I have a servicestack app in which I would like to make some session-related updates during heartbeat.
My simplified host code:
internal class SelfHost : AppSelfHostBase
{
public SelfHost() : base("HttpListener Self-Host", typeof(ServerEventsService).Assembly)
{
}
public override void Configure(Container container)
{
Plugins.Add(new ServerEventsFeature
{
LimitToAuthenticatedUsers = true,
NotifyChannelOfSubscriptions = false,
OnHeartbeatInit = req =>
{
var userSession = req.GetSession();
var sessionKey = SessionFeature.GetSessionKey(req.GetSessionId());
}
});
container.Register<ICacheClient>(new MemoryCacheClient());
Plugins.Add(new AuthFeature(() => new AuthUserSession(),
new IAuthProvider[]
{
new CredentialsAuthProvider
{
SessionExpiry = TimeSpan.FromSeconds(30),
SkipPasswordVerificationForInProcessRequests = true,
},
})
);
var userRep = new InMemoryAuthRepository();
container.Register<IUserAuthRepository>(userRep);
string hash;
string salt;
var pwd = "ValidPassword";
new SaltedHash().GetHashAndSaltString(pwd, out hash, out salt);
userRep.CreateUserAuth(new UserAuth
{
Id = 3,
DisplayName = "CustomDisplayName2",
Email = "test2#gmail.com",
UserName = "CustomUserName2",
FirstName = "FirstName2",
LastName = "LastName2",
PasswordHash = hash,
Salt = salt,
}, pwd);
}
}
and the simplified client code:
var mainClient = new ServerEventsClient(baseUrl, "home");
var authResponse = mainClient.Authenticate(new Authenticate
{
provider = "credentials",
UserName = "CustomUserName2",
Password = "ValidPassword",
RememberMe = false,
});
mainClient.Connect().Wait();
It connects and authenticates fine, the problematic part start in OnHeartbeatInit - my session here is always a new non authenticated session that has only Id, CreatedAt and LastModified. My service is marked with [Authenticate] attribute on class level. Have I misconfigured or lost some config that should allow that? If I post to my service and call Request.GetSession() then I get a populated session which I expect to see in OnHeartbeatInit as well.
Sidenote: there are no hidden configs anywhere, I have created a separate app exclusively for this example.
The issue is that the heartbeats requests sent in .NET ServerEventsClient isn't sent with the same CookieContainer that the client authenticates or connects to the /event-stream with, which is what contains the Session Cookies.
I've updated the ServerEventsClient so heartbeat requests now reference the same CookieContainer for every heartbeat request in this commit.
This change is available from v4.0.55 that's now available on MyGet.
Related
I'm trying to retrieve the reviews from our business account.
For this I'm using the Google.Apis.Auth.OAuth2.Mvc library for .net https://www.nuget.org/packages/Google.Apis.Auth.MVC/ and following this example https://developers.google.com/api-client-library/dotnet/guide/aaa_oauth#web-applications-asp.net-mvc.
The library is supposed to use the refresh token automatically but for some reason after 1 hour when the access token expires we lost access to the reviews.
Here is my implementation:
public class AppFlowMetadata : FlowMetadata
{
private static readonly IAuthorizationCodeFlow flow =
new GoogleAuthorizationCodeFlow(new GoogleAuthorizationCodeFlow.Initializer
{
ClientSecrets = new ClientSecrets
{
ClientId = "xxxxxxxxxxxxxxxxxxxxxxxxx",
ClientSecret = "xxxxxxxxxxxxxxxxxxxxx"
},
Scopes = new string[] { "https://www.googleapis.com/auth/plus.business.manage" },
DataStore = new FileDataStore(System.Web.HttpContext.Current.Server.MapPath("/App_Data/MyGoogleStorage"), true)
//DataStore = new FileDataStore(System.Web.HttpContext.Current.Server.MapPath("/App_Data/Drive.Api.Auth.Store"))
});
public override string GetUserId(Controller controller)
{
return "our email address";
}
public override IAuthorizationCodeFlow Flow
{
get { return flow; }
}
}
public async Task<ActionResult> IndexAsync(CancellationToken cancellationToken)
{
var result = await new AuthorizationCodeMvcApp(this, new AppFlowMetadata()).
