These are chat archives for IdentityServer/Thinktecture.IdentityServer3

5th Feb 2015
Dagim Feyessa
@dagimf
Feb 05 2015 08:02
Hi, I'm sorry if this is a very basic question, but I was wondering if there was any configuration or code that I need to add when using the access token validation component in an IIS hosted pipeline. When I run it, it always returns 401 Unauthorized even when I have a correct bearer token.
John Korsnes
@johnkors
Feb 05 2015 08:05
look at @rmatrix's comment from 14 hours ago in this chat
Manuel Rauber
@ManuelRauber
Feb 05 2015 08:06
@johnkors Oh, you merged it already. nice! :)
John Korsnes
@johnkors
Feb 05 2015 08:06
@ManuelRauber Green tests! easy peasy!
Manuel Rauber
@ManuelRauber
Feb 05 2015 08:06
Yeah, green is always good gg
John Korsnes
@johnkors
Feb 05 2015 08:07
I'm waiting for a new idsrv nuget, though. There are some missing ids that they added in dev that would be nice if you translated as well :)
Manuel Rauber
@ManuelRauber
Feb 05 2015 08:07
Okay, just ping me, if it is available :)
John Korsnes
@johnkors
Feb 05 2015 08:07
cool, i will!
Manuel Rauber
@ManuelRauber
Feb 05 2015 08:09
btw. Is there any reason why the identifiers in the resource files are lowercase?
John Korsnes
@johnkors
Feb 05 2015 08:10
yeah, there is a bug in idsrv that sends some ids in another casing than the public Ids defined in the t4 template. It's fixed in dev, so I'll change that as soon as I get new idsrv nuget
so at runtime, they send something other than the ids they want implementors of ILocalizationService to use
Manuel Rauber
@ManuelRauber
Feb 05 2015 08:11
Ah okay!
Was just curious and found it out when the tests went red :D
Manuel Rauber
@ManuelRauber
Feb 05 2015 08:12
Oh, that’s a bunch of missing translations.
John Korsnes
@johnkors
Feb 05 2015 08:13
"Invalid_scope" is the current public id (in master) , but they send "invalid_scope" runtime. It's fixed in dev of idsrv though : https://github.com/IdentityServer/Thinktecture.IdentityServer3/commit/7cf06b3c3c8eb50c50f66ac1c0be012c8ff0b35d#diff-cd6c9d1af2deea6eb517633bec70bfa5
Manuel Rauber
@ManuelRauber
Feb 05 2015 08:14
So with the new nuget it will be fixed :)
John Korsnes
@johnkors
Feb 05 2015 08:14
yep
After that, I'll remove the .ToLower() support of the contrib proj
it's just confusing
anyhow, even though it shows as missing in my gh-pages, they work at runtime as the DefaultLocalizationService handles this (and that is the fallback)
John Korsnes
@johnkors
Feb 05 2015 08:46
German messages by @ManuelRauber: http://johnkors.github.io/IdentityServer3.Contrib.Localization/#/de-DE (code review by @leastprivilege ? ;) )
Ben Crinion
@B3nCr
Feb 05 2015 09:00
Hi guys
I'm trying to do hybrid authentication but IdentityServer is redirecting back to my application with an HTTP GET. I thought it was supposed to POST?
John Korsnes
@johnkors
Feb 05 2015 09:01
using fragment?
Ben Crinion
@B3nCr
Feb 05 2015 09:03
Can't see it in the browser
John Korsnes
@johnkors
Feb 05 2015 09:05
well, how do you build your authorize url?
