    Bobby Karlen
    @BobbyKarlen_twitter
    Hey everyone, new to Gitter. I've been having issues lately with tokens for our app. Currently I moved our .NET Core application to AKS and have it going to IdentityServer4 in an Azure App Service. The client is set up using implicit flow with id_tokens only. If the application replica set is only set to 1 pod there is no issue, however when the application is scaled to more than 1 pod there are bounce backs to IdentityServer (I'm assuming it is trying to authenticate/authorize the other pod), however it never gets authorized, and generates infinite amounts of nonce cookies until it fails. The weird thing is I had the application working with replica sets over HTTP, but when I switched to HTTPS it no longer works. Thoughts?
    Eugenio Favalli
    @eugeniofavalli_twitter
    what if I host a SPA together with its APIs (same host/port), should I register 2 clients?
    berlaga
    @berlaga

    Maybe somebody can help me. I'm stuck. I'm new to IdentityServer and following examples I created a sample IdentityServer. I have the following definition for ApiResources and Client:

    ```csharp
    public static IEnumerable<ApiResource> GetAPIs()
    {
        return new List<ApiResource>
        {
            new ApiResource("api1", "My API"),
            // This resource is constructed without a Name; the two entries
            // inside it are scopes, not resource names.
            new ApiResource()
            {
                Scopes = new List<Scope>
                {
                    new Scope() { Name = "api2:read", DisplayName = "API2 read only" },
                    new Scope() { Name = "api2:write", DisplayName = "API2 read / write" }
                }
            }
        };
    }

    public static IEnumerable<Client> GetClients()
    {
        return new List<Client>
        {
            new Client()
            {
                ClientId = "cnt1",
                AllowedGrantTypes = GrantTypes.ClientCredentials,
                ClientSecrets = { new Secret("secret".Sha256()) },
                AllowedScopes = { "api2:read", "api2:write", "api1" }
            }
        };
    }
    ```

    When I call from client:

    ```csharp
    var tokenResponse = await client.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
    {
        Address = disco.TokenEndpoint,
        ClientId = "cnt1",
        ClientSecret = "secret",
        Scope = "api2:read"
    });
    ```
    I get a valid response.
    But, in my API project, only if I set Audience to "api1" validation goes through.
    If I try "api2:read" or "api2:write" I get: Bearer was not authenticated. Failure message: IDX10214: Audience validation failed.
    Any help is greatly appreciated.
    This is how my API service is configured:
    ```csharp
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();

        // Initialize JWT authentication
        services.AddAuthentication(o =>
        {
            o.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        }).AddJwtBearer(o =>
        {
            o.Authority = "https://localhost:44344";
            o.RequireHttpsMetadata = false;
            o.Audience = "api2:read";
        });
    }
    ```
    Nick Cuthbert
    @ncthbrt

    Hi there, running into a bit of stumbling block, trying to create an API endpoint that builds a custom view model for the consent screen, and I need to get a particular claim that was issued in the previous login step, this claim is an id that is needed to retrieve a set of additional resources that the user can choose to add as extra claims to the token.

    For the life of me can't figure out how to grab the existing claims

    berlaga
    @berlaga
    Never mind, I got it :)
    Nick Cuthbert
    @ncthbrt
    So did I!
    berlaga
    @berlaga
    :)
    Ragnar Borgþór Ragnarsson
    @ragnarbr_gitlab
    Hi guys, I'm running a specific User/Party service separately from identityserver4, and would like to register a user in the User/Party service when a user is registered in identityserver4 (or on log in). Either by HTTP request or by an MQ. What are my options for plugging into the registration / login flow in identityserver4?
    Paul McNamara
    @mackie1001
    The short answer is you can do anything you like to a degree since identityserver4 doesn't dictate how users are created, authenticated or managed
    Patryk Buda
    @Coldplayer1995
    Hi guys, I have a problem with the API -> Identity Server connection on the backend. The problem says: Unable to obtain configuration from: 'http://8x.14x.xx.13x:62562/.well-known/openid-configuration'. The link is accessible from a browser. Any idea why the connection there is failing? I am not using any HTTPS yet; it is deployed on IIS and is working on a different IIS. Do you have any clue what kind of IIS option can cause that?
    Paul McNamara
    @mackie1001
    It may require HTTPS for metadata by default, there should be an option to disable that that you can use in dev environments
    Patryk Buda
    @Coldplayer1995
    ```csharp
    o.Authority = "http://localhost:44344";
    o.RequireHttpsMetadata = false;
    ```
    This is set like that so there is no requirement. Is it possible that IIS is doing some weird stuff on its side?
    vishak os
    @vichu28_twitter
    Can someone help with a guideline on what happens in the process:
    1. When a .NET MVC Web API validates the bearer token using the IdentityServerBearerTokenAuthentication middleware.
      1.1. I would like to know the process that's happening in the background. I want to enable logging during this process but I'm not sure about configuring the logging for the IdentityModel library.
      Any help will be highly appreciated.
    clintsinger
    @clintsinger
    I have a project that consists of an Angular SPA, NGINX Reverse Proxy and a number of services in docker and I am struggling to get the disconnect of external DNS names and internal docker DNS names to work together ID4. Specifically, I have a JWT token that I pass to an API service and it is supposed to authenticate with ID4 in the internal network which has a different name. For example, the authority might be https://auth.external.com but internally that same service might actually be http://auth.internal. When the API service looks for the discovery endpoint it is going to the external address but fails. Is there some way to intercept the query for the discovery document so that it is directed to the internal address but still keep the external address as the authority ?
    clintsinger
    @clintsinger
    I should point out that I am using the PublicOrigin so outside access doesn't seem to be an issue. The problem is just between internal services that also have to talk to that same server.
    MdeBruin
    @MdeBruin93
    @vichu28_twitter You'll need to enable logging in your identity server instance. Identity Server is validating the access token and returns an ok with the claimsprincipal in the HttpContext
    clintsinger
    @clintsinger
    More to my question above, I have found IdentityServer/IdentityServer4#1623 on github which seems to address the same problem but appears to be based off of obsolete guidance. Anyone know if there is updated guidance on this?
    Paul McNamara
    @mackie1001
    Is it possible to create an internal alias using the same name as external?
    Ragnar Borgþór Ragnarsson
    @ragnarbr_gitlab

