These are chat archives for IdentityServer/Thinktecture.IdentityServer3

9th
Feb 2015
H.İlter AKSENCER
@iltera
Feb 09 2015 09:07
Dead silence for three days! It really was a weekend-like holiday, for most of us :smile:
John Korsnes
@johnkors
Feb 09 2015 10:11
@leastprivilege Does the invalid refresh token have to be an error log? Warn instead?
Dominick Baier
@leastprivilege
Feb 09 2015 10:40
don't know
maybe warning is fine. open an issue please ;)
John Korsnes
@johnkors
Feb 09 2015 11:16
done! what was wrong with the gh-pages for localization contrib, btw?
Alberto Leon
@AlbertoLeon
Feb 09 2015 11:20
Hi guys
Could I pass the response_mode in an implicit URL?
Dominick Baier
@leastprivilege
Feb 09 2015 11:22
??
Alberto Leon
@AlbertoLeon
Feb 09 2015 11:27
response mode could be query or fragment
by default it is fragment with the "#"
I want the "?"
I would like to know if from the client I could set what response mode I like
if I introduce "response_mode=query" I'll obtain an error message "the response type is not supported"
I have a problem with Ruby to identify a user logged in Thinktecture IdentityServer
So I want to get from the query the access token
but Thinktecture IdentityServer adds a "#" instead of a "?"
Loc Tan Vo
@loctanvo
Feb 09 2015 11:32
@AlbertoLeon it's for security reasons
Dominick Baier
@leastprivilege
Feb 09 2015 11:32
you cannot send a token via query
either fragment or form post
yes - security issue
Alberto Leon
@AlbertoLeon
Feb 09 2015 11:33
Do you know a gem in Ruby to identify a user logged in Thinktecture IdentityServer?
anyone implemented this integration?
Dominick Baier
@leastprivilege
Feb 09 2015 11:34
it is standard open id connect
OIDC does not allow tokens via query
John Korsnes
@johnkors
Feb 09 2015 11:34
it's in the .well-known/openid-configuration though, @leastprivilege
Dominick Baier
@leastprivilege
Feb 09 2015 11:34
sure - the mode is allowed
but not for implicit
John Korsnes
@johnkors
Feb 09 2015 11:34
ah
Dominick Baier
@leastprivilege
Feb 09 2015 11:34
only for code
John Korsnes
@johnkors
Feb 09 2015 11:36
@AlbertoLeon only used the ruby-jwt gem, but no openid connect gems
Alberto Leon
@AlbertoLeon
Feb 09 2015 11:45
Thanks
Alberto Leon
@AlbertoLeon
Feb 09 2015 12:06
all runs ok with ruby-jwt and the response_mode form
thanks
henrikniemann
@henrikniemann
Feb 09 2015 12:28
@AlbertoLeon Take a look at https://github.com/nov/openid_connect
ZodiacZA
@ZodiacZA
Feb 09 2015 13:58
Hi all, I am trying to set up the identity server. However, upon running I keep getting a runtime exception "RequireSslMiddleware.cs" not found.
I did all the tutorials and didn't encounter this error before and see no mention of it looking back.
Can't find anything online about this issue. I see that in the codebase for ThinkTecture.IdentityServer3 a file "RequireSslMiddleware.cs" exists in Core.
John Korsnes
@johnkors
Feb 09 2015 14:01
version 1.1.0 of the NuGet?
ZodiacZA
@ZodiacZA
Feb 09 2015 14:01
Reinstalled all the packages to no avail. Any suggestions/ideas will be greatly appreciated!
Yeah
John Korsnes
@johnkors
Feb 09 2015 14:02
strange, no issues with it here
ZodiacZA
@ZodiacZA
Feb 09 2015 14:03
Packages Installed:
  • Thinktecture.IdentityServer3 1.1.0
  • Thinktecture.IdentityServer3.AspNetIdentity 1.0.0
  • Thinktecture.IdentityServer3.EntityFramework 1.0.0
I have it installed on other projects without issues as well, so it doesn't seem to be a package issue.
