cool stuff you added with the ClaimsFactory thing for ASP.NET btw
the purpose is that you can take stuff from the user table and put it into claims when an identity is created, right?
Poul Kjeldager Sørensen
@s093294
i added a custom document receiver to oidc now that only allows 5sec before it fails and writes out a log message if so. will know in a few days if it was the issue.
Brock Allen
@brockallen
the name claim is for the display name
yea, as for how you produce it... i guess that's up to you.
if you're using MR or AspId, then you can override the virtual for GetDisplayName
actually, sorry, that API is just for the display name on IdSvr.
if you want to tweak the actual token claims, then override GetClaimsFromAccount
Poul Kjeldager Sørensen
@s093294
thanks @brockallen
Poul Kjeldager Sørensen
@s093294
@brockallen @leastprivilege I am in a yellow screen of death situation due to the oidc middleware throwing an error (error:invalid_request error_description:AADSTS16000: Session is invalid due to recent password change.) http://www.cloudidentity.com/blog/2014/05/11/openid-connect-and-ws-fed-owin-components-design-principles-object-model-and-pipeline/ shows how to redirect away. Is there any way to redirect the error into idsrv's views? Maybe we can set some properties on the owin ctx that idsrv can pick up. Just ideas in case it's something more people will run into
Poul Kjeldager Sørensen
@s093294
right now i have done this just to move on.
AuthenticationFailed = async (notice) =>
{
    // Write a hint to the user and stop the OIDC middleware from re-throwing the error
    notice.Response.Write(string.Format("Please clear cookies from https://login.windows.net/. Exception: {0}", notice.Exception));
    notice.SkipToNextMiddleware();
},
John Korsnes
@johnkors
I know this is a TAD out of scope, but @leastprivilege: have you any thoughts on this and the default login view? (XSS vuln in Android WebViews) http://arxiv.org/ftp/arxiv/papers/1304/1304.7451.pdf What mechanisms of idsrv make this safe from XSS?
Poul Kjeldager Sørensen
@s093294
i have this entry in my logs a few times but haven't experienced any issues from the user's point of view: [Thinktecture.IdentityServer.Core.Validation.TokenValidator]: 1/22/2015 10:57:03 AM +00:00 -- Token handle not found { "ValidateLifetime": true, "AccessTokenType": "Reference", "TokenHandle": "undefined" }; TraceSource 'w3wp.exe' event
Ahh, i think it's because some default bearer token validation kicks in and it asks idsrv to validate it. Using the Thinktecture access token validation middleware. Maybe this should not do the request if no token was given
Brock Allen
@brockallen
@johnkors we do output encoding of all values into our views to protect against XSS
Brock Allen
@brockallen
@s093294 well, a token is being passed to the API. the token has the value "undefined" which makes me think your JS is calling the API with an uninitialized variable for the Authorization header.
John Korsnes
@johnkors
@brockallen thanks. So all IViewService implementors: do output encoding! I couldn't find that wiki doc where you have recommendations for production scenarios, but it could be an idea to add to it.
Poul Kjeldager Sørensen
@s093294
:( @brockallen you're right
Brock Allen
@brockallen
@johnkors i think in the docs it says something like that...
yeah, agreed. i find that these kinds of vectors are something not all devs know by heart and are easy to forget when working on a feature. Not everyone is an infosec expert. Will look into writing some sort of regression tests that test these kinds of inputs.
Poul Kjeldager Sørensen
@s093294
idsrv prompting me again for logouts :D but this time the log is actually saying End session request validation success
we are misusing the acr_values param to add state to the login view
Poul Kjeldager Sørensen
@s093294
LinkedIn chooses to return a name claim with value PoulKjeldagerSørensen, and then also a urn:linkedin:name claim with Poul Kjeldager Sørensen. why would they not just put that urn:linkedin:name value into the name claim?
Brock Allen
@brockallen
why not use the state param to round trip state?
that's what the msft middleware does
John Korsnes
@johnkors
state is for state in the RP, no? i'm talking about state at the OP login view
Brock Allen
@brockallen
oh, i thought you meant round tripping state from RP to OP
also, BTW, for RTM i'm changing the config slightly for the default view service
the intent is to make it work better with the DI system
no functionality changes. just more how it's configured.
John Korsnes
@johnkors
ah, cool.
That AddHeaderAndFooter thing was also something we had to add to the DefaultViewService Render method
John Korsnes
@johnkors
Is there any chance of implementing a PRG-pattern for the login POST?
to avoid "Do you want to re-submit" stuff from the browser
Brock Allen
@brockallen
well... we sort of do, given that we redirect to the authorize page
John Korsnes
@johnkors
but not in the case of login errors
hitting F5 when you have any error in the LoginViewModel will get you the ugly browser "Confirm Form Resubmission" message