I have a project running on localhost:44387 which is the IdentityServer configuration.
I have an ASP.NET Core application running on localhost:44373 which acts as a front end application for the user to engage with and another ASP.NET Core application running on localhost:44353 which acts as an API.
When the user tries to access an authorized controller in the front end application, they are redirected to the login page on the IdentityServer.
Once the user has logged in, they are redirected back.
They are then authorized on the front end application, but when calls are being made to the API on localhost:44353, it returns unauthorized.
I have tried to add a scope to the .OpenIdConnect method to add the API as a scope but it crashes the application when redirecting to the login page.
How can I add the API as a permission to request, so once the front end application is authorized it can call the API?
This is in the Config.cs file for the IdentityServer
new Client
{
ClientId = "mvc",
ClientName = "MVC Client",
AllowedGrantTypes = GrantTypes.Implicit,
// where to redirect to after login
RedirectUris = { "https://localhost:44373/signin-oidc" },
// where to redirect to after logout
PostLogoutRedirectUris = { "https://localhost:44373/signout-callback-oidc" },
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
"roles",
"staff_api" // <---- Add staff api as scope
},
RequireConsent = false,
}
Inside the Startup of the front end app
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = "oidc";
})
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
.AddOpenIdConnect("oidc", options =>
{
options.Authority = baseAuthAddress;
options.RequireHttpsMetadata = false;
options.ClientId = "mvc";
options.SaveTokens = true;
options.GetClaimsFromUserInfoEndpoint = true;
//options.Scope.Add("staff_api"); <--- THIS MAKES IT CRASH?
options.Scope.Add("roles");
// Fix for getting roles claims correctly :
options.ClaimActions.MapJsonKey("role", "role", "role");
options.TokenValidationParameters.NameClaimType = "name";
options.TokenValidationParameters.RoleClaimType = "roles";
});
Inside Startup.cs of API
services.AddAuthentication("Bearer")
.AddJwtBearer("Bearer", options =>
{
options.Audience = "staff_api"; ;
options.Authority = Configuration["AuthURL"];
});
Have you added and seeded an ApiResource and ApiScope on the IdentityServer side? (With the newer versions of IdentityServer)
Like shown in the quickstarts? Since we don't see the full Config.cs file, that would be the first thing to check.
You should also have a look at the .well-known/openid-configuration of your IS4, to see if the scope for the api is registered in the section scopes_supported (see link to quickstart as well).
The Debug output of IdentityServer, TokenValidationMiddleware on the API side and the AuthenticationMiddleware on the client side are very verbose, you should check the debug output for entries that inform you what is not working.
Also you should not use GrantTypes.Implicitfor Asp.Net Core applications if it is not
a SPA, this type is intended for JS-based front-ends.
Related
User can login to identity server using local account. But this is cause of user sign out from MVC client that uses open id connect for external login and I don't know why exactly!
I checked IdentityServer4 connect/authorize endpoint for any sign out code but I can't find anything.
IdentityServer config:
new Client
{
ClientId = "mvc",
ClientSecrets = { new Secret("secret".Sha256()) },
AllowedGrantTypes = GrantTypes.Code,
AllowOfflineAccess = true,
RequireConsent = true,
// where to redirect to after login
RedirectUris = { "https://localhost:5002/signin-oidc" },
// where to redirect to after logout
PostLogoutRedirectUris = { "https://localhost:5002/signout-callback-oidc" },
AllowedScopes = new List<string>
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile
}
}
Client config:
builder.Services.AddDefaultIdentity<IdentityUser>()
.AddEntityFrameworkStores<ApplicationDbContext>();
builder.Services.AddAuthentication()
.AddOpenIdConnect("oidc", "Demo IdentityServer4", options =>
{
options.Authority = "https://localhost:5001";
options.ClientId = "mvc";
options.ClientSecret = "secret";
options.ResponseType = "code";
options.GetClaimsFromUserInfoEndpoint = true;
options.Scope.Add("profile");
options.SaveTokens = true;
});
Aren't you by any chance using the same name for the cookies of your MVC client and your identity server?
As you are working in localhost for both MVC client and identity server, the cookie of single sign on could be overwriting the MVC cookie.
