    RobertPalyan
    @RobertPalyan
    Hello. Can anyone please help me with an issue I have faced?
    I dug through a lot of topics but didn't find an exact answer that will work for me.
    Thank you in advance.
    mohitook
    @mohitook
    Hello everyone!
    We are currently using IS4 with ASP.NET Identity and provide JWT tokens for clients. For now we have only browser clients, but that will change soon and we'll have mobile clients as well.
    As I see it, common features like sign-out are impossible, or require serious workarounds, with the JWT approach.
    Do you have any suggestion what we could change to move in the right direction?
    (I have to mention that we decided to use JWT because next year the whole application will move towards a microservice architecture.)
    tjmcdevitt
    @tjmcdevitt
    I am using this IdentityModel as extension methods with OpenID. I was searching for a way to use the ClientId, ClientSecret and UserName to grant access to the site. All the methods I see on this page are using a password and I was hoping to bypass it. Any help would be great.
    Cody Rees
    @noknokcody
    Hello everyone,
    I'm trying to use the React Project Template but swap out EntityFramework for a custom user store. I'm pretty sure I've got myself 98% of the way on my own by setting up a custom profile service. The only problem is now the React SPA can't connect over oidc-client.js. I'm willing to pay an hourly rate to anyone who can help me get back on track here. I've had my head in this for 8+ hours and I'm getting nowhere.
    It looks like removing EF removes the default Client and IClientConfigurationProvider as well as some other basic IdentityServer setup methods.
    Ruben Aleksanyan
    @RubAleksanyan_gitlab

    @noknokcody
    Check this repo

    https://github.com/andreisfedotov/Notes

    Cody Rees
    @noknokcody
    Thanks for the heads up Ruben, sadly the Identity Project is using EF which is what I'm trying to remove
    Phuong Nguyen
    @neunygph
    Hi all, is IdentityServer4 free to use in production?
    Davis Templeton
    @BashfulBandit
    Good morning! I am working through the IdentityServer4 documentation using the Quickstart UIs and I have a use-case for which I am wondering if there is an implemented way to achieve it. I have an external identity provider configured to work, and I currently have one client that is configured to not use Local Logins and only use that external provider. What I need is a way to configure another client to only allow it to use Local Logins. I see on the Client that there is a property called IdentityProviderRestrictions that will restrict which external providers the client can use, but if I set that to null or empty then all of the external providers are allowed. I found a workaround to configure the client to be restricted to an external provider that the Identity Service doesn't support, but this seems a bit problematic if we ever do support that external provider. I guess I could put some garbage value in the array that will never be supported. I guess I am just curious if there is a more appropriate way to achieve this use-case. Thanks!
    kaputsyn
    @kaputsyn
    Hello. I am working with IdentityServer4 and store configurations in the EntityFramework store. I see the ClientCorsOrigins table and configured my client with some allowed origins. But with device code flow I am not receiving any CORS headers on the /deviceauthorization request. My client is a Blazor application and must initiate authorization from the browser, but it receives CORS errors. How can I properly configure CorsOrigins for my client?
    Jaymie Jeffrey
    @r3plica
    Hey all, does anyone know where I can see some code that shows external authentication working with an SPA? All the ones I find are using MVC and that is not what I need :(
    Gdwalmsley
    @Gdwalmsley

    Hello all, after some help if you don't mind.
    Trying to integrate IdentityServer4 into an old WebForms app.
    Hit a bit of a snag: I am trying to get a new access token from my refresh token. My code works fantastically well in a development environment; however, when I come to deploy it, it no longer works.

    Using IdentityModel version 4.3.1.0:

        var tokenResponse = await _client.RequestRefreshTokenAsync(new RefreshTokenRequest
        {
            Address = $"{_apiGateway}{_authority}/connect/token",
            ClientId = _clientId,
            ClientSecret = _clientSecret,
            RefreshToken = refreshToken
        });

    Development locally continues on great and a token is issued successfully.

    In the deployed version, the application immediately stops at the point this is executed.
    If I place logging before and after this, only the pre-RequestRefreshTokenAsync logging runs.

    This is really strange; in the IdentityServer logs I can see that a token has been issued successfully.