AuthorizeAsync(cancellationToken);
if (result.Credential != null)
{
var accessToken = result.Credential.Token.AccessToken;
var client = new RestClient("https://mybusiness.googleapis.com/v4/accounts/116326379071192580211/locations/6608127685860731136/reviews?access_token=" + accessToken);
var request = new RestRequest(Method.GET);
IRestResponse response = client.Execute(request);
GoogleReviewsModel googleReviews = Newtonsoft.Json.JsonConvert.DeserializeObject<GoogleReviewsModel>(response.Content);
return View("Index", googleReviews);
}
else
{
return new RedirectResult(result.RedirectUri);
}
}
public class AuthCallbackController : Google.Apis.Auth.OAuth2.Mvc.Controllers.AuthCallbackController
{
protected override Google.Apis.Auth.OAuth2.Mvc.FlowMetadata FlowData
{
get { return new AppFlowMetadata(); }
}
}
The reviews are from our own company so we don't to logins from different users. What I want to achieve is to login the first time with our company logins and then automatically refresh the access token with the refresh token so the reviews are always visible in the website,
Thanks a lot!
EDIT:
After 1 hour the response I get from the following code is this:
var accessToken = result.Credential.Token.AccessToken;
var client = new RestClient("https://mybusiness.googleapis.com/v4/accounts/116326379071192580211/locations/6608127685860731136/reviews?access_token=" + accessToken);
var request = new RestRequest(Method.GET);
IRestResponse response = client.Execute(request);
""message": "Request had invalid authentication credentials. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.\",\n "status": "UNAUTHENTICATED"
result.Credential contains both the access token and the refresh token so it seems to read the file in app_data. But the access code seems to be expired and is not being refreshed at this point and is not asking to login again neither:
var result = await new AuthorizationCodeMvcApp(this, new AppFlowMetadata()).
AuthorizeAsync(cancellationToken);
You are not actually "telling the library" to refresh the access token, you are directly using the token that had been stored, and is now expired. Your code that looks like this:
var accessToken = result.Credential.Token.AccessToken;
should look like this:
var accessToekn = await result.Credential.GetAccessTokenForRequestAsync();
The GetAccessTokenForRequestAsync method will check if the access token needs refreshing and do so when needed.
I'm using cookies to pass user information for authentication as seen in this question. Everything was working fine, until our team upgraded our computers and are now on windows 10. Now my cookie is not found in global.asax.cs's Application_PostAuthenticateRequest.
Here's my code trying to send the cookie:
private void AddUserDataToCookies(User user)
{
var serializeModel = new WebUserSerializeModel
{
FirstName = user.Person.FirstName,
MiddleName = user.Person.MiddleName,
LastName = user.Person.LastName,
CredentialNumber = user.CredentialNumber,
Roles = user.Roles.Select(role => role.Name).ToList(),
Permissions = user.Permissions.Select(perm => perm.PrimaryKey).ToList()
};
var userData = new JavaScriptSerializer().Serialize(serializeModel);
var authTicket = new FormsAuthenticationTicket(1, user.CredentialNumber, DateTime.Now, DateTime.Now.AddMinutes(15), false, userData);
var encryptedTicket = FormsAuthentication.Encrypt(authTicket);
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
{
Secure = true,
HttpOnly = true
};
Response.Cookies.Add(cookie);
var requestCookie = Request.Cookies[FormsAuthentication.FormsCookieName];
}
The cookie shows up in request cookie. But when I try in my global.asax, it doesn't. My global asax code is below.
protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
{
var cookie = Request.Cookies[FormsAuthentication.FormsCookieName];
if (cookie != null)
{
try
{
var authTicket = FormsAuthentication.Decrypt(cookie.Value);
if (authTicket != null)
{
var serializer = new JavaScriptSerializer();
var serializeModel = serializer.Deserialize<WebUserSerializeModel>(authTicket.UserData);
var user = new WebUser(serializeModel.FirstName, serializeModel.LastName)
{
MiddleName = serializeModel.MiddleName,
CredentialNumber = serializeModel.CredentialNumber,
Roles = serializeModel.Roles,
Permissions = serializeModel.Permissions
};
HttpContext.Current.User = user;
}
}
catch (CryptographicException ex)
{
Logger.Error("Error while decrypting cookie post authentication.", ex);
FormsAuthentication.SignOut();
HttpContext.Current.User = null;
}
}
}
Does anyone have any ideas why changing to Windows 10 may have causes this issue? I'm somewhat new to ASP.NET and web development in general.
EDIT - by removing Secure = true when creating my cookie I was able to get it to work. I'm investigating why this is the case before I add an answer and I welcome any insights.