Have you checked this behavior with different domains?
And, what if you go back to the MVC Client and login from there, do you lose the single sign on? If I'm right, this time the MVC Cookie would be overwriting the identity server Cookie.
Did you check #IdentiyServer4 logs? I think those errors would help you to find the exact problem.
First of the all - I check in google and stack-overflow 2 days....
I found thousands examples and tutorials by still have missing point and don`t have full picture in the head.
So:
My architecture:
1) Identity server
2) 5 +/- MVC websites (Like Production website, Global admin, Help desk, etc...)(which have be protected by identity server )
3) Dozens micro services (which have be protected by identity server )
Now - What I not completely understand:
1) Login:
For now I setup the redirect flow. I Mean.... in website I setup Identity server like:
services.Configure<CookiePolicyOptions>(options =>
{
// This lambda determines whether user consent for non-essential cookies is needed for a given request.
options.CheckConsentNeeded = context => true;
options.MinimumSameSitePolicy = SameSiteMode.None;
});
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
services.AddAuthentication(options =>
{
options.DefaultScheme = "Cookies";
options.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies")
.AddOpenIdConnect("oidc", options =>
{
options.SignInScheme = "Cookies";
options.Authority = "https://localhost:44396";
options.RequireHttpsMetadata = true;
options.ClientId = "<<Here is client ID>>";
options.ClientSecret = "<<HERE IS PASSWORD>>";
options.ResponseType = "code id_token";
options.SaveTokens = true;
options.GetClaimsFromUserInfoEndpoint = true;
options.Scope.Add("api1.read");
options.Scope.Add("offline_access");
});
And
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthorization();
Now, if user try to open page with Autorize attribute - user redirect to identity server login there and back to protected page. Everything working well.
But....
1) I want login on the MVC page. Without redirect to Identity Server.
I checked internet and found that I need use identityserver resource owner password flow
Then I setup IdentityServer as:
new Client {
ClientId = "myclient",
ClientName = "My first client",
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,// GrantTypes.HybridAndClientCredentials,
ClientSecrets = new List<Secret> { new Secret("superSecretPassword".Sha256())},
AllowedScopes = new List<string> { "openid", "profile", "api1.read", IdentityServerConstants.StandardScopes.Email},
AllowOfflineAccess = true,
RedirectUris = { "https://localhost:44321/signin-oidc" },
RequireConsent = false
},
And in My MVC I can get token :
public static async Task HandleToken(this HttpClient client, string authority, string clientId, string secret, string apiName)
{
var accessToken = await client.GetRefreshTokenAsync(authority, clientId, secret, apiName);
client.SetBearerToken(accessToken);
}
private static async Task<string> GetRefreshTokenAsync(this HttpClient client, string authority, string clientId, string secret, string apiName)
{
var disco = await client.GetDiscoveryDocumentAsync(authority);
if (disco.IsError) throw new Exception(disco.Error);
var tokenResponse = await client.RequestPasswordTokenAsync(new PasswordTokenRequest
{
UserName = "<<HERE IS USERNAME>>",
Password = "<<HERE IS PASSWORD>>",
Address = disco.TokenEndpoint,
ClientId = clientId,
ClientSecret = secret,
Scope = apiName
});
var user_info = await client.GetUserInfoAsync(new UserInfoRequest() { Address = disco.UserInfoEndpoint, Token = tokenResponse.AccessToken });
Here I have all user claims and Now I want set them in Controller => User
if (!tokenResponse.IsError) return tokenResponse.AccessToken;
return null;
}
Now I get token.....Good.........but
2 Questions:
1) How I can set the User Identity inside Controller.User (ClaimsPrincipal)?
**** UPDATE
I found the one solution
I can use HttpContext.SignInAsync and after I got token and user info from code above - I can do sign in for my Web MVC project and set manually user claims. If this is good approach?
2) All manipulation with User profile data, like ChangePassword, Update FirstName, LastName, etc...
How I need to do this??
Build Microservice for Identity Membership?
