Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Repo info
Activity
    Mehdi Payervand
    @mehdipayervand
    or to send it via SMS
    Diego Bustamante
    @diegohb
    :question: opinion poll: what's going to be a better alternative to id4server -> A) Azure AAD B2C or B) Keycloak ?
    Kevin Kallberg
    @kkallberg
    I have a fairly heavy SPA that I am securing with IdentityServer4. Let's say I have app.mydomain.com serving the SPA and identity.mydomain.com is where IdentityServer4 lives. Currently we encourage users to navigate to apps.mydomain.com, where the SPA is loaded, then once loaded the user is redirected to identity.mydomain.com for interactive login. Upon successful login, the user is then redirected back to the SPA at apps.mydomain.com, where they have to wait for the application to load a second time. I'm looking for a way to get out of loading the SPA twice. One thought we had was to instead encourage users to begin at identity.mydomain.com, skipping the first SPA load. However, upon successful login, what now? The user needs the token to access the SPA. What are we overlooking? This seems like it should be doable. Any suggestions would be much appreciated. Thanks!
    Cody Rees
    @noknokcody

    @kkallberg I'm not too sure what tech stacks your using but assuming you're using React / Angular / Next or something like that you could have a few options. Although without knowing exactly what your production environment is like some of these may not apply.

    I'd say possibly the easiest method would be to bundle a second piece of javascript along with your SPA that runs parallel to your app. This piece would solely be responsible for checking the request URI for a token and redirecting away to the identity server if it doesn't exist. This would allow you to pre-fire the redirect even before your SPA is loaded. Then when you're redirected back, your app will load as normal.

    You could also reduce the number of redirects by using silent auth and storing the renewal token in a cookie (Maybe someone else could comment on the security of using this token this way).

    Another solution is to do the same above but at a server level. Without knowing what server you're using to serve the SPA it's hard to give any exact instructions but if your spa is served using nginx / apache you could configure your htaccess/.conf files to do the same behavior as above. Check the URL for the token parameter, if it doesn't exist (or a renewal cookie for silent auth doesn't exist), redirect to identity server first. If your server doesn't support either of these technologies, you could achieve the same results using a nginx based reverse proxy or possibly even writing a custom solution for whatever server you're using.

    Good luck!

    greengumby
    @greengumby
    Hi, running into an issue for an internal application that is using "Azure App Proxy" to route working from home users to the internally facing website whereby IdentityServer4 is issuing the tokens. Internally everything works as expected however externally when authenticating I can see a Authorization token is created however the connect/userinfo endpoint responds with a 403 and the Logs have written "No Access Token Found" Any suggestions would be much appreciated. Thanks!
    Riccardo Becker
    @riccardobecker_twitter
    hi all, is there a way to show a <img src="path to external image on public blob storage"...> from an external on the login page?
    Kaustav Chakraborty
    @caustav
    When I am using password grant type how to have userid as a claim in the generated JWT token ?
    florin86
    @florin86:matrix.org
    [m]
    Hello, I'm getting the error " Cookie was not authenticated. Failure message: Unprotected ticket failure" this is happening under load balanced traffic with Identity being split in Authentication/Authorization service and User management service. This error occurs on the management service on the authentication process. Is this a data protection issue? Is there an example how to configure this having two services, in case this would be the issue ?
    Robert Karlsson
    @Robban1980
    @florin86:matrix.org its a data protection issue, you are using different keys on your different instances. You need to use a distributed store for your keys
    Navid Shokri
    @navid-dada
    @florin86:matrix.org this is the link that I used to cluster my identityserver https://github.com/IdentityServer/IdentityServer4/issues/2205#issuecomment-424253606
    Anand Jaisy
    @anandjaisy

    In the development mode, the client Angular application is running on HTTP. After successfully logging
    when redirect back to the application it keeps reloading again. This is because of HTTP, however, if I change the Node
    application to the HTTPS everything is working. Does anyone know how to allow HTTP

    I have setup CORS as well

    app.UseCors("CorsPolicy");

