These are chat archives for IdentityServer/Thinktecture.IdentityServer3

12th
Feb 2015
James Geall
@jageall
Feb 12 2015 08:24
update: I am able to reproduce on our rig, but not using the latest samples. I am upgrading everything to 1.1.1 to see if that makes any difference.
James Geall
@jageall
Feb 12 2015 13:02
got it, for some reason the idsrvr session cookie is missing
probably something we are doing, I'll check through again
Dominick Baier
@leastprivilege
Feb 12 2015 16:44
What was the solution to the invalid nonce problem?
I am having this problem now as well - but can't figure out what the problem is.
I have another host where it is working fine
John Korsnes
@johnkors
Feb 12 2015 16:45
OIDC MS MW?
Dominick Baier
@leastprivilege
Feb 12 2015 16:47
yes
John Korsnes
@johnkors
Feb 12 2015 16:47
Kentor?
Dominick Baier
@leastprivilege
Feb 12 2015 16:47
can't remember
John Korsnes
@johnkors
Feb 12 2015 16:48
That mw from Kentor being the CookieSaver..
Dominick Baier
@leastprivilege
Feb 12 2015 16:48
sure
but i have a cookie
it is just expecting a different nonce
and i can't see why
John Korsnes
@johnkors
Feb 12 2015 16:51
would give Kentor a go. I haven't experienced any issues with the OIDC MS MW since.. nonce or redirect loops
Dominick Baier
@leastprivilege
Feb 12 2015 16:51
but this is in conjunction with system.web
we have no system.web
John Korsnes
@johnkors
Feb 12 2015 16:52
ah, not using any system.web
scratch that then
same effect in all browsers as well? incognito?
just to rule out the cookie issue for sure, i was thinking
Dominick Baier
@leastprivilege
Feb 12 2015 16:56
investigating
James Geall
@jageall
Feb 12 2015 17:42
is there any way to set "remember me" to true for preauthentication scenarios?
Brock Allen
@brockallen
Feb 12 2015 17:51
@jageall elaborate?
James Geall
@jageall
Feb 12 2015 19:11
we have a reset password function that has the option of keeping you signed in. we are currently setting a cookie when this is done successfully and picking it up in preauthenticate which works fine, except there is a checkbox so the user can choose to be remembered (similar to the normal login process). I suspect it should be following the partial signin process, but i have not quite got my head around that yet
Brock Allen
@brockallen
Feb 12 2015 19:16
well, preauthN doesn't show anything, so the user doesn't have a chance to tick the checkbox. i wonder if your reset page should instead have it (and then you can put the value in the cookie).
James Geall
@jageall
Feb 12 2015 19:17
i did that
so the remember me is in the cookie from the reset page, but i can't see what to do with it next
Brock Allen
@brockallen
Feb 12 2015 19:18
ah i see what you mean
James Geall
@jageall
Feb 12 2015 19:19
it looks like the only way remember me can be set is through the UI, as it is the only code path I can see it being set by
Brock Allen
@brockallen
Feb 12 2015 19:19
right, you're correct
hmm, and you don't want it set globally
James Geall
@jageall
Feb 12 2015 19:20
not quite sure what you mean by that
Brock Allen
@brockallen
Feb 12 2015 19:21
there's a global flag for that
James Geall
@jageall
Feb 12 2015 19:21
do you mean on for everyone all the time?
Brock Allen
@brockallen
Feb 12 2015 19:21
but it always sets a persistent cookie
right
James Geall
@jageall
Feb 12 2015 19:21
yeah, don't want to do that
Brock Allen
@brockallen
Feb 12 2015 19:21
so yea, the only thing i can see might be to add it to the AuthenticateResult for an upcoming release
James Geall
@jageall
Feb 12 2015 19:22
that would help, do you want a PR?
or more time to think about it? :)
Brock Allen
@brockallen
Feb 12 2015 19:24
that's a tricky area given all the ways we get into that method
so open an issue, at least
James Geall
@jageall
Feb 12 2015 19:24
will do
Brock Allen
@brockallen
Feb 12 2015 19:25
the thing to consider is that for the normal login, the user could check the checkbox but also the AuthenticateResult might have a value
so i'd have to think about what rules we'd want to deal with conflicting values
and perhaps it's too complicated, so then we might not want to allow it
so that's why i'm not ready for a PR
those are the things to consider
mryandot
@mryandot
Feb 12 2015 20:51
I'm trying to get IdentityServer3 up in IIS. It works fine in IIS Express, and I've set the RAMMFAR option, but I get a page rendering things like {{model.currentUser}}. If I try to go directly to one of the asset urls (e.g. /auth/assets/styles.min.css), it returns a 401 error. Anyone have any thoughts that might save me some digging? :)
Brock Allen
@brockallen
Feb 12 2015 20:51
do you have anonymous enabled in IIS?
mryandot
@mryandot
Feb 12 2015 20:52
Anonymous Authentication is enabled.
I wonder if it's the pass-through authentication. When I test I get a green light for authentication, but for authorization it says it can't find the file path...
Brock Allen
@brockallen
Feb 12 2015 20:54
401 sounds odd to me
you should get 404
so it sounds like something authorization related... but you have anon enabled.
so hard to say
sounds like something else is happening
mryandot
@mryandot
Feb 12 2015 21:05
Ugh...apparently I need to read up on IIS configuration a bit more. It was configured to use pass-through authentication. Setting the "Connect As..." to the application pool user made everything work, but it seems that really shouldn't be necessary. Guess I have some reading to do...
mryandot
@mryandot
Feb 12 2015 21:22
Okay...the files are on a UNC-mapped network drive. I had to set the identity for the anonymous user.
Brock Allen
@brockallen
Feb 12 2015 21:23
the hosting app is on a UNC?
the 401 makes more sense now... though not sure why you got the initial HTML but not the embedded assets (since you were already reading the binary to execute it)
mryandot
@mryandot
Feb 12 2015 21:24
Yeah, the servers are load-balanced and use a network share to support common files and configuration(s).
Yeah, that still confuses me too...
Brock Allen
@brockallen
Feb 12 2015 21:25
anyway, working now?
mryandot
@mryandot
Feb 12 2015 21:26
I'll read more later and see if I can figure it out...for now I just want to get the test instance working. Now I'm trying to figure out why I'm getting unauthorized when using the "Call Service" button in the WPF Implicit project in the Clients sample solution. I'm guessing it's my client configuration...it works when I run it locally.
mryandot
@mryandot
Feb 12 2015 21:51
Odd...if I set WPF Implicit Client as the startup project and have SampleAspNetWebApi set to always start when debugging, I get tokens just fine but the web api rejects them. If I debug SampleAspNetWebApi and just run the WpfClient.exe on its own, everything works. I think the gremlins are getting restless. ;)