    Hi guys,

    I have a specific requirement for logins. It is like so, a user goes to a website/login site like this:

    https://hostname.com/sales/KOPR9

    Where KOPR9 would be a hash of the ID of a specific identityserver user. IdentityServer4 should then return a token for that user.

    Is this an extension grant that I need to create?

    Paul Smith
    @eratos
    @clintsinger Sorry it's not helpful, but I just thought I'd give you a "Me too" - I haven't found a good solution to the internal vs external naming problem for the Identity Server connection in a suite of docker images. I wish there was a handy guide for this scenario because I suspect it's a common use case and it's an issue that trips you up quite early on in identity server use.
    Paul McNamara
    @mackie1001
    @ragnarbr_gitlab so in effect a magic link that can bypass normal authentication?
    You could implement an extension grant that is callable from said website I'd have thought. How would said link be generated in the first place? Do they need to be single-use?
    Ragnar Borgþór Ragnarsson
    @ragnarbr_gitlab
    @mackie1001 - It could be used forever. This will be used in conjunction with IP whitelisting.
    The link is generated once and passed to the users
    Identityserver4 just needs to be able to take it, verify it (just see that it exists in aspnet_users), and generate a token
    This could be implemented as an extension grant?
    Ragnar Borgþór Ragnarsson
    @ragnarbr_gitlab
    ```csharp
    public async Task ValidateAsync(ExtensionGrantValidationContext context)
    {
        var magicLink = context.Request.Raw.Get("magic_link");
        if (string.IsNullOrEmpty(magicLink))
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
            return;
        }

        string userId = "";

        try
        {
            userId = GuidEncoder.Decode(magicLink).ToString();
        }
        catch (FormatException) // incorrect encoding
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.UnauthorizedClient);
            return;
        }

        var user = await _userManager.Users.FirstOrDefaultAsync(u => u.Id == userId);

        if (user == null)
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.UnauthorizedClient);
            return;
        }

        context.Result = new GrantValidationResult(userId, GrantType);
    }
    ```
    This is what I've done for it. Shame about the formatting. :)
    The GuidEncoder is just to shorten the aspnet_user Id to 22 characters.
    Charlie
    @stg609
    Hi, guys. What's the correct way to remove the claim type mapping when I use RequestClientCredentialsTokenAsync?
    ```csharp
    var tokenResponse = await _httpClient.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
    {
        Address = disco.TokenEndpoint,
        ClientId = _identitySettings.ClientId,
        ClientSecret = _identitySettings.ClientSecret,
        Scope = "api1"
    });
    ```
    Harry Pfleger
    @iwhp_gitlab
    Is it possible to have IdentityServer 4 running behind a Microsoft WAP (Web Application Proxy)? I ran into a 503 (service unavailable).
    Paul McNamara
    @mackie1001
    @ragnarbr_gitlab the lack of security in the solution is probably outside the scope of this channel, but it troubles me ;)
    toddtsic
    @toddtsic
    Anyone free to give a hand with Angular 8 ==> IS4 code + PKCE question?
    Raymond Bergen
    @FreeFrags137_twitter
    In IdentityServer3 we had a scope store which implements IScopeStore. I see in the IdSrv 4 docs that it should still be there, yet I can't seem to find how to set it up. Could someone point me in the right direction? https://dbsphinxtest.readthedocs.io/en/latest/start/scopes.html
    Raymond Bergen
    @FreeFrags137_twitter
    In my log I get the following error: Invalid scope: "openid". But I can't seem to find the place where I set the scopes. I implemented IResourceStore and set breakpoints in each of its functions; those are never hit, so I think I must look elsewhere.
    Raymond Bergen
    @FreeFrags137_twitter
    OK, I realized the link I posted was not the official docs :S
    Ragnar Borgþór Ragnarsson
    @ragnarbr_gitlab
    @mackie1001 I don't disagree. But this is for users with a very limited scope and will not give them privileged access.
    Victorio Berra
    @VictorioBerra
    Does anyone have their own free version of something like this? https://www.identityserver.com/products/keymanagement
    Seems like it would be trivial to implement, especially for almost 4K a year.
    You just need to generate a key every so often, add to DB, and then remove an old one.
    Ragnar Borgþór Ragnarsson
    @ragnarbr_gitlab

    I have a SPA frontend that is hosted on a separate domain from the IdentityServer instance and I'm getting the following in Chrome: "A cookie associated with a cross-site resource at https://myidentityserverdomain.com was set without the SameSite attribute."

    This is for the authorization code flow I believe where the server is returning Set-Cookie without SameSite=None. Does anyone know the proper way to fix this?

    Ragnar Borgþór Ragnarsson
    @ragnarbr_gitlab
    services.ConfigureApplicationCookie with options.Cookie.SameSite = SameSiteMode.None doesn't seem to add it to the Set-Cookie header. (Done in the IdentityServer startup)