These are chat archives for IdentityServer/Thinktecture.IdentityServer3

30th Jan 2015
Brock Allen
@brockallen
Jan 30 2015 01:41
@iltera our localization support is via the interface -- you'd have to put the .resx in your own project (not in idsvr)
Brian Donahue
@briandonahue
Jan 30 2015 02:59
I see a weird sporadic issue where I have a valid session cookie at a client app (MVC/OWIN OIDC Middleware) after authenticating via idsrv and it will still force a round trip redirect to idsrv again sometimes, seemingly after a small amount of inactivity. I know this is really an OWIN issue, just wondering if anyone’s seen it. If this app is hosted in IIS, but using the OWIN cookies auth, could it be a DataProtection issue if I’m possibly getting pushed to another machine in the farm? I am not using the custom cert-based dataprotection in this specific instance, because I thought it wasn’t needed in IIS, just self-hosted.
(i.e. I am using the shared cert-based data protector in idsrv, but not at the client, which is also load-balanced, but lives in IIS, and used to use machine key to share cookie data)
Richard Bennett
@dealproc
Jan 30 2015 09:45
are most folks building their user management portal bits within the same web application as Identity Server with v3?
John Korsnes
@johnkors
Jan 30 2015 09:49
we're not
Richard Bennett
@dealproc
Jan 30 2015 09:49
how are you organizing?
so like, login.{domain}.{tld} for idsrv - only?
John Korsnes
@johnkors
Jan 30 2015 09:50
we have an MVC app for everything that is not idsrv, and then we host idsrv as a virtual path at /core in its own pure owin app
Richard Bennett
@dealproc
Jan 30 2015 09:50
all within a single web project
John Korsnes
@johnkors
Jan 30 2015 09:50
no, two
Richard Bennett
@dealproc
Jan 30 2015 09:50
ah
John Korsnes
@johnkors
Jan 30 2015 09:51

login.mydomain.com (main app, profile edit, register page) : MVC app
login.mydomain.com/core (idsrv) : pure OWIN

Hosting as one azure website

Richard Bennett
@dealproc
Jan 30 2015 09:51
that's what i just asked about
John Korsnes
@johnkors
Jan 30 2015 09:52
yeah, but they are two separate Web Applications (not one). So two projects in our sln
Richard Bennett
@dealproc
Jan 30 2015 09:52
gotcha
have a year+ old project that's on IdSrv v2 and everything else was hacked into place... working on scrubbing it up, and was trying to get a bearing on where i should go
John Korsnes
@johnkors
Jan 30 2015 09:56
yeah, but really it's up to you. You could put everything into one if you want. We just experienced a bit of hassle with the Katana mw and MVC related to cookies, so decided to do the divide.
Richard Bennett
@dealproc
Jan 30 2015 09:58
yea
i had 1 for a "customer" portal, one for a "management" portal, then IdSrv v2; Auth Srv v1; and an "api" project
trying to cleanup/consolidate
H.İlter AKSENCER
@iltera
Jan 30 2015 11:03
@brockallen I put the resource folder in my idsrv project. Made the necessary translations. But everything is in English, still. What should I do in order to make idsrv look for the custom resx files?
Brian Donahue
@briandonahue
Jan 30 2015 11:55
@johnkors Thanks, I am going to look into that deeper. In your issue, you said you are using OWIN “code flow?” Is that a different middleware/option? I thought it used implicit flow? That’s what I’m using.
John Korsnes
@johnkors
Jan 30 2015 12:05
no, we're just using the authorization code flow instead of implicit
same Mw
or to be precise, hybrid flow
Brian Donahue
@briandonahue
Jan 30 2015 12:05
oh, I’m probably just dumb and haven’t looked at that since I set it up :) Any advantages (in terms of less bugs!?) with code flow?
John Korsnes
@johnkors
Jan 30 2015 12:06
the MW from MS does not support code flow
implicit does not allow refresh tokens
we need to refresh the access tokens
also, the access tokens are not sent via the front channel, but fetched in the back channel (serverside)
Brian Donahue
@briandonahue
Jan 30 2015 12:07
Gotcha. Sounds like more issues in a load-balanced env :P
John Korsnes
@johnkors
Jan 30 2015 12:08
not really
Brian Donahue
@briandonahue
Jan 30 2015 12:09
well, if it does back channel for the access tokens, how does it match up to user?
