These are chat archives for IdentityServer/Thinktecture.IdentityServer3

4th Feb 2015
John Korsnes
@johnkors
Feb 04 2015 00:51
why isn't there a retire.js for NuGet?
the angular version used in idsrv is amongst the ones listed with known vulns by retire.js, but i guess idsrv does not fulfil the criteria for being exposed to that vuln..?
John Korsnes
@johnkors
Feb 04 2015 00:57
http://bekk.github.io/retire.js/ <-- links to what issues that version of angular have
Brock Allen
@brockallen
Feb 04 2015 00:58
dunno -- i can look into that.
we didn't go to 1.3 because for some reason CSP wasn't working in 1.3, despite ng-csp
John Korsnes
@johnkors
Feb 04 2015 01:10

the other one related to sorting of arrays don't apply, unless the idsrv angular apps do any form of sorting? or direct calls to parse? not sure.

angular/angular.js@b39e1d4

Prasanna Krishnamoorthy
@prasanna981
Feb 04 2015 14:36
Hi, I have set the alwaysInclude to true, ( ScopeClaim(claim, alwaysInclude: true) ) but the email & email_verified claims are not getting included in the access_token? but the scope is... anything I am missing? they are included in the identity_token?
John Korsnes
@johnkors
Feb 04 2015 14:41
use that access_token towards the userinfo endpoint
John Korsnes
@johnkors
Feb 04 2015 14:46
or create a scope that is of type resource similar to the builtin identity scope "email"
Scope.ScopeType = ScopeType.Resource
call it something else than "email" though. Maybe "email-resource"
and of course add that to the list of scopes you want back to your RP when fetching tokens
John Korsnes
@johnkors
Feb 04 2015 14:52
i'm not sure if you can get the claims the email identity scope has also in the access token without defining another resource scope that has the same claim set as the identity token @leastprivilege ?
what flow are you using?
Prasanna Krishnamoorthy
@prasanna981
Feb 04 2015 15:24
@johnkors code flow?
John Korsnes
@johnkors
Feb 04 2015 15:29
do you need it both in the id_token and the access token, or just in the access token?
Prasanna Krishnamoorthy
@prasanna981
Feb 04 2015 15:37
both..
John Korsnes
@johnkors
Feb 04 2015 15:41
then I can only think of two solutions. Either create a duplicate scope called email-resource with ScopeType.Resource, and ask for that as well as the built in identity email scope ("email email-resource").
or use the access token to ask the userinfo endpoint and get it that way
why do you you need it in the access token btw?
Prasanna Krishnamoorthy
@prasanna981
Feb 04 2015 15:49
the resource server needs to send an email to the user only if the user email is verified...
John Korsnes
@johnkors
Feb 04 2015 15:50
you've created an email API?
Prasanna Krishnamoorthy
@prasanna981
Feb 04 2015 15:56
In this case the API needs to know about the email, getting it from the identity information held in the idsrv rather than duplicating it made more sense.
John Korsnes
@johnkors
Feb 04 2015 15:56
yep
maybe there is one other solution i just realized..
your api already has some kind of resource scope that you use?
or not?
John Korsnes
@johnkors
Feb 04 2015 16:01
if you do, you can just add "email" and "email_verified" to the set of claims in that scope, and mark them as AlwaysIncludeInIdToken = true
just tested, and that seems to do the trick
Prasanna Krishnamoorthy
@prasanna981
Feb 04 2015 16:03
Cheers. Will give that a go..
John Korsnes
@johnkors
Feb 04 2015 16:07
so pure code flow? i guess you're not using the MS OpenId Connect mw then?
Prasanna Krishnamoorthy
@prasanna981
Feb 04 2015 16:09
Yes. The api uses the Thinktecture.IdentityModel.Owin.ResourceAuthorization
John Korsnes
@johnkors
Feb 04 2015 16:11
but your client fetching tokens i mean
Prasanna Krishnamoorthy
@prasanna981
Feb 04 2015 16:12
yes, uses the manual approach
John Korsnes
@johnkors
Feb 04 2015 16:13
may I ask why? experienced any issues with it?
except that it doesn't support pure code flow..
:)
Prasanna Krishnamoorthy
@prasanna981
Feb 04 2015 16:15
purely that it does not support it fully, we have used it for hybrid flow
John Korsnes
@johnkors
Feb 04 2015 16:16
yeah, we use hybrid, and the mw. but the only reason for doing hybrid being that it doesn't support it !
(it = code)
Ross Pellegrino
@rmatrix
Feb 04 2015 18:01

Hi Brock, I have a couple of questions. I have a relying party application that is using.

I'm using the following code where the client is set as Flow = ClientCredentials. On the RP side, I have the following configuration:

// accept access tokens from identityserver and require a scope of 'rp_app'
app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
    Authority = "https://localhost:44333/ids",
    ValidationMode = ValidationMode.Local,
    RequiredScopes = new[] { "rp_app" }
});

Q1. If I use ValidationMode = ValidationMode.Local, does the AccessTokenValidation library check the Authority id server every so often when retrieving the public signing key? The reason why I'm asking is I'm worried that the Authority id server may install a new signing cert.

Q2. Is it possible in the RP to intercept how Identities/Claims principles are created? I don't see where I can provide my hook. I know this is possible using the OpenIdConnectAuthenticationNotifications.

Thanks
Ross

mryandot
@mryandot
Feb 04 2015 18:02
@brockallen Found it. I'll post an issue when I get back from my next interruption. It's in ClaimListExtensions.GetValue -- used by the UserInfo endpoint via ToClaimsDictionary; it doesn't check the value type when getting the Value to return, so everything besides address is returned as a string.
John Korsnes
@johnkors
Feb 04 2015 18:54
Not sure, but I believe there was talk of supporting rolling certs
I think local mode gets the cert thumbprint once a day
Dominick Baier
@leastprivilege
Feb 04 2015 19:00
we check the metadata once per hour
John Korsnes
@johnkors
Feb 04 2015 19:47
once every 24h, isn't it?
Dominick Baier
@leastprivilege
Feb 04 2015 19:49
oh ;)
i think that's a bug
John Korsnes
@johnkors
Feb 04 2015 19:49
:)
Dominick Baier
@leastprivilege
Feb 04 2015 19:49
that said i am not entirely happy with the MW
i might re-write it from scratch in 2.0.0
mryandot
@mryandot
Feb 04 2015 22:40
@leastprivilege Do you want #872 left open for the issue I added (address is different), or would you like that in a new issue? The original issue is resolved, with some understanding on limitations. :)
John Korsnes
@johnkors
Feb 04 2015 22:44
it's actually the only claim that is defined to be a JSON object.. good catch