As mentioned in my edit, the problem was that Secure was set to true when creating my cookie but I did not have SSL enabled when running locally, unlike, I guess, on my old workstation. The code in my controller currently looks like:
private void AddUserDataToCookies(User user)
{
var serializeModel = new WebUserSerializeModel
{
FirstName = user.FirstName,
MiddleName = user.MiddleName,
LastName = user.LastName,
CredentialNumber = user.CredentialNumber,
Roles = user.Roles,
Permissions = user.Permissions
};
var userData = new JavaScriptSerializer().Serialize(serializeModel);
var authTicket = new FormsAuthenticationTicket(1, user.CredentialNumber, DateTime.Now, DateTime.Now.AddMinutes(FormsAuthentication.Timeout.Minutes), false, userData, FormsAuthentication.FormsCookiePath);
var encryptedTicket = FormsAuthentication.Encrypt(authTicket);
var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket)
{
HttpOnly = true,
Secure = true
};
if (Request.IsLocal)
{
cookie.Secure = false;
}
Response.Cookies.Add(cookie);
}
Leaving Request.IsLocal is a bit ugly but it's good enough for now until we decide if we want to implement SSL for everyone locally.
At least it was an easy fix.
I am using identity server 4 for authentication using grant type as 'ResourceOwnerPassword'. I am able to authenticate the user but not able to get claims related to user. So how can I get those ?
Below is my code
Client
Startup.cs
app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
Authority = "http://localhost:5000",
RequireHttpsMetadata = false,
ApiName = "api1"
});
Controller
public async Task<IActionResult> Authentication(LoginViewModel model)
{
var disco = await DiscoveryClient.GetAsync("http://localhost:5000");
// request token
var tokenClient = new TokenClient(disco.TokenEndpoint, "ro.client", "secret");
var tokenResponse = await tokenClient.RequestResourceOwnerPasswordAsync(model.Email, model.Password, "api1");
if (tokenResponse.IsError)
{
Console.WriteLine(tokenResponse.Error);
}
// Here I am not getting the claims, it is coming Forbidden
var extraClaims = new UserInfoClient(disco.UserInfoEndpoint);
var identityClaims = await extraClaims.GetAsync(tokenResponse.AccessToken);
if (!tokenResponse.IsError)
{
Console.WriteLine(identityClaims.Json);
}
Console.WriteLine(tokenResponse.Json);
Console.WriteLine("\n\n");
}
Server
Startup.cs
services.AddIdentityServer()
.AddTemporarySigningCredential()
.AddInMemoryPersistedGrants()
.AddInMemoryIdentityResources(Config.GetIdentityResources())
.AddInMemoryApiResources(Config.GetApiResources())
.AddInMemoryClients(Config.GetClients(Configuration))
.AddAspNetIdentity<ApplicationUser>()
.AddProfileService<IdentityProfileService>()
.AddResourceOwnerValidator<ResourceOwnerPasswordValidator>();
Config.cs
public static IEnumerable<Client> GetClients(IConfigurationRoot Configuration)
{
// client credentials client
return new List<Client>
{
// resource owner password grant client
new Client
{
ClientId = "ro.client",
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
ClientSecrets =
{
new Secret("secret".Sha256())
},
AlwaysSendClientClaims = true,
AlwaysIncludeUserClaimsInIdToken = true,
AccessTokenType = AccessTokenType.Jwt
}
};
}
public static IEnumerable<ApiResource> GetApiResources()
{
return new List<ApiResource>
{
new ApiResource("api1", "My API")
};
}
But when I check my access token in jwt.io there I can see the claims But why I am not able to get in the controller ?
Any help on this appreciated !
You can call the UserInfoEndpoint, as per your example, but you can also get additional claims if you define your ApiResource as requiring them.
For example, rather than just defining your ApiResource like you are:
new ApiResource("api1", "My API")
You can use the expanded format and define what UserClaims you'd like to have when getting an access token for this scope.
For example:
new ApiResource
{
Name = "api1",
ApiSecrets = { new Secret(*some secret*) },
UserClaims = {
JwtClaimTypes.Email,
JwtClaimTypes.PhoneNumber,
JwtClaimTypes.GivenName,
JwtClaimTypes.FamilyName,
JwtClaimTypes.PreferredUserName
},
Description = "My API",
DisplayName = "MyApi1",
Enabled = true,
Scopes = { new Scope("api1") }
}
Then in your own implementation of the IProfileService you will find that calls to GetProfileDataAsync have a list of what claims are requested in the context (ProfileDataRequestContext.RequestedClaimTypes). Given that list of what's been asked for, you can then add any claims you like - however you like - to the context.IssuedClaims that you return from that method. These will then be a part of the access token.