“RTFM” is an appropriate response, I am just thinking out loud :) Haven’t really started for the day yet in GMT-5 :)
John Korsnes
@johnkors
Jan 30 2015 12:11
you ask for scopes to be included
Brian Donahue
@briandonahue
Jan 30 2015 12:12
I’m just unfamiliar with how the back channel stuff works, but I’m sure it’s a matter of 5 minutes of reading for me to get a dangerous, limited understanding :)
John Korsnes
@johnkors
Jan 30 2015 12:13
the meaning of back channel is just what you do in your server side code, like in a MVC controller
or middleware in this case
the http is server to server
Brian Donahue
@briandonahue
Jan 30 2015 12:14
Right. Sorry, what I am trying to envision is the process of when it reaches out, how it then matches up to current user and/or caches. I’m sure it’s just more cookie stuff?
John Korsnes
@johnkors
Jan 30 2015 12:15
so the current user is defined by the id_token, right? if you ask for "id_token code" instead (this is hybrid), you'll get a code you can exchange on the back channel for an access token on behalf of that user.
Brian Donahue
@briandonahue
Jan 30 2015 12:16
then does it stick it in a cookie or session or something, or does it do that every time it’s needed?
John Korsnes
@johnkors
Jan 30 2015 12:16
if you see what this code has internally in idsrv, you'll notice it has a SubjectId property: https://github.com/IdentityServer/Thinktecture.IdentityServer3/blob/master/source/Core/Models/AuthorizationCode.cs
well, in a load balanced env you always need to have a backing store of some sorts. We use mongodb
Brian Donahue
@briandonahue
Jan 30 2015 12:16
Right, that is what I was getting at :)
Thanks!
are you using mongo for session-type stuff w/expiration somehow? I have thought about that, then thought redis was better suited, but we aren’t ready to introduce redis
(we already have mongo in use for some things)
John Korsnes
@johnkors
Jan 30 2015 12:19
yeah, if you need LB, you would look at implementing all the *Stores.
Brian Donahue
@briandonahue
Jan 30 2015 12:20
got it. Thanks again for the info :)
John Korsnes
@johnkors
Jan 30 2015 12:23
It's a bit hidden, but there are some comments here about what you should implement for prod scenarios: http://identityserver.github.io/Documentation/docs/configuration/serviceFactory.html
H.İlter AKSENCER
@iltera
Jan 30 2015 12:25
guys, can you help me with the localization?
Brian Donahue
@briandonahue
Jan 30 2015 12:25
@iltera I’m sorry, but I haven’t touched it. I am spoiled with internal users in a single country :)
H.İlter AKSENCER
@iltera
Jan 30 2015 12:27
@briandonahue thanks for the answer. Actually, I am not looking for a total localization support. Just to translate what's on the screen :)
John Korsnes
@johnkors
Jan 30 2015 12:32
there's also an open source implementation of mongodb as a backing store, but I guess you've seen that
Brian Donahue
@briandonahue
Jan 30 2015 12:32
ah. I speak English passably, and French poorly :)
@johnkors not sure I have… I've been using implicit from day one. As of this moment, I don't need access tokens in these apps, but that might change soon. Is there a link to it in the docs somewhere?
John Korsnes
@johnkors
Jan 30 2015 12:33
yep
Brian Donahue
@briandonahue
Jan 30 2015 12:33
oh wait, I think I am mixing concerns here. You are talking about idsrv stores - I am using EF there, which is fine for now
John Korsnes
@johnkors
Jan 30 2015 12:33
ah
sure
Brian Donahue
@briandonahue
Jan 30 2015 12:34
My questions were specifically on the clients, with the OWIN MW, I just was trying to wrap my head around hybrid vs. implicit and how the cookies/token storage works in the client (load balanced)
John Korsnes
@johnkors
Jan 30 2015 12:35
@iltera Have you implemented the ILocalizationService interface?
Brian Donahue
@briandonahue
Jan 30 2015 12:37
like I said, my first guess on why I keep getting redirected to idsrv was that maybe I need shared data protection (I thought I was told machine keys work in IIS still with OWIN, but I could be forgetting). So I was wondering if I should add the same custom X509 DataProtector in clients that I am already using in idsrv
John Korsnes
@johnkors
Jan 30 2015 12:38
yeah, i wouldn't know. I don't have a use case where I need my clients to use data protection
H.İlter AKSENCER
@iltera
Jan 30 2015 13:19
@johnkors No, I guess I couldn't figure out that one
How can I implement ILocalizationService on my host project?
John Korsnes
@johnkors
Jan 30 2015 13:48
create an implementation of that interface and register it
Brock Allen
@brockallen
Jan 30 2015 14:10
@iltera the point of the localization interface is for you to do it all yourself. it's not intended for you to modify the resx "stuff" within idsvr. our default implementation doesn't use the localized resx files
John Korsnes
@johnkors
Jan 30 2015 14:13
it would be nice though, to have some way to iterate over all messageids available.
Brock Allen
@brockallen
Jan 30 2015 14:14
use reflection on the MessageIds class -- that's the point of that class. that's all that class has
John Korsnes
@johnkors
Jan 30 2015 14:14
yeah, reflection works, but yeah. It's reflection :)
if a specific messageid is moved from that class to anothermessageids.cs, that reflection mechanism wouldn't catch it.
