nothing happens, it just hangs there until i cancel the request
and i need to restart IIS before it work again
restart that site on IIS that is
Brock Allen
@brockallen
so yea, it's lazy loading the metadata from azure and it's just timing out
or maybe somewhere there's a deadlock
have fun locating it :)
Poul Kjeldager Sørensen
@s093294
ye
but is it inside oidc middleware itself you think
then i know somewhere else to go poke people :D
Brock Allen
@brockallen
well, it sort of seems so from the callstack
i'd ping in jabbr/owin and see if anyone bites
Poul Kjeldager Sørensen
@s093294
just saw it also in the callstack
not sure why I didn't pick it up in the first place
Brock Allen
@brockallen
ConfigurationManager`1.<GetConfigurationAsync is the clue, i think
Poul Kjeldager Sørensen
@s093294
thanks
what is the recommended claim for display name? I really dislike this given_name, family_name and name claims. Is one supposed to use name as display name or a concat of given_name and family_name?
cool stuff you added with the claimsfactory thing for aspnet btw
Poul Kjeldager Sørensen
@s093294
the purpose is that you can take stuff from usertable and put into claims when an identity is created right?
Poul Kjeldager Sørensen
@s093294
i added a custom document receiver to oidc now that only allows 5sec before it fails and writes out a log message if so. will know in a few days if it was the issue.
Brock Allen
@brockallen
the name claim is for the display name
yea, as for how you produce it... i guess that's up to you.
if you're using MR or AspId, then you can override the virtual for GetDisplayName
actually, sorry, that API is just for the display name on IdSvr.
if you want to tweak the actual token claims, then override GetClaimsFromAccount
Poul Kjeldager Sørensen
@s093294
thanks @brockallen
Poul Kjeldager Sørensen
@s093294
@brockallen @leastprivilege I am in a yellow screen of death situation due to oidc middleware doing an error (error:invalid_request error_description:AADSTS16000: Session is invalid due to recent password change.) http://www.cloudidentity.com/blog/2014/05/11/openid-connect-and-ws-fed-owin-components-design-principles-object-model-and-pipeline/ shows how to redirect away. Is there any way to redirect the error into idsrv's views? Maybe we can set some properties on owinctx that idsrv can pick up. Just ideas in case it's something more people will run into
Poul Kjeldager Sørensen
@s093294
right now i have done this just to move on.
// Stopgap handler on the OIDC middleware notifications: write the failure
// straight to the response and skip the rest of the pipeline instead of throwing.
AuthenticationFailed = async (notice) =>
{
    notice.Response.Write(string.Format("Please clear cookies from https://login.windows.net/. Exception: {0}", notice.Exception));
    notice.SkipToNextMiddleware();
},
John Korsnes
@johnkors
I know this is a TAD out of scope, but @leastprivilege : have you any thoughts on this and the default login-view? (XSS-vuln in Android WebViews) http://arxiv.org/ftp/arxiv/papers/1304/1304.7451.pdf What mechanisms of idsrv makes this safe from XSS?
Poul Kjeldager Sørensen
@s093294
i have this entry in my logs a few times but haven't experienced any issues from the user point of view: [Thinktecture.IdentityServer.Core.Validation.TokenValidator]: 1/22/2015 10:57:03 AM +00:00 -- Token handle not found { "ValidateLifetime": true, "AccessTokenType": "Reference", "TokenHandle": "undefined" }; TraceSource 'w3wp.exe' event
Ahh, i think it's because some default bearer token validation kicks in and it asks idsrv to validate it. Using the thinktecture access token validation middleware. Maybe this should not do the request if no token was given
Brock Allen
@brockallen
@johnkors we do output encoding of all values into our views to protect against XSS
Brock Allen
@brockallen
@s093294 well, a token is being passed to the API. the token has the value "undefined" which makes me think your JS is calling the API with an uninitialized variable for the Authorization header.
John Korsnes
@johnkors
@brockallen thanks. So all IViewService implementors: do output encoding! couldn't find that wiki doc where you have recommendations for production scenarios, but could be an idea to add to it.
Poul Kjeldager Sørensen
@s093294
:( @brockallen you're right
Brock Allen
@brockallen
@johnkors i think in the docs it says something like that...
yeah, agreed. i find that these kinds of vectors are something not all devs know by heart and are easy to forget when working on a feature. Not everyone is an infosec expert. Will look into writing some sort of regression tests that test these kinds of inputs.
Poul Kjeldager Sørensen
@s093294
idsrv prompting me again for logouts :D but this time the log actually is saying End session request validation success