http://identityserver.github.io/Documentation/docs/endpoints/authorization.html
response_mode could be either form_post|fragment
POST / GET
reading the docs, it seems as if form_post is supported for implicit flow only
Ben Crinion
@B3nCr
Feb 05 2015 09:08
I'm using the middleware. I don't have a response mode option
John Korsnes
@johnkors
Feb 05 2015 09:08
there's always a way :)
but yeah, as i said. formpost (at least reading the docs) is only supported for implicit flow
in the MS OIDC MW you have the notion of NotificationProperties. There's a RedirectToIdProvider Func you can implement and modify what is sent to idsrv
Ben Crinion
@B3nCr
Feb 05 2015 09:12
This article says you're doing hybrid if you ask for token and any other response such as ID in your response type. http://leastprivilege.com/2014/10/10/openid-connect-hybrid-flow-and-identityserver-v3/
John Korsnes
@johnkors
Feb 05 2015 09:12
at the Func you could modify whatever.. acr_values, idtokenhint.. and the rest of the params to authorize
Ben Crinion
@B3nCr
Feb 05 2015 09:13
Ahh, I see that's the sample the article must be talking about, I was wondering where he got n from in his linq snippet
John Korsnes
@johnkors
Feb 05 2015 09:13
hybrid is code + (id_token or id_token and access)
it's called hybrid because you get some stuff at the front channel (the fragment in the URI) and the rest is fetched via the backchannel using the code
so if you're not using some sort of code in your client, you're not doing hybrid
yeah, the n is from that func in the MS OIDC MW
Ben Crinion
@B3nCr
Feb 05 2015 09:17
Yes, I understand that. I've got an angularjs application and in the past I started the auth from angular using a url crafted by angular, I used a route handler to process the token and use it. I wasn't sure if I was doing it right. I thought maybe I was supposed to get the token server side, stick it in a local cookie and let angular then grab the token from the cookie and add it to the API HTTP calls
I was just playing with it in the past, to see how identity server worked but didn't get too deep into it and was also using an early beta.
used an angularjs route handler, not a server side route handler.
John Korsnes
@johnkors
Feb 05 2015 09:19
yeah ok. You could get the tokens in a SPA as well, without using any serverside stuff, but then you're talking implicit flow
Ben Crinion
@B3nCr
Feb 05 2015 09:25
I definitely want a hybrid flow, I want the ASP.NET MVC controllers to be authenticated. My question is, should I get the token directly from the fragment using JS or from some "back channel"
John Korsnes
@johnkors
Feb 05 2015 09:28
you could do both
Ben Crinion
@B3nCr
Feb 05 2015 09:30
I'm guessing that's why it's called hybrid, I just wasn't sure if I was exposing myself someway by getting the token in the js. I guess the token is already there in the request for anyone malicious to see. The server side component will have already validated the user is in my local store as a valid user before it serves the JS so I'm not going to call services with a token for some "unknown" users
Dominick Baier
@leastprivilege
Feb 05 2015 09:41
@mryandot yes - open a new issue. close the old one ;)
form_post is supported for both implicit and hybrid
i will push 1.1.0 tomorrow
John Korsnes
@johnkors
Feb 05 2015 09:44
ah, so the docs are out of date re form_post ?
Dominick Baier
@leastprivilege
Feb 05 2015 09:44
send me a PR :p
Ben Crinion
@B3nCr
Feb 05 2015 09:45
@leastprivilege so what's "the" answer. Should I be using the fragment in the JS or should I be setting some cookie and then pulling the token out of a cookie? I'm guessing the latter would be safer
Dominick Baier
@leastprivilege
Feb 05 2015 09:46
you want to trigger the authN from the server?
Ben Crinion
@B3nCr
Feb 05 2015 09:46
@leastprivilege is form post available in the current version or will I have to wait for 1.1.0?
Dominick Baier
@leastprivilege
Feb 05 2015 09:46
no - that's been there for a long time
if you want to start the handshake from the server - use form_post and render the access token into a view
Ben Crinion
@B3nCr
Feb 05 2015 09:46
Yes, I've got a MVC application, I want to authenticate the views as well as use the token from my SPA to call services
Dominick Baier
@leastprivilege
Feb 05 2015 09:46
no cookies harmed
Ben Crinion
@B3nCr
Feb 05 2015 09:47
Okay
What's the workflow when the token expires? Call an endpoint in my server side code, it uses the refresh token to get a new access token, pass that back to the JS using the view you just mentioned?
John Korsnes
@johnkors
Feb 05 2015 12:27
seems legit
DW
@devployment
Feb 05 2015 12:36
Currently trying out ws-fed in a demo MVC app with v3. Looks like it is working in general but I have no Name for User.Identity.Name. Which claim do I have to include to fill the Name property in the ClaimsIdentity? Or am I missing something else here?
John Korsnes
@johnkors
Feb 05 2015 12:38
look for the name claim in the claims list instead?
DW
@devployment
Feb 05 2015 12:43
That's probably the issue. There is no name claim in the claims list
But it is inside the claims for the authenticated InMemoryUser
                // claims attached to the InMemoryUser (uses IdentityServer3's Constants.ClaimTypes)
                Claims = new[]
                {
                    new Claim(Constants.ClaimTypes.Name, "Bob Smith"),
                    new Claim(Constants.ClaimTypes.GivenName, "Bob"),
                    new Claim(Constants.ClaimTypes.FamilyName, "Smith")
                }
John Korsnes
@johnkors
Feb 05 2015 12:46
and your ClaimsPrincipal.Current?
