Brock Allen
@brockallen
oh, sorry. you meant HTML encoding
yes
that's always your job for anything like that
John Korsnes
@johnkors
yeah, agreed. i find that these kinds of vectors are something not all devs know by heart and are easy to forget when working on a feature. Not everyone is an infosec expert. Will look into writing some sort of regression tests that test these kinds of inputs.
Poul Kjeldager Sørensen
@s093294
idsrv prompting me again for logouts :D but this time the log actually is saying End session request validation success
John Korsnes
@johnkors
/core/connect/authorize?c...&acr_values=<script>alert(hello)</script> 
Brock Allen
@brockallen
and how did that work?
John Korsnes
@johnkors
acr.png
IViewService
John Korsnes
@johnkors
returned as is
we are misusing the acr_values param to add state to the login view
Poul Kjeldager Sørensen
@s093294
LinkedIn chose to return a name claim with value PoulKjeldagerSørensen, and then also a urn:linkedin:name claim with Poul Kjeldager Sørensen. why would they not just put that urn:linkedin:name into that name claim?
Brock Allen
@brockallen
why not use the state param to round trip state?
that's what the msft middleware does
John Korsnes
@johnkors
state is for state in the RP, no? i'm talking about state at the OP login view
Brock Allen
@brockallen
oh, i thought you meant round tripping state from RP to OP
also, BTW, for RTM i'm changing the config slightly for the default view service
the intent is to make it work better with the DI system
no functionality changes. just more how it's configured.
John Korsnes
@johnkors
ah, cool.
That AddHeaderAndFooter thing was also something we had to add to the defaultviewservice render method
John Korsnes
@johnkors
Is there any chance of implementing a PRG-pattern for the login POST?
to avoid "Do you want to re-submit" stuff from the browser
Brock Allen
@brockallen
well... we sort of do, given that we redirect to the authorize page
John Korsnes
@johnkors
but not in case of loginErrors
hitting F5 when you have any error in the LoginViewModel will get you the ugly browser "Confirm Form Resubmission" message
John Korsnes
@johnkors
I'll open an issue anyhow. Maybe it's just me
Poul Kjeldager Sørensen
@s093294
is it intended that when resuming a partial signin, it round trips to the idp again? Authorize with acr_values for idprovider linkedin, redirect to LinkedIn, partial signin redirects to the registration page, resuming the partial signin triggered one more trip to LinkedIn.
Brock Allen
@brockallen
yes. the idea is that partial login is interrupting the normal sign in workflow. so at some point you might want to return the user back to finish the signin workflow.
Poul Kjeldager Sørensen
@s093294
ye, i was just wondering why I ended up at LinkedIn twice. but haven't been able to reproduce it.
thanks for doing great work with idsrv :) it's awesome stuff
Brock Allen
@brockallen
@johnkors ok, i updated the docs for the default view service and the changes in configuration: https://thinktecture.github.io/Thinktecture.IdentityServer.v3.Documentation/docs/advanced/customizingViews.html
John Korsnes
@johnkors
cool, will try it out in the morning!
for amusement, since you guys have this dependency (and of course a lot of other people): TLDR with people arguing for and against IAppBuilder in the Owin.dll. owin/museum-piece-owin#19
Brock Allen
@brockallen
oh yea, i know that thread
John Korsnes
@johnkors
at a loss for the conclusion to that discussion, though :) Func<IDictionary<string, object>, Task> ? both?
Brock Allen
@brockallen
i don't care, personally :)
but basically all non-msft impls need to conform to msft's approach (or have the bridge thing)
so that sort of is the answer
or at least, it's what must happen
John Korsnes
@johnkors
yep
John Korsnes
@johnkors
last post is 6 months ago, though. What was the conclusion - I need closure!
:)
or just go have a beer. I'll go have a beer.
Brock Allen
@brockallen
aye, same.
alikor
@alikor
When will IdentityServer work with asp.net 5? Does anyone know the timeframe?
Bart Calixto
@Bartmax
just wrote on IdentityServer3 room, not sure which one is best so I'm going to repeat here, sorry if this is the wrong channel.