Syzuna
@Syzuna
ok got it working. so that setup works...
I had to specify a custom introspect url, idk why but it was suggested elsewhere and after that this setup works with ocelot
Marcos Vitali
@marcosvitali:matrix.org
Hi, I'm trying to use OpenIddict in EnableDegradedMode without Entity Framework and without AddIdentityCore; I don't want to use IdentityConstants.ApplicationScheme. Is that possible? For example, in Identity Server 4, IdentityServerUser is used for HttpContext.SignInAsync directly.
Should I always use AddIdentity?
Yoann BLOSSIER
@yblossier

No worries. Don’t hesitate to sponsor the project to get the sponsors treatment :smile:

And for my issue can I have a suggestion of solution to see if I have to sponsor you or not :smile: ?

qwertti9981
@qwertti9981
For a Visual Studio solution using OpenIddict (was using 2.0.0-rc1-final, now using 3.1.1 packages) that was migrated from .NetCore 2.2 to .NetCore 3.1, the changes now work correctly in development.
However, when I use an Azure DevOps pipeline (which does clean the folder prior to doing a build) to build and push them to our QA environment, the *.exe (or if I use "dotnet {dll_file}") files within the artifacts return the error below.
The error occurs when I test the build artifacts on a development or the QA PC.
I have tried using an agent pool consisting of msbuild installed on the company's dedicated build server as well as a hosted Azure pipeline with the specification "windows-2019".
Both build environments create artifacts that cannot be run, due to the below missing dependency.
The main application and the common API QA projects can be "published to a folder" with Visual Studio and work as expected on the QA server, so the issue seems to only occur when using an Azure build pipeline.
Since I have only seen this particular issue when upgrading OpenIddict packages, I hope maybe someone else here has seen this issue.
The Error I get when I try to test the build artifacts created by an Azure DevOps pipeline:
C:\Projects\WebApp-5875\Content\C_C\agent_work\2\s\members\Members\Member.API\obj\Release\netcoreapp3.1\PubTmp\Out>member.api.exe
Unhandled exception. System.IO.FileNotFoundException: Could not load file or assembly 'System.Data.SqlClient, Culture=neutral, PublicKeyToken=null'. The system cannot find the file specified.
File name: 'System.Data.SqlClient, Culture=neutral, PublicKeyToken=null'
Kévin Chalet
@kevinchalet
The PublicKeyToken=null seems suspect as MSFT's libraries are almost always strong-named.
Does that repro on .NET Core 2.2 with OpenIddict 3.1.1?
qwertti9981
@qwertti9981
I haven't tried that combination yet. Let me see what .NET Core 2.2 with OpenIddict 3.1.1 does in the Azure DevOps pipeline when it creates the build artifacts.
erielpo
@erielpo

thanks @Syzuna .

But what I want to do still doesn't work for me. I put below the configuration of the example that I want to do.

Ocelot.json:

```json
"Routes": [
  {
    // Zirku.Api1 https://localhost:44342/
    "DownstreamPathTemplate": "/resource/public",
    "DownstreamScheme": "https",
    "DownstreamHostAndPorts": [
      {
        "Host": "localhost",
        "Port": "44342"
      }
    ],
    "UpstreamPathTemplate": "/api1",
    "UpstreamHttpMethod": ["GET", "POST", "PUT"],
    "AuthenticationOptions": {
      "AuthenticationProviderKey": "OpenIddict.Validation.AspNetCore",
      "AllowedScopes": ["sp:test:api:apigateway:api1:apigateway1"]
    }
  }
]
```