    Any ideas? I'm a bit stumped.
    Gdwalmsley
    @Gdwalmsley
    This has been resolved. It turned out that var tokenResponse was ambiguous; defining it from IdentityModel specifically resolved the issue.
    Gdwalmsley
    @Gdwalmsley
    Actually, it hasn't :(
    pratibha tiwari
    @pratibha777
    Hi All, need HELP. I am not able to find the right template or quickstart for this requirement: we have an all-new 1. .NET Core project with EF Core and SQL Server, 2. front end in Angular. As far as I read, the most secure approach for using IdentityServer4 and ASP.NET Identity is Authorization Code as of now. And we don't want to use MVC, and I am a backend developer, so the Angular/JS template is also not useful. So I guess I need to add IdentityServer and ASP.NET Identity and somehow provide a custom service to register users, change/reset passwords etc. Do you know of any ready sample that could be helpful for this? Or what do you think should be my way to approach this step by step? Please advise.
    pratibha tiwari
    @pratibha777
    I can't find any documentation regarding the profile service to understand if that will be helpful for my need.
    waywardcode
    @waywardcode
    @pratibha777 - I know the React .NET Core template project has ID4 support if you select Authorization; you can study that to get started. It uses the standard JS lib oidc-client (look it up on GitHub) https://github.com/damienbod/angular-auth-oidc-client
    pratibha tiwari
    @pratibha777
    Hey @waywardcode, this one is available for Angular too. But aren't these resource owner flows, which are not recommended?
    naveen21may
    @naveen21may
    Hi Team
    I'm using IDS4 with ASP.NET Identity.
    I have one UI client and two APIs.
    When I want an access token for my UI, I pass the username and password to IDS,
    so I get an access token in the React application and it contains all the claims.
    Now I want to hit the other API, so I again call IDS to get an access token, but this time I'm using GrantType = Client Credentials,
    so I don't have any claims in this access token.
    naveen21may
    @naveen21may
    Now, if I want to send claims to the API, is there any other way that the token will include claims without passing a username and password?
    naveen21may
    @naveen21may:matrix.org
    Can someone help me??
    Bebins
    @BebinsRam_twitter

        System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '/.well-known/openid-configuration'.
         ---> System.IO.IOException: IDX20807: Unable to retrieve document from: '/.well-known/openid-configuration'. HttpResponseMessage: 'StatusCode: 403, ReasonPhrase: 'Forbidden', Version: 1.1, Content: System.Net.Http.HttpConnectionResponseContent, Headers:
        {
          Server: awselb/2.0
          Date: Sat, 06 Nov 2021 01:15:39 GMT
          Connection: keep-alive
          Content-Type: text/html
          Content-Length: 118
        }', HttpResponseMessage.Content: '<html>
        <head><title>403 Forbidden</title></head>
        <body>
        <center><h1>403 Forbidden</h1></center>
        </body>
        </html>
        '.
           at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
           at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
           at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
           --- End of inner exception stack trace ---
           at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
           at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
           at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
           at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.HandleAuthenticateOnceSafeAsync()

    Hi Team
    I am getting the above error.
    I am able to load the document URI in the browser.
    Local and UAT are good; only production has the issue.
    Production has a load balancer.
    Any idea?
    pouliosioannis
    @pouliosioannis
    Hello. I have an application that has a cookie lifetime of 40 minutes (sliding). If a user is inactive for 40m and then does something, I want to send him to Identity Server to re-authenticate again. I was thinking of adding the max_age property. My question is: which is the correct way to do it? Is it correct to set a 40m refresh token (I know it is a short lifetime for refresh tokens) and when it has expired to redirect the user to Identity Server? Or is there a more automated way? I use a .NET Core client.
    Tomas Sykora, jr.
    @syky27

    Hi, I am in need of help :(

    I have Angular SPA app, with this config in appsettings.json:

        "Clients": {
          "nobleui-angular": {
            "Profile": "SPA",
            "RedirectUri": "http://localhost:4200/authentication/login-callback",
            "LogoutUri": "http://localhost:4200/authentication/logout-callback",
            "AllowedCorsOrigins": ["http://localhost:4200"]
          }
        }

    I am able to login, but when I am trying to get data from /api I get:

        dbug: IdentityServer4.Hosting.CorsPolicyProvider[0]
              CORS request made for path: /api/Clients from origin: http://localhost:4200 but was ignored because path was not for an allowed IdentityServer CORS endpoint

        info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
              Request finished HTTP/1.1 GET http://localhost:5000/api/Clients - - - 401 0 - 152.4238ms

    I also tried to define the client in code like this:

        options.Clients.Add(new Client {
            ClientId = "angularClient",
            ClientName = "JavaScript Client",
            RequireConsent = true,
            AccessTokenType = AccessTokenType.Jwt,
            AllowedGrantTypes = GrantTypes.Implicit,
            AllowAccessTokensViaBrowser = true,
            RedirectUris = { "http://localhost:4200/authentication/login-callback" },
            PostLogoutRedirectUris = { "http://localhost:4200/authentication/logout-callback" },
            AllowedCorsOrigins = { "http://localhost:4200" },
            AllowedScopes = {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                IdentityServerConstants.StandardScopes.Email,
                "api"
            },
        });

    But in this case I get Exception:

    System.InvalidOperationException: Can't determine the type for the client 'angularClient'
       at Microsoft.AspNetCore.ApiAuthorization.IdentityServer.DefaultClientRequestParametersProvider.GetClientParameters(HttpContext context, String clientId)

    Can someone please help me?