If you only want certain claims by specifically calling the UserInfo endpoint though, you'll want to create an IdentityResource definition and have that scope included as part of your original token request.
For example:
new IdentityResource
{
Name = "MyIdentityScope",
UserClaims = {
JwtClaimTypes.EmailVerified,
JwtClaimTypes.PhoneNumberVerified
}
}
But your first problem is following the other answer here so you don't get 'forbidden' as the response to the UserInfo endpoint!
Try sending the token along the request, when calling the UserInfoEndpoint. Try this:
var userInfoClient = new UserInfoClient(doc.UserInfoEndpoint, token);
var response = await userInfoClient.GetAsync();
var claims = response.Claims;
official docs
I am working on an asp.net MVC application with identity server 4 as token service. I have an api as well which has some secure resources. I want to implement roles (Authorization) for api. I want to make sure that only an authorized resource with valid role can access an api end point otherwise get 401 (unauthorized error).
Here are my configurations:
Client
new Client()
{
ClientId = "mvcClient",
ClientName = "MVC Client",
AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
ClientSecrets = new List<Secret>()
{
new Secret("secret".Sha256())
},
RequireConsent = false;
// where to redirect to after login
RedirectUris = { "http://localhost:5002/signin-oidc" },
// where to redirect to after logout
PostLogoutRedirectUris = { "http://localhost:5002" },
AllowedScopes =
{
StandardScopes.OpenId.Name,
StandardScopes.Profile.Name,
StandardScopes.OfflineAccess.Name,
StandardScopes.Roles.Name,
"API"
}
}
Scopes
return new List<Scope>()
{
StandardScopes.OpenId, // subject id
StandardScopes.Profile, // first name, last name
StandardScopes.OfflineAccess, // requesting refresh tokens for long lived API access
StandardScopes.Roles,
new Scope()
{
Name = "API",
Description = "API desc",
Type = ScopeType.Resource,
Emphasize = true,
IncludeAllClaimsForUser = true,
Claims = new List<ScopeClaim>
{
new ScopeClaim(ClaimTypes.Name),
new ScopeClaim(ClaimTypes.Role)
}
}
};
User
new InMemoryUser()
{
Subject = "1",
Username = "testuser",
Password = "password",
Claims = new List<Claim>()
{
new Claim("name", "Alice"),
new Claim("Website", "http://alice.com"),
new Claim(JwtClaimTypes.Role, "admin")
}
}
and in server startup i added this:
services.AddIdentityServer()
.AddTemporarySigningCredential()
.AddSigningCredential(cert)
.AddInMemoryClients(Config.GetClients())
.AddInMemoryScopes(Config.GetScopes())
.AddInMemoryUsers(Config.GetUsers())
in api startup, i have this:
app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions()
{
Authority = "http://localhost:5000",
ScopeName = "NamfusAPI",
RequireHttpsMetadata = false
});
in api controller, i have this:
[Authorize(Roles = "admin")]
public IActionResult Get()
{
return new JsonResult(from c in User.Claims select new {c.Type, c.Value });
}
in MVC client startup, i have this:
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
app.UseCookieAuthentication(new CookieAuthenticationOptions()
{
AuthenticationScheme = "Cookies"
});
var oidcOptions = new OpenIdConnectOptions()
{
AuthenticationScheme = "oidc",
SignInScheme = "Cookies",
Authority = "http://localhost:5000",
RequireHttpsMetadata = false,
ClientId = "mvcClient",
ClientSecret = "secret",
SaveTokens = true,
GetClaimsFromUserInfoEndpoint = true,
ResponseType = "code id_token", // hybrid flow
};
oidcOptions.Scope.Clear();
oidcOptions.Scope.Add("openid");
oidcOptions.Scope.Add("profile");
oidcOptions.Scope.Add("NamfusAPI");
oidcOptions.Scope.Add("offline_access");
oidcOptions.Scope.Add("roles");
I am trying to call the api like this:
public async Task<IActionResult> CallApiUsingUserAccessToken()
{
var accessToken = await HttpContext.Authentication.GetTokenAsync("access_token");
var client = new HttpClient();
client.SetBearerToken(accessToken);
var content = await client.GetStringAsync("http://localhost:5001/identity");
ViewBag.Json = JArray.Parse(content).ToString();
return View("json");
}
I get access token but when call is made to api (identity/get), I get 302 error Forbidden (in chrome network it shows 500 internal server error). If I change API Authorize attribute from
[Authorize(Roles = "admin")]
public IActionResult Get()
to (without role):
[Authorize]
public IActionResult Get()
it works and I get data from api in mvc app. How can I apply roles in this code.
