These are chat archives for IdentityServer/Thinktecture.IdentityServer3

25th
Feb 2015
Brock Allen
@brockallen
Feb 25 2015 03:01
@feanz your access token can be used to hit the user profile endpoint to get the identity info
Wbmstrmjb
@Wbmstrmjb
Feb 25 2015 06:16
Any downside to making RequireSSL = false, putting behind a load balancer with SSL, and running over http between LB and servers?
Brock Allen
@brockallen
Feb 25 2015 14:16
well, plaintext and no server authN for part of the network activity from LB to server.... shrug
Brandt Wright
@BrandtWright
Feb 25 2015 14:50
Authentication Issue

I am playing with the Getting Started walkthrough located here

I am configuring my OWIN startup as directed by the walkthrough but when I tap a controller with an Authorize attribute a System.Security.Authentication.AuthenticationException (The remote certificate is invalid according to the validation procedure) is thrown.

I am not sure why or what is going on here. I have configured IdentityServer3 to use the idsrv3test.pfx file (as instructed) but it's still a no-go.

Any advice would be greatly appreciated. I have a stack trace if anyone is interested. My Owin startup looks like this:

using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
using Thinktecture.IdentityServer.Core.Configuration;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app
            // Host IdentityServer3 inside the MVC app under /identity
            .Map("/identity", idsrvApp => idsrvApp.UseIdentityServer(new IdentityServerOptions
            {
                SiteName = "Embedded IdentityServer",
                // Token signing certificate (not the SSL certificate IIS Express serves)
                SigningCertificate = LoadCertificate(),

                Factory = InMemoryFactory.Create(
                    users  : Users.Get(),
                    clients: Clients.Get(),
                    scopes : Thinktecture.IdentityServer.Core.Models.StandardScopes.All)
            }))

            // Cookie middleware that holds the signed-in user after the OIDC handshake
            .UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationType = "Cookies" })

            // OIDC middleware; it fetches the metadata document from Authority over the back channel
            .UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                Authority = "https://localhost:44300/identity",
                ClientId = "mvc",
                RedirectUri = "https://localhost:44300/",
                ResponseType = "id_token",

                SignInAsAuthenticationType = "Cookies"
            });
    }

    // Loads the signing certificate from bin\idsrv3test.pfx next to the app
    private static X509Certificate2 LoadCertificate()
    {
        var baseDirectory = AppDomain.CurrentDomain.BaseDirectory;
        var path = string.Format(@"{0}bin\idsrv3test.pfx", baseDirectory);
        return new X509Certificate2(path, "idsrv3test");
    }
}
Michel van den Berg
@promontis
Feb 25 2015 14:52
Is the actual .pdf file there? In the bin dir
Brandt Wright
@BrandtWright
Feb 25 2015 14:52
Yep. It's there.
Michel van den Berg
@promontis
Feb 25 2015 14:53
I meant to say .pfx file lol
Brandt Wright
@BrandtWright
Feb 25 2015 14:53
Yeah, I knew what you meant :smile:
Michel van den Berg
@promontis
Feb 25 2015 14:54
ok.. just something that I would check first
Got a log?
Logging shows a lot of info
Brandt Wright
@BrandtWright
Feb 25 2015 14:56
No log. There isn't much going on. The default MVC website starts up and runs fine. The error is thrown when I click the About link on the default MVC website homepage (which links to the About action on the home controller, which is decorated with an Authorize attribute). That's when things go kablooie. I do have a stack trace. But that's about it.
My first impression was that I was missing something fairly obvious but I have been through all the options and configuration (being a fairly simple example there is not much there to go through). But alas, I can't figure out for the life of me what I am missing.
Michel van den Berg
@promontis
Feb 25 2015 15:00
mmm... the code you are showing sets up an idsrv3 instance on /identity
then you set authentication of the MVC site to UseOpenIdConnectAuthentication
notice the https
and notice the port
I don't see anything wrong with the setup (but Brock or Dominick might differ)
personally, I would look into https or the port
Brandt Wright
@BrandtWright
Feb 25 2015 15:03
On the call to Map?
Michel van den Berg
@promontis
Feb 25 2015 15:04
properties of your mvc app
is it set to 44300
Brandt Wright
@BrandtWright
Feb 25 2015 15:04
Oh, gotcha. Yes, it is.
Michel van den Berg
@promontis
Feb 25 2015 15:04
and is it https
Brandt Wright
@BrandtWright
Feb 25 2015 15:04
The "SSL URL" is, yes.
The "SSL_URL" property of the MVC project is set to https://localhost:44300/
Michel van den Berg
@promontis
Feb 25 2015 15:05
ok
Brandt Wright
@BrandtWright
Feb 25 2015 15:06
Spent half a day yesterday wracking my brain and trying to get this to run but no luck.
Michel van den Berg
@promontis
Feb 25 2015 15:06
can you access the endpoint?
note the url
and port
running locally?
Brandt Wright
@BrandtWright
Feb 25 2015 15:09
Yep. I see the same thing. Not formatted so nicely but yes.
Michel van den Berg
@promontis
Feb 25 2015 15:09
ok great
The stack trace looks like this:

[AuthenticationException: The remote certificate is invalid according to the validation procedure.]
System.Net.TlsStream.EndWrite(IAsyncResult asyncResult) +230
System.Net.PooledStream.EndWrite(IAsyncResult asyncResult) +13
System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar) +116

[WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.]
System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) +6454322
System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar) +64

[HttpRequestException: An error occurred while sending the request.]
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
System.Runtime.CompilerServices.TaskAwaiter`1.GetResult() +24
Microsoft.IdentityModel.Protocols.<GetDocumentAsync>d__0.MoveNext() +453

[IOException: Unable to get document from: https://localhost:44300/identity/.well-known/openid-configuration]
Microsoft.IdentityModel.Protocols.<GetDocumentAsync>d__0.MoveNext() +830
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
System.Runtime.CompilerServices.TaskAwaiter`1.GetResult() +24
Microsoft.IdentityModel.Protocols.<GetAsync>d__0.MoveNext() +512
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
System.Runtime.CompilerServices.TaskAwaiter`1.GetResult() +24
Microsoft.IdentityModel.Protocols.<GetConfigurationAsync>d__3.MoveNext() +1332

[InvalidOperationException: IDX10803: Unable to create to obtain configuration from: 'https://localhost:44300/identity/.well-known/openid-configuration'.]
Microsoft.IdentityModel.Protocols.<GetConfigurationAsync>d__3.MoveNext() +2226
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
System.Runtime.CompilerServices.TaskAwaiter`1.GetResult() +24
Microsoft.Owin.Security.OpenIdConnect.<ApplyResponseChallengeAsync>d__c.MoveNext() +1048
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
System.Runtime.CompilerServices.TaskAwaiter.GetResult() +21
Microsoft.Owin.Security.Infrastructure.<ApplyResponseCoreAsync>d__b.MoveNext() +447
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
System.Runtime.CompilerServices.TaskAwaiter.GetResult() +21
Microsoft.Owin.Security.Infrastructure.<ApplyResponseAsync>d__8.MoveNext() +440
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
System.Runtime.CompilerServices.TaskAwaiter.GetResult() +21
Microsoft.Owin.Security.Infrastructure.<TeardownAsync>d__5.MoveNext() +266
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
System.Runtime.CompilerServices.TaskAwaiter.GetResult() +21
Microsoft.Owin.Security.Infrastructure.<Invoke>d__0.MoveNext() +1174
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
System.Runtime.CompilerServices.TaskAwaiter.GetResult() +21
Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.<RunApp>d__5.MoveNext() +287
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task