P.S - In IdentityServer I use Asp Identity :
services.AddDbContext<ApplicationDbContext>(options =>
options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));
services.AddIdentity<ApplicationUser, IdentityRole>()
.AddEntityFrameworkStores<ApplicationDbContext>()
.AddDefaultTokenProviders();
var builder = services.AddIdentityServer(options =>
{
options.Events.RaiseErrorEvents = true;
options.Events.RaiseInformationEvents = true;
options.Events.RaiseFailureEvents = true;
options.Events.RaiseSuccessEvents = true;
})
.AddInMemoryIdentityResources(Config.Ids)
.AddInMemoryApiResources(Config.Apis)
.AddInMemoryClients(Config.Clients)
.AddAspNetIdentity<ApplicationUser>();
And last question is:
If I want to use DynamoDB as user store - then I need to build by custom Identity Provider?
(Correct??)
I found this solution in github, and I just need to update to Asp Core 3.1
https://github.com/c0achmcguirk/AspNetIdentity_DynamoDB
For the first question, you just need the configure your API for Identity Server then it will be populated automatically when the client made a proper request. (which includes its access token)
Sample API Configuration
public void ConfigureServices(IServiceCollection services)
{
services.AddControllers();
services.AddCors(r => r.AddDefaultPolicy(o =>
o.AllowAnyOrigin()
.AllowAnyMethod()
.AllowAnyHeader()));
services.AddAuthentication()
.AddJwtBearer(options =>
{
options.Audience = "apix"; // this apis scope
options.Authority = "http://localhost:5000"; // Identity server url
});
services.AddAuthorization(options =>
{
options.DefaultPolicy =
new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme)
.RequireAuthenticatedUser()
.Build();
});
}
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
// ...
app.UseCors();
app.UseAuthentication();
app.UseAuthorization();
// ...
}
And you also need to decorate your API method with [Authorize] attribute.
For the second question, it is a matter of preference. There is a template named QuickStart that includes user operations with IdentityServer4 which handles that in an MVC way. You can also create WEB APIs and expose them. And you may not need to create a separate microservice for that since IdentityServer is a WEB application itself.
For the last question, people usually modify old repos to make it work with DynamoDb. Like this one
Edit:
For the question How to set up the MVC to set User Claims after ResourceOwner flow login
You need to implement a IProfileService service and register it in the startup. (IdentityServer)
public async Task GetProfileDataAsync(ProfileDataRequestContext context)
{
var subject = context.Subject;
var subjectId = subject.Claims.Where(x => x.Type == "sub").FirstOrDefault().Value;
var user = await _userManager.FindByIdAsync(subjectId);
var claims = GetClaimsFromUser(user,context.Caller); // here is the magic method arranges claims according to user and caller
context.IssuedClaims = claims.ToList();
}
I'm hoping this is mostly agnostic from Okta (the service we are using for social logins), but I'm having a hard time finding documentation. I'm using .NET Core 2.0+ and my Startup.cs looks like this:
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
//Configuration pulled from appsettings.json by default:
options.ClientId = Configuration["okta:ClientId"];
options.ClientSecret = Configuration["okta:ClientSecret"];
options.Authority = Configuration["okta:Issuer"];
options.CallbackPath = "/authorization-code/callback";
options.ResponseType = OpenIdConnectResponseType.IdToken;
options.SaveTokens = true;
options.UseTokenLifetime = false;
options.GetClaimsFromUserInfoEndpoint = true;
options.Scope.Add("openid");
options.Scope.Add("profile");
options.Scope.Add("email");
});
A login form within the site allows you to click 'Login to Facebook' and the process of authenticating via the identity provider takes place. When it is confirmed, it punts back to my defined redirect 'Home/Secure'. When the redirect returns, the id_token is in the URL as an anchor:
https://localhost:5001/Home/Secure#id_token=XXXXXXX
There is also an authorize call that I can see happen that receives a response with the id_token in it as well via the Chrome developer tools console. I'm not as familiar with .NET Core, so I'm having a hard time understanding how I can grab this id_token.
The Request doesn't seem to have the id_token in the Query or QueryString parameters, so I'm not seeing where I can grab it.
