Brock Allen
@brockallen
for a JS based app, the TokenManager library that we're working on will validate the id_token. that JS lib is in the OAuth2JS sample
John Korsnes
@johnkors
yep. told our android devs to use the identitytokenvalidation endpoint in addition to Google's audience/issuer validation
Brock Allen
@brockallen
yep, that works
John Korsnes
@johnkors
From Google's docs: "This document describes how to perform the server flow for authenticating the user. The implicit flow is significantly more complicated because of security risks in handling and using tokens on the client side. If you need to implement an implicit flow, we highly recommend using Google+ Sign-In."
Brock Allen
@brockallen
@s093294 i was just running the OAuthJS sample yesterday -- it passed the id_token_hint to signout and it bypasses the prompt
so i'd suggest looking at that traffic and comparing. also, check the logs -- they should say why your token is not good
Poul Kjeldager Sørensen
@s093294
ye i am looking into it
John Korsnes
@johnkors
does that work even if the id_token is expired?
Poul Kjeldager Sørensen
@s093294
if you have time, please read what i wrote about oidc middleware above and azure ad. would be nice to get a second opinion if you have a sample configured with azure ad lying around
Brock Allen
@brockallen
yes. the expiration validation is skipped.
John Korsnes
@johnkors
ok
Brock Allen
@brockallen
@s093294 i tried to read it but didn't follow it.
i'll look again (after coffee. brb)
Poul Kjeldager Sørensen
@s093294
ye. Btw, i found out why my logout prompt failed :D
guess what :) an incorrect trailing slash!
John Korsnes
@johnkors
:)
Poul Kjeldager Sørensen
@s093294
up until now i have agreed with +- 1 errors being most common error in programming!
not any more
Brock Allen
@brockallen
ok, i still don't understand which question is which. so what's the question/problem.
Poul Kjeldager Sørensen
@s093294
adding the following to your oidc options
            //TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters{               
            //   ValidateIssuer = false,                 
            //},
then when returning from external provider, the signin id is missing
everything works when commented out like above
i will fork latest and setup a test environment to debug it myself in the weekend, was just if you had a sample and environment already setup to verify the behavior
Brock Allen
@brockallen
no, we just have the samples
James Geall
@jageall
do you guys have plans to ship the oidc js token bits as a nuget package at some point?
the ones in the oauthjs sample
John Korsnes
@johnkors
bower!
;)
cue package manager flame war
Poul Kjeldager Sørensen
@s093294
@brockallen One idea I had was that maybe the oidc middleware inspects the post coming back on /callback and messes up the state parameter. That's the only thing I could come to think of.
or nvm that, there's no post on /callback
Brock Allen
@brockallen
yes, at some point the TokenManager will get shipped somewhere.
Poul Kjeldager Sørensen
@s093294
:)
fedEx shipping
printed and mailed!
James Geall
@jageall
cheers
John Korsnes
@johnkors
i actually worked on a project once where a developer didn't like source control and emailed code instead. So fedex is not that far off.. :S
Dan Johnson
@danjohnso
@brockallen Oh I see, the "Do you want to log out" page is skipped. I don't see anything in the OAuth2 spec about the logout process, is there a reason the post logout uri couldn't be the destination instead of the loggedOut page afterwards?
Brock Allen
@brockallen
OAuth2 doesn't cover logout at all in their spec
as for why we don't auto redirect, yes, there are some reasons.
search the issue tracker for that discussion
Dan Johnson
@danjohnso
ah the iframes
John Korsnes
@johnkors
is display=select_account something you consider adding support for?
Poul Kjeldager Sørensen
@s093294
i don't see display=select_account in openid connect spec, where are you reading?
John Korsnes
@johnkors
sorry, it's prompt
not display
Brock Allen
@brockallen
well... you can implement that yourself in your custom view service. we pass you the signin message.
Poul Kjeldager Sørensen
@s093294
since you added the sha hashing of client secrets. The advice for when client creates these is to autogenerate it, show it to the administrator and when he had a chance of seeing it, hash it and store that and never keep the non-hashed key ourselves, right?