
authorizationserver's Introduction

About IdentityModel

IdentityModel is a .NET library for claims-based identity, OAuth 2.0 and OpenID Connect.

It provides an object model to interact with the endpoints defined in the various OAuth and OpenID Connect specifications in the form of:

  • types to represent the requests and responses
  • extension methods to invoke requests
  • constants defined in the specifications, such as standard scope, claim, and parameter names
  • other convenience methods for performing common identity related operations

IdentityModel targets .NET Standard 2.0, making it suitable for .NET and .NET Framework.

For more documentation, please visit readthedocs.

Related Packages

Feedback

IdentityModel is released as open source under the Apache 2.0 license. Bug reports and contributions are welcome at the GitHub repository.

authorizationserver's People

Contributors

brockallen, larsw, leastprivilege, rzontar


authorizationserver's Issues

Feature for obfuscating all OAuth2 error messages

OAuth2 defines a lot of error messages, from unauthorized client to invalid scope etc. As we all know, this makes it possible to reverse engineer from fuzzed input.

One solution would be to have a switch for obfuscating error messages - like always returning invalid_request.

WS-Trust issue

Hi,

I keep getting the following error in the Validate method of the pre-built WSTrustResourceOwnerCredentialValidation class:

"ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer."

I have added the certificate thumbprint to the identityModel.config issuerNameRegistry element within the authorization server, and the identity server is set up to use the same certificate to sign outgoing SAML requests.

Any ideas?

Thanks.

Question: Usecase for Applications

I have had time now to get around most of the solution and tried out the samples.

I understand what Applications are used for in a technical fashion: a container for the audience, key and token lifetime etc.

I am puzzling a little about how this is used in real cases.

Social sites like Facebook, Twitter etc. They are one application, right? Can you give me an example of a case where a company will deploy the AS with multiple applications?

Would it make sense to deploy your AS on my as.company.domain and, whenever I create some new application (some API at second.domain), to set it up with my as.company.domain? Then clients ask as.company.domain for tokens to the application located at second.domain.

What I am getting at is, in a real world case, would I not deploy an AuthorizationServer with all the applications I create?

Hope it makes sense :)

Live server with test data for easy testing.

I have put AS up and running at
https://authz.s-innovations.net/

It's on a valid SSL certificate and people can test out the sample flows without having to set up the AS. It is configured with Azure ACS, so people can identify themselves with Live IDs.

It has the sample data added.

    public static class AS
    {
        // Application segment of the AS URLs. The post does not show this constant;
        // the value is assumed here so the class compiles on its own.
        public const string Application = "users";

        public const string OAuth2TokenEndpoint = "https://authz.s-innovations.net/" + Application + "/oauth/token";
        public const string OAuth2AuthorizeEndpoint = "https://authz.s-innovations.net/" + Application + "/oauth/authorize";

        public const string IssuerName = "S-Innovations";

        // Symmetric signing key of the public test instance. It is published in this issue,
        // so anything signed with it should be treated as forgeable by anyone.
        public const string SigningKey = "1fTiS2clmPTUlNcpwYzd5i4AEFJ2DEsd8TcUsllmaKQ=";
    }

Example - JS Client

Can you add an example in Samples\Clients to authenticate and consume the Web API through .ajax requests from JavaScript?

Signature validation failed

When I call the ResourceAPI with the token I end up with the following exception. Am I missing any configuration?

Jwt10316: Signature validation failed. Keys tried: 'System.IdentityModel.Tokens.InMemorySymmetricSecurityKey'.
Exceptions caught:
'System.InvalidOperationException: Jwt10532: SymmetricSecurityKey.GetKeyedHashAlgorithm( 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' ) threw and exception.
SymmetricSecurityKey: 'System.IdentityModel.Tokens.InMemorySymmetricSecurityKey'
SignatureAlgorithm: 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256', check to make sure the SignatureAlgorithm is supported.
Exception: 'System.InvalidOperationException: Crypto algorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' not supported in this context.
at System.IdentityModel.CryptoHelper.CreateKeyedHashAlgorithm(Byte[] key, String algorithm)
at System.IdentityModel.Tokens.InMemorySymmetricSecurityKey.GetKeyedHashAlgorithm(String algorithm)
at System.IdentityModel.Tokens.SymmetricSignatureProvider..ctor(SymmetricSecurityKey key, String algorithm)'. ---> System.InvalidOperationException: Crypto algorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' not supported in this context.
at System.IdentityModel.CryptoHelper.CreateKeyedHashAlgorithm(Byte[] key, String algorithm)
at System.IdentityModel.Tokens.InMemorySymmetricSecurityKey.GetKeyedHashAlgorithm(String algorithm)
at System.IdentityModel.Tokens.SymmetricSignatureProvider..ctor(SymmetricSecurityKey key, String algorithm)
--- End of inner exception stack trace ---
at System.IdentityModel.Tokens.SymmetricSignatureProvider..ctor(SymmetricSecurityKey key, String algorithm)
at System.IdentityModel.Tokens.SignatureProviderFactory.CreateProvider(SecurityKey key, String algorithm, Boolean willCreateSignatures)
at System.IdentityModel.Tokens.SignatureProviderFactory.CreateForVerifying(SecurityKey key, String algorithm)
at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(SecurityKey key, String algorithm, Byte[] encodedBytes, Byte[] signature)
at System.IdentityModel.Tokens.JwtSecurityTokenHandler.ValidateSignature(JwtSecurityToken jwt, Byte[] signatureBytes, IEnumerable`1 signingTokens)
'.
jwt: '{"typ":"JWT","alg":"RS256","x5t":"dLYSTQYTczxmTQzNz2VHQw-6u50"}.{"iss":"AS","aud":"AuthorizedServices","nbf":1372534091,"exp":1372537691,"client_id":"implicitclient","scope":"read","sub":"hanish"}'

How to use Scopes and Claims in Web Api

Hi,

I just want to know what the best practices are for using claims in a web application. Just consider a scenario where I have an MVC4 application or Web API project.
In that project I have multiple controllers like:

  1. PurchaseOrder
  2. SalesOrder etc.

I am authenticated successfully and have the claims extracted from the token received in my application; how can I then use these claims in my controllers to restrict the user to certain permissions?

ex:
If user XYZ is a Sales guy then he has a different access level to my controller SalesOrder, and if user PQR is an Admin then he has a different level of access to the same controller.

How can I achieve this, or is it even possible? Any help on how exactly claims will work.

Got a problem when clicking "Configure Server" in AS

I built two websites with your excellent projects, Thinktecture.IdentityServer and Thinktecture.AuthorizationServer. However, I encountered a problem when following your video tutorial: I receive a blank page after clicking "Configure Server" in AS.

The URL is "https://192.168.1.210/authsvr/Admin/Home". It's supposed to redirect to IdentityServer and come back to show me the admin menus, but it didn't go there and showed me a blank page instead.

At first, this problem appeared on my Windows 8. No error, no log, and I got nothing with Fiddler. It really drove me crazy. Fortunately, I happened to create a Windows 2008 VM and moved my website onto it. The website worked as it does in your videos!

But today, I created another virtual machine, which is Windows 2012. On the new Windows 2012, the problem appeared again.

Does anybody know what's going on?
Or is there any way to get more error information in AS?
I installed ADDS, ADFS and WIF on both virtual machines. Did I miss any important component?

Thanks in advance.

Authorization Server and Application

In Authorization Server I identify Applications, but is it possible to link an Application to a client? Any client can access all or any application.

In Authorization Server code flow, the token endpoint is redirecting to the IdP and token issuance is failing.

Start the Code Flow sample.
Use Identity Server as the IdP.
Configure Authorization Server as an RP.
Get Token fails with the error:

Unexpected character encountered while parsing value: <. Path '', line 0, position 0.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: Newtonsoft.Json.JsonReaderException: Unexpected character encountered while parsing value: <. Path '', line 0, position 0.

Source Error:

Line 32: var code = Request.QueryString["code"];
Line 33:
Line 34: var response = client.RequestAccessTokenCode(
Line 35: code,
Line 36: new Uri(Constants.Clients.CodeClientRedirectUrl));

Source File: c:\Users\zuahmed\Source\Repos\Thinktecture.AuthorizationServer\samples\Flows\Clients\OAuth2 CodeFlow\Controllers\CallbackController.cs Line: 34

Stack Trace:

[JsonReaderException: Unexpected character encountered while parsing value: <. Path '', line 0, position 0.]
Newtonsoft.Json.JsonTextReader.ParseValue() +1325
Newtonsoft.Json.JsonTextReader.ReadInternal() +84
Newtonsoft.Json.JsonTextReader.Read() +41
Newtonsoft.Json.Linq.JObject.Load(JsonReader reader) +91
Newtonsoft.Json.Linq.JObject.Parse(String json) +114
Thinktecture.IdentityModel.Clients.OAuth2Client.RequestAccessTokenCode(String code, Uri redirectUri, Dictionary`2 additionalProperties) in c:\etc\Dropbox\source\Thinktecture\Thinktecture.IdentityModel.45\IdentityModel\Thinktecture.IdentityModel\Clients\OAuth2Client.cs:111
OAuth2CodeFlow.Controllers.CallbackController.Postback() in c:\Users\zuahmed\Source\Repos\Thinktecture.AuthorizationServer\samples\Flows\Clients\OAuth2 CodeFlow\Controllers\CallbackController.cs:34
lambda_method(Closure , ControllerBase , Object[] ) +101
System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) +14
System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +211
System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +27
System.Web.Mvc.Async.<>c__DisplayClass42.<BeginInvokeSynchronousActionMethod>b__41() +28
System.Web.Mvc.Async.<>c__DisplayClass81.b__7(IAsyncResult _) +10
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +57
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +48
System.Web.Mvc.Async.<>c__DisplayClass39.<BeginInvokeActionMethodWithFilters>b__33() +57
System.Web.Mvc.Async.<>c__DisplayClass4f.<InvokeActionMethodFilterAsynchronously>b__49() +223
System.Web.Mvc.Async.<>c__DisplayClass37.<BeginInvokeActionMethodWithFilters>b__36(IAsyncResult asyncResult) +10
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +57
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +48
System.Web.Mvc.Async.<>c__DisplayClass2a.b__20() +24
System.Web.Mvc.Async.<>c__DisplayClass25.b__22(IAsyncResult asyncResult) +102
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +57
System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +43
System.Web.Mvc.<>c__DisplayClass1d.<BeginExecuteCore>b__18(IAsyncResult asyncResult) +14
System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +23
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +62
System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +57
System.Web.Mvc.Async.<>c__DisplayClass4.b__3(IAsyncResult ar) +23
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +62
System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +47
System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +10
System.Web.Mvc.<>c__DisplayClass8.<BeginProcessRequest>b__3(IAsyncResult asyncResult) +25
System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +23
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +62
System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +47
System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +9629296
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155
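The JsonReaderException above is JObject.Parse being handed a document that starts with "<": the token endpoint answered with an HTML sign-in page (the WS-Federation redirect the title describes) rather than the JSON object RFC 6749 specifies. The example below is added here and is not the sample's OAuth2Client; it is Python with the standard library and shows the classification a client should do before parsing: redirects, non-JSON content types and malformed bodies are each reported for what they are, and only a JSON body is parsed and mapped to either a token or an OAuth error object. The sample responses at the bottom are constructed.

```python
# Added example (not from the sample's OAuth2Client): classify a token-endpoint
# response before parsing it as JSON.
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenResult:
    ok: bool
    access_token: Optional[str] = None
    token_type: Optional[str] = None
    expires_in: Optional[int] = None
    scope: Optional[str] = None
    error: Optional[str] = None
    error_description: Optional[str] = None


def parse_token_response(status: int, headers: dict, body: bytes) -> TokenResult:
    """Turn a raw HTTP response from the token endpoint into a TokenResult.

    RFC 6749 section 5: success is 200 with application/json; failure is 400
    (401 for invalid_client) with an application/json error object. Anything else,
    in particular a redirect or an HTML page, is reported as such instead of being
    fed to the JSON parser."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    media_type = hdrs.get("content-type", "").split(";")[0].strip().lower()

    if 300 <= status < 400:
        return TokenResult(ok=False, error="unexpected_redirect",
                           error_description=f"token endpoint redirected to {hdrs.get('location')!r}; "
                                             "is it behind interactive (browser) authentication?")
    if media_type != "application/json":
        snippet = body[:60].decode("utf-8", "replace")
        return TokenResult(ok=False, error="non_json_response",
                           error_description=f"HTTP {status}, Content-Type {media_type!r}, "
                                             f"body starts with {snippet!r}")
    try:
        data = json.loads(body)
    except ValueError as exc:
        return TokenResult(ok=False, error="malformed_json", error_description=str(exc))

    if status == 200:
        if not isinstance(data.get("access_token"), str) or not isinstance(data.get("token_type"), str):
            return TokenResult(ok=False, error="invalid_token_response",
                               error_description="200 response without access_token/token_type")
        return TokenResult(ok=True, access_token=data["access_token"], token_type=data["token_type"],
                           expires_in=data.get("expires_in"), scope=data.get("scope"))

    # 4xx with a JSON body: the OAuth error object.
    return TokenResult(ok=False, error=str(data.get("error", "unknown_error")),
                       error_description=data.get("error_description"))


# Constructed responses (not captured from a real server) covering the cases above.
SAMPLES = {
    "html_signin_page": (200, {"Content-Type": "text/html; charset=utf-8"},
                         b"<!DOCTYPE html><html><head><title>Sign in</title></head><body></body></html>"),
    "redirect_to_sts": (302, {"Location": "https://idsrv.example/issue/wsfed"}, b""),
    "good": (200, {"Content-Type": "application/json"},
             b'{"access_token":"constructed-access-token","token_type":"Bearer","expires_in":3600,"scope":"read"}'),
    "invalid_grant": (400, {"Content-Type": "application/json"},
                      b'{"error":"invalid_grant","error_description":"authorization code expired"}'),
    "truncated_json": (200, {"Content-Type": "application/json"}, b'{"access_token": '),
}

if __name__ == "__main__":
    for name, (status, headers, body) in SAMPLES.items():
        result = parse_token_response(status, headers, body)
        print(f"{name:18} ok={result.ok} error={result.error} {result.error_description or ''}")
```

With the "html_signin_page" sample the client now reports an HTML body where JSON was expected, which points straight at the cause in the issue: the token endpoint must be reachable with client credentials alone and must not sit behind the passive WS-Federation module.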

Signout of AS

I don't know how things work with IdentityServer.

But if using ACS, I need to tell ACS to sign out, else I will just be authenticated right away again when I hit ACS, with no option to select an identity provider.

This works for ACS; I haven't made a pull request as I don't know if it breaks in other situations.

            // Build the WS-Federation passive sign-out URL of the STS (ACS) the module is configured against.
            var authModule = FederatedAuthentication.WSFederationAuthenticationModule;
            var url = WSFederationAuthenticationModule.GetFederationPassiveSignOutUrl(authModule.Issuer, authModule.Realm, null);

            // Request that URL from the web server (this request carries none of the browser's ACS cookies).
            var request = WebRequest.Create(url);
            var task = request.GetResponseAsync();

            // Clear the local session, then wait for the STS request to complete.
            authModule.SignOut();
            var result = await task;

Question: SSL - The remote certificate is invalid according to the validation procedure.

The CallbackController in the code flow.

Line 34: var response = client.RequestAccessTokenCode(
Line 35: code,
Line 36: new Uri(Constants.Clients.CodeClientRedirectUrl));

It's the OAuth2Client that throws:
The remote certificate is invalid according to the validation procedure.

I have set up AS to run in IIS with a self-signed SSL certificate.
I start on:
https://localhost:44301/
which sends me to:
https://local.test/authz/users/oauth/authorize?client_id=codeclient&scope=read%20search&redirect_uri=https://localhost:44301/callback&response_type=code
where I give my consent and am returned to
https://localhost:44301/callback?code=99a9cbd28c6c4fd88e1cf13434d8dda8

The error comes when I try to get the token.

(I assumed you were also using a self-signed SSL certificate in your videos; I just clicked "add self signed" in IIS and it did it for me.)

Follow up: I noticed how the code was made to throw an error if the redirect URI is not HTTPS. (If I recall correctly, I can set up Facebook apps to use non-HTTPS.) How bad from a security point of view is it to let clients work on HTTP only?
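The HTTPS rule the follow-up asks about is one of several checks an authorization endpoint applies to redirect_uri before it sends a code anywhere. The example below is added here and is not the Authorization Server's code; it is Python with the standard library. It implements an exact-match policy against the client's registered URIs, requires https with an explicit development-only opt-in for plain http on loopback, rejects fragments, and then builds the code response. The client registry is constructed; the codeclient entry mirrors the URLs quoted in the issue. The reason http matters: an authorization code crossing the network in the clear can be read by anyone on the path and, for a public client that has no secret, redeemed at the token endpoint.

```python
# Added example (not from the Authorization Server code): redirect_uri policy for the
# authorization endpoint, and building the code response once it has passed.
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


class RedirectUriError(ValueError):
    pass


# Constructed client registry; the codeclient entry mirrors the URLs in the issue.
REGISTERED_REDIRECTS = {
    "codeclient": {"https://localhost:44301/callback"},
    "devclient": {"http://127.0.0.1:8080/callback"},
}

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def validate_redirect_uri(client_id: str, requested: str, registry: dict = REGISTERED_REDIRECTS,
                          allow_http_loopback: bool = False) -> str:
    """Accept redirect_uri only if it is exactly one registered for the client.

    Exact string comparison (no prefix or host-only matching) closes the usual
    path-traversal, added-query and open-redirect variants. https is required;
    plain http is accepted only for loopback hosts, and only when explicitly enabled
    for development."""
    registered = registry.get(client_id)
    if not registered:
        raise RedirectUriError("unknown client_id")
    parts = urlsplit(requested)
    if parts.fragment or "#" in requested:
        raise RedirectUriError("redirect_uri must not contain a fragment")
    if parts.scheme == "https":
        pass
    elif parts.scheme == "http" and allow_http_loopback and parts.hostname in LOOPBACK_HOSTS:
        pass
    else:
        raise RedirectUriError("redirect_uri must use https")
    if requested not in registered:
        raise RedirectUriError("redirect_uri is not registered for this client")
    return requested


def check_redirect_uri(client_id: str, requested: str, **kwargs) -> str:
    """Return "ok" or the rejection reason (for logging and for the demo below)."""
    try:
        validate_redirect_uri(client_id, requested, **kwargs)
        return "ok"
    except RedirectUriError as e:
        return str(e)


def build_code_redirect(redirect_uri: str, code: str, state: Optional[str]) -> str:
    """Append code (and state, echoed verbatim) to an already validated redirect_uri,
    keeping any query string the registered URI carries."""
    parts = urlsplit(redirect_uri)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("code", code))
    if state is not None:
        query.append(("state", state))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


if __name__ == "__main__":
    cases = [
        ("codeclient", "https://localhost:44301/callback", {}),
        ("codeclient", "https://localhost:44301/callback/../admin", {}),
        ("codeclient", "https://localhost:44301/callback?next=https://evil.example", {}),
        ("codeclient", "https://localhost:44301/callback#frag", {}),
        ("codeclient", "http://localhost:44301/callback", {}),
        ("devclient", "http://127.0.0.1:8080/callback", {}),
        ("devclient", "http://127.0.0.1:8080/callback", {"allow_http_loopback": True}),
        ("nobody", "https://localhost:44301/callback", {}),
    ]
    for client_id, uri, kwargs in cases:
        print(f"{client_id:10} {uri:55} -> {check_redirect_uri(client_id, uri, **kwargs)}")
    uri = validate_redirect_uri("codeclient", "https://localhost:44301/callback")
    print(build_code_redirect(uri, "99a9cbd28c6c4fd88e1cf13434d8dda8", "constructed-state"))
```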

Nested Scope

Hi, I went through Authorization Server and Identity Server, where we can define a Scope for a set of permissions for a user. I would like to know how granular I can be using authorization scopes. For example, in my case
I would like to give a user the Read scope + an Update operation for a table (rather than giving the Update scope). Will I be able to achieve this with Authorization Server?

Can I have a nested scope? How do I achieve this?

Can you also let me know how to add custom claims in one of your sample project Flows.

Thank you
Murali

Clarification on claims object level and attribute level .

Hi Dom,

Imagine we have an object "Customer" which has many attributes within it. A normal user may have access to a few attributes of the Customer object, and a user with elevated permissions may have access to all the attributes within the Customer object.
My question: is it good practice to add claims at the attribute level, or is it better to add claims at the object level?

ADFS Integration?

Will you be adding the same type of SAML -> JWT exchange that's in IdentityServer? (ADFS Integration)

Demonstration / Sample setup

First off, I really like the project structure. The samples really show how to create web projects properly.

I have one issue: I am not 100% sure how to get the samples working. (A blog post telling how to set it up would be nice, or when I figure it out, I will do one myself.)

First off, I changed system.identityModel and services to target my ACS namespace. (Identity and Access in VS2012 did most of it. Just had to remove the deny users=? on the site.)

Spinning up the AS works fine; when authz:EnableAdmin is true, two buttons, Application Permission and Configuration, are there. But clicking them gives blank pages (and auth denied in the network tab).

When trying the clients and they redirect to the AS, the same issue happens.

I am probably missing something like hooking it up with some authentication.

Looking forward to seeing more stuff from this project, and I am learning from it, as in a few weeks I am going to implement a system where users (Resource Owners) have some resources (Data) that they need to allow third-party apps (Clients) to manipulate and present to them. From the looks of this, it looks like I could save a lot of time by not having to implement all the OAuth2 flows for allowing clients to access my users' data, so I am hoping to get in depth with this and try it out.

Question, Resource Api. Where do logic go for binding resources to users

Let's say I build an API.

AS is there to set scopes for users, so I can say the user needs a "write" scope to access a given API request.

Then I just put [Scope] attributes on my API, and if the user has a claim with the given scope he is allowed to get the resource.

Next, I can also add ClaimsAuthorizeAttributes to validate that a user can get the resource and use the action (the action is just the scope, I assume).

Is there any real use of the ClaimsAuthorizeAttributes when we have scopes? I am thinking about what my API calls return; would one normally not make the queries such that they only return data the user is allowed to see, based on his nameidentifier (or subject in the AS tokens)?

Or would I create an AuthorizationManager that, for a given resource, checks if a user has access to the given resource, instead of just making a query that checks it?

I assume the latter will help keep the code simple, and separating the two things makes it easier to maintain. But it also means it will do up to double the amount of requests to the database? Check if the user has access and, if yes, go get the data, instead of just taking the data if he has access.

I might have answered my own question by writing this. Are there any other factors than the two above that I could consider before implementing it?
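The three questions above ("How to use Scopes and Claims in Web Api", "Clarification on claims object level and attribute level" and this one) are all about the same two layers. The example below is added here; it is not code from the Authorization Server or its samples, and it is Python rather than the project's C#, chosen so it runs stand-alone. It shows a scope gate at the API boundary (what the client was allowed to ask for), a separate authorization manager that decides per record from the subject and role claims (what this user may do with that record, including which attributes of it they may see), and both strategies from the question: check-then-fetch for a single record, and pushing the subject filter into the query for a list. The principals, orders and role names are constructed for the example.

```python
# Added example (not from the Authorization Server or its samples): a scope gate at the
# API boundary plus a resource-level authorization manager driven by claims.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


class Forbidden(Exception):
    pass


@dataclass(frozen=True)
class Principal:
    """What the validated token tells us: subject plus the scope and role claims."""
    sub: str
    scopes: FrozenSet[str]
    roles: FrozenSet[str] = frozenset()


@dataclass
class SalesOrder:
    id: int
    owner_sub: str
    total: float
    margin: float          # attribute that only Admins may see


def require_scope(principal: Principal, scope: str) -> None:
    """Layer 1: was the *client* granted this scope for this user? Coarse, per API."""
    if scope not in principal.scopes:
        raise Forbidden(f"scope '{scope}' required")


class AuthorizationManager:
    """Layer 2: may this *user* perform this action on this particular record?
    Kept in one place so controllers stay free of policy."""

    def can(self, p: Principal, action: str, order: SalesOrder) -> bool:
        if "Admin" in p.roles:
            return True
        if action == "read":
            return order.owner_sub == p.sub
        if action == "update":
            return "Sales" in p.roles and order.owner_sub == p.sub
        return False

    def project(self, p: Principal, order: SalesOrder) -> Dict[str, object]:
        """Attribute-level policy: return only the fields this principal may see."""
        view: Dict[str, object] = {"id": order.id, "owner": order.owner_sub, "total": order.total}
        if "Admin" in p.roles:
            view["margin"] = order.margin
        return view


# Constructed sample data standing in for the database.
ORDERS: Dict[int, SalesOrder] = {
    1: SalesOrder(1, "xyz", 120.0, 0.30),
    2: SalesOrder(2, "abc", 980.0, 0.12),
}
AUTHZ = AuthorizationManager()


def get_order(p: Principal, order_id: int) -> Dict[str, object]:
    """Check-then-fetch: one policy decision per record."""
    require_scope(p, "read")
    order = ORDERS.get(order_id)
    # Same answer for "missing" and "not yours": callers cannot enumerate ids.
    if order is None or not AUTHZ.can(p, "read", order):
        raise Forbidden("order not found")
    return AUTHZ.project(p, order)


def update_order_total(p: Principal, order_id: int, total: float) -> Dict[str, object]:
    require_scope(p, "write")          # a read-only token never gets here, not even for an Admin
    order = ORDERS.get(order_id)
    if order is None or not AUTHZ.can(p, "update", order):
        raise Forbidden("order not found")
    order.total = total
    return AUTHZ.project(p, order)


def list_orders(p: Principal) -> List[Dict[str, object]]:
    """Filter-at-query-time variant: the 'WHERE owner = subject' lives in the data
    access, so the list case needs no second round trip."""
    require_scope(p, "read")
    rows = ORDERS.values() if "Admin" in p.roles else [o for o in ORDERS.values() if o.owner_sub == p.sub]
    return [AUTHZ.project(p, o) for o in rows]


def attempt(fn, *args):
    """Return the call result, or the Forbidden message; used by the demo and tests."""
    try:
        return fn(*args)
    except Forbidden as e:
        return f"403 {e}"


if __name__ == "__main__":
    sales = Principal("xyz", frozenset({"read", "write"}), frozenset({"Sales"}))
    admin_ro = Principal("pqr", frozenset({"read"}), frozenset({"Admin"}))
    print("sales reads own   :", attempt(get_order, sales, 1))
    print("sales reads other :", attempt(get_order, sales, 2))
    print("admin reads other :", attempt(get_order, admin_ro, 2))
    print("admin, read token :", attempt(update_order_total, admin_ro, 1, 5.0))
    print("sales list        :", attempt(list_orders, sales))
```

The scope check answers the client-side question ("may this application act on the user's behalf at all"), the manager answers the user-side one; neither replaces the other, which is why a scope attribute alone is not enough once records have owners.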

Ignoring Claims

The Resource API does not get all the claims from ADFS. It looks like it is just getting the Name and Role claims. Where do I have to make the changes in order to populate all the claims that were sent by ADFS?

Installation - Certificate Issue

I was following this video for installing Authorization Server: http://vimeo.com/69300053 . After AuthZ was added as a relying party in IdSrv and I clicked on 'Configure Server', I ended up with this error. I have included the stack trace for details.

Any ideas ?

WIF10201: No valid key mapping found for securityToken: 'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'TrustTheThink'.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.IdentityModel.Tokens.SecurityTokenValidationException: WIF10201: No valid key mapping found for securityToken: 'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'TrustTheThink'.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[SecurityTokenValidationException: WIF10201: No valid key mapping found for securityToken: 'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'TrustTheThink'.]
System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ValidateToken(SecurityToken token) +1040811
System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token) +135
System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri) +117
System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request) +698
System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +123924
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165

Error Updating, Deleting

Hi Dominick

I am using Authorization Server, which has been configured to use a SQL database. Under the Application tab I was able to create an Application, but I am not able to update it. "Error Updating" is the error message which I receive. I am not able to do any operation on the existing record. I can create new ones without any issue.

Thank you

Murali

Need suggestion to add Claims in thinktecture authorization server

Hi ,

We have built a claims-aware app which accepts tokens from Thinktecture Authorization Server.
I want to pull the claims from the DB based on the user and add those claims to the token. I want to achieve this in the authorization server.
What is the best way to do it?

Protection of symmetric signing keys and client secrets

How about this:

We create a simple interface for encrypting and decrypting strings, like

string Encrypt(string secret)

The returned string is self-contained and has all the necessary info for decrypting (e.g. the IV). It is up to the crypto service to use the right key material then.

By default, we put the symmetric master key into a .config file, e.g. in App_Data, so we can create a new one with a random key at initial setup time, and have a crypto service impl that works with that config file.

Symmetric key config

Maybe we should remove the .NET config section and use a plain text file in App_Data.

This way we could simplify the creation logic to "no file -> generate a new one".
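The two issues above ("Protection of symmetric signing keys and client secrets" and "Symmetric key config") sketch an interface and a key-file policy; the example below is added here, is not the Authorization Server's implementation, and is Python with the standard library only. It implements the self-contained container (version, random nonce, ciphertext, authentication tag, base64-encoded into one string), the "no file -> generate a new one" master-key rule with the file created non-overwritably and owner-readable, and separate encryption and MAC subkeys derived from the one master key. Because the standard library has no block cipher, the primitive is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag; in a deployment the same container would carry an AES-GCM output from a crypto library. The App_Data file name, subkey labels and sample secret are assumptions.

```python
# Added example (not the Authorization Server's implementation): a string-in,
# string-out crypto service whose output is self-contained, backed by a master key
# file that is created on first use.
import base64
import hashlib
import hmac
import os
import secrets
import tempfile
from typing import Optional

VERSION = b"\x01"      # format version, so the layout can change later
NONCE_LEN = 16
TAG_LEN = 32           # HMAC-SHA256


def load_or_create_master_key(path: str) -> bytes:
    """'No file -> generate a new one'. The file holds one base64 line; it is created
    with O_EXCL (never silently overwritten) and owner-only permissions."""
    if os.path.exists(path):
        with open(path, "r", encoding="ascii") as f:
            key = base64.b64decode(f.read().strip())
        if len(key) != 32:
            raise ValueError(f"{path}: master key must be 32 bytes")
        return key
    key = secrets.token_bytes(32)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="ascii") as f:
        f.write(base64.b64encode(key).decode("ascii") + "\n")
    return key


def key_file_is_private(path: str) -> bool:
    """Owner-only mode on POSIX; Windows ACLs are not checked here."""
    return os.name != "posix" or (os.stat(path).st_mode & 0o777) == 0o600


def _derive(master: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys from the one master key (label is an assumed constant).
    return hmac.new(master, b"as-example-subkey|" + label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class CryptoService:
    """Encrypt(secret) -> base64(version | nonce | ciphertext | tag); Decrypt reverses it.
    Stand-in primitive: HMAC-SHA256 counter-mode keystream plus encrypt-then-MAC tag.
    A deployment would use a library AEAD (AES-GCM) inside the same container."""

    def __init__(self, master_key: bytes) -> None:
        self._enc_key = _derive(master_key, b"enc")
        self._mac_key = _derive(master_key, b"mac")

    def encrypt(self, secret: str) -> str:
        nonce = secrets.token_bytes(NONCE_LEN)            # fresh per call: same secret, different blob
        plaintext = secret.encode("utf-8")
        stream = _keystream(self._enc_key, nonce, len(plaintext))
        body = VERSION + nonce + bytes(a ^ b for a, b in zip(plaintext, stream))
        tag = hmac.new(self._mac_key, body, hashlib.sha256).digest()
        return base64.b64encode(body + tag).decode("ascii")

    def decrypt(self, blob: str) -> str:
        raw = base64.b64decode(blob)
        if len(raw) < 1 + NONCE_LEN + TAG_LEN or raw[:1] != VERSION:
            raise ValueError("unsupported version or truncated blob")
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self._mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):        # verify before touching the ciphertext
            raise ValueError("authentication failed")
        nonce, ciphertext = body[1:1 + NONCE_LEN], body[1 + NONCE_LEN:]
        stream = _keystream(self._enc_key, nonce, len(ciphertext))
        return bytes(a ^ b for a, b in zip(ciphertext, stream)).decode("utf-8")

    def try_decrypt(self, blob: str) -> Optional[str]:
        try:
            return self.decrypt(blob)
        except ValueError:
            return None


def flip_ciphertext_byte(blob: str) -> str:
    """Corrupt one byte of the container; shows that decrypt refuses tampered input."""
    raw = bytearray(base64.b64decode(blob))
    raw[1 + NONCE_LEN] ^= 0x01
    return base64.b64encode(bytes(raw)).decode("ascii")


def make_temp_key_path() -> str:
    """A fresh App_Data-style location under a temporary directory (demo and tests)."""
    return os.path.join(tempfile.mkdtemp(), "App_Data", "master.key")


if __name__ == "__main__":
    path = make_temp_key_path()
    service = CryptoService(load_or_create_master_key(path))   # first call creates the file
    blob = service.encrypt("client-secret-for-codeclient")     # constructed sample secret
    print("stored :", blob)
    print("back   :", service.decrypt(blob))
    print("tamper :", service.try_decrypt(flip_ciphertext_byte(blob)))
    print("reload :", CryptoService(load_or_create_master_key(path)).decrypt(blob))
```

Two properties carry over regardless of primitive: the tag covers the version and nonce as well as the ciphertext, so nothing in the blob can be altered unnoticed, and the master key never appears in the blob, so a dumped database of encrypted client secrets is useless without the file in App_Data.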
