These are chat archives for IdentityServer/Thinktecture.IdentityServer3

23rd Jan 2015
James Geall
@jageall
Jan 23 2015 12:10
seems kinda empty in here...
Dominick Baier
@leastprivilege
Jan 23 2015 12:11
we moved to a new organization
James Geall
@jageall
Jan 23 2015 12:11
well you were kind of making a lot of repos
henrikniemann
@henrikniemann
Jan 23 2015 12:12
Ah, missed you guys :-)
Dominick Baier
@leastprivilege
Jan 23 2015 12:12
:) welcome back
James Geall
@jageall
Jan 23 2015 12:13
do you see there being any benefit in me making some of the powershell admin tools for mongo just work with the admin project and take a plugin for the db so it can work across multiple providers?
henrikniemann
@henrikniemann
Jan 23 2015 12:13
I actually have developers at Gitter working on "room has been renamed" kind of functionality now :-D
James Geall
@jageall
Jan 23 2015 12:14
we use it for deploying scopes and clients, deleting tokens and invoking a setup script, could quite easily work across the ef version i think
henrikniemann
@henrikniemann
Jan 23 2015 12:17
Dominick, there is a bad link to documentation on https://github.com/IdentityServer/Thinktecture.IdentityServer3. Link to Documentation under "Getting Started" is to https://thinktecture.github.io/Thinktecture.IdentityServer.v3.Documentation/. First link under "Overview" is fine though.
John Korsnes
@johnkors
Jan 23 2015 13:38
easy PR :)
Poul Kjeldager Sørensen
@s093294
Jan 23 2015 13:42
:) i was talking with gitter on github. UI took me to a place where it wanted me to give them access to my private repositories because you relocated :D
Dominick Baier
@leastprivilege
Jan 23 2015 13:48
and? was it worth it :p
John Korsnes
@johnkors
Jan 23 2015 13:53
i thought this was Dom trying to get to all our crappy implementations
Dominick Baier
@leastprivilege
Jan 23 2015 13:54
lol
John Korsnes
@johnkors
Jan 23 2015 14:01
I see a mentioning of using Elastic as a backend for events. Do you use it? Via NEST?
publishing the events as INFO log statements is quite crappy. As we probably won't have INFO in prod.
John Korsnes
@johnkors
Jan 23 2015 14:07
If not, I think we could start working on that and open source it as IdSrv.ElasticEventService. We're already using elastic thru Serilog and the elastic sink.
Dominick Baier
@leastprivilege
Jan 23 2015 14:11
SeriLog
e.g.
LibLog has built-in support for that e.g.
John Korsnes
@johnkors
Jan 23 2015 14:11
yeah, using LibLog as well (for the regular logs)
Dominick Baier
@leastprivilege
Jan 23 2015 14:11
a native elastic search event service would be nice
yes - please work on that :)
John Korsnes
@johnkors
Jan 23 2015 14:12
cool. will do.
Dominick Baier
@leastprivilege
Jan 23 2015 14:12
:thumbsup:
Poul Kjeldager Sørensen
@s093294
Jan 23 2015 14:22
@leastprivilege all I saw was that its github fault that they wanted my repositories :) https://github.com/gitterHQ/gitter/issues/75#issuecomment-71175007
teasers. now i have to see what elastic, serilog is!
John Korsnes
@johnkors
Jan 23 2015 15:05
re Gitter: "fustercluck". Expanding my vocabulary day by day. :)
Brian Donahue
@briandonahue
Jan 23 2015 15:20
So, we were testing getting an access token back with the OWIN middleware, and changed ResponseType = "id_token" to ResponseType = "id_token token" but now some claims, including the name claim are not found in SecurityTokenValidated Identity anymore. Is that an OWIN issue, something we did wrong, or...?
John Korsnes
@johnkors
Jan 23 2015 15:37
@leastprivilege there are no timestamps available on the events (?)
Brian Donahue
@briandonahue
Jan 23 2015 15:45
I vote for EventStore! :-D
briandonahue @briandonahue ducks
Dominick Baier
@leastprivilege
Jan 23 2015 16:17
there are timestamps
@briandonahue when you request a token - the claims are removed from the id_token. The access token in turn has the right scopes to request the claims from the userinfo endpoint
you can also configure the claim to be always in the id token - regardless of the access token.
Brian Donahue
@briandonahue
Jan 23 2015 16:23
@leastprivilege Oh... this is in the idsrv config options? So the choice would be to configure id_token to include the name claim, or to "manually" call the UserInfo endpoint from somewhere like SecurityTokenValidated?
