upgrading from version 2.2.x to 3 of Identity Server 4. The issue is that tokens, according to the IdentityServer3.AccessTokenValidation library, are no longer valid. After investigation, I've found out that the audience that existed in the previous version, auth.ouridentityserver-instance.com/resources, no longer exists in the new version, thus this is my prime suspect.

    Has anyone else encountered this problem, or have some idea what's wrong with it?

    To note, the .NET Core equivalent of the AccessTokenValidation library seems to be working fine.
    rexdefuror
    @rexdefuror
    Found the answer, in case anyone else has this problem: the option EmitLegacyResourceAudienceClaim resolves it.
    Mart
    @mart90
    @mackie1001 (I'm a colleague of FRizZL's) IdentityServer is the app that is crashing though. That shouldn't happen if it's only working with its own claims.
    Paul McNamara
    @mackie1001
    Where are the 3000 claims coming from?
    Mart
    @mart90
    The DB
    I believe we used the structure from the tutorials; the claims are in AspNetUserClaims with a FK to AspNetUsers
    Our theory is that IdentityServer does something with the claims it finds there, and because of the high amount it crashes
    Paul McNamara
    @mackie1001
    It'll be Asp.Net Identity that adds the claims to the ClaimsPrincipal that ultimately ends up in the auth cookie
    However those claims will indeed be used by logic internal to ids4
    Do you have any details of the nature of the crash?
    Mart
    @mart90
    Not really, that's why it's so hard to troubleshoot. The error message is "The CGI application encountered an error and the server terminated the process", which we think means the thread crashed. There's no exception or anything out of the ordinary in the debug output
    Paul McNamara
    @mackie1001
    Out of interest, what happens to these 3000 claims down the line? Do they all end up in tokens issued by ids4 or are only subsets returned?
    I'd probably customise the Asp.Net Identity sign in process (override SignInManager) to not put them all in the ClaimsPrincipal and instead just load as needed from the DB
    Likewise you can customise the services used by ids4 to retrieve claims for the current user
    Mart
    @mart90
    They all end up in the token, when it works (most of our users have less than 500 claims which works fine). We can then use them for authorization purposes in our non-ids web apps
    Because of this issue we have already customized the retrieval in the non-ids web apps so that they check the db instead of the ClaimsPrincipal built from the token. Now we just need the ClaimsPrincipal to not contain the unneeded claims
    Customizing the sign in process seems like a hassle, but yeah that may be our only option
    Robert Hertenstein
    @rhertenstein_twitter
    @mackie1001 @coolhome thanks for the updates. RE the PKCE, it is coming from a C# library, so I am guessing it is just using the standard. When I remove the PKCE items, it still fails, so no luck there. RE logs, thanks for pointing me in the right direction. The logs from Serilog are horrible
    maulik-modi
    @maulik-modi
    We have implemented single sign-on between an Angular SPA application and a server-side MVC application
    Somehow when the Angular SPA application initiates sign-out, the server-side MVC application sign-out is not triggered. What are the options to investigate? The front-channel logout URI is configured
    Robert Hertenstein
    @rhertenstein_twitter
    @mackie1001 @coolhome Thanks for the help. We were able to get the link to work. I removed the PKCE, and changed the return URL to a standard URL (instead of mobile) and everything went through fine. Thanks again for the help
    Paul McNamara
    @mackie1001
    What type of app is it? The current one-size-fits-all recommendation is to use authorization code flow with PKCE
    So I'd be cautious about disabling it
    Ragnar Borgþór Ragnarsson
    @ragnarbr_gitlab
    Does anyone know the necessary steps for the User property (ClaimsPrincipal) to be populated in a .NET Core web project? When you're getting an Authorization header with "Bearer <jwt>" - I'm guessing something along the lines of services.UseAuthentication(Bearer...) with Audience and Authority, but I'm running into some problems there so I just want to make sure I'm looking in the right direction.
    Ragnar Borgþór Ragnarsson
    @ragnarbr_gitlab
    The issue with UseAuthentication looks like it's failing to validate the signature because it can't match the RSA256 key
    johnfleenor
    @johnfleenor
    Is there a way to configure identity server to have a private URL behind a firewall on one URL and have the client outside the firewall be redirected to a public IP that is load balanced to a different URL?
    I have APIs that are being secured using an identity server that is hosted on machines that are behind F5 firewalls. When I connect from outside the firewall to a secured API, it needs to forward to an internal address for the identity server config, and then it needs to have the public client redirect to a public address that goes to the public side of the F5. Then when the identity server gives the client a token, it should pass it through the F5 to the API service; then the identity server can verify the token by talking to the private-side identity server instead of the identity server URL that the public client hit to log in... if that makes sense