Poul Kjeldager Sørensen
@s093294
and I need to restart IIS before it works again
restart that site on IIS, that is
Brock Allen
@brockallen
so yea, it's lazy loading the metadata from azure and it's just timing out
or maybe somewhere there's a deadlock
have fun locating it :)
Poul Kjeldager Sørensen
@s093294
ye
but is it inside oidc middleware itself you think
then i know somewhere else to go poke people :D
Brock Allen
@brockallen
well, it sort of seems so from the callstack
i'd ping in jabbr/owin and see if anyone bites
Poul Kjeldager Sørensen
@s093294
just saw it also in the callstack
not sure why I didn't pick it up in the first place
Brock Allen
@brockallen
ConfigurationManager`1.<GetConfigurationAsync is the clue, i think
Poul Kjeldager Sørensen
@s093294
thanks
what is the recommended claim for display name? I really dislike these given_name, family_name and name claims. Is one supposed to use name as the display name or a concat of given_name and family_name?
cool stuff you added with the claimsfactory thing for aspnet btw
Poul Kjeldager Sørensen
@s093294
the purpose is that you can take stuff from usertable and put into claims when an identity is created right?
Poul Kjeldager Sørensen
@s093294
i added a custom document retriever to oidc now that only allows 5 sec before it fails and writes out a log message if so. will know in a few days if it was the issue.
Brock Allen
@brockallen
the name claim is for the display name
yea, as for how you produce it... i guess that's up to you.
if you're using MR or AspId, then you can override the virtual for GetDisplayName
actually, sorry, that API is just for the display name on IdSvr.
if you want to tweak the actual token claims, then override GetClaimsFromAccount
Poul Kjeldager Sørensen
@s093294
thanks @brockallen
Poul Kjeldager Sørensen
@s093294
@brockallen @leastprivilege I am in a yellow screen of death situation due to the oidc middleware raising an error (error:invalid_request
error_description:AADSTS16000: Session is invalid due to recent password change.) http://www.cloudidentity.com/blog/2014/05/11/openid-connect-and-ws-fed-owin-components-design-principles-object-model-and-pipeline/ shows how to redirect away. Is there any way to redirect the error into idsrv's views? Maybe we can set some properties on the owin ctx that idsrv can pick up. Just ideas in case it's something more people will run into
Poul Kjeldager Sørensen
@s093294
right now i have done this just to move on.
// OpenID Connect middleware notification: on an authentication failure, write a
// message to the response and skip the rest of the OWIN pipeline.
AuthenticationFailed = async (notice) =>
{
    notice.Response.Write(string.Format(
        "Please clear cookies from https://login.windows.net/. Exception: {0}",
        notice.Exception));
    notice.HandleResponse();
    await Task.CompletedTask;
},
John Korsnes
@johnkors
I know this is a TAD out of scope, but @leastprivilege: have you any thoughts on this and the default login view? (XSS vuln in Android WebViews) http://arxiv.org/ftp/arxiv/papers/1304/1304.7451.pdf What mechanisms of idsrv make this safe from XSS?
Poul Kjeldager Sørensen
@s093294
i have this entry in my logs a few times but haven't experienced any issues from the user point of view: [Thinktecture.IdentityServer.Core.Validation.TokenValidator]: 1/22/2015 10:57:03 AM +00:00 -- Token handle not found
{
"ValidateLifetime": true,
"AccessTokenType": "Reference",
"TokenHandle": "undefined"
}; TraceSource 'w3wp.exe' event
Ahh, i think it's because some default bearer token validation kicks in and it asks idsrv to validate it. Using the thinktecture access token validation middleware. Maybe this should not do the request if no token was given
Brock Allen
@brockallen
@johnkors we do output encoding of all values into our views to protect against XSS
Brock Allen
@brockallen
@s093294 well, a token is being passed to the API. the token has the value "undefined" which makes me think your JS is calling the API with an uninitialized variable for the Authorization header.
John Korsnes
@johnkors
@brockallen thanks. So all IViewService implementors: do output encoding! couldn't find that wiki doc where you have recommendations for production scenarios, but it could be an idea to add to it.
Poul Kjeldager Sørensen
@s093294
:( @brockallen you're right
Brock Allen
@brockallen
@johnkors i think in the docs it says something like that...
yea, search for UTF8
it's the fine print :)
John Korsnes
@johnkors
ah, superb! :) escape input, and encode output
Brock Allen
@brockallen
oh, sorry. you meant HTML encoding
yes
that's always your job for anything like that
John Korsnes
@johnkors
yeah, agreed. i find that these kinds of vectors are something not all devs know by heart and are easy to forget when working on a feature. Not everyone is an infosec expert. Will look into writing some sort of regression tests that test these kinds of inputs.
Poul Kjeldager Sørensen
@s093294
idsrv prompting me again for logouts :D but this time the log is actually saying End session request validation success
John Korsnes
@johnkors
/core/connect/authorize?c...&acr_values=<script>alert(hello)</script>
Brock Allen
@brockallen
and how did that work?
John Korsnes
@johnkors
acr.png
IViewService
John Korsnes
@johnkors
returned as is
we are misusing the acr_values param to add state to the login view