Dominick Baier
@leastprivilege
Jan 23 2015 16:23
yes
and no - on the scope config
Brian Donahue
@briandonahue
Jan 23 2015 16:24
ok, taking a look, thanks!
Brian Donahue
@briandonahue
Jan 23 2015 16:30
so, it looks like all scopes have an "IncludeAllClaimsForUser" boolean. If I set this to true on the profile scope, will that include all the claims I set in my custom user service?
Dominick Baier
@leastprivilege
Jan 23 2015 16:31
RTFM :p
Brian Donahue
@briandonahue
Jan 23 2015 16:31
which manual? the scopes page in the docs? I just was, but maybe I missed something
Dominick Baier
@leastprivilege
Jan 23 2015 16:32
it means that all claims of the user will be included in the token
Brian Donahue
@briandonahue
Jan 23 2015 16:32
I guess what I'm saying, is it sounds like what I need, but just curious if the profile scope is the right one to set it on :)
ok, I get it. nm :-D
ok, I don't get it :-D So, if profile scope includes name claim and others, and I set IncludeAllClaimsForUser to true, does that mean all claims in the profile scope, or all arbitrary claims I set in my user service? I would assume it means "If enabled, all claims from this scope for the user will be included in the token?"
Anyway, I will test it :)
Dominick Baier
@leastprivilege
Jan 23 2015 16:38
it means all claims - as opposed to explicit scope claims
Brian Donahue
@briandonahue
Jan 23 2015 16:39
Oh. That would probably be fine for my case, but then I'm still confused how to configure the name claim to be in the id_token. Is that the open_id scope, and I add the claim there?
Dominick Baier
@leastprivilege
Jan 23 2015 16:40
briandonahue @briandonahue retreats back into his cave
Brian Donahue
@briandonahue
Jan 23 2015 16:42
ClaimsRule :worried:
Dominick Baier
@leastprivilege
Jan 23 2015 16:44
??
Brian Donahue
@briandonahue
Jan 23 2015 16:44
"ClaimsRule
Rule for determining which claims should be included in the token (this is implementation specific)"
I missed that
Dominick Baier
@leastprivilege
Jan 23 2015 16:45
this is not implemented
Brian Donahue
@briandonahue
Jan 23 2015 16:45
HA
Gary Lumsden
@gjlumsden
Jan 23 2015 16:45
AlwaysIncludeInIdToken is what you're looking for, I think.
Dominick Baier
@leastprivilege
Jan 23 2015 16:45
i think so too
Gary Lumsden
@gjlumsden
Jan 23 2015 16:45
On the ScopeClaim.
Brian Donahue
@briandonahue
Jan 23 2015 16:47
OK. Granted, I should have read the whole page, but that's a lot of options to not understand :-D Someday when I feel I understand what the heck I'm doing I am going to try to blog and/or contribute to docs for brainless folks like me :-D
I was fixating on scope config, not the lower level for claim :-\
Dominick Baier
@leastprivilege
Jan 23 2015 16:48
is your load balancing working btw?
Brian Donahue
@briandonahue
Jan 23 2015 16:49
yes! Seems fine. Still not thrilled with the OWIN nonce options, but it's good enough for now
(the whole multiple nonce cookies vs. one nonce cookie to rule them all approaches)
Dominick Baier
@leastprivilege
Jan 23 2015 16:50
but thats unrelated
you can blame MS for that
Brian Donahue
@briandonahue
Jan 23 2015 16:50
entirely
yeah. seems like they are kind of punting on it for now.
Brian Donahue
@briandonahue
Jan 23 2015 16:58
Is there a handy hook to recreate the idsrv tables with EF from a changed config? I have not used EF much.
Manuel Rauber
@ManuelRauber
Jan 23 2015 16:59
Currently you have to empty the client table to repopulate it.
Brian Donahue
@briandonahue
Jan 23 2015 17:00
ah
Frans Lytzen
@flytzen
Jan 23 2015 17:09
Looking at writing some middleware to support IdP initiated SSO to IdentityServer. One thing I'm currently not sure about is: I ideally need to call IUserService.AuthenticateExternalAsync(ExternalIdentity externalUser, SignInMessage message). Is there a way to get an instance of IUserService from my code?
I could do some horrible stuff with static variables in startup.cs but wondered if there is a clean way?