Ocelot (Startup.cs)

```cs
services.AddAuthentication(options =>
{
    options.DefaultScheme = OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme;
});

services.AddOpenIddict()
    .AddValidation(options =>
    {
        // Note: the validation handler uses OpenID Connect discovery
        // to retrieve the address of the introspection endpoint.
        options.SetIssuer("https://localhost:44385/");

        // https://localhost:44385/
        options.AddAudiences("apigateway");

        options.UseIntrospection()
               .SetClientId("apigateway")
               .SetClientSecret("846B62D0-DEF9-4215-A99D-86E6B8DAB349");

        // Register the System.Net.Http integration.
        options.UseSystemNetHttp();

        // Register the ASP.NET Core host.
        options.UseAspNetCore();
    });
```
qwertti9981
@qwertti9981
image.png
Using .NetCore 2.2 with OpenIddict 3.1.1 works correctly when built with the Azure DevOps pipeline to create build artifacts to test on our QA server. Above is a DIFF of the .NetCore 2.2 and .NetCore 3.1 *.csproj files.
Kévin Chalet
@kevinchalet
Interesting. Any chance you could also try on 5.0?
qwertti9981
@qwertti9981
Yes, I should be able to test it with 5.0. Let me set up a Visual Studio solution and build pipeline to test that combination.
qwertti9981
@qwertti9981
The NuGet version the Azure DevOps QA release pipeline was using was 4.9.1 and I had issues building the .Net 5.0 version - "##[error]The nuget command failed with exit code(1) and error(NU1202: Package Microsoft.EntityFrameworkCore.SqlServer 5.0.10 is not compatible with net50 (.NETFramework,Version=v5.0). Package Microsoft.EntityFrameworkCore.SqlServer 5.0.10 supports: netstandard2.1 (.NETStandard,Version=v2.1)
", etc. Updating the QA release pipeline to use NuGet 5.11.0 allowed the .Net 5.0 version to build, as well as the .NetCore 3.1 with OpenIddict 3.1.1 to build and run correctly. Thanks for the guidance.
I should now be able to tie these build artifacts to Windows Server IIS for testing.
Kévin Chalet
@kevinchalet
:+1:
Killian Hale
@matholum

@kevinchalet - Sorry... I'm not as used to gitter and it seems threads get lost easily here.

In regards to my PR, is there another way to do it with purely a prompt=none setup? I really do not want to have the backend return anything other than data and have all of the UI be on the frontend client.

Also, am I understanding the concern accurately at least? Because I'm not so sure now... lol

Kévin Chalet
@kevinchalet
@matholum honestly, I don't think so.
IMHO and as I said, returning a "view" that loads the SPA's authorization page is the only reasonable option.
Killian Hale
@matholum
@kevinchalet - I guess I'm still trying to learn why that's the only reasonable option... my guess is that the thinking is that prompt=none works for everything except for explicit because that, kind of by definition, is a prompt in and of itself.
Kévin Chalet
@kevinchalet
Add a second client and you'll immediately see why it can't work.
Each time that second application will send an authorization request that requires consent, the Forbid call will force the user agent to go back to the client without ever reaching the SPA.
Killian Hale
@matholum
Ok... I might be following at least a little of what you're saying now.
Kévin Chalet
@kevinchalet
Good :smile:
Killian Hale
@matholum
And sorry... not trying to be difficult... unlike the rest of your feedback, I've struggled to understand the issue and what the path forward is. I'll try to play around with how I thought multiple clients would work in this case and see if I run into what I think you're saying. I'm sure I'll need to reach out again but hopefully it's after having learned more. lol 😝
Kévin Chalet
@kevinchalet
Feel free :smile:
Once you add a tiny console client, it should make things ultra clear.
(you can simply copy an existing client sample)
Killian Hale
@matholum
I'm hoping so... lol 🤞🏻 Thanks again for all your help ^_^
Kévin Chalet
@kevinchalet
You're welcome :smile:
Kévin Chalet
@kevinchalet
@matholum thinking about it, using MVC controllers might not be the easiest approach: I'm wondering if using a middleware or OpenIddict's events model (HandleAuthorizationRequest) wouldn't be better, as they both allow invoking the rest of the pipeline way more easily, so you could let the app.UseSpa() stuff handle authorization requests that need consent validation.
With a middleware, you'd call await next() for that, with OpenIddict, you'd call context.SkipRequest() (which is what the pass-through mode does)
In this case, the only remaining problem to solve would be flowing the request details between the server and the SPA stuff so that the authorize page can reflect them (typically via hidden inputs)
Kévin Chalet
@kevinchalet
If you still prefer the controller approach, you'll need to do what the SPA middleware does for you by returning the SPA page, most likely using return File(...) or something similar.
Killian Hale
@matholum
@kevinchalet - I finally have a test going with a second client (copied Weytta as suggested) and made a few tweaks. I think I finally get the initial concern but what I'm seeing isn't completely matching up with what you're saying though sadly. When I hit the forbid, I actually get redirected to /Account/Login?ReturnUrl=... and that renders the SPA... the SPA just doesn't have that path routed. I ran into this a while back and I don't think I ever figured out why it uses that path when using GET or how to change it. Even if I have to use that URL, doesn't this mean that I just have to pay attention to the ReturnUrl on the SPA react client?
Guan9Hong
@QuanJingHong
I want to build a web admin app using MVC, named A; A uses OpenIddict to provide the login page and tokens. I have another web API that provides an authorization API, named B. How can B authenticate and get the user's information from the token that A provides? A and B use the same database. Can anyone help me?
dr_cox1911
@dr_cox1911:matrix.org
@kevinchalet where is the best way for a sponsor to reach out to you for some guidance?
Kévin Chalet
@kevinchalet
Here, on GitHub or depending on the tiers, by email :smile:
Guan9Hong
@QuanJingHong
What are your criteria for grading tiers?
Kévin Chalet
@kevinchalet
qwertti9981
@qwertti9981

.NetCore 3.1 with OpenIddict 3.1.1 Visual Studio solution migrated from .NetCore 2.2:

I am trying to read and apply a string list of allowable JWT issuers (from a configuration file, so they are not hardcoded in startup.cs) to access a separate (but on the same PC) API project.