try removing the authorize filter
on the controller method
see if you can navigate
I think it's something with the certificate
Brandt Wright
@BrandtWright
Feb 25 2015 15:14
I can navigate fine without the Authorization attribute on the action.
The certificate (well, pfx file) I lifted from the IdentityServer github site (as instructed by the walkthrough @ https://identityserver.github.io/Documentation/docs/overview/mvcGettingStarted.html)
Michel van den Berg
@promontis
Feb 25 2015 15:17
mmm...
so weird
Brandt Wright
@BrandtWright
Feb 25 2015 15:17
Yes, very strange. The walkthrough is clear and straightforward. Not much going on. I am sure I followed all the steps to the "T" but still can't get this working.
Michel van den Berg
@promontis
Feb 25 2015 15:19
Do note the message: WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
there seems to be a lot of trouble with that on the internet
I think it is PC related
configuration of certificates
the blogpost I referred to also talks about it
perhaps you could follow his steps
Brock Allen
@brockallen
Feb 25 2015 15:21
the remote cert is invalid -- that means your SSL cert is not trusted
Brandt Wright
@BrandtWright
Feb 25 2015 15:21
I am not using the cert store however. Just the raw pfx file. I would expect that to just work.
Brock Allen
@brockallen
Feb 25 2015 15:21
you need to setup SSL correctly -- the MVC app can't trust the metadata endpoint if the SSL cert isn't trusted
no, i mean SSL -- that's a different cert.
Brandt Wright
@BrandtWright
Feb 25 2015 15:22
Which SSL cert?
Brock Allen
@brockallen
Feb 25 2015 15:22
if you have a PS sub, check Dom's video on setting up IIS and SSL
two certs: one for SSL (that's configured in IIS), and one for signing (that's the one configured in IdSvr3)
for the MVC app to trust tokens from IdSvr, the MVC app makes a HTTP request (backchannel) to IdSvr's metadata endpoint. If that's configured as HTTPS then the SSL cert needs to be trusted.
it should be HTTPS, mind you (the only time it might not is in dev)
Brandt Wright
@BrandtWright
Feb 25 2015 15:24
Ah. I am running the site in IIS Express under debug mode in visual studio 2013. Maybe that is why.
Brock Allen
@brockallen
Feb 25 2015 15:25
hmm... normally IIS Express does the right stuff to make its SSL cert trusted
in fact, i think that's what we use for all of our IIS hosted samples
Michel van den Berg
@promontis
Feb 25 2015 15:26
I've noticed IIS express doesn't do this in some cases
I've added the SSL cert manually
Michel van den Berg
@promontis
Feb 25 2015 15:31
Ugh... I hate AspNetIdentity.... the claimsvalue column is nullable, but when I leave it null and try to load the data it breaks
Thumann
@Thumann
Feb 25 2015 15:34
Hi, I'm hosting Identity server from my web api project, and I'm now trying to authorize my mvc5 site to use the site. I get redirected to http://localhost/identity/login?signin=4e1b22d9dc4e240af0bba4e57c601154 but none of the input fields are shown.. ?! I get the headline and the title 'Login'.. then nothing
Michel van den Berg
@promontis
Feb 25 2015 15:35

RAMMFAR

One last thing, please don't forget to add RAMMFAR to your web.config, otherwise some of our embedded assets will not be loaded correctly by IIS:

<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
</system.webServer>

Thumann
@Thumann
Feb 25 2015 15:35
If I visit https://localhost/identity/permissions I get directed to the same login page.. (different guid naturally) and everything is shown.. !
Michel van den Berg
@promontis
Feb 25 2015 15:36
is rammfar enabled?
otherwise, no idea :)
Thumann
@Thumann
Feb 25 2015 15:36
I have it enabled yes :-/
If I inspect the page source.. I see the fields are there.. weird
Michel van den Berg
@promontis
Feb 25 2015 15:37
css issue?
Thumann
@Thumann
Feb 25 2015 15:38
perhaps. but .. why? page renders perfectly with the other guid
Michel van den Berg
@promontis
Feb 25 2015 15:39
i have no idea... do you see anything weird in the log?
Thumann
@Thumann
Feb 25 2015 15:43
first one is the no show
Manuel Rauber
@ManuelRauber
Feb 25 2015 15:44
Have you checked the dev tools? Maybe it's a JS error
Thumann
@Thumann
Feb 25 2015 15:48
firefox and chrome show no errors
Thumann
@Thumann
Feb 25 2015 16:00
For scopes I used the entityframework providers. And set them up manually in the db. I might have something misconfigured there. Anyone care to share all the required values for the openid scope?
I have name = 'openid' and type = '0', shownindiscoverydocument=true, enabled = true
the rest of the options are blank
Thumann
@Thumann
Feb 25 2015 16:10
grrr! infuriating
Michael Schulz
@mschulz531
Feb 25 2015 22:26
is there a package for the IdentityServer WsFederation plugin?
(nuget)
why, yes, there is, thank you for asking :\
Thumann
@Thumann
Feb 25 2015 22:42
Any of the newcomers have any ideas regarding my issue? still getting hidden login form :(