thinktecture/Thinktecture.IdentityServer.v3

OpenID Connect and OAuth2 based security token service

Poul Kjeldager Sørensen

@s093294

cool stuff you added with the claimsfactory thing for aspnet btw

the purpose is that you can take stuff from usertable and put into claims when an identity is created right?

Poul Kjeldager Sørensen

@s093294

i added a custom document receiver to oidc now that only alows 5sec before it fails and writes out log message if so. will know in a few days if it it was the issue.

Brock Allen

@brockallen

the name claim is for the display name

yea, as for how you produce it... i guess that's up to you.

if you're using MR or AspId, then you can override the virtual for GetDisplayName

actually, sorry, that API is just for the display name on IdSvr.

if you want to tweak the actual token claims, then override GetClaimsFromAccount

Poul Kjeldager Sørensen

@s093294

thanks @brockallen

Poul Kjeldager Sørensen

@s093294

@brockallen @leastprivilege I am in a yello screen of death situation due to oidc middleware doing an error (error:invalid_request
error_description:AADSTS16000: Session is invalid due to recent password change.) http://www.cloudidentity.com/blog/2014/05/11/openid-connect-and-ws-fed-owin-components-design-principles-object-model-and-pipeline/ shows how to redirect away. Is there any way to redirect the error into idsrvs views. Maybe we can set some properties on owinctx that idsrv can pickup. Just ideas in case its something more people will run into

Poul Kjeldager Sørensen

@s093294

right now i have done this just to move on.

AuthenticationFailed = async (notice) =>{
notice.Response.Write(string.Format("Pleanse clear cookies from https://login.windows.net/. Exception: {0}", notice.Exception));

                     notice.SkipToNextMiddleware();                   

                 },

John Korsnes

@johnkors

I know this is a TAD out of scope, but @leastprivilege : have you any thoughts on this and the default login-view? (XSS-vuln in Android WebViews) http://arxiv.org/ftp/arxiv/papers/1304/1304.7451.pdf What mechanisms of idsrv makes this safe from XSS?

Poul Kjeldager Sørensen

@s093294

i have this entry in my logs a few times but havent experienced any issues from the user point of it.: [Thinktecture.IdentityServer.Core.Validation.TokenValidator]: 1/22/2015 10:57:03 AM +00:00 -- Token handle not found
{
"ValidateLifetime": true,
"AccessTokenType": "Reference",
"TokenHandle": "undefined"
}; TraceSource 'w3wp.exe' event

Ahh, i think its because some default bearer token validation kicks in and it ask idsrv to validate it. Using the thinktecture access token validation middleware. Maybe this should not do the request if no token was given

Brock Allen

@brockallen

@johnkors we do output encoding of all values into our views to protect against XSS

Brock Allen

@brockallen

@s093294 well, a token is being passed to the API. the token has the value "undefined" which makes me think your JS is calling the API with an uninitialized variable for the Authorization header.

John Korsnes

@johnkors

@brockallen thanks. So all IViewService implementors: do output encoding! couldn't find that wiki doc where you have recommendations for production scenarios, but could be an idea to add to it.

Poul Kjeldager Sørensen

@s093294

:( @brockallen your right

Brock Allen

@brockallen

@johnkors i think in the docs it says something like that...

https://thinktecture.github.io/Thinktecture.IdentityServer.v3.Documentation/docs/advanced/customizingViews.html

yea, search for UTF8

it's the fine print :)

John Korsnes

@johnkors

ah, superb! :) escape input, and encode output

Brock Allen

@brockallen

oh, sorry. you meant HTML encoding

yes

that's always your job for anything like that

John Korsnes

@johnkors

yeah, agreed. i find that these kind of vectors is something not all devs know by heart and is easy to forget when working on a feature. Not everyone is a infosec expert. Will look into writing some sort of regression tests that tests these kind of inputs.

Poul Kjeldager Sørensen

@s093294

idsrv prompting me again for logouts :D but this time the log actually is saying End session request validation success

John Korsnes

@johnkors

/core/connect/authorize?c...&acr_values=<script>alert(hello)</script>

Brock Allen

@brockallen

and how did that work?

John Korsnes

@johnkors

IViewService

John Korsnes

@johnkors

returned as is

we are misusing the acr_values param to add state to the login view

Poul Kjeldager Sørensen

@s093294

linked in choose to reutrn a name claim with value PoulKjeldagerSørensen, and then also a urn:linkedin:name claim with Poul Kjeldager Sørensen. why would they not just put that urn:linkedin:name into that name claim

Brock Allen

@brockallen

why not use the state param to round trip state?

that's what the msft middleware does

John Korsnes

@johnkors

state is for state in the RP, no? i'm talking about state at the OP login view

Brock Allen

@brockallen

oh, i thought you meant round tripping state from RP to OP

also, BTW, for RTM i'm changing the config slightly for the default view service

the intent is to make it work better with the DI system

no functionality changes. just more how it's configured.

John Korsnes

@johnkors

ah, cool.

That AddHeaderAndFooter thing was also something we had to add to the defaultviewservice render method

John Korsnes

@johnkors

Is there any chance of implementing a PRG-pattern for the login POST?

to avoid "Do you want to re-submit" stuff from the browser

Brock Allen

@brockallen

well... we sort of do, given that we redirect to the authorize page

John Korsnes

@johnkors

but not in case of loginErrors

hitting F5 when you have any error in the LoginViewModel will get you the ugly browser "Confirm Form Resubmission" message

Where communities thrive

People

Repo info

Activity