Poul Kjeldager Sørensen
@s093294
AuthenticationFailed = async (notice) =>
{
    notice.Response.Write(string.Format("Please clear cookies from https://login.windows.net/. Exception: {0}", notice.Exception));
    notice.SkipToNextMiddleware();
},
John Korsnes
@johnkors
I know this is a TAD out of scope, but @leastprivilege : have you any thoughts on this and the default login-view? (XSS-vuln in Android WebViews) http://arxiv.org/ftp/arxiv/papers/1304/1304.7451.pdf What mechanisms of idsrv makes this safe from XSS?
Poul Kjeldager Sørensen
@s093294
i have this entry in my logs a few times but haven't experienced any issues from the user's point of view:
[Thinktecture.IdentityServer.Core.Validation.TokenValidator]: 1/22/2015 10:57:03 AM +00:00 -- Token handle not found
{
  "ValidateLifetime": true,
  "AccessTokenType": "Reference",
  "TokenHandle": "undefined"
}; TraceSource 'w3wp.exe' event
Ahh, i think it's because some default bearer token validation kicks in and it asks idsrv to validate it. Using the thinktecture access token validation middleware. Maybe this should not do the request if no token was given
Brock Allen
@brockallen
@johnkors we do output encoding of all values into our views to protect against XSS
Brock Allen
@brockallen
@s093294 well, a token is being passed to the API. the token has the value "undefined" which makes me think your JS is calling the API with an uninitialized variable for the Authorization header.
John Korsnes
@johnkors
@brockallen thanks. So all IViewService implementors: do output encoding! couldn't find that wiki doc where you have recommendations for production scenarios, but could be an idea to add to it.
Poul Kjeldager Sørensen
@s093294
:( @brockallen you're right
Brock Allen
@brockallen
@johnkors i think in the docs it says something like that...
yea, search for UTF8
it's the fine print :)
John Korsnes
@johnkors
ah, superb! :) escape input, and encode output
Brock Allen
@brockallen
oh, sorry. you meant HTML encoding
yes
that's always your job for anything like that
John Korsnes
@johnkors
yeah, agreed. i find that these kinds of vectors are something not all devs know by heart and are easy to forget when working on a feature. Not everyone is an infosec expert. Will look into writing some sort of regression tests that test these kinds of inputs.
Poul Kjeldager Sørensen
@s093294
idsrv prompting me again for logouts :D but this time the log actually is saying End session request validation success
John Korsnes
@johnkors
/core/connect/authorize?c...&acr_values=<script>alert(hello)</script> 
Brock Allen
@brockallen
and how did that work?
John Korsnes
@johnkors
[attachment: acr.png]
IViewService
John Korsnes
@johnkors
returned as is
we are misusing the acr_values param to add state to the login view
Poul Kjeldager Sørensen
@s093294
LinkedIn chooses to return a name claim with value PoulKjeldagerSørensen, and then also a urn:linkedin:name claim with Poul Kjeldager Sørensen. why would they not just put that urn:linkedin:name value into the name claim?
Brock Allen
@brockallen
why not use the state param to round trip state?
that's what the msft middleware does
John Korsnes
@johnkors
state is for state in the RP, no? i'm talking about state at the OP login view
Brock Allen
@brockallen
oh, i thought you meant round tripping state from RP to OP
also, BTW, for RTM i'm changing the config slightly for the default view service
the intent is to make it work better with the DI system
no functionality changes. just more how it's configured.
John Korsnes
@johnkors
ah, cool.
That AddHeaderAndFooter thing was also something we had to add to the defaultviewservice render method
John Korsnes
@johnkors
Is there any chance of implementing a PRG-pattern for the login POST?
to avoid "Do you want to re-submit" stuff from the browser
Brock Allen
@brockallen
well... we sort of do, given that we redirect to the authorize page
John Korsnes
@johnkors
but not in case of loginErrors
hitting F5 when you have any error in the LoginViewModel will get you the ugly browser "Confirm Form Resubmission" message
John Korsnes
@johnkors
I'll open an issue anyhow. Maybe it's just me
Poul Kjeldager Sørensen
@s093294
is it intended that when resuming a partial signin, then it round trips to idp again? Authorize with acr_values for idprovider linkedin, redirect to linkedin, partial signin redirect to registration page, resume partial signin triggered a trip more to linkedin.
Brock Allen
@brockallen
yes. the idea is that partial login is interrupting the normal sign in workflow. so at some point you might want to return the user back to finish the signin workflow.
Poul Kjeldager Sørensen
@s093294
ye, i was just wondering why I ended up at LinkedIn twice. but haven't been able to reproduce it.
thanks for doing great work with idsrv :) it's awesome stuff
Brock Allen
@brockallen
@johnkors ok, i updated the docs for the default view service and the changes in configuration: https://thinktecture.github.io/Thinktecture.IdentityServer.v3.Documentation/docs/advanced/customizingViews.html
John Korsnes
@johnkors
cool, will try it out in the morning!
for amusement, since you guys have this dependency (and of course a lot of other people): TLDR with people arguing for and against IAppBuilder in the Owin.dll. owin/museum-piece-owin#19
Brock Allen
@brockallen
oh yea, i know that thread
John Korsnes
@johnkors
at a loss for the conclusion to that discussion, though :) Func<IDictionary<string, object>, Task> ? both?