Brock Allen
@brockallen
Jan 30 2015 14:19
well, like i said -- that's the point of that class. it's meant to provide "one place" to look for those messages
but you want the IDs as an array?
there's a T4 there -- that's how that class is created. maybe we could change it to add the array
John Korsnes
@johnkors
Jan 30 2015 14:21
yeah, it would be a bit more explicit with an array. Then I write a unit test that could iterate over that array and verify that I've translated all Ids. And that this also holds if I upgrade to vNext of idsrv some time later and you added another message. Then this test would tell me I have a new property to translate.
i know i can do this with reflection as well, but then I don't know if you create another SomeOtherMessageIds later on for instance that I also need to reflect over.
John Korsnes
@johnkors
Jan 30 2015 14:28
In short, "How can I make sure that I've translated all Idsrv messages for all Ids after an upgrade" is what I'm trying to solve. :)
Brock Allen
@brockallen
Jan 30 2015 15:35
so yea, if it's in a unit test then i'd say use reflection :P
John Korsnes
@johnkors
Jan 30 2015 15:41
yep, but then I'd have to trust you guys not to create another .cs file containing Ids
i trust no-one! :D
not even my reflection-based unit test
Dominick Baier
@leastprivilege
Jan 30 2015 15:41
Wanna work for us?
John Korsnes
@johnkors
Jan 30 2015 15:42
i thought you'd never ask
Dominick Baier
@leastprivilege
Jan 30 2015 15:42
That's the attitude we need :)
John Korsnes
@johnkors
Jan 30 2015 15:42
:D
H.İlter AKSENCER
@iltera
Jan 30 2015 15:57
Sorry to barge in on your business arrangements :) But I really need help about how to translate these messages. I looked at the ILocalizationService and ILocalizationServiceExtension classes as @johnkors suggested. But it took me nowhere. I am really a stranger to the t4 templating stuff. It would be nice if you guys added a simple Localization sample in the Samples project. At least, can you guide me where to start, or provide some steps at least? I can open a question issue thread in github for others to see too.
Gary Lumsden
@gjlumsden
Jan 30 2015 16:00
Hi all. Can anyone tell me if it is possible to host the identity server within the same application as the web api that is being secured? When I try to do so, the app.UseIdentityServerBearerTokenAuthentication(...) line hangs then fails because it cannot access the meta-data endpoint. Which makes sense, since the application hasn't finished starting up!
Dominick Baier
@leastprivilege
Jan 30 2015 16:01
@iltera Open an issue
John Korsnes
@johnkors
Jan 30 2015 16:02
@iltera Here's a quick and dirty version: https://gist.github.com/johnkors/528d2d2a8a5d46d4857d
Dominick Baier
@leastprivilege
Jan 30 2015 16:03
@gjlumsden there is a race condition right now. You could switch to using the token validation endpoint for the time being
Gary Lumsden
@gjlumsden
Jan 30 2015 16:04
Ok. I'll give that a go. That's the ValidationMode, right?
Dominick Baier
@leastprivilege
Jan 30 2015 16:04
Yes
Gary Lumsden
@gjlumsden
Jan 30 2015 16:05
Thank you very much. Most appreciated
John Korsnes
@johnkors
Jan 30 2015 16:07
Here's a thought. A contrib project with all translations
H.İlter AKSENCER
@iltera
Jan 30 2015 16:08
I like the sound of that :)
John Korsnes
@johnkors
Jan 30 2015 16:08
your email must be filled in
H.İlter AKSENCER
@iltera
Jan 30 2015 16:09
@johnkors thank you for the answer. I will give that code a look
Aha! The DefaultLocalizationService class was what I should have looked for. If you knew how dumb I feel right now! Anyways, I will open an issue immediately for others to not waste time on that one.
John Korsnes
@johnkors
Jan 30 2015 16:12
what's the issue?
H.İlter AKSENCER
@iltera
Jan 30 2015 16:13
About localization, as @leastprivilege said, I will open an issue in github. Except that, no issues :P
Dominick Baier
@leastprivilege
Jan 30 2015 16:14
The contrib project is a great idea.
John Korsnes
@johnkors
Jan 30 2015 16:14
you don't need the DefaultLocalizationService class. You just need to implement the ILocalizationService interface. The one I showed you just uses the default localization service as a fallback for the stuff we haven't (and won't) translated. Like the stuff that never is shown to the user. We prefer that to be in English.
Dominick Baier
@leastprivilege
Jan 30 2015 16:14
Do you want to start that?
John Korsnes
@johnkors
Jan 30 2015 16:14
sure.
