Brock Allen
@brockallen
@danda1man if those are passed, then the logout prompt is bypassed.
Poul Kjeldager Sørensen
@s093294
i haven't been able to get that working lately brock. it was working on RC but after using the myget feed i still get asked if i want to logout. (i need to check the logs to see if there is any indication of why there)
Brock Allen
@brockallen
@fatagun OAuth2 is not an authentication protocol: http://oauth.net/articles/authentication/
@johnkors token validation is important -- what if i install your app on my phone and then fool it into accepting an incorrect token. it's my phone, so i can control the network and fuzz the params.
well, i guess really all input validation is important :)
for a JS based app, the TokenManager library that we're working on will validate the id_token. that JS lib is in the OAuth2JS sample
John Korsnes
@johnkors
yep. told our android devs to use the identitytokenvalidation endpoint in addition to googles audience/issuer validation
Brock Allen
@brockallen
yep, that works
John Korsnes
@johnkors
From Google's docs: "This document describes how to perform the server flow for authenticating the user. The implicit flow is significantly more complicated because of security risks in handling and using tokens on the client side. If you need to implement an implicit flow, we highly recommend using Google+ Sign-In."
Brock Allen
@brockallen
@s093294 i was just running the OAuthJS sample yesterday -- it passed the id_token_hint to signout and it bypasses the prompt
so i'd suggest looking at that traffic and comparing. also, check the logs -- they should say why your token is not good
Poul Kjeldager Sørensen
@s093294
ye i am looking into it
John Korsnes
@johnkors
does that work even if the id_token is expired?
Poul Kjeldager Sørensen
@s093294
if you have time, please read what i wrote about oidc middleware above and azure ad. would be nice to get a second opinion if you have a sample configured with azure ad lying around
Brock Allen
@brockallen
yes. the expiration validation is skipped.
John Korsnes
@johnkors
ok
Brock Allen
@brockallen
@s093294 i tried to read it but didn't follow it.
i'll look again (after coffee. brb)
Poul Kjeldager Sørensen
@s093294
ye. Btw, i found out why my logout prompt failed :D
guess what :) an incorrect trailing slash!
John Korsnes
@johnkors
:)
Poul Kjeldager Sørensen
@s093294
up until now i have agreed with +- 1 errors being the most common error in programming!
not any more
Brock Allen
@brockallen
ok, i still don't understand which question is which. so what's the question/problem.
Poul Kjeldager Sørensen
@s093294
adding the following to your oidc options
            //TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters{
            //   ValidateIssuer = false,
            //},
then when returning from external provider, the signin id is missing
everything works when commented out like above
i will fork latest and setup a test environment to debug it myself in the weekend, was just if you had a sample and environment already setup to verify the behavior
Brock Allen
@brockallen
no, we just have the samples
James Geall
@jageall
do you guys have plans to ship the oidc js token bits as a nuget package at some point?
the ones in the oauthjs sample
John Korsnes
@johnkors
bower!
;)
queue package manager flame war
Poul Kjeldager Sørensen
@s093294
@brockallen One idea I had was that maybe the oidc middleware inspects the post coming back on /callback and messes up the state parameter. That's the only thing I could come to think of.
or nvm that, there's no post on /callback
Brock Allen
@brockallen
yes, at some point the TokenManager will get shipped somewhere.
Poul Kjeldager Sørensen
@s093294
:)
fedEx shipping
printed and mailed!
James Geall
@jageall
cheers
John Korsnes
@johnkors
i actually worked on a project once where a developer didn't like source control and emailed code instead. So fedex is not that far off.. :S
Dan Johnson
@danjohnso
@brockallen Oh I see, the "Do you want to log out" page is skipped. I don't see anything in the OAuth2 spec about the logout process, is there a reason the post logout uri couldn't be the destination instead of the loggedOut page afterwards?
Brock Allen
@brockallen
OAuth2 doesn't cover logout at all in their spec
as for why we don't auto redirect, yes, there are some reasons.
search the issue tracker for that discussion
Dan Johnson
@danjohnso
ah the iframes
John Korsnes
@johnkors
is display=select_account something you consider adding support for?
Poul Kjeldager Sørensen
@s093294
i don't see display=select_account in the openid connect spec, where are you reading that?