damccull
@damccull
So not to compare various kinds of fruit, but IdentityServer4 has a ton of options you have-to/can set on various kinds of registered clients. In openiddict I see only the RedirectUris, the clientsecret, and clientid. I like the simplicity, but is there anything I might need with the more advanced crap? Does openiddict support that extra stuff under the hood and it's just not in the examples?
Kévin Chalet
@kevinchalet
Keeping it not "too complicated" is 100% deliberate. We do expose a few options already, but if you need more advanced things, the events model will allow you to do whatever you want with a few lines of code.
It's a different approach, but you should be able to achieve whatever you want to do.
If you have a concrete example of an option you miss, I'm all ears :smile:
damccull
@damccull
I don't miss anything yet, lol. I just have been experimenting with identity server 4 and they have pretty darn good docs, but it seems like a lot of extra stuff to set up a specific client. I just wondered if all that extra was gaining me anything... Like security or something.
Kévin Chalet
@kevinchalet
It gives you... options :smile:
I try to avoid adding client properties because it quickly becomes noisy (even in the DB, as you have to introduce new columns for them).
damccull
@damccull
Cool. I'mma stick with the basics if I can get openiddict running this time :) I feel much more prepared than I did when I tried this a couple years back.
Kévin Chalet
@kevinchalet
Hahaha :smile:
damccull
@damccull
@PinpointTownes OpenIddictServerBuilder.UseMvc() doesn't seem to exist anymore in 3.0. Is this, or similar, still needed for Code auth?
Kévin Chalet
@kevinchalet
I haven’t ported this stuff. It used to register the MVC binders for OpenIdConnectRequest but that was a quite confusing pattern so I decided to remove it.
damccull
@damccull
Sweet. Think I might have skipped it by using the MVC sample in the dev branch anyways
New question @PinpointTownes. When I add a new migration for OpenIddict it's using IdentityUser instead of my derived ApplicationUser in the migrations, but I can't figure out why. There are no references to IdentityUser anywhere in my code. Am I missing an explicit config with OpenIddict somewhere?
Kévin Chalet
@kevinchalet
OpenIddict doesn’t use Identity at all, so it’s definitely not related :smile:
You either have an issue with your DbContext class or the generic arguments of your services.AddIdentity<>() call are incorrect.
damccull
@damccull
Hmm.
Thanks. Let me look around more.
At least now I can rule out openiddict and go in the right direction lol
Kévin Chalet
@kevinchalet
:smile:
damccull
@damccull
Wow I'm dumb. I left the <ApplicationUser> part off of IdentityDbContext<ApplicationUser> in my dbcontext
Kévin Chalet
@kevinchalet
:laughing:
damccull
@damccull
I'm doing unsupported things...like using razor pages as my endpoints. I don't expect much support on it, but would you know why return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme); is returning the sign-in page html instead of a token or redirect to the token endpoint?
Kévin Chalet
@kevinchalet
The token endpoint is an API endpoint, for which Razor Pages are not exactly "good candidates" :smile:
Now, why it does that, no idea.
damccull
@damccull
I know, but I can't figure out how to make razor pages and an mvc controller share the same base route lol :D
Hmm...I wonder if it's the 'authorize' attribute. Lemme check.
Definitely that attribute. Sweet now a new problem that's probably also razor pages related lol
damccull
@damccull
I fixed it! :D
Lesson learned: Don't put [Authorize] on your token endpoint, and ensure you're not using antiforgery verification tokens on it either lol
Kévin Chalet
@kevinchalet
Haha, yeah :smile:
damccull
@damccull
So device flow: The device goes to the /device endpoint to get the code info it needs to present to the user. User visits the /verify endpoint and clicks Yes...now how does the device know that's happened and get the token?
Kévin Chalet
@kevinchalet
Polling. Repeated token requests until the user validates the demand.
damccull
@damccull
to the tokens endpoint? With what parameters, my friend?
Kévin Chalet
@kevinchalet
The ones defined in the spec :smile:
damccull
@damccull
I shall find this spec. Standby.
Kévin Chalet
@kevinchalet
OpenIddict handles device requests for you, but you’ll need to handle verification and token requests by providing custom actions.
Don’t hesitate to take a look at the MVC server sample.
damccull
@damccull
is urn:ietf:params:oauth:grant-type:device_code a standard for device code? Like do I use that for the grant type always?
Kévin Chalet
@kevinchalet
It is.
damccull
@damccull
Ok cool
it's a totally confusing string lol
Kévin Chalet
@kevinchalet
Hehe yeah :smile:
damccull
@damccull
Wow. this thing works perfectly.
Only thing I can't seem to find: On https://www.oauth.com/oauth2-servers/device-flow/token-request/ it says there's a polling interval. Where is that sent to me so I know when to poll next or how often?
Oh, I see. The spec says wait 5 seconds if none is provided.
Got it. I assume it's provided in the token endpoint response then
Kévin Chalet
@kevinchalet
Before each new request, the client MUST wait at least the number of seconds specified by the "interval" parameter of the device authorization response (see Section 3.2), or 5 seconds if none was provided, and respect any increase in the polling interval required by the "slow_down" error.
damccull
@damccull
noice thanks man
does openiddict generate the interval or is that something I'd have to mod in to my app?