Since you are using the OIDC middleware and set SaveTokens to true , you would subsequently be able to retrieve those tokens by calling GetTokenAsync for ID token you want to access ,in controller :
string idToken = await HttpContext.GetTokenAsync("id_token");
I'm implementing an authentication server with IdentityServer4 for clients using Hybrid flow. I managed to implement my own user store and also my own repository for clients, grants and resources.
When a user wants to login the client redirects it to my authentication server and if it's not loged in, it shows the login page. At this point I need some extra information than username and password in order to login my users. This is a projectId from another system where I'm actually authentication the users to. The client should provide this projectId.
The flow looks like that:
flow
I've read here Sending Custom Parameters to login screen
that I should retrieve parameteres from the returnUrl I get in the AccountController. The way I'm triggering the login flow right now is with the [Authorize] attribute in a controller method in my client code:
[Route("login")]
[Authorize]
public async Task<IActionResult> Login()
My questions are:
1.How can I send the projectId in the connect/authorize request to identity server?
2.Should I create the request manually for that?
2.a If so,then how can I handle the redirect uri action in the controller? Because now i'm using the /signin-oidc standard route.
My client definition looks like that:
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc();
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
services.AddAuthentication(options =>
{
options.DefaultScheme = "Cookies";
options.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies")
.AddOpenIdConnect("oidc", options =>
{
options.SignInScheme = "Cookies";
options.Authority = "http://localhost:5001";
options.RequireHttpsMetadata = false;
options.ClientId = "BGServer";
options.ClientSecret = "ThisIsTheBGServerSecret";
options.ResponseType = "code id_token"; //"code";
//set SaveTokens to save tokens to the AuthenticationProperties
options.SaveTokens = true;
options.GetClaimsFromUserInfoEndpoint = true;
options.Scope.Add("BG_API");
options.Scope.Add("offline_access");
});
}
And my client definition in the authentication server looks like that:
// OpenID Connect hybrid flow and client credentials client (BGServerClient)
new Client
{
ClientId = "BGServer",
ClientName = "BabyGiness Server",
AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
RequireConsent = false,
ClientSecrets =
{
new Secret("ThisIsTheBGServerSecret".Sha256())
},
RedirectUris = {"http://localhost:5005/signin-oidc"},
PostLogoutRedirectUris = { "http://localhost:5005/signout-callback-oidc" },
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
"BG_API"
},
AllowOfflineAccess = true //used to be able to retrieve refresh tokens
};
Thank you very much for your help.
You should be able to simply add additional query string parameters to the authorize endpoint request and then parse them out of the returnUrl in your MVC controller for the login flow. Anything not part of the protocol will be ignored by by IDS4 I'm pretty sure.
TLDR; In the context of using IdentityServer4
How do you get email address and hd claims from Google?
How do you get User.Identity.Name to be populated?
I have worked through the IdentityServer quickstarts and have a working MVC client talking to a IdentityServer instance (apologies if using the wrong terminology). I am using External Authentication (Google) and do not have anything mildly complicated such as local logins / database etc. I am not using ASP.NET Identity. This is all working just fine.
I can successfully authenticate in my MVC app and the following code produces the claims in the screenshot below:
#foreach (var claim in User.Claims)
{
<dt>#claim.Type</dt>
<dd>#claim.Value</dd>
}
<dt>Identity.Name</dt>
<dd> #User.Identity.Name</dd>
<dt>IsAuthenticated</dt>
<dd>#User.Identity.IsAuthenticated</dd>
Questions:
I cannot retrieve extra claims (right term?) from Google. Specifically 'hd' or even 'email' - note that they don't show up in the claims in the above screenshot. How do I get the email address and hd claims from Google? What am I missing or doing wrong?
Note that the output of User.Identity.Name is empty. Why is this and how do I get this populated? This seems to be the only property of User.Identity that isn't set.
