Kévin Chalet
@kevinchalet
Hi. Is your question related to Owin.Security.OpenIdConnect.Server or general? :smile:
rik coleman
@coleman-rik
@PinpointTownes Microsoft.Owin.Cors
Kévin Chalet
@kevinchalet
Then it has nothing to do with this Gitter room, right?
rik coleman
@coleman-rik
@PinpointTownes I don't know. This is the only Owin/Cors room I could find here.
Kévin Chalet
@kevinchalet
The topic associated with this room is "OpenID Connect/OAuth2 server framework for OWIN/Katana" so it's definitely not the right place.
Consider posting your question there: https://github.com/aspnet/AspNetKatana
rik coleman
@coleman-rik
Well thanks, and sorry for the intrusion.
Kévin Chalet
@kevinchalet
No problem :smile:
Aaron Mousavi
@Aaronmsv

Hi! Sorry for bothering but I have a question related to the authorization code flow described here https://kevinchalet.com/2016/07/13/creating-your-own-openid-connect-server-with-asos-implementing-the-authorization-code-and-implicit-flows/

I have implemented this, very similar to the code that is described there. I use the Authorize attribute on the Authorize endpoint to make sure the user is logged in before they see the authorization page, but unauthenticated users are not being redirected to the login page, it just returns a 401.

In the debug logs I see this:
Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler:Debug: AuthenticationScheme: Identity.Application was not authenticated.
Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler:Debug: AuthenticationScheme: Identity.External was not authenticated.
Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler:Debug: AuthenticationScheme: Identity.TwoFactorRememberMe was not authenticated.
Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler:Debug: AuthenticationScheme: Identity.TwoFactorUserId was not authenticated.
AspNet.Security.OAuth.Validation.OAuthValidationHandler:Debug: Authentication was skipped because no bearer token was received.
AspNet.Security.OAuth.Validation.OAuthValidationHandler:Debug: AuthenticationScheme: Bearer was not authenticated.
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService:Information: Authorization failed.
Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker:Information: Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
Microsoft.AspNetCore.Mvc.ChallengeResult:Information: Executing ChallengeResult with authentication schemes (Identity.Application, Identity.External, Identity.TwoFactorRememberMe, Identity.TwoFactorUserId, Bearer).
Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler:Information: AuthenticationScheme: Identity.Application was challenged.
Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler:Information: AuthenticationScheme: Identity.External was challenged.
Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler:Information: AuthenticationScheme: Identity.TwoFactorRememberMe was challenged.
Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler:Information: AuthenticationScheme: Identity.TwoFactorUserId was challenged.
AspNet.Security.OAuth.Validation.OAuthValidationHandler:Information: AuthenticationScheme: Bearer was challenged.
Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker:Information: Executed action ..Controllers.OAuthController.Authorize (...) in 67.3042ms
Aaron Mousavi
@Aaronmsv
Hmm, seems to be caused by the authentication schemes passed to the authorize attribute
Kévin Chalet
@kevinchalet
Hey @Aaronmsv.
Yeah, it's definitely that. You'll want to use Identity.Application to redirect the user to the login page.
Aaron Mousavi
@Aaronmsv
Hey @PinpointTownes, thanks for the reply. Great article btw!
Kévin Chalet
@kevinchalet
@Aaronmsv to be honest, it's a bit obsolete now (it was written for ASP.NET Core 1.0). I'll see if I can publish a similar series once OpenIddict 3.0 (into which ASOS will be merged) is available.
Aaron Mousavi
@Aaronmsv

That's OK, it was enough to get me started. Combined with the repo on Github I could find most of the things I needed.

There's one thing I haven't fixed yet, and that I have been searching for a while now. I derived from OpenIdConnectServerProvider and have overridden the serialize/deserialize methods so I can store the tokens in our database. However, it seems that at this point the tokens are not generated yet. I'm now generating them manually, but I'd really like to keep using the ones that OIDC generates.