John Korsnes
@johnkors
Feb 09 2015 14:04
check your references
Thinktecture.IdentityServer3.AspNetIdentity has a package dep. towards Thinktecture.Identitymodel (where the RequireSSL middleware is located). In idsrv, it's not as a dependency, but ILmerged
ZodiacZA
@ZodiacZA
Feb 09 2015 14:10
Thanks, adding that package now and testing again.
John Korsnes
@johnkors
Feb 09 2015 14:10
well, it should come as an effect of installing AspNetIdentity..
you shouldn't have to install it manually
since it's a package dep
ZodiacZA
@ZodiacZA
Feb 09 2015 14:11
Yeah, it pulled IdentityModel.Core but not IdentityModel itself.
John Korsnes
@johnkors
Feb 09 2015 14:11
ah, i was talking about core
it's not in core?
ZodiacZA
@ZodiacZA
Feb 09 2015 14:14
Doesn't look like it.
Could it be that I have IdentityServer3 version 1.1.0 whereas my IdentityServer3.AspNetIdentity is version 1.0.0?
John Korsnes
@johnkors
Feb 09 2015 14:18
hm, don't think so.. guessing nuget provided you with an assembly redirect in your web.config
ZodiacZA
@ZodiacZA
Feb 09 2015 14:29
Going to try re-install everything again.
John Korsnes
@johnkors
Feb 09 2015 14:33
yeah, the RequireSslMiddleware is internalized in idsrv, so it should be available
idsrv doesn't use the RequireSslMiddleware of IdentityModel as I first thought. It has its own impl
ZodiacZA
@ZodiacZA
Feb 09 2015 15:36
Okay, I'm an idiot. The reason for the "RequireSSlMiddleware.cs not found" was because an exception was being thrown from that file and obviously VS couldn't open it as it is a dll.
Apologies... been a long day.
So the actual exception is a "System.Security.Cryptography.CryptographicException" - "Error occurred during a cryptographic operation."
I have started a new project from fresh and am redoing this tutorial: http://identityserver.github.io/Documentation/docs/overview/mvcGettingStarted.html
Alberto Leon
@AlbertoLeon
Feb 09 2015 15:39
Can anyone help me with signing certificates?
Do you know any tutorial / doc?
sorry
signing tokens
I saw Microsoft JWT doesn't allow this...
but Base64 is not sufficient...
ZodiacZA
@ZodiacZA
Feb 09 2015 15:40
Just did the "Adding a protected resource and showing claims" section, when I encountered this issue. I tested and the certificate (the one you gave on your github) is being read in fine.
ZodiacZA
@ZodiacZA
Feb 09 2015 16:12
I just suppressed the exception and it seems to work fine
Not sure what that was about
Brock Allen
@brockallen
Feb 09 2015 17:14
@AlbertoLeon all JWT tokens from IdSvr are signed.
@ZodiacZA i'm guessing your IdSvr process' identity didn't have read access to the cert private key
Alberto Leon
@AlbertoLeon
Feb 09 2015 17:15
So... why don't I need to decrypt with a key in jwt.io or in a resource webapi site?
Brock Allen
@brockallen
Feb 09 2015 17:20
because signing is different than encryption
Alberto Leon
@AlbertoLeon
Feb 09 2015 17:23
ok...
and what about encryption?
why don't security / authentication / authorization flows include encryption?
Brock Allen
@brockallen
Feb 09 2015 17:25
the MSFT JWT handler doesn't support encryption for JWTs. not sure if it ever will, but that's not terribly important because you will be using SSL for all the network calls. the only benefit from encryption on the JWT is to prevent the end-user from knowing the contents. for access tokens you can prevent that by using a reference token.
Brock Allen
@brockallen
Feb 09 2015 18:57
hmm, what was your concern @AlbertoLeon ?
and come to think of it, reference tokens won't provide you that protection anyway. so scratch that.