Dominick Baier
@leastprivilege
Jan 23 2015 17:12
i don't think there is a clean way right now to do this until we support Idp initiated natively - plz open an issue and describe the feature and how you would ideally implement it
Frans Lytzen
@flytzen
Jan 23 2015 17:13
Will do - I thought I'd ask before I start writing the sample code to go with the issue ;)
FWIW, I think I got all the principles sorted so will knock up some sample code for it next
Dominick Baier
@leastprivilege
Jan 23 2015 17:14
we can add that to core - but right now we are tying down RTM on monday
Frans Lytzen
@flytzen
Jan 23 2015 17:14
Wow, cool!
Didn't realise it was that close
Poul Kjeldager Sørensen
@s093294
Jan 23 2015 17:46
" to support IdP initiated SSO to IdentityServer." what exactly does that mean :) i can't see the big picture :(
Poul Kjeldager Sørensen
@s093294
Jan 23 2015 17:54
i got first feedback from my boss on the user login/signup flows i did. A PowerPoint filled with screenshots from Facebook :) He didn't really like that he had to type in a password on idsrv
Dominick Baier
@leastprivilege
Jan 23 2015 18:05
Open an issue - describing exactly what you want - scenario etc
that's all we can do right now.
Poul Kjeldager Sørensen
@s093294
Jan 23 2015 18:05
ahh ye, sorry. it was not meant as criticism
Dominick Baier
@leastprivilege
Jan 23 2015 18:05
after monday we can start prioritizing features for upcoming versions
Poul Kjeldager Sørensen
@s093294
Jan 23 2015 18:06
but from prior i understood it as the OIDC spec doesn't have a solution that allows me to let users prompt their info on our main page. We talked about I could do it with acr_values
Dominick Baier
@leastprivilege
Jan 23 2015 18:07
i can't remember - open an issue if you want to start discussing it (in a way it is documented)
Poul Kjeldager Sørensen
@s093294
Jan 23 2015 18:08
okay i will create one. i saw some other people who talked about similar stuff and wanting to embed idsrv as an iframe. guess it's a solution to a similar problem.
Me complaining to sunall for them asking for "update profile" and "post on your behalf" scopes on twitter resulted in them providing me a video on how I can disable them doing so after I have given them permission :) hmm fishy!
Frans Lytzen
@flytzen
Jan 23 2015 18:08
@s093294 yes, essentially that. My bigger picture is here: http://stackoverflow.com/questions/28033806/idp-initiated-login-with-thinktecture-identityserver-v3
But, essentially, it is quite common (I am told) in the SAML world to start with the IdP and push the assertions to the RP unsolicited. I am working on getting that to work with IdSrv in the middle.
I have got a working prototype now, it turned out to be quite simple in the end - it's just the way I have to access IdSrv internals that is a bit ugly.
Been a great opportunity to really get to know IdSrv :)
Poul Kjeldager Sørensen
@s093294
Jan 23 2015 18:09
saml is old school :) hopefully i won't need to understand it
Frans Lytzen
@flytzen
Jan 23 2015 18:09
LOL - luckily KentorIT handles the understanding of SAML :)
Old school indeed, but huge installed base
Poul Kjeldager Sørensen
@s093294
Jan 23 2015 18:10
ye i know :) more meant like i really avoid legacy stuff. Past two jobs have been about creating cutting edge platforms/services on azure. so far there has been very little legacy stuff, which is nice
Frans Lytzen
@flytzen
Jan 23 2015 18:11
Aye, me too - building all new stuff on Azure. But lots of corp clients and all of a sudden getting a deluge of requests to enable login with their internal Oracle systems etc, so having to all of a sudden learn ancient technology. Such is life.
good news is, with IdSrv in the middle, my apps just talk OIDC and can ignore all the other stuff
Poul Kjeldager Sørensen
@s093294
Jan 23 2015 18:15
that's true. sounds like a good use case
created an issue @leastprivilege : IdentityServer/Thinktecture.IdentityServer3#809
let me know if the message is not clear
Brian Donahue
@briandonahue
Jan 23 2015 18:30
In my legacy auth code, I had been using a custom Principal with specific methods for domain specific claims (before I knew what claims were), such as user.CanAccessOffice(id), or such. @leastprivilege says that custom principals aren't really worth it, and I can totally see that point but I am wondering if anyone has any thoughts for those type of convenience methods on a ClaimsPrincipal. Would you just use extension methods?
