@waywardcode No, I was able to sort out my issue; I had an invalid redirect issue. The problem I was trying to solve is like this:
We have 3 IDSs (actually one, but with different domains): login.a.com, login.b.com, login.c.com. One of our applications, which uses login.a.com, needs to access some data in other applications which use login.b.com and login.c.com. Since those are in different domains, the user has to sign in again. But what I did was add login.a.com as an external provider to the applications that use login.b.com and login.c.com, so the user is already signed in with the external provider and I can take the user into the application without prompting for login.
@waywardcode If you have a different idea on this I would really like to hear that as well. But anyway, thanks a lot for replying to my question :)
Hey there,
I'm trying to protect an API using Client Credentials alone. I've followed the instructions here to a tee: https://docs.identityserver.io/en/latest/quickstarts/1_client_credentials.html
I'm getting the following error, though:
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Information: Authorization failed. These requirements were not met:
DenyAnonymousAuthorizationRequirement: Requires an authenticated user.
My identity server also implements a custom profile service for a different API, so I'm wondering if they're clashing somehow. Any help would be super appreciated.
@alqadri-prog You could try adding a custom ProfileService:
using System.Linq;
using System.Threading.Tasks;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;

public class MyProfileService : IProfileService
{
    // Assumed dependencies: your own user store and the API service that supplies claims
    private readonly IMyDataService _myDataService;
    private readonly IMyApiService _myApiService;

    public MyProfileService(IMyDataService myDataService, IMyApiService myApiService)
    {
        _myDataService = myDataService;
        _myApiService = myApiService;
    }

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        // Get user / subject id
        var subject = context.Subject.GetSubjectId();
        var user = _myDataService.GetUser(subject);
        if (user != null)
        {
            // Query your api service for the user's claims
            var claims = await _myApiService.FetchClaims(subject);
            // Set the claims that will be issued in the token / userinfo response
            context.IssuedClaims = claims.ToList();
        }
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        // A user that no longer exists in the store is treated as inactive
        var subject = context.Subject.GetSubjectId();
        var user = _myDataService.GetUser(subject);
        context.IsActive = user != null;
        return Task.CompletedTask;
    }
}
Then in your startup:
services.AddIdentityServer(....)
    .AddProfileService<MyProfileService>();
Hello all,
I have an issue related to the admin UI in a Docker environment using nginx,
on the redirection to /signin-oidc after login; auth is successful.
Any idea?
AuthenticationScheme: Cookies signed in.
[15:14:59 INF] Request finished HTTP/1.0 POST http://{ip}/signin-oidc application/x-www-form-urlencoded 590 - 302 0 - 540.6799ms
[15:14:59 DBG] Connection id "0HMHS0NA62L58" disconnecting.
[15:14:59 DBG] Connection id "0HMHS0NA62L58" stopped.
[15:14:59 DBG] Connection id "0HMHS0NA62L58" sending FIN because: "The Socket transport's send loop completed gracefully."
[15:15:01 DBG] Connection id "0HMHS0NA62L59" accepted.
[15:15:01 DBG] Connection id "0HMHS0NA62L59" started.
[15:15:01 INF] Request starting HTTP/1.0 GET http://{ip}/signin-oidc - -
[15:15:01 DBG] The request path /signin-oidc does not match a supported file type
[15:15:01 DBG] No candidates found for the request path '/signin-oidc'
[15:15:01 DBG] Request did not match any endpoints
[15:15:01 WRN] .AspNetCore.Correlation. state property not found.
[15:15:01 INF] Error from RemoteAuthentication: Correlation failed..
[15:15:01 ERR] An unhandled exception has occurred while executing the request.
System.Exception: An error was encountered while handling the remote login.
---> System.Exception: Correlation failed.
--- End of inner exception stack trace ---
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context)
at NWebsec.AspNetCore.Middleware.Middleware.CspMiddleware.Invoke(HttpContext context)
at NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase.Invoke(HttpContext context)
at NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase.Invoke(HttpContext context)
at NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase.Invoke(HttpContext context)
at NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
[15:15:01 INF] Request finished HTTP/1.0 GET http://{ip}/signin-oidc - - - 500 - text/html;+charset=utf-8 38.5731ms
[15:15:01 DBG] Connection id "0HMHS0NA62L59" disconnecting.
[15:15:01 DBG] Connection id "0HMHS0NA62L59" stopped.
[15:15:01 DBG] Connection id "0HMHS0NA62L59" sending FIN because: "The Socket transport's send loop completed gracefully."
Good day. I set up my Identity client to make a request to the Signout endpoint (it's called "front channel logout" in identity terms) after logging out from the Identity app.
The request contains sid (session id) and iss (request initiator). Example: /api/sso-signout?sid=kR7iyKn1DMJOBPAlP3U8Mw&iss=https://identity.dev.com/login
The problem is that we do Signout through HttpContext, but we do not have the required context to do the logout, as the request is done from a different domain (Identity in this case), and the user has another HttpContext in our application (in a nutshell: when we do the Signout request from Identity we have no clue who to sign out on the server).
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