    And in the client setting the allowed CORS are as below

    image.png
    Chihab HAJJI
    @chihabhajji
    does someone have a minimal demo with two legged OAuth (2LO) please ?
    ashuvviet
    @ashuvviet
    we have SPA application on react using oidc-client js and Identity server 4. the issue here is to implement session idling, e.g. if user is idle for 2hr then application should log out. we have autoslient = true on oidc client side and identity server 4 using SlidingRefreshTokenLifetime but we are not sure how to achive session idling but max session works for us as we have absoluteRefreshtokenLifeTime set..
    Tuncay Cem Uzun
    @tuncaycemuzun:matrix.org
    [m]
    hi,
    the project runs smoothly on local but when I work with Docker 'admin-api.skoruba.local' returns 404. What is the problem?
    Edin Jašarević
    @jasarsoft
    Hi everyone!
    Abdallah Hassnat
    @Ahassnat
    Hi everyone!
    Cody Rees
    @noknokcody
    @sharonmary:matrix.org everyone here is a security nerd. You're fishing in the wrong pond mate.
    chrisrestall
    @chrisrestall
    using Duende identityServer with AspNet core identity authentication and serverSide session. We have a client using the duende BFF and are trying to get sliding expiration to work. The server session table doesn't seem to update "renew" when refreshing the client page. sliding is set on BFF side and IdentityServer side. How does BFF inform IdentityServer to renew the session. If we log directly into the identity server, sliding works fine
    mmk90
    @mmk90:matrix.org
    [m]
    hi
    I want to have a password/username login and fingerprint login in identity server but i don't know how to do it can you help me?
    chrisrestall
    @chrisrestall

    Having issues with Sliding cookies with identityServer. Lets say we have authentication cookie set to expire on identityserver at 1 hour - sliding = true. A client application that uses IdentityServer has an auth cookie is set to 30 minutes, sliding = true. The client application can slide it's cookie every > 15 minutes keeping the user logged in on the client application. However that does not sync back on identityServer side. After 1 hour the session there is effectively ended regardless of the client's sliding. The client will continue to work until it's cookie expires > 30 minutes if no sliding there happens..

    The only time a slide on identityserver seems to happen is when the client cookie expires BEFORE the identityserver cookie. In that case, the client logs back in a again, a call to authorize, slides the identityserver cookie. Maybe thinking about this wrong, but expected that when a client cookie slides, this also calls to identityserver to slide that cookie as well (if > 1/2 the expry time).

    Dane Watson
    @deedubb83_twitter
    Hello. newbie question. Asp.net 6, IDS4, with an MVC webapp. I want to have oidc do the authentication, but I want the MVC application to have ApplicationUser available for every page in context. Which example should I look at?
    1 reply
    Terje Sandstrom
    @OsirisTerje
    I'm upgrading from earlier versions of IdentityModel, and cant find out where the "AddUserAccessTokenClient" method has gone. Also looks like "IdentityModel.AspNetCore" has been archieved - what is supposed to replace that one ?
    1 reply
    claraaudbtc
    @claraaudbtc:matrix.org
    [m]
    Win up to $1000 in crypto trading when you invest with just the minimum of $100.
    Signup and start investing your crypto with.
    💎NO STRESS
    💎NO REFERRAL NEEDED!!
    💎NO REGISTRATION FEE!!
    https://t.me/+fg0XTHR8CAo4Y2Fk
    https://t.me/+fg0XTHR8CAo4Y2Fk
    iamandymcinnes
    @iamandymcinnes
    Hi I wondered if anyone can point me in the right direction... I'm trying to run Ids4 in kubernetes but I'm struggling to get the discovery document to have the external urls display rather than the internal ones, and also same issue with https if I have my SSL managed on the gateway ingress controller (agic).
    vishalaj1
    @vishalaj1
    Hi All, We are using IdentityServer4 , Cert-manager, Kubernetes setup. When using IdentityServer4 admin page we get this error. "unable to obtain configuration from well-known/openid-configuration". We do not get the same error on other pages but only on Identity4 admin. Anybody has faced same issue?
    Navid Shokri
    @navid-dada
    Hi All, I am working with identity server 4 and I am trying to use claim-based authorization. (this means I will attach all the role permissions to my token) it works great but there is one problem and that is the size of .AspNetCore.Identity.Application cookie. It seems that it will contain all the information inserted into my token as well. So there is multiple questions:
    1- why do we need this cookie?
    2- which data are stored in this cookie? and are all of these data are necessary?
    3- is there any way to override the cookie generator and just putting required claims?
    Johnny Camby
    @CambyJohnny_twitter
    Hi , i really need help regarding a client " Redirect Loop" that later results into "Bad Request - Request Too Long - HTTP Error 400. The size of the request headers is too long."
    in my scenario only one user can login properly and the others can't. Hence " HTTP Error 400. The size of the request headers is too long."
    vishalaj1
    @vishalaj1

    Hi All, We are using IdentityServer4 , Cert-manager, Kubernetes setup. When using IdentityServer4 admin page we get this error. "unable to obtain configuration from well-known/openid-configuration". We do not get the same error on other pages but only on Identity4 admin. Anybody has faced same issue?

    Hi All,

    We identified the root cause. It was because https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

    We added this preferredChain: "ISRG Root X1" in Issuer.

    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
    name: letsencrypt-isrgx1
    spec:
    acme:
    email: an@email.com
    server: https://acme-v02.api.letsencrypt.org/directory
    preferredChain: "ISRG Root X1"

    Hope it helps to anyone having same problem!!

    Regards,
    Vishal

    anshulrts
    @anshulrts

    Hello,

    I have really simple query.

