EddieDemon
@EddieDemon

How can I protect introspection? There's no bypass function for it

It's protected by the endpoint permissions assigned to the client, e.g. ept:introspection

So only the client with its secret can access the EP?

gustavdw
@gustavdw

How can I protect introspection? There's no bypass function for it

It's protected by the endpoint permissions assigned to the client, e.g. ept:introspection

So only the client with its secret can access the EP?
If it's a confidential client, yes

Paul Toft Duizer
@duizer
Hello. I am trying to set up OpenIddict so that when "userinfo_token" is in the list of scopes, the result from the token endpoint will return a JWT token for "userinfo_token". This is similar to when adding "openid" to the list of scopes, where the token endpoint returns "id_token". Is it possible to configure this for "userinfo_token"?
Kévin Chalet
@kevinchalet
Hi. No, it's not possible (at least not natively). Why would you return a userinfo token when you can store what you need in the id_token?
Paul Toft Duizer
@duizer
I am creating a mock of an existing OIDC provider. The mock is to be used during development. But the existing OIDC provider is returning the userinfo_token as part of the response from the token endpoint. I cannot find any arguments in their documentation for why they are using this approach.
Simon Opelt
@sopelt
Hi, for an OWIN/Katana/legacy ASP.NET project we are looking for ways to support validation of reference tokens from IdentityServer via introspection... Given that this is just a temporary solution, we were wondering if we could utilize OpenIddict validation, as this seems to still support .NET 4.x and legacy dotnet ;) Any pointers are appreciated.
mvitalibull
@mvitalibull
Hi, I've installed my product in production and I get this exception when consuming the API:
"ExceptionMessage": "IDX20803: Unable to obtain configuration from: 'System.String'.",
"HandlerName": "OpenIddict.Validation.OpenIddictValidationHandlers+ValidateIdentityModelToken",
"EventName": "OpenIddict.Validation.OpenIddictValidationEvents+ProcessAuthenticationContext",
"SourceContext": "OpenIddict.Validation.OpenIddictValidationDispatcher",
I am lost; in dev and test it doesn't happen.
Any idea?
naoomihk
@naoomihk
Hi, I am looking for a way to revoke an access token or set it to expire. I know you said only the refresh token is revokable in 2016. Is that still valid today?
Robert Khou Chanphakeo
@robertkhou
@kevinchalet there are no examples of Xamarin mobile app? https://github.com/openiddict/openiddict-samples
Kévin Chalet
@kevinchalet
@robertkhou nope, but I'm evaluating options for built-in MAUI support in the new OpenIddict client: https://github.com/openiddict/openiddict-core/issues/1387#issuecomment-1173959166
At this point, the demand is sadly too low to make that worth it.
Or maybe as part of a paid extension?
Robert Khou Chanphakeo
@robertkhou
I think advanced features such as an "admin UI" would be a paid extension.
Kévin Chalet
@kevinchalet
We'll see. The time and money investment for this thing is fairly high - e.g. a Mac would be needed to test on macOS Catalyst - so it's definitely something that will require either an external contribution from a company interested in helping maintain it in the long term or some funding.
naoomihk
@naoomihk
Sorry for asking again. Revocation of research token is still
Sorry for asking again, is revocation of access tokens still not implemented due to performance reasons?
MikeRM2
@MikeRM2

I am having an issue with logging out of the application while it is on the IIS machine. This does not happen on my development end, so I am trying to determine why and where I could have something to say this didn't happen.

  1. I select the Logout button on the client.
  2. The client redirects to the logoutcontroller in the api/openiddict.
  3. I call the following code in the controller:

```csharp
// Sign out of the OpenIddict server scheme and redirect to "/" afterwards.
// The result must be returned from the action for the sign-out to take effect.
return SignOut(
    authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
    properties: new AuthenticationProperties
    {
        RedirectUri = "/"
    });
```

  4. I am redirected to the client where I run the following:

```csharp
// Clear the local cookie session, then delete the Identity cookie explicitly.
await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
Response.Cookies.Delete(".AspNetCore.Identity.Application");

_logger.LogInformation("successfully logged out");
return RedirectToPage("/Index");
```

  5. I am redirected back to the index page.
  6. I then select Login and am brought back into the application without going to the Login page.

It is bypassing the login page since it challenges OpenIddict and says ok, there is a good token here. Again, I cannot replicate this in the development environment, but on the IIS server I can.

Gunnar
@gunnim

Hello good people, I'm trying to integrate OpenIddict as an OAuth solution for the Umbraco CMS member logins. I have created my authorize controller that calls the Umbraco services to verify member credentials and then issues OpenIddict scheme bearer tokens.

What I'm missing however is something akin to hooking into successful completion of the Authorize attribute with the OpenIddictValidation scheme, in which I would populate the session with Umbraco member data.

I can't find a specific event for this in the OpenIddict validation library. I also tried creating my own scheme and extending the OpenIddictValidationAspNetCoreHandler, but my HandleRequestAsync method is not called (no override option, only "new").
Gunnar
@gunnim
Overriding HandleAuthenticateAsync seems more useful, but if there's a better way I'd love to hear it!
Jamie Bonnett
@jbonnett92
@gunnim If you find out please let me know, as I am about to do this soon!
@kevinchalet What is best practice for scaling horizontally?
Gunnar
@gunnim
@jbonnett92 I got it working, but for some reason I have to call "_memberManager.GetCurrentMemberAsync" from my custom auth handler before calling the same method in my controller. Some magic seems to happen in the middleware pipeline that otherwise leaves the Umbraco member identity missing from the session.
@MikeRM2 return SignOut(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme) doesn't flush anything server-side (neither cookies nor tokens). You need some custom code to delete your cookies, as you did client-side.
@gunnim yo. ProcessAuthentication(Context) is the event to use in that case (it's the event called under the hood by ASP.NET Core's authentication operation).
James Hancock
@JohnGalt1717
Stupid question, but how does one get the HandleAuthorizationRequestContext or similar (i.e. the client id etc.) from a login page (or any other mvc page). Especially I need the client_id that was pushed into the /authorize endpoint from the client in the login page.
James Hancock
@JohnGalt1717
GetOpenIddictServerRequest is null coming from the ChallengeAsync
AilunP
@AilunP
Hello, how do I enable reference access token to store the token payloads in the DB?
Troy Parkinson
@trousyt
@JohnGalt1717 The OpenIddict samples parse the redirect URI from the query string, which should contain the original request parameters to the authorize endpoint if redirected to the login page from there.
PabloRomero12
@PabloRomero12
Hi, I'm getting a big problem, I need to include the refresh_token on the redirect_uri, I added the offline_access scope, when I test on a API call I get the refresh_token, but I cannot find a way to do it on the redirect_uri
muhammad basit shoab malik
@mbasitshoaib:matrix.org
[m]
Hi, I am using the Ocelot API gateway to authenticate the request and pass the claims to the underlying microservices. So far I am able to get the access_token as well as the id_token. Is there a way I can introspect the id_token so that the claims from both tokens can be sent to the microservices?
Chihab HAJJI
@chihabhajji
Hi, for the context of my final year internship I implemented an IAMaaS system using OpenIddict and tested it with public clients, client credentials and all. Now I need a demo with 2LO (Two-Legged OAuth) so I can demonstrate that two tenants' applications can communicate with each other and are protected by the set scopes. The thing is, I have no idea how to implement such a thing (I want something minimal like the WeatherForecast demo). Can someone give me some pointers on how I might do this? Thank you.
Kévin Chalet
@kevinchalet
Hey @chihabhajji. Take a look at the authorization code flow samples in https://github.com/openiddict/openiddict-samples.
Chihab HAJJI
@chihabhajji
image.png
Thanks Kévin. Unrelated, is this a common error when using PKCE?
Jamie Bonnett
@jbonnett92
@kevinchalet This may come in handy if you need to test things https://github.com/PortSwigger/oauth-scan
Troy Parkinson
@trousyt
access-token-claims.png
Hi there, I'm seeing some unusual claims in my access tokens. I know the oi_ prefixed claims are used internally and AFAIK shouldn't end up in an access or ID token sent to the client. I even have code when assigning my claims to a destination to filter these out but they still appear. I'm seeing the ones in the attached screenshot. Is this normal?
Troy Parkinson
@trousyt
Nevermind, think I got my answer here: openiddict/openiddict-core#1127... These scopes are added during token validation.
nhumby
@nhumby