jikkujj
@jikkujj
Hi Kevin. i was wondering how to get to the screen from which i can trigger a sign in
Figured it out. Just had to set mvc client as the startup project in visual studio
jikkujj
@jikkujj
Another question. What is a good way to make sure javascript knows that the user is logged out when using oidc? My approach was to store the username in localstorage after successful authentication. Then came to mind the question as to how to ensure the frontend doesn't indicate the username, when the user's session with the oidc provider has ended.
Kévin Chalet
@kevinchalet
You can implement and use silent authorization requests in iframes: if you get a login_required error, the user is logged out.
Take a look at the server sample in the OpenIddict 3.0 repo to see how the server part is implemented.
jikkujj
@jikkujj
Thanks
So would we need to keep sending authorization requests in a loop to determine if the user session has expired?
Kévin Chalet
@kevinchalet
Yes. If it's a problem for you, you can still implement session management yourself: https://openid.net/specs/openid-connect-session-1_0.html
It's not something OpenIddict or ASOS currently implements, so you're pretty much on your own.
mirza21
@mirza21
Hi Kevin
I want to configure signing keys for my jwt validation
my application is a server as well as hosting an api
the server must be running to download metadata from the url to configure JWT
is it possible to configure my JWT signing keys in the startup class when openiddict is configured?
Siarhei Filipau
@sfilippov
sorry for bothering but which nuget package includes the OpenIddictContext definition? I use OpenId 2.0.1
Kévin Chalet
@kevinchalet
Good Lord, this type was removed at least 4 years ago :smile:
Inherit from DbContext (or IdentityDbContext if you use Identity) and use that instead: https://github.com/openiddict/openiddict-samples/blob/dev/samples/CodeFlow/AuthorizationServer/Startup.cs#L35-L38
Siarhei Filipau
@sfilippov
Thank you, @kevinchalet !
Siarhei Filipau
@sfilippov
@kevinchalet , how can I catch authorization code processing? I send response_type=code in the first step and get a code from the server; in the second part I send that code with response_type=token but I get "The specified authorization code is invalid" from ASOS. I can't check the code manually
I don't get into AuthorizationProvider.HandleTokenRequest
Kévin Chalet
@kevinchalet
You're likely doing very weird things, because you're not supposed to send response_type=token but grant_type=authorization_code in the token request.
Siarhei Filipau
@sfilippov
yes, I send grant_type=authorization_code in the second step
Kévin Chalet
@kevinchalet
Did you take a look at the logs?
Anything interesting?
Siarhei Filipau
@sfilippov
looks like the data format is not suitable for the code, can't unprotect, looking into it
Siarhei Filipau
@sfilippov
@kevinchalet , can I use the authorization code flow for using a code from an Authenticator mobile app?
Kévin Chalet
@kevinchalet
The code flow can definitely be used with 2FA. But you can't use the 2FA "code" provided by the authenticator app as an OIDC "code", obviously.
Kévin Chalet
@kevinchalet
@/all FYI, OpenIddict 3.0 beta1 was released yesterday. Don't miss the important announcement regarding the support of ASOS and the aspnet-contrib validation/introspection middleware at the end of this blog post: https://kevinchalet.com/2020/06/11/introducing-openiddict-3-0-beta1/
Roger Spring
@rspringAya

Does anyone know anything about the serialization rules around OpenIdConnectResponse (or SignInResult) and how the properties are transformed to snake case in the JSON response despite our Newtonsoft settings for camel case? ContractResolver = new CamelCasePropertyNamesContractResolver()

I've been trying to get the swagger doc to pick up on the snake casing for endpoints returning these types, but to no avail, it thinks it will return camel case. For example:

"OpenIdConnectResponse": {
      "allOf": [
        {
          "$ref": "#/definitions/OpenIdConnectMessage"
        },
        {
          "type": "object",
          "description": "Represents a generic OpenID Connect response.",
          "properties": {
            "accessToken": {
              "type": "string",
              "description": "Gets or sets the \"access_token\" parameter."
            },
...
            "expiresIn": {
              "type": "integer",
              "description": "Gets or sets the \"expires_in\" parameter.",
              "format": "int64"
            },
...
Kévin Chalet
@kevinchalet
@rspringAya FYI, AspNet.Security.OpenIdConnect.Server is no longer supported.
Roger Spring
@rspringAya
Thanks @kevinchalet
Craig Freeman
@Craig939393_twitter
Could anyone explain to me the difference between PKCE and OpenidConnect hybrid flow please? Is hybrid literally just PKCE but you get an id token spat out at the same time as an authorization code?
Kévin Chalet
@kevinchalet
JSYK, ASOS (to which this Gitter room was dedicated) was merged into OpenIddict and is no longer supported. You may want to post your future questions there: https://gitter.im/openiddict/openiddict-core