"appsettings.json" changes
(using data from the JWT "iss" section to allow certain issuers to access API, so they are not hardcoded in startup.cs):
```json
"ValidJWTIssuers": {
  "URLs": [
    "https://localhost:5050/",
    "https://localhost:5051/"
  ]
}
```

"startup.cs", "ConfigureServices(IServiceCollection services)" method
```cs
services.AddOpenIddict()
    .AddServer(options =>
    {
        List<string> validIssuers = Configuration.GetSection("ValidJWTIssuers:URLs").Get<List<string>>();
        foreach (string v in validIssuers)
        {
            validIssuers.Add(v);
        }
        options.Configure(o => o.TokenValidationParameters.ValidIssuers = validIssuers);
    })
    .AddCore(options =>
    ...
```

Results in the API project's "Program.cs":
```cs
    public static IWebHost BuildWebHost(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
            .UseStartup<Startup>()
            .Build();
}
```

gives the following:
Exception Unhandled
System.InvalidOperationException: 'Collection was modified; enumeration operation may not execute.'
This exception was originally thrown at this call stack:
System.ThrowHelper.ThrowInvalidOperationException_InvalidOperation_EnumFailedVersion() in ThrowHelper.cs
System.Collections.Generic.List<T>.Enumerator.MoveNext() in List.cs
M.API.Startup.ConfigureServices.AnonymousMethod5_3(Microsoft.Extensions.DependencyInjection.OpenIddictServerBuilder) in Startup.cs
Microsoft.Extensions.DependencyInjection.OpenIddictServerExtensions.AddServer(Microsoft.Extensions.DependencyInjection.OpenIddictBuilder, System.Action<Microsoft.Extensions.DependencyInjection.OpenIddictServerBuilder>) in OpenIddictServerExtensions.cs
M.API.Startup.ConfigureServices(Microsoft.Extensions.DependencyInjection.IServiceCollection) in Startup.cs
Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.InvokeCore(object, Microsoft.Extensions.DependencyInjection.IServiceCollection) in ConfigureServicesBuilder.cs
Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.Invoke.
Startup|0(Microsoft.Extensions.DependencyInjection.IServiceCollection) in ConfigureServicesBuilder.cs
Microsoft.AspNetCore.Hosting.StartupLoader.ConfigureServicesDelegateBuilder<TContainerBuilder>.BuildStartupServicesFilterPipeline.RunPipeline|0(Microsoft.Extensions.DependencyInjection.IServiceCollection)
Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.Invoke(object, Microsoft.Extensions.DependencyInjection.IServiceCollection)
Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.Build.AnonymousMethod
0(Microsoft.Extensions.DependencyInjection.IServiceCollection) in ConfigureServicesBuilder.cs
...
[Call Stack Truncated]

If I hardcode and add each JWT issuer into startup.cs, I do not have this issue. Is there a flag I need to set for OpenIddictCore to wait until all validIssuers are added to the enumerable?
validIssuers.Add("https://localhost:5050/");
validIssuers.Add("https://localhost:5051/");

Marcos Vitali
@marcosvitali:matrix.org
Hi, I'm sorry, I'm still blocked.
I'm trying to migrate my IS4 code to OpenIddict, but there is nothing similar to IdentityServerUser in the examples.
I would be very happy if someone could help me, thanks :)
```cs
        AuthenticationProperties props = null;
        // issue authentication cookie with subject ID and username
        var isuser = new IdentityServerUser(userId)
        {
            DisplayName = model.Username
        };

        await HttpContext.SignInAsync(isuser, props);
```
Marcos Vitali
@marcosvitali:matrix.org
Mmm, I understand: in OpenIddict there is no authentication, so I can implement
```cs
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
            {
                options.LoginPath = "/signin";
            });
```
without implementing Identity, is that right?
Marcos Vitali
@marcosvitali:matrix.org
So, for full customization, I need to use EnableDegradedMode, No Identity, and implement my own IOpenIddictApplicationManager, IOpenIddictAuthorizationManager, IOpenIddictScopeManager. mmh a lot of work.