Dominick Baier
@leastprivilege
Jan 30 2015 16:15
Cool
John Korsnes
@johnkors
Jan 30 2015 16:15
but, about that - wouldn't we need a parameter in the GetString method that takes a locale? could be default using the embedded stuff
Dominick Baier
@leastprivilege
Jan 30 2015 16:16
The naming of the event sink is spot on. Shows up exactly right in the search results
John Korsnes
@johnkors
Jan 30 2015 16:16
cool
Dominick Baier
@leastprivilege
Jan 30 2015 16:17
Open an issue for that. Currently collecting other breaking changes
John Korsnes
@johnkors
Jan 30 2015 16:17
yep, could make it a non-breaking though. Overload
Dominick Baier
@leastprivilege
Jan 30 2015 16:17
Right. Open an issue to discuss
John Korsnes
@johnkors
Jan 30 2015 16:17
sure. will do
Dominick Baier
@leastprivilege
Jan 30 2015 16:18
Thanks!
Gary Lumsden
@gjlumsden
Jan 30 2015 16:52
@leastprivilege changing the ValidationMode worked perfectly, thanks.
John Korsnes
@johnkors
Jan 30 2015 19:29
lol, i just found a bug in idsrvs default localizationservice
by trying to create the contrib localization project tests
John Korsnes
@johnkors
Jan 30 2015 20:09
oh, no bug. It was just an unused MessageId in IdSrv.
Brock Allen
@brockallen
Jan 30 2015 20:43
that message id is used :)
invalid_scope?
John Korsnes
@johnkors
Jan 30 2015 20:43
w00t
search for usages!
or, I searched for usages rather
:)
Brock Allen
@brockallen
Jan 30 2015 20:43
try passing an invalid scope from a client -- it's used
John Korsnes
@johnkors
Jan 30 2015 20:44
but I think there might be two "invalid_scope" constants
Brock Allen
@brockallen
Jan 30 2015 20:44
the reason i know is that i did the same thing about a month ago -- i noticed it wasn't used and i removed it. and then realized we needed it :)
John Korsnes
@johnkors
Jan 30 2015 20:44
one is for localization and one is another.. don't remember
ah okay,
Brock Allen
@brockallen
Jan 30 2015 20:44
oh, possibly -- i'll go check it
we didn't pass a locale param to the localization service by design
it's up to the service implementation to decide what the locale should be
John Korsnes
@johnkors
Jan 30 2015 20:46
yep, sure. I've implemented a contrib project for that
Brock Allen
@brockallen
Jan 30 2015 20:46
either based upon browser setting, or something else
some clients have one locale based upon deployment -- so a locale param wouldn't be appropriate
John Korsnes
@johnkors
Jan 30 2015 20:47
yeah, sure.
So something like this ?
Brock Allen
@brockallen
Jan 30 2015 20:48
looks like a good start
John Korsnes
@johnkors
Jan 30 2015 20:49
adding more is simply adding more resx-files I was thinking
but I got a failing test for that Invalid_scope id when using the defaultlocalizationservice (i use the default when setting no locale on options)
Brock Allen
@brockallen
Jan 30 2015 20:52
i see
yea... well, that one is used at runtime -- if you look at the usage, the API is passed a value from the error in the authorization request
John Korsnes
@johnkors
Jan 30 2015 20:54
hmm
okay
Brock Allen
@brockallen
Jan 30 2015 20:55
IOW, the id is from one of the error constants
John Korsnes
@johnkors
Jan 30 2015 20:57
so this property may be removed then I guess.. Thinktecture.IdentityServer.Core.Resources.Invalid_scope
Brock Allen
@brockallen
Jan 30 2015 20:57
technically, yes. but the t4 wouldn't know how to do that
John Korsnes
@johnkors
Jan 30 2015 20:57
ah okay. I'll omit that from being required for each language then
oh, no. It's required. But it's not using the same property!
there's a difference in casing between the two.
Brock Allen
@brockallen
Jan 30 2015 20:59
right -- i saw that in the PR. that i was going to look into
it should be lower case, IIRC
since that's the error
John Korsnes
@johnkors
Jan 30 2015 20:59
ah, right. Now i'm following my own PR and your explanation :)
I believe the same goes for Unsupported_response_type (?)
actually these 3
defaultlocalizationtests.PNG
Brian Donahue
@briandonahue
Jan 30 2015 21:04
Can anyone in here shed any light on how OWIN might totally botch a StructureMap container’s instances that are configured to HttpContext scope?
John Korsnes
@johnkors
Jan 30 2015 21:05
my test just initially stopped at the first error, so didn't find all of them before now
John Korsnes
@johnkors
Jan 30 2015 21:12
those 3 have lowercased ids in the resx, but have uppercase values in the T4. I guess that's the mismatch