These are chat archives for IdentityServer/Thinktecture.IdentityServer3

2nd
Mar 2015
Loc Tan Vo
@loctanvo
Mar 02 2015 13:09
@brockallen just wondering about the state of CorsPolicy... right now, there is an AllowedCorsOrigins on the Client, but it looks like this is only in use in the InMemoryCorsPolicyService. So if we are not specifying anything, the DefaultCorsPolicyService is in use, which in turn will use what's specified on IdentityServerOptions. Am I right? (thinking about the latest release, not dev)
Brock Allen
@brockallen
Mar 02 2015 14:15
@loctanvo so the CorsPolicy had some changes in 1.2. the old config still works, but can be superseded by configuring the new ICorsPolicyService.
If you want to use the new AllowedCorsOrigins from the Client, then you need to configure the cors policy service and use the InMem impl or the new impl from EF.
Loc Tan Vo
@loctanvo
Mar 02 2015 14:17
I see, then I've understood things correctly, thanks for clarifying
there is a task on removing the IdentityServerOptions.CorsPolicy, does it mean that the DefaultCorsPolicyService will be using the Client.AllowedCorsOrigins after that? (Or the InMem will be the default?) just curious
Brock Allen
@brockallen
Mar 02 2015 14:19
not sure. that will be in v2 which means breaking changes. this might be one of those breaking changes.
feel free to add to that issue with any feedback or concerns
cgoboncan-ebsi
@cgoboncan-ebsi
Mar 02 2015 17:33
Hi all, is it possible to embed the idsrv login screen in an iframe? we're trying to use idsrv as our identity provider for our applications, but want to retain our current login flow, which is users land on the app's login page and enter their credentials there.
Brock Allen
@brockallen
Mar 02 2015 17:49
no, we use XFO to do framebusting. this is for security reasons.
cgoboncan-ebsi
@cgoboncan-ebsi
Mar 02 2015 17:57
thanks for the response. are there any options that would allow us to keep our current login page?
our clients customize their login screen and the extra step of clicking on a login button to send them to the idsrv login page will be a hard sell for us to the business team
Brock Allen
@brockallen
Mar 02 2015 18:08
you could use resource owner flow, but you're missing out on the whole point of SSO if you use it
cgoboncan-ebsi
@cgoboncan-ebsi
Mar 02 2015 19:43
Thanks Brock. We're transitioning from our custom-built authorization and authentication to OAuth2 and OpenId Connect. Our first goal is to swap out our backend systems without impacting the user experience and then move our frontend applications to oidc. When we move our frontend applications to something more modern, we'll be able to take advantage of SSO and the good stuff you've built into idsrv
Aaron Powell
@aaronpowell
Mar 02 2015 22:45
What options are there to regenerate an oauth token for a user when something about them changes?
Scenario - user logs into application via implicit flow and gets a profile containing their name and email. They go to their user management screen and change their email. The profile they had is now invalid as it contains their old email address, but that's all part of the jwt. How would you update that/force an update on that?
Is the only way to do it to log them out and back in?
I'm building the profile in a custom user service's GetProfileDataAsync method