    Cody Rees
    @noknokcody

    Hey mate, I'm doing a React SPA project and I had the same issues as you a few weeks back. What I found was that Chrome/Firefox/Edge etc. don't play nicely with CORS over localhost at all. They also don't like non-secure connections. You either need to boot your browser with web security disabled (use https:// for all your URLs) or give your projects some SSL certificates and custom domains (this is what I did for best results).

    To do so...

    Hosts File

    Add these records to your hosts file to set up your custom domains
    (C:\Windows\System32\drivers\etc):

        127.0.0.1 app.yourappname.local     # Angular SPA
        127.0.0.1 api.yourappname.local     # API
        127.0.0.1 auth.yourappname.local    # Identity Server

    Make sure you rename all URLs in your project to the new ones.

    App Server

    Download mkcert.exe and add it to your PATH.

    The first time you use mkcert you should run

        mkcert.exe -install

    From the App project root run the following to generate a certificate:

        mkcert.exe yourappname.local app.yourappname.local

    Rename/move the generated cert and key files to .cert/server.crt and .cert/server.key (you may need to make the folder).

    For the next part, you'll need to configure your local app server to use the new custom domain and SSL certificate. I'm not sure if you're using webpack-dev-server or not (like I am), but for me it was as easy as adding the following file (.env.local):

        HTTPS=true
        HOST=app.yourappname.local
        SSL_CRT_FILE=.cert/server.crt
        SSL_KEY_FILE=.cert/server.key
        HTTPS_CERT=.cert/server.crt
        HTTPS_KEY=.cert/server.key

    All done, the App server is set up for SSL.

    Identity Server

    Create a new self-signed certificate (Admin PowerShell):

        New-SelfSignedCertificate -NotBefore (Get-Date) -NotAfter (Get-Date).AddYears(1) -Subject "auth.yourappname.local" -KeyAlgorithm "RSA" -KeyLength 2048 -HashAlgorithm "SHA256" -CertStoreLocation "Cert:\LocalMachine\My" -KeyUsage KeyEncipherment -FriendlyName "HTTPS YourAppNameIdentity development certificate" -TextExtension @("2.5.29.19={critical}{text}","2.5.29.37={critical}{text}1.3.6.1.5.5.7.3.1","2.5.29.17={critical}{text}DNS=auth.yourappname.local")

    Take note of the certificate thumbprint.

    Tell IIS Express to use this certificate for our project (Admin CMD):

        "C:\Program Files (x86)\IIS Express\IisExpressAdminCmd.exe" setupSslUrl -url:https://auth.yourappname.local:44384 -CertHash:THUMBPRINT HERE

    Then you need to import this certificate into your "Trusted Root Certificate Authorities" certificate store. There's likely a better way to do this but this worked for me.

    For Chrome you can click the lock button next to the URL > Certificate > Details (Tab) > Copy to File.

    Then you can import by searching "Manage user certificates" > Trusted Root Certification Authorities > Right Click "Certificates" > Import

    Web App

    Create a new self-signed certificate (Admin PowerShell):

        New-SelfSignedCertificate -NotBefore (Get-Date) -NotAfter (Get-Date).AddYears(1) -Subject "api.yourappname.local" -KeyAlgorithm "RSA" -KeyLength 2048 -HashAlgorithm "SHA256" -CertStoreLocation "Cert:\LocalMachine\My" -KeyUsage KeyEncipherment -FriendlyName "HTTPS YourAppNameIdentity development certificate" -TextExtension @("2.5.29.19={critical}{text}","2.5.29.37={critical}{text}1.3.6.1.5.5.7.3.1","2.5.29.17={critical}{text}DNS=api.yourappname.local")

    Take note of the certificate thumbprint.