    Is IdentityServer4 version4.1.2 compatible with IdentityModel version4.4?

    I know IdentityModel should be IDS agnostic, but just want to see that we don't need to do any tweak to make it work, correct?

    Ophir Oren
    @developer82

    I'm using IdentityServer4 and I have implemented implicit flow using the demo UI. My client is using the consent screen and I have a case where I need to add some additional parameters to the token after consent. In consent controller POST action:

    Is there a way to get the current token? I see that there is a state parameter sent to the controller and passed around with each call. Since the token is created after login, I'm guessing IS4 is using this state to keep the token somewhere in memory. Is there a way for me to retrieve it?
    How can I modify the token and add additional claims to it at the consent POST action?

    rhlspherex
    @rhlspherex
    Hi Guys, I am trying to find a solution for concurrent login issue in Identity server. For eg . if user logs in into 2 browsers at the same time then he should get logged out from the first one, any suggestion is helpful, thanks
    Saman Pirooz
    @Digisaman
    I have IdentityServer & AdminUI installed, trying to get a token with ClientCredentials, I get invalid_scope error, but the scope exists!! what can cause this?
    greengumby
    @greengumby
    Recently updated to .NET 6 and ID4 (4.1.2) and I notice that if I use http no token is returned from the login procedure however if I switch to https it all works correctly. Has http been deprecated?
    Jeff Baker
    @RacerDelux

    So I am trying to get global logouts working on my app. I have two MVC apps both setup up to use the oidc protocol. For grant types, it is set to hybrid.
    When logging out I redirect to the EndSessionEndpoint with no params (I have no clue how to get the id_token_hint, doesn't seem to be in the user profile or my redirect endpoint).

    The EndSessionEndpoint automagically creates a logoutId and redirects to my logout page. There I can click the logout button and that does a post request. This is where it seems to just not work. I call GetLogoutContextAsync. It has the client id, but no redirect URL. In addition, my identity context does not have me logged in.

    Not sure where to go from here if anybody has any pointers.

    linxiao
    @jevonsflash
    hi guys
    Okan
    @okanMU
    hello
    Gradyn Wursten
    @GNUGradyn
    I am going crazy trying to figure this out. Where the heck is the code for the /connect/token endpoint
    it doesnt even show up in the endpoint explorer in rider
    I'm trying to troubleshoot an issue with JWTs but i am having trouble even figuring out where the code for the endpoint is so I can trace back the issue
    Jucimário Santana da Silva
    @Jucimario
    I have an AngularJs project with the AspNet Core 2.2 API, how do I make the API authenticate in Microsoft 365?
    Gourav-Sparkt
    @gourav-sparkt
    Hi, I am stuck on invalid_grant issue.
    login is working fine
    after logout its randomly giving above error.
    client setting: auth with pkce
    authority: '[URL]',
    client_id: 'Console',
    redirect_uri: '[URL]/auth-callback',
    post_logout_redirect_uri: '[URL]/logout-callback',
    silent_redirect_uri:'[URL]/auth-callback',
    response_type: "code",
    scope: 'openid profile roles offline_access'
    DaveBorka
    @TrEgZor
    Hi All, Could someone help me I totally lost. The current issue is I need to provide a login page with identity server. The login page has one purpose, to authenticate the username/password. The issue is the provided credentials are the windows AD or Local account credentials. Is it possible to authenticate the user by triggering windows AD or SAM in order to validate the username/password. What is having in my mind I can use the Logon native method which tries to login with the credentials. Did anyone faced with this problem?
    Tore Nestenius
    @tndata
    @GNUGradyn The code it asks for is the Authorization code that is returned to you after the user has successfulle authenticated and given consent to the scopes.
    @greengumby HTTPS is a requrirement nowdays, not due to IdentityServer, but due to the samesite cookie attribute that browsers implemented for a year or two ago. For OpenID-Connect to work, you are forced to use HTTPS and samesite=none;secure when you set the cookies.
    @RacerDelux To get the id_token_hint, you need to save your Id-token and pass it to IdentityServer during logout. Dominick talks about in this video that he released yesterday https://www.youtube.com/watch?v=sRb0UfLeOVw
    @Digisaman Do check the logs in IdentityServer, why the scopes fails. What scopes are you asking for?
    Tore Nestenius
    @tndata
    @anandjaisy HTTPS is a requrirement nowdays, not due to IdentityServer, but due to the samesite cookie attribute that browsers implemented for a year or two ago. For OpenID-Connect to work, you are forced to use HTTPS and samesite=none;secure when you set the cookies.

    I have just published a new blog post titled:

    IdentityResource vs. ApiResource vs. ApiScope
    https://nestenius.se/2023/02/02/identityserver-identityresource-vs-apiresource-vs-apiscope/

    Any feedback is appreciated!