            // requires: using System.Linq; using System.Security.Claims;
            var principal = ClaimsPrincipal.Current;
            var nameClaim = principal.Claims.FirstOrDefault(c => c.Type == "name"); // or Constants.ClaimTypes.Name
John Korsnes
@johnkors
Feb 05 2015 12:52
are you using claims mappings?
DW
@devployment
Feb 05 2015 12:54
No.
                // WS-Federation relying party registration (no ClaimMappings set)
                new RelyingParty
                {
                    Name = "ADFSEnabledApp",
                    Enabled = true,
                    Realm = "urn:localrp",
                    ReplyUrl = "http://localhost:52373/",
                    TokenType = "urn:oasis:names:tc:SAML:1.0:assertion"
                }
John Korsnes
@johnkors
Feb 05 2015 12:57
try this at the top of your startup.cs
i haven't tried the ADFS-stuff of idsrv, so "better call Saul"
DW
@devployment
Feb 05 2015 13:00
The claims mapping was the right tip. Had to add claim mappings as shown here
Thought no explicit mapping would be needed. Have to understand why this is needed. But at least it works now.
Next step. Make it federate with Office365.
Just in case somebody knows how. Every help is appreciated. :smile:
John Korsnes
@johnkors
Feb 05 2015 13:02
it's a .NET thing. .NET has its own definitions, so instead of just "name", they use something like these urls: https://github.com/IdentityServer/Thinktecture.IdentityServer3/blob/master/source/Core/Configuration/Hosting/ClaimMap.cs
or MS thing. I think.
DW
@devployment
Feb 05 2015 13:05
@johnkors Ok. But I thought creating the claim with Constants.ClaimTypes.Name should be sufficient to "map" it. But maybe not.
John Korsnes
@johnkors
Feb 05 2015 13:10
on both idsrv and rp
henrikniemann
@henrikniemann
Feb 05 2015 14:11
Hi all, I need to message a service bus from idserver when a user authenticates (LocalLoginSuccess event I suppose?). I am pretty sure I saw a sample at some point, or maybe we covered it during the NDC London workshop? Right now I cannot seem to figure out where to look. Any pointers?
John Korsnes
@johnkors
Feb 05 2015 14:11
EventService?
there's the IEventService you may implement and register your own. The default just writes to whatever log you have set it to.
henrikniemann
@henrikniemann
Feb 05 2015 14:29
It seems too much? Maybe I'm over-complicating things...
John Korsnes
@johnkors
Feb 05 2015 14:30
it's not really that much.. it's one method
henrikniemann
@henrikniemann
Feb 05 2015 14:30
Yes, I just added a custom event service. I'll give it a go. Thanks, John.
John Korsnes
@johnkors
Feb 05 2015 14:32
You're welcome! :)
henrikniemann
@henrikniemann
Feb 05 2015 14:43
I know what happened. I was looking for OpenIdConnectAuthenticationNotifications from the OIDC middleware in idserver. Brain might need a break now.
Ben Crinion
@B3nCr
Feb 05 2015 15:19
If I've got a token in my server side code, and I want to expose it to my SPA in a view like @leastprivilege mentioned earlier, am I not exposed to XSRF? The attacker can just get the token via the view which is authenticated using a cookie
John Korsnes
@johnkors
Feb 05 2015 15:21
isn't that the same problem as if someone gets hold of any authentication cookie?
henrikniemann
@henrikniemann
Feb 05 2015 15:23
Authentication cookie should be "http only". Access token would be given to SPA like any other piece of data, right?
John Korsnes
@johnkors
Feb 05 2015 15:27
if you're using the cookie owin middleware, the cookie is httpOnly by default
Ben Crinion
@B3nCr
Feb 05 2015 15:31
I'm not sure what you mean. Yes, if someone gets the access token it's compromised, that's the end. But to try and prevent someone getting the access token I can a. not use the fragment response type
so that the token isn't in the URL portion of the 302 that goes across from idsvr to my client
so now I've got a token on my server and I need it in my browser, I can add it to a cookie that only my js can get access to
John Korsnes
@johnkors
Feb 05 2015 15:33
if that was the case, why do we have implicit flow allowing access_tokens at the fragment at all? just asking, I don't know the answer :D
Ben Crinion
@B3nCr
Feb 05 2015 15:33
or I can expose it in an MVC view which my JS presumably HTTP GETs or HTTP POSTs
I guess because security is always a trade off with usability. We need implicit clients, so we try and limit their exposure by only issuing them short lived tokens.