    Tell IIS Express to use this certificate for our project (Admin CMD):

        "C:\Program Files (x86)\IIS Express\IisExpressAdminCmd.exe" setupSslUrl -url:https://api.yourappname.local:44323 -CertHash:THUMBPRINT HERE

    Then you need to import this certificate into your "Trusted Root Certificate Authorities" certificate store. There's likely a better way to do this but this worked for me.

    For Chrome you can click the lock button next to the URL > Certificate > Details (Tab) > Copy to File.

    Then you can import by searching "Manage user certificates" > Trusted Root Certification Authorities > Right Click "Certificates" > Import.

    @syky27 Lastly, make sure you update all your URLs in all projects to use https and the new domains :)
    Cody Rees
    @noknokcody

    @syky27 One last step, sorry: before you tell IIS Express to use that certificate you need to change the App URL on each of your projects (Project Properties > Debug > App URL) and enable SSL.

    Make sure you use that SSL URL for all of your URLs, including the Admin CMDs:

        "C:\Program Files (x86)\IIS Express\IisExpressAdminCmd.exe" setupSslUrl -url:YOUR_SSL_URL_HERE -CertHash:THUMBPRINT HERE
    zhengdaoit
    @zhengdaoit
    hi
    karthiksiva555
    @karthiksiva555

    Hi Everyone, I need some help with machine-to-machine authorization. I am trying to call an API (API2) from another API (API1) with the help of the client credentials flow. Is it possible to grant access to only some parts of API2? Both are ASP.NET Core APIs.

    To give some context: when making a call from API1 to API2, I am currently using a service account that decides what parts of API2 are allowed access. The service account is created and configured (with roles) in API2 and shared with API1 ahead of time.

    I am trying to achieve the same with OAuth's client credentials flow but I could not find any information on restricted access inside an API. I believe ApiScopes won't work in this case.

    Could you let me know if restricted API access is possible in the client credentials flow? Or can this be achieved in any other flow?

    Craig Freeman
    @Craig939393_twitter

    > Hi Everyone, I need some help with machine-to-machine authorization. I am trying to call an API (API2) from another API (API1) with the help of the client credentials flow. Is it possible to grant access to only some parts of API2? Both are ASP.NET Core APIs.
    >
    > To give some context: when making a call from API1 to API2, I am currently using a service account that decides what parts of API2 are allowed access. The service account is created and configured (with roles) in API2 and shared with API1 ahead of time.
    >
    > I am trying to achieve the same with OAuth's client credentials flow but I could not find any information on restricted access inside an API. I believe ApiScopes won't work in this case.
    >
    > Could you let me know if restricted API access is possible in the client credentials flow? Or can this be achieved in any other flow?

    You can do that using resource scopes.

    karthiksiva555
    @karthiksiva555
    @Craig939393_twitter thanks for taking a look. You are right about ApiScopes, but the current system has a lot of roles (very granular) that we don't want to migrate to Identity Server yet. So we are trying to use a service account in API2 that maps to a client/user in IDS. We were able to achieve this by adding a custom claim to the access token. When API2 gets a request with an access token, the custom claim is used to find the associated service account and the ClaimsPrincipal user is set to that account.
    Suraj Nair
    @suraj_rtistiq_gitlab
    Hi Everyone,
    I am trying to add the IssuedAt claim to my JWT token.
    But when the token is generated, the "iat" claim does not appear.
    Below is the code snippet:

        using System.Security.Claims;
        using IdentityModel; // JwtClaimTypes and the ToEpochTime() extension

        var claims = new List<Claim>
        {
            new Claim(JwtClaimTypes.Id, user.Id.ToString()),
            new Claim(JwtClaimTypes.Email, user.Email),
            new Claim(JwtClaimTypes.Name, user.UserName),
            // "iat" as Unix epoch seconds, typed as an integer claim
            new Claim(JwtClaimTypes.IssuedAt, DateTime.UtcNow.ToEpochTime().ToString(), ClaimValueTypes.Integer64),
        };

    Please help.
    deivyd321
    @deivyd321
    Hi, everyone. I would appreciate it if you took a look at my question: https://stackoverflow.com/questions/70160945/asp-net-core-api-openid-connect-authentication-with-jwt-token-using-identitymode #identitymodel
    Alex McCool
    @amccool
    Hi, I have idsvr4 v3 in a k8s cluster. I'm using the k8s service DNS to set the authority for the resource apps. Works great for client creds. However, when a browser OIDC challenge comes in for a UI resource app (hybrid), the app follows exactly what it's told by the well-known config and redirects to the internal k8s service DNS endpoint. Can I use the same idsvr4 endpoint for both client-cred and hybrid? Do I need to dynamically write the well-known config based on the resource app?