// Logout action on the IdentityServer side (AccountController)
[HttpPost]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Logout(LogoutInputModel model)
{
    // build a model so the logged out page knows what to display
    var vm = await new AccountHelper(_interaction, _clientStore).BuildLoggedOutViewModelAsync(model.LogoutId);
    if (User?.Identity.IsAuthenticated == true)
    {
        // delete local authentication cookie
        await HttpContext.SignOutAsync();
    }
    return View("LoggedOut", vm);
}
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

// Logout action on the client application side
[Route("Logout")]
[HttpGet]
public async Task Logout()
{
    try
    {
        // Only the local cookie is cleared here; nothing tells IdentityServer to end its session
        await HttpContext.SignOutAsync();

        // Earlier attempt to call IdentityServer's logout endpoint directly, left disabled:
        //var client = new HttpClient();
        //var tokenResponse = await HttpContext.GetTokenAsync("access_token");
        //client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", tokenResponse);
        //var url = _appSettings.IdentityServerUri + "Account/Logout";
        //string param = $"LogoutId={tokenResponse}";
        ////HttpContent content = new StringContent(param, Encoding.UTF8, "application/json");
        //var response = client.GetAsync(url+param);
    }
    catch (Exception e)
    {
        // Exceptions are swallowed here; nothing is logged or surfaced to the caller
    }
}
@kkallberg I'm not too sure what tech stack you're using, but assuming you're using React / Angular / Next or something like that, you could have a few options. Although, without knowing exactly what your production environment is like, some of these may not apply.
I'd say possibly the easiest method would be to bundle a second piece of JavaScript along with your SPA that runs parallel to your app. This piece would solely be responsible for checking the request URI for a token and redirecting away to the identity server if it doesn't exist. This would allow you to pre-fire the redirect even before your SPA is loaded. Then, when you're redirected back, your app will load as normal.
You could also reduce the number of redirects by using silent auth and storing the renewal token in a cookie (maybe someone else could comment on the security of using this token this way).
Another solution is to do the same as above but at the server level. Without knowing what server you're using to serve the SPA it's hard to give any exact instructions, but if your SPA is served using nginx / Apache you could configure your .htaccess/.conf files to do the same behavior as above: check the URL for the token parameter; if it doesn't exist (or a renewal cookie for silent auth doesn't exist), redirect to the identity server first. If your server doesn't support either of these technologies, you could achieve the same results using an nginx-based reverse proxy or possibly even writing a custom solution for whatever server you're using.
Good luck!
In development mode, the client Angular application is running on HTTP. After successfully logging in, when redirected back to the application it keeps reloading again. This is because of HTTP; however, if I change the Node application to HTTPS everything is working. Does anyone know how to allow HTTP?
I have set up CORS as well:
app.UseCors("CorsPolicy");
And in the client settings the allowed CORS origins are as below: