John Korsnes
@johnkors
to get in id from a trusted source. trusted being the key point for validation
Poul Kjeldager Sørensen
@s093294
is it important that the idtoken is validated for your app? Again, one more rest call, that's not really much traffic
John Korsnes
@johnkors
i agree, and we will use the idsrv idtoken validation endpoint if google does not provide an api for validating asynchronous signed x509 jwts. But it's worth investigating to see if there is
Poul Kjeldager Sørensen
@s093294
jep, would do it if the framework is there for doing so.
John Korsnes
@johnkors

3.2.2.11. ID Token Validation

When using the Implicit Flow, the contents of the ID Token MUST be validated in the same manner as for the Authorization Code Flow, as defined in Section 3.1.3.7, with the exception of the differences specified in this section.

The Client MUST validate the signature of the ID Token according to JWS [JWS] using the algorithm specified in the alg Header Parameter of the JOSE Header.
The value of the nonce Claim MUST be checked to verify that it is the same value as the one that was sent in the Authentication Request. The Client SHOULD check the nonce value for replay attacks. The precise method for detecting replay attacks is Client specific.

but it might be that google doesn't care about implicit flow
Brock Allen
@brockallen
@danda1man if those are passed, then the logout prompt is bypassed.
Poul Kjeldager Sørensen
@s093294
i haven't been able to get that working lately brock. it was working on RC but after using myget feed i still get asked if i want to logout. (i need to check the logs if there is any indication of why there)
Brock Allen
@brockallen
@fatagun OAuth2 is not an authentication protocol: http://oauth.net/articles/authentication/
@johnkors token validation is important -- what if i install your app on my phone and then fool it into accepting an incorrect token. it's my phone, so i can control the network and fuzz the params.
well, i guess really all input validation is important :)
for a JS based app, the TokenManager library that we're working on will validate the id_token. that JS lib is in the OAuth2JS sample
John Korsnes
@johnkors
yep. told our android devs to use the identitytokenvalidation endpoint in addition to googles audience/issuer validation
Brock Allen
@brockallen
yep, that works
John Korsnes
@johnkors
From Googles docs: "This document describes how to perform the server flow for authenticating the user. The implicit flow is significantly more complicated because of security risks in handling and using tokens on the client side. If you need to implement an implicit flow, we highly recommend using Google+ Sign-In."
Brock Allen
@brockallen
@s093294 i was just running the OAuthJS sample yesterday -- it passed the id_token_hint to signout and it bypasses the prompt
so i'd suggest looking at that traffic and comparing. also, check the logs -- they should say why your token is not good
Poul Kjeldager Sørensen
@s093294
ye i am looking into it
John Korsnes
@johnkors
does that work even if the id_token is expired?
Poul Kjeldager Sørensen
@s093294
if you have time, please read what i wrote about oidc middleware above and azure ad. would be nice to get a second opinion if you have a sample configured with azure ad lying around
Brock Allen
@brockallen
yes. the expiration validation is skipped.
John Korsnes
@johnkors
ok
Brock Allen
@brockallen
@s093294 i tried to read it but didn't follow it.
i'll look again (after coffee. brb)
Poul Kjeldager Sørensen
@s093294
ye. Btw, i found out why my logout prompt failed :D
guess what :) an incorrect trailing slash!
John Korsnes
@johnkors
:)
Poul Kjeldager Sørensen
@s093294
up until now i have agreed with +-1 errors being the most common error in programming!
not any more
Brock Allen
@brockallen
ok, i still don't understand which question is which. so what's the question/problem.
Poul Kjeldager Sørensen
@s093294
adding the following to your oidc options
            //TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters{
            //   ValidateIssuer = false,
            //},
then when returning from external provider, the signin id is missing
everything works when commented out like above
i will fork latest and setup a test environment to debug it myself in the weekend, was just if you had a sample and environment already setup to verify the behavior
Brock Allen
@brockallen
no, we just have the samples
James Geall
@jageall
do you guys have plans to ship the oidc js token bits as a nuget package at some point?
the ones in the oauthjs sample
John Korsnes
@johnkors
bower!
;)
queue package manager flame war
Poul Kjeldager Sørensen
@s093294
@brockallen One idea I had was that maybe the oidc middleware inspects the post coming back on /callback and messes up the state parameter. That's the only thing I could think of.
or nvm that, there's no post on /callback
Brock Allen
@brockallen
yes, at some point the TokenManager will get shipped somewhere.
Poul Kjeldager Sørensen
@s093294
:)
fedEx shipping
printed and mailed!
James Geall
@jageall
cheers
John Korsnes
@johnkors
i actually worked on a project once where a developer didn't like source control and emailed code instead. So fedex is not that far off... :S
Dan Johnson
@danjohnso
@brockallen Oh I see, the "Do you want to log out" page is skipped. I don't see anything in the OAuth2 spec about the logout process, is there a reason the post logout uri couldn't be the destination instead of the loggedOut page afterwards?