Please suggest.
First, you need to request "API" scope in your OpenIdConnectOptions().
oidcOptions.Scope.Add("API");
or
Scope = { "API", "offline_access",..},
Then you need to check if the role claim is included in the claims list available to your API controler(don't apply the roles filter in authorize attribute yet. Put a debug point inside controller method and expand User property). Check if the type of the role claim you received(listed in Claims Collection) matches User.Identity.RoleClaimType property
If the role claim type you have and User.Identity.RoleClaimType doesn't match, authorize attribute with roles filter won't work. You can set the correct RoleClaimType in IdentityServerAuthenticationOptions() like follows
app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
Authority = "http://localhost:5000",
ScopeName = "API",
RoleClaimType = ClaimTypes.Role,
RequireHttpsMetadata = false
});
I just set up a SelfHost(InMem with WS-Fed) Thinktecture IdentityServer3 project example and I'm trying to use it to get a JWT, the problem is that I only recieve tokens signed with an asymmetric key using the alg RS256 but I need them to be symmetric using the alg HS256 so I can use the same key on the client.
I have tried to follow some examples by configuring the Relying Party on the server with no success.
For example, I see the following markup:
var relyingParty = new RelyingParty()
{
Enabled = true,
Realm = "urn:carbon",
Name = "Test party",
SymmetricSigningKey =
Convert.FromBase64String("R03W9kJERSSLH11Px+R/O7EYfAadSMQfZD5haQZj6eU="),
TokenLifeTime = 120
};
But when I try it on my code, I have an error on SymmetricSigningKey and it says that:
'Thinktecture.IdentityServer.WsFederation.Models.RelyingParty' does
not contain a definition for 'SymmetricSigningKey'
What am I doing wrong?, thanks in advance!
UPDATE
Markup of the startup file:
public void Configuration(IAppBuilder appBuilder)
{
var factory = InMemoryFactory.Create(
users: Users.Get(),
clients: Clients.Get(),
scopes: Scopes.Get()
);
var options = new IdentityServerOptions
{
IssuerUri = "https://idsrv3.com",
SiteName = "Thinktecture IdentityServer3 - WsFed",
SigningCertificate = Certificate.Get(),
Factory = factory,
PluginConfiguration = ConfigurePlugins,
};
appBuilder.UseIdentityServer(options);
}
private void ConfigurePlugins(IAppBuilder pluginApp, IdentityServerOptions options)
{
var wsFedOptions = new WsFederationPluginOptions(options);
// data sources for in-memory services
wsFedOptions.Factory.Register(new Registration<IEnumerable<RelyingParty>>(RelyingParties.Get()));
wsFedOptions.Factory.RelyingPartyService = new Registration<IRelyingPartyService>(typeof(InMemoryRelyingPartyService));
pluginApp.UseWsFederationPlugin(wsFedOptions);
}
Markup of the scope used:
new Scope
{
Name = "api1"
}
Markup of the client used:
new Client
{
ClientName = "Silicon on behalf of Carbon Client",
ClientId = "carbon",
Enabled = true,
AccessTokenType = AccessTokenType.Jwt,
Flow = Flows.ResourceOwner,
ClientSecrets = new List<ClientSecret>
{
new ClientSecret("21B5F798-BE55-42BC-8AA8-0025B903DC3B".Sha256())
}
}
Markup of the user used:
new InMemoryUser{Subject = "bob", Username = "bob", Password = "bob",
Claims = new Claim[]
{
new Claim(Constants.ClaimTypes.GivenName, "Bob"),
new Claim(Constants.ClaimTypes.FamilyName, "Smith"),
new Claim(Constants.ClaimTypes.Email, "BobSmith#email.com")
}
}
UPDATE
I just check the class model of the relying party of IdentityServer3 and there's no property for the symmetric signing key... I'm lost...
Any ideas?