The most secure system isn't connected to a network, but it's not much use. Etc
henrikniemann
@henrikniemann
Feb 05 2015 15:35
Disconnected, powered off AND with no batteries for BIOS and stuff :-)
Ben Crinion
@B3nCr
Feb 05 2015 15:35
Exactly. So I'm still struggling, although I think if I just use an anti-XSRF token on my "token view" then I'll be golden
John Korsnes
@johnkors
Feb 05 2015 15:36
yeah, that was my thought as well..
Ben Crinion
@B3nCr
Feb 05 2015 15:36
Really I'm sending up the bat light to @leastprivilege or @brockallen to confirm or deny
John Korsnes
@johnkors
Feb 05 2015 15:43
"Additionally, we do not want to include the random token in HTTP GET as this can cause the tokens to be leaked."
so I guess POST would be the appropriate measure
Ben Crinion
@B3nCr
Feb 05 2015 15:48
Hmm, that's interesting. Angular adds the XSRF token to an HTTP header, does that get encrypted by TLS or would it be exposed to a man in the middle?
Where does it say that?
John Korsnes
@johnkors
Feb 05 2015 15:50
you talking about the default views?
Ben Crinion
@B3nCr
Feb 05 2015 15:50
Que?
John Korsnes
@johnkors
Feb 05 2015 15:50
are you using the default views of idsrv? the embedded?
Ben Crinion
@B3nCr
Feb 05 2015 15:51
Yes
Why is that relevant?
John Korsnes
@johnkors
Feb 05 2015 15:52
so, the xsrf.value is generated in idsrv's view service, not only in angular
Ben Crinion
@B3nCr
Feb 05 2015 15:52
I'm talking about local XSRF, not between me and IDsvr, between the browser hosting my app and my server serving the same app
John Korsnes
@johnkors
Feb 05 2015 15:52
ah, ok
according to OWASP, the value should be either in a header or the body
if I remember correctly
Ben Crinion
@B3nCr
Feb 05 2015 15:53
Yeah, angularjs adds it to a header, they talk about GET requests but they actually mean putting the XSRF token in the url.
as get requests have headers too
Poul Kjeldager Sørensen
@s093294
Feb 05 2015 16:17
@leastprivilege, what do you think about moving https://github.com/IdentityModel/Thinktecture.IdentityModel/blob/master/source/Owin.ResourceAuthorization.WebApi/HttpRequestMessageExtensions.cs#L54 into Thinktecture.IdentityModel.Owin.ResourceAuthorization instead?
mryandot
@mryandot
Feb 05 2015 19:35
@leastprivilege Not that you won't get email anyway, but I've closed #872 and moved the address issue to #879
Matt Heffernan
@mattheffernan
Feb 05 2015 21:35
@leastprivilege great presentation at NDC. At the end you mentioned change status to figure out if a token has expired/revoked. Since polling causes latency and extra server hops it seems like a great solution. I've been looking around and was not able to find much on how to put together an implementation of that; fb even recommends doing polling to find out if a token has expired and/or get a new token. Any help down the right path would be appreciated.
Brock Allen
@brockallen
Feb 05 2015 21:37
@mattheffernan which kind of token do you mean -- access token?
Matt Heffernan
@mattheffernan
Feb 05 2015 21:43
yeah
js client, using angular. My current hack to get the expiration date of the token based on the user's clock is to do: new Date() + ((exp - nbf) * 1000);
but feels dirty and your solution with the iframes seemed to cover all fronts
Brock Allen
@brockallen
Feb 05 2015 21:50
yes, you have to do the math relative to the client app.
or you can wait for the API to return 401
but our token mgr does try to help you out with that
Matt Heffernan
@mattheffernan
Feb 05 2015 21:54
waiting for the 401 was my old route, but with multiple controllers on a single page you could get several 401's and it seemed messy.
Brock Allen
@brockallen
Feb 05 2015 21:55
sure
well, maybe the token mgr will help. feel free to open issues with feedback or suggestions -- it's still a work in progress.
Matt Heffernan
@mattheffernan
Feb 05 2015 21:58
I thought I knew what the token mgr was but I think I'm mistaken... it's not Thinktecture.IdentityServer3.AccessTokenValidation, is it?
Brock Allen
@brockallen
Feb 05 2015 22:02
oh no -- it's a js library being used by one of the JS samples
Matt Heffernan
@mattheffernan
Feb 05 2015 22:02
ok i'll take a look, thx
Brock Allen
@brockallen
Feb 05 2015 22:02
i guess we were miscommunicating