i actually worked on a project once where a developer didn't like source control and emailed code instead. So fedex is not that far off.. :S
Dan Johnson
@danjohnso
@brockallen Oh I see, the "Do you want to log out" page is skipped. I don't see anything in the OAuth2 spec about the logout process, is there a reason the post logout uri couldn't be the destination instead of the loggedOut page afterwards?
Brock Allen
@brockallen
OAuth2 doesn't cover logout at all in their spec
as for why we don't auto redirect, yes, there are some reasons.
search the issue tracker for that discussion
Dan Johnson
@danjohnso
ah the iframes
John Korsnes
@johnkors
is display=select_account something you consider adding support for?
Poul Kjeldager Sørensen
@s093294
i don't see display=select_account in openid connect spec, where are you reading?
well... you can implement that yourself in your custom view service. we pass you the signin message.
Poul Kjeldager Sørensen
@s093294
since you added the sha hashing of client secrets. The advice for when client creates these is to autogenerate it, show it to the administrator and when he had a chance of seeing it, hash it and store that and never keep the non-hashed key ourselves, right?
"client administrators creates"
Brock Allen
@brockallen
yes
so the admin ui gens it, shows it to admin, and stores it hashed so you will never be able to reverse it
Poul Kjeldager Sørensen
@s093294
i have so many client secrets stored in web.config for 3rd party services that we use. would love to try out azure key vault and just keep one secret for that and then add secrets to the vault instead of webconfig. Would mean less encrypting of config file when changed.
or service definition file that is
Brock Allen
@brockallen
or just use a DB that keeps the hashed strings. shrug
Poul Kjeldager Sørensen
@s093294
was not the idsvr client secrets
meant like all those secrets and ids one gets from using sendgrid, twilio, 3rd party id providers and stuff. but ye, those could also go into a db :)
Brock Allen
@brockallen
oh, your client secrets... got ya
Poul Kjeldager Sørensen
@s093294
these weird issues with page just hanging still happen once in a while. last trace message is: w3wp.exe Information: 0 : [Thinktecture.IdentityServer.Core.Endpoints.AuthenticationController]: 1/21/2015 9:36:23 PM +00:00 -- Triggering challenge for external identity provider
so far redeploying fixes it
remoted in and restarted the site on iis also helped. tbh i don't think it's something with idsrv
Poul Kjeldager Sørensen
@s093294
just found some unhandled exceptions in application log (i am really not familiar with these things, so tell me if it's important)
so if it dies at that endpoint, then it might be that it's trying to load the metadata and for some reason connecting to it fails. this would leave the user stuck on that url.
does the end user get an exception? or just the 401 and a blank screen?
Poul Kjeldager Sørensen
@s093294
nothing happens, it just hangs there until i cancel the request
and i need to restart IIS before it works again
restart that site on IIS that is
Brock Allen
@brockallen
so yea, it's lazy loading the metadata from azure and it's just timing out
or maybe somewhere there's a deadlock
have fun locating it :)
Poul Kjeldager Sørensen
@s093294
ye
but is it inside oidc middleware itself you think
then i know somewhere else to go poke people :D
Brock Allen
@brockallen
well, it sort of seems so from the callstack
i'd ping in jabbr/owin and see if anyone bites
Poul Kjeldager Sørensen
@s093294
just saw it also in the callstack
not sure why I didn't pick it up in the first place
Brock Allen
@brockallen
ConfigurationManager`1.<GetConfigurationAsync is the clue, i think