Hi folks. I've had an enforced 3 1/2 month break from learning OpenIddict due to quite a dramatic life event. I'm back at it now and looking at the latest stable Mortis client and server. The samples work great on localhost:44349 and localhost:44378. I then tried creating local IIS applications localhost/MortisClient2 and localhost/MortisServer2. I've changed all the relevant URLs in the code that I can find, but I still keep getting this error when MortisClient2 hits the authorize endpoint on MortisServer2:
error:invalid_request
error_description:The specified 'redirect_uri' is not valid for this client application.
error_uri:https://documentation.openiddict.com/errors/ID2043

The request is:
https://localhost/MortisServer2/connect/authorize?client_id=mvc&redirect_uri=https%3A%2F%2Flocalhost%2FMortisClient2%2Fsignin-local&response_type=code&scope=openid%20email%20profile&nonce=0CpR7Gyc1ooaibQu1enrniTMbz9v43ftJX-gQw2bdbE&code_challenge=sc4jhvemMo17s3WDz46D4DTeVCN94iCHcZkqDPYn7-4&code_challenge_method=S256&state=z4FKc827kkJPPhkvhLgKrJBZCwaxPovao0msyZIXsrA

The changes I've made to MortisClient are:
AuthenticationController.cs
line 28 changed to: [OpenIddictClientOwinConstants.Properties.Issuer] = "https://localhost/MortisServer2"
line 34 changed to: RedirectUri = "https://localhost/MortisClient2/signin-local"
HomeController.cs
line 33 changed to: using var request = new HttpRequestMessage(HttpMethod.Get, "https://localhost/MortisServer2/api/message");
Startup.cs
line 75 changed to: options.SetRedirectionEndpointUris("https://localhost/MortisClient2/signin-local");
line 92 changed to: Issuer = new Uri("https://localhost/MortisServer2", UriKind.Absolute),
line 96 changed to: RedirectUri = new Uri("https://localhost/MortisClient2/signin-local", UriKind.Absolute),

Changes I've made to MortisServer are:
Startup.cs
line 73 changed to: new Uri("https://localhost/MortisClient2/signin-local")

Both web.configs have only been changed to set a new connection string to a DB. Any idea why this isn't working or what I've missed out in changing?

Kévin Chalet
@kevinchalet
Hey @nhumby. Sorry to hear that.
Are you sure the changes are reflected in your DB? If the client entry was created before you updated the values, the client registration in the DB might not use the correct redirect_uri.
elfico
@elfico

Hello everyone, I'm having issues with getting the phone number from scopes. I have made an update to the OpenIdDictApplications table to include the scope for phone.
Here is the entry in the database:

["ept:authorization","ept:logout","ept:token","gt:authorization_code","gt:refresh_token","rst:code","scp:email","scp:profile","scp:roles","scp:phone"]

In the code, I declared the scopes as

  scope: 'openid profile email roles phone',

But when I run the application, I get the following error:

error:invalid_scope
error_description:The specified 'scope' is invalid.
error_uri:https://documentation.openiddict.com/errors/ID2052

The client is a react application.

Kévin Chalet
@kevinchalet
Hey. You forgot to register one of the scopes (either statically using options.RegisterScopes() or dynamically using IOpenIddictScopeManager.CreateAsync()).
nhumby
@nhumby
Hi! Is there a guide on how to add an additional client / relying party to the Mortis server? I want to see if I can get my own hello world web app (.NET 4.8, not Core) to authenticate against the Mortis server. I see how the "mvc" client DB entry is created if missing in the Startup.cs, but I'm not sure how some of the fields in the dbo.OpenIddictApplications table are populated or what their meaning is, i.e. ConcurrencyToken, Properties, Type.
seven
@seventychi
Hi, I am new to OpenIddict (I used IdentityServer before). I'd like to know whether there is any sample about a separate backend and frontend: the backend is a .NET Core API with OpenIddict, and the frontend is a Vue.js SPA website containing a login page (Authorization Code Flow).