Dominick Baier
@leastprivilege
Jan 23 2015 18:45
use extension methods on ClaimsPrincipal
Brian Donahue
@briandonahue
Jan 23 2015 18:57
OK. That was what I was leaning toward, thanks
Brian Donahue
@briandonahue
Jan 23 2015 19:03
One thing is, some of the older stuff uses Page.User, which is an IPrincipal not ClaimsPrincipal... I could ensure IPrincipal is a ClaimsPrincipal in the extension methods... does that make sense?
Brian Donahue
@briandonahue
Jan 23 2015 19:16
nm, was hoping by avoiding using a custom principal I could avoid casting, but it seems that's what is needed in asp.net pages (cast to ClaimsPrincipal)
Dominick Baier
@leastprivilege
Jan 23 2015 19:45
create the ext methods for IPrincipal and cast internally
Brian Donahue
@briandonahue
Jan 23 2015 19:51
yeah. either way it's duplication. I created a ToClaimsPrincipal extension that blows up if it can't cast :)
David Christiansen
@DavidChristiansen
Jan 23 2015 21:07
Hi @leastprivilege - Is there an 'official' fix for the querystring being too long issue we spoke about a couple of weeks back?
Dominick Baier
@leastprivilege
Jan 23 2015 21:08
sure - less claims
or use reference tokens
David Christiansen
@DavidChristiansen
Jan 23 2015 21:08
badum tish
Dominick Baier
@leastprivilege
Jan 23 2015 21:08
can't remember the details though
David Christiansen
@DavidChristiansen
Jan 23 2015 21:08
So i am requesting openid profile offline_access as the scope
(and id_token token)
Dominick Baier
@leastprivilege
Jan 23 2015 21:12
ok
looks good to me though
i am pretty sure that's what the sample client in our repo does as well
David Christiansen
@DavidChristiansen
Jan 23 2015 21:12
yup
Dominick Baier
@leastprivilege
Jan 23 2015 21:12
and it is working
David Christiansen
@DavidChristiansen
Jan 23 2015 21:13
but in this case the claims coming back are 'too big'
too long
I've advised they need to adjust them but I think they are using the google identifier - which from memory is mahoosive
this is in a windows phone app
and the error is that it comes back as a "User Cancel"
because the length causes things to bork
Dominick Baier
@leastprivilege
Jan 23 2015 21:17
sorry - don't know
David Christiansen
@DavidChristiansen
Jan 23 2015 21:18
that's alright bro
i'll figure something out
or just go drink beer
(sounds a better option)
Dominick Baier
@leastprivilege
Jan 23 2015 21:18
it does
i am preparing the RTM build for monday
so have a pint on me
David Christiansen
@DavidChristiansen
Jan 23 2015 21:38
Cool news
how much do you think it will differ from the current master
Dominick Baier
@leastprivilege
Jan 23 2015 21:38
a lot of course :p
David Christiansen
@DavidChristiansen
Jan 23 2015 21:39
wots the worst that could happen ;)
Dominick Baier
@leastprivilege
Jan 23 2015 21:40
dunno. now is your chance to try it and give feedback before monday ;)
forget those beers
David Christiansen
@DavidChristiansen
Jan 23 2015 21:40
:P
I'm on master right now
you wanna me to mix it up and switch to dev ?
just for the lolz
Dominick Baier
@leastprivilege
Jan 23 2015 21:41
sure
David Christiansen
@DavidChristiansen
Jan 23 2015 21:44
WHA!! :shipit:
James Geall
@jageall
Jan 23 2015 23:09
well if it differs a lot, i may need that free software gif you tweeted...
not looking, it's Friday night
David Christiansen
@DavidChristiansen
Jan 23 2015 23:10
The last weekend before RTM http://i.imgur.com/qoaOiRD.gif
James Geall
@jageall
Jan 23 2015 23:10
my eyes!
also.... true
David Christiansen
@DavidChristiansen
Jan 23 2015 23:10
@jageall running dev here - works like a boss
James Geall
@jageall
Jan 23 2015 23:12
just because i believe you went to vilnius purely to get a marmite covered pork fillet masquerading as a steak, does not mean i forgive flashing lights without beer
David Christiansen
@DavidChristiansen
Jan 23 2015 23:12
:)
I am still recovering from that
James Geall
@jageall
Jan 23 2015 23:13
i require beer
2300 is too late to finish work
David Christiansen
@DavidChristiansen
Jan 23 2015 23:13
meh, the fun has but started
James Geall
@jageall
Jan 23 2015 23:21
at least these days in the uk finishing at 2300 on a friday is before the pub shuts