My setup is as follows - you can see the output of this as above:
Client (MVC)
In Startup.cs, ConfigureServices
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
services.AddAuthentication(options =>
{
options.DefaultScheme = "Cookies";
options.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies")
.AddOpenIdConnect("oidc", options =>
{
options.SignInScheme = "Cookies";
options.Authority = Configuration["App:Urls:IdentityServer"];
options.RequireHttpsMetadata = false;
options.Resource = "openid profile email";
options.Scope.Add("openid");
options.Scope.Add("profile");
options.Scope.Add("email");
options.Scope.Add("domain");
options.ClientId = "ctda-web";
options.SaveTokens = true;
options.GetClaimsFromUserInfoEndpoint = true;
});
Identity Server
Client definition
// OpenID Connect implicit flow client (MVC)
new Client
{
ClientId = "ctda-web",
ClientName = "Company To Do Web App",
AllowedGrantTypes = GrantTypes.Implicit,
EnableLocalLogin = false,
// where to redirect to after login
RedirectUris = { "http://localhost:53996/signin-oidc" },
// where to redirect to after logout
PostLogoutRedirectUris = { "http://localhost:53996/signout-callback-oidc" },
AllowedScopes = new List<string>
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"domain"
}
}
IdentityResource definition
return new List<IdentityResource>
{
new IdentityResources.OpenId(),
new IdentityResources.Profile(),
new IdentityResources.Email(),
new IdentityResource
{
Name = "domain",
DisplayName = "Google Organisation",
Description = "The hosted G Suite domain of the user, if part of one",
UserClaims = new List<string> { "hd"}
}
};
The answer is amazingly unobvious: the sample code provided by IdentityServer4 works as long as you have the following configuration (in the Identity Server Startup.cs):
services.AddIdentityServer()
.AddDeveloperSigningCredential()
.AddInMemoryApiResources(Config.GetApiResources())
.AddInMemoryIdentityResources(Config.GetIdentityResources())
.AddInMemoryClients(Config.GetClients()
.AddTestUsers(Config.GetUsers()); //<--- this line here
Why? Because AddTestUsers is doing a bunch of the plumbing you need to do in your own world. The walkthrough implicitly assume you move to EF or ASP.NET Identity etc and make it unclear what you have to do if you aren't going to use these data stores. In short, you need to:
Create an object to represent the user (here's a starter)
Create a persistance/query class(here's a starter)
Create an instance of IProfileService which ties this all together, putting in your definitions of a User and a UserStore (here's a starter)
Add appropriate bindings etc
My IdentityServer Startup.cs ended up looking like this (I want to do in memory deliberately, but obviously not use the test users provided in the samples):
services.AddSingleton(new InMemoryUserStore()); //<-- new
services.AddIdentityServer()
.AddDeveloperSigningCredential()
.AddInMemoryApiResources(Config.GetApiResources())
.AddInMemoryIdentityResources(Config.GetIdentityResources())
.AddInMemoryClients(Config.GetClients())
.AddProfileService<UserProfileService>(); //<-- new
Turns out Google does return email as part of the claim. The scopes in the code sample of the question worked.
I can tell you how to get email to be returned.
There are two ways to do this but they both require that you add the email scope to the initial request. Just sending openId isnt going to work.
Openid email
UserInfo request
Now when you get the access token back you can do
https://www.googleapis.com/oauth2/v1/userinfo?alt=json&access_token={access token}
Response
{
"family_name": "Lawton",
"name": "Linda Lawton",
"picture": "https://lh5.googleusercontent.com/-a1CWlFnA5xE/AAAAAAAAAAI/AAAAAAAAl1I/UcwPajZOuN4/photo.jpg",
"gender": "female",
"email": "xxxx#gmail.com",
"link": "https://plus.google.com/+LindaLawton",
"given_name": "Linda",
"id": "117200475532672775346",
"verified_email": true
}
Token Info Request:
Using the id token
https://www.googleapis.com/oauth2/v3/tokeninfo?id_token={token id}
response
{
"azp": "07408718192.apps.googleusercontent.com",
"aud": "07408718192.apps.googleusercontent.com",
"sub": "00475532672775346",
"email": "XX#gmail.com",
"email_verified": "true",
"at_hash": "8ON2HwraMXbPpP0Nwle8Kw",
"iss": "https://accounts.google.com",
"iat": "1509967160",
"exp": "1509970760",
"alg": "RS256",
"kid": "d4ed62ee21d157e8a237b7db3cbd8f7aafab2e"
}
As to how to populate your controller i cant help with that.