
identitymodel.oidcclient's Introduction

About IdentityModel.OidcClient

This repository contains several libraries for building OpenID Connect (OIDC) native clients. The core IdentityModel.OidcClient library is a certified OIDC relying party and implements RFC 8252, "OAuth 2.0 for Native Apps": authorization code flow with PKCE, the system browser, and loopback or custom-scheme redirect URIs. The IdentityModel.OidcClient.IdentityTokenValidator package validates ID tokens using the Microsoft JWT handler; it is distributed separately so that the core library does not pull that handler's dependencies into every application. Finally, IdentityModel.OidcClient.DPoP adds DPoP (Demonstrating Proof of Possession, RFC 9449) support to IdentityModel.OidcClient for sender-constraining tokens.

Samples

OidcClient targets .NET Standard, making it suitable for .NET and .NET Framework. It can be used to build OIDC native clients with a variety of .NET UI tools. The samples repository shows how to use it in

  • .NET MAUI
  • WPF with the system browser
  • WPF with an embedded browser
  • WinForms with an embedded browser
  • Cross-platform console applications (relies on Kestrel for processing the callback)
  • Windows console applications (relies on an HttpListener, a wrapper around the Windows HTTP.sys driver)
  • Windows console applications using custom URI schemes

Documentation

More documentation is available here.

Certification

OidcClient is a certified OpenID Connect relying party implementation.

Feedback

IdentityModel.OidcClient is released as open source under the Apache 2.0 license. Bug reports and contributions are welcome at the GitHub repository.

identitymodel.oidcclient's People

Contributors

adamralph, aguacongas, blushingpenguin, brockallen, corneliusmunz, dependabot-preview[bot], fmgracias, francoishill, frefre, ghstahl, happi-cat, iamjplant, inyutin-maxim, jarlrasm, jchannon, jochenz, josephdecock, joshiji, kbrekke, kevindockx, leastprivilege, leivymendoza, mderriey, mwasplund, os-liviaschneider, patrickdelancy, paulrreynolds, sascha-developer, vbjay, vmelnalksnis

identitymodel.oidcclient's Issues

signout capability in OidcClient

Hi, I couldn't find a method to sign out with in the OidcClient class. Can you please clarify if the signout URL is expected to be built manually and invoked?

Thanks!

intention of DisplayMode.Hidden

Hi, can I ask what the intention is for passing DisplayMode.Hidden as an argument to the OidcClient.LoginAsync method?

My use case: I need to obtain access tokens for multiple APIs (with different audience values), and I don't wish the user to be presented with the login dialog repeatedly.

Thanks

Where does the "data"-parameter come from that is shown in the readme.md?

Hi, I'm trying to implement the OidcClient2 with a Xamarin Forms app with IdentityServer4 as my identity provider.

I'm getting most of how to implement this with iOS but cannot figure out where the input parameter 'data' for 'var result = await oidcClient.ProcessResponseAsync(data, state);' comes from.

Any hints/suggestions? I'm using the SFSafariViewController as my browser.

Thanks!

Is this library compatible with IdentityServer4

Hi There,

Since ResourceOwnerPassword is deprecated and ClientCredentials are not a recommended way for native WPF Applications I wanted to use this library to talk to IdentityServer4.

Will the ResourceOwnerPassword grant be removed in future versions of IdentityServer?

Can this library at the moment be used with IdentityServer4?

If yes, then how can I allow other users to log in to the same app by effectively logging out? At the moment when I try to open the browser again, it takes me directly to the consent screen.

Please help me.

Add logout support

Call end_session with the configured IBrowser (e.g. to get rid of persistent cookies if needed).

Invalid grant

I get an invalid grant when I try to login from my WinForms app to IS4.

fail: IdentityServer4.Validation.TokenRequestValidator[0]
      Unexpected code_verifier: 12a783b32873a5b4ae0eb7113a067cd978d3d345a8cb29cc0a1a6df131c5839a
fail: IdentityServer4.Validation.TokenRequestValidator[0]
      {
        "ClientId": "las",
        "ClientName": "LAS.NET Client",
        "GrantType": "authorization_code",
        "AuthorizationCode": "e301575cc20f47acf7c15178310f776642a7a30cf2b6a05f54702097b1645b7a",
        "Raw": {
          "grant_type": "authorization_code",
          "code": "e301575cc20f47acf7c15178310f776642a7a30cf2b6a05f54702097b1645b7a",
          "redirect_uri": "http://localhost/winforms.client",
          "code_verifier": "12a783b32873a5b4ae0eb7113a067cd978d3d345a8cb29cc0a1a6df131c5839a",
          "client_id": "las",
          "client_secret": "secret"
        }
      }

This is the client setup:

 new Client
{
	ClientId = "las",
	ClientName = "LAS.NET Client",
	AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,

	ClientSecrets =
	{
		new Secret("secret".Sha256())
	},

	AllowedScopes = new List<string>
	{
		IdentityServerConstants.StandardScopes.OpenId,
		IdentityServerConstants.StandardScopes.Profile,
		IdentityServerConstants.StandardScopes.Email,
		IdentityServerConstants.StandardScopes.Phone,
		"api1"
	},

	RedirectUris = { "http://localhost/winforms.client" },

	AllowOfflineAccess = true,
	RequireConsent = false
},

and this is how I initialize my winform app:

var options = new OidcClientOptions
{
	Authority = "http://localhost:5000",
	ClientId = "las",
	ClientSecret = "secret",
	RedirectUri = "http://localhost/winforms.client",
	Scope = "openid profile api1 offline_access",
	Browser = new WinFormsEmbeddedBrowser(),
	Flow = OidcClientOptions.AuthenticationFlow.Hybrid
};

_oidcClient = new OidcClient(options);

How can I fix this issue?

Question to confirm I'm using the preferred desktop login option

Nice library guys - my company provides some desktop apps for investment banks. I was hoping you could confirm that I am following the recommended direction below.

LOGINS SHOULD NOT USE WEB VIEWS
This seemed to be the standard technique a few years ago, using callback URLs such as urn:ietf:wg:oauth:2.0:oob, but this is no longer considered to be good security. Also, Single Sign On and Password Autofill won't work on a web view.

LOGINS SHOULD USE THE SYSTEM BROWSER
This Auth0 Link summarizes the issue - logins must use the desktop browser to be considered good security.

OPTIONS
The OAuth Standards for Native Apps mentions 3 redirect options:

  • Private URI Scheme
  • Claimed HTTPS Scheme
  • Loopback Interface

OPTION 1 - Private URI Scheme (com.mycompany.com:/mydesktopapp)

  • Works for Mobile apps
  • Works for desktop apps with special OS support, such as Windows Universal apps

I could not use this scheme for my WPF app - the System browser will refuse to redirect to a URL of this form.

OPTION 2 - Claimed HTTPS Scheme (https:/mycompany.com/myapp)

I think this also requires special operating system support - I cannot use it for my WPF app.

OPTION 3 - Loopback Interface (http://127.0.0.1:8000)
This seems to be the recommended option:

  • The end user PC needs to run a simple (low privilege) web server
  • It works for a Desktop App, without special OS support

It looks like the only good option for desktop logins.

PLANNING DEPLOYMENT
We need to tell IT staff at investment banks to not block the local web server.
If we ever ran into an IT department who refused to allow it, the only backup option we could offer would be to login on a web view.
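The loopback option the post above settles on is also the one the "Cross-platform console applications" and "Windows console applications" entries in the Samples list cover. The block below is an added example, not code from the IdentityModel.OidcClient repository or from the poster: an IBrowser that opens the system browser and receives the redirect on an HttpListener bound to 127.0.0.1, together with the login, refresh and logout calls that use it. It assumes IdentityModel.OidcClient 4 or later (LoginRequest/LogoutRequest, LoginResult.User) and .NET Core 3.1 or later; the authority, client id, scope and port are placeholders to replace with your own registration.

```csharp
using System;
using System.Diagnostics;
using System.Net;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using IdentityModel.OidcClient;
using IdentityModel.OidcClient.Browser;

// System-browser IBrowser for desktop apps: opens StartUrl in the default
// browser and waits for the provider to redirect to a loopback HttpListener.
public sealed class LoopbackBrowser : IBrowser
{
    private readonly int _port;

    public LoopbackBrowser(int port) => _port = port;

    // 127.0.0.1 rather than "localhost": a literal address cannot be redirected by a
    // hosts-file or DNS entry. HttpListener prefixes must end with '/'. Register this
    // exact string with the provider (trailing slash included).
    public string RedirectUri => $"http://127.0.0.1:{_port}/";

    public async Task<BrowserResult> InvokeAsync(BrowserOptions options, CancellationToken cancellationToken = default)
    {
        using var listener = new HttpListener();
        listener.Prefixes.Add(RedirectUri);
        listener.Start();

        // UseShellExecute is what makes Process.Start open a URL in the default browser.
        Process.Start(new ProcessStartInfo(options.StartUrl) { UseShellExecute = true });

        var callback = listener.GetContextAsync();
        var timeout = Task.Delay(TimeSpan.FromMinutes(5), cancellationToken);
        if (await Task.WhenAny(callback, timeout) != callback)
        {
            // Either the user never finished in the browser or the caller cancelled.
            return new BrowserResult { ResultType = BrowserResultType.Timeout, Error = "no callback received" };
        }

        var context = await callback;
        var page = Encoding.UTF8.GetBytes("<html><body>Login complete. You can close this window.</body></html>");
        context.Response.ContentType = "text/html";
        context.Response.ContentLength64 = page.Length;
        await context.Response.OutputStream.WriteAsync(page, 0, page.Length);
        context.Response.Close();

        // Hand the whole redirect URL back; OidcClient checks state and nonce, sends the
        // PKCE code_verifier and redeems the code at the token endpoint.
        return new BrowserResult { ResultType = BrowserResultType.Success, Response = context.Request.Url.ToString() };
    }
}

public static class DesktopLogin
{
    public static async Task RunAsync()
    {
        var browser = new LoopbackBrowser(port: 7890);
        var client = new OidcClient(new OidcClientOptions
        {
            Authority = "https://idp.example.com",   // placeholder authority
            ClientId = "native.desktop",             // placeholder public client: no secret
            Scope = "openid profile offline_access",
            RedirectUri = browser.RedirectUri,       // must match the provider's registration exactly
            PostLogoutRedirectUri = browser.RedirectUri,
            Browser = browser,
        });

        // Authorization code flow with PKCE (the library's default): the code is redeemed
        // in the back channel, so no access or refresh token passes through the browser.
        var login = await client.LoginAsync(new LoginRequest());
        if (login.IsError) throw new InvalidOperationException(login.Error);
        Console.WriteLine($"sub={login.User.FindFirst("sub")?.Value} expires={login.AccessTokenExpiration:u}");

        // Same client instance, so the discovery document is already loaded.
        var refreshed = await client.RefreshTokenAsync(login.RefreshToken);
        if (refreshed.IsError) throw new InvalidOperationException(refreshed.Error);

        // end_session through the same browser; id_token_hint lets the provider skip a prompt.
        var logout = await client.LogoutAsync(new LogoutRequest { IdTokenHint = login.IdentityToken });
        if (logout.IsError) Console.WriteLine($"logout failed: {logout.Error}");
    }
}
```

The listener is created inside InvokeAsync and disposed when it returns, so the port is only open while a login or logout is in flight. No client secret is configured: a native app cannot keep one, and PKCE binds the code to this process instead.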

v2.3.0 and v2.4.0 crash on Xamarin Forms (Android app)

Versions 2.3.0 and 2.4.0 crash on Xamarin Forms (Android app).
Seems like the reason is the System.Runtime.CompilerServices.Unsafe packages which is a dependency of your packages.
There are several similar issues on the EntityFrameworkCore repository (e.g. dotnet/efcore#8922).
Also several other related issues like https://forums.xamarin.com/discussion/comment/312241/#Comment_312241.

App starts and crashes with

D/Mono ( 3632): Assembly Loader probing location: 'System.Runtime.CompilerServices.Unsafe'.
F/monodroid-assembly( 3632): Could not load assembly 'System.Runtime.CompilerServices.Unsafe' during startup registration.
F/monodroid-assembly( 3632): This might be due to an invalid debug installation.

What about Unity ?

Is this client implementation usable with Unity? Did someone already achieve it successfully?

Thanks for your time,
Vinny

at_hash is missing

I just tried the built in ConsoleClient using Azure Active Directory. I received an error stating that the at_hash is missing.

Digging into this a bit it looks like the issue is at https://github.com/IdentityModel/IdentityModel.OidcClient2/blob/f8fc3501aea43c16f1ada2d0dcf429464dd3015e/src/IdentityModel.OidcClient/ResponseProcessor.cs#L210.

By default the Policy has RequireAccessTokenHash = True. In the case of a hybrid flow ("code id_token") it looks like it's optional to include the at_hash. See http://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken. Ie. After validating the id_token from the front-channel and then redeeming the authorization code there is no requirement for the token endpoint to give a at_hash.

I'm wondering if it would be a better default to have RequireAccessTokenHash = false when using a Hybrid Flow?

Authenticating client with client-assertion (jwt)

Hi, I know this isn't an issue, but a question.. :) But, hopefully you can give me some pointers..

We would like to try out client authentication in a WPF application using the OidcClient by passing client-assertions (jwt's).

Would adding the necessary params by passing extra parameters in the PrepareLoginAsync() method be the way to go?

Error loading discovery document: Issuer name does not match authority

IdentityServer4 allows you to overwrite the IssuerUri.
I'm using this in a dev environment because my identityserver gets called from localhost (some microservice running on localhost on some other ports) AND from other hosts (e.g. any mobile devices).
On these mobile devices, IdentityModel.OidcClient2 is running, which accesses the identityserver through its IP (let's say 192.168.1.1).
The problem is that other microservices which rely on the token issued by identityserver are probing the issuer. Clients running on localhost (for example a browser which accesses identityserver and microservice) will have tokens issued by http://localhost:5000. And the mobile device would use a token issued by http://192.168.1.1:5000.
In the microservice I have to set ONE issuer (let's say http://localhost:5000).
In order to allow a mobile device (using this library) access the microservice, I have to use always the same issuer on identityserver which is different than the authority.

See also: IdentityServer/IdentityServer4#1207.

Can we remove that check?

Closing IBrowser while waiting for LoginAsync

Hello,

Can you please help me obtain a response for a problem that I'm having and that I posted on stackoverflow (https://stackoverflow.com/questions/48586854/oidcclient2-closing-ibrowser-while-waiting-for-loginasync) , please?

In short my problem is related to the events that close the IBrowser (backbutton on Android for example) associated with the OidcClient while awaiting for the LoginResult (var result = await client.LoginAsync();).

Thank you very much!
Ricardo

The IdentityModel.OidcClient 2.0.0 is not compatible with UWP

Hello,

Is it possible to make it work with UWP? Up to version 1.7.0 it's working fine.

I got this error:

System.Security.Cryptography.Csp 4.3.0 provides a compile-time reference assembly for System.Security.Cryptography.Csp on UAP,Version=v10.0, but there is no run-time assembly compatible with win10-arm.
One or more packages are incompatible with UAP,Version=v10.0 (win10-arm).
System.Security.Cryptography.Csp 4.3.0 provides a compile-time reference assembly for System.Security.Cryptography.Csp on UAP,Version=v10.0, but there is no run-time assembly compatible with win10-arm-aot.
One or more packages are incompatible with UAP,Version=v10.0 (win10-arm-aot).
System.Security.Cryptography.Csp 4.3.0 provides a compile-time reference assembly for System.Security.Cryptography.Csp on UAP,Version=v10.0, but there is no run-time assembly compatible with win10-x64.
One or more packages are incompatible with UAP,Version=v10.0 (win10-x64).
System.Security.Cryptography.Csp 4.3.0 provides a compile-time reference assembly for System.Security.Cryptography.Csp on UAP,Version=v10.0, but there is no run-time assembly compatible with win10-x64-aot.
One or more packages are incompatible with UAP,Version=v10.0 (win10-x64-aot).
System.Security.Cryptography.Csp 4.3.0 provides a compile-time reference assembly for System.Security.Cryptography.Csp on UAP,Version=v10.0, but there is no run-time assembly compatible with win10-x86.
One or more packages are incompatible with UAP,Version=v10.0 (win10-x86).
System.Security.Cryptography.Csp 4.3.0 provides a compile-time reference assembly for System.Security.Cryptography.Csp on UAP,Version=v10.0, but there is no run-time assembly compatible with win10-x86-aot.
One or more packages are incompatible with UAP,Version=v10.0 (win10-x86-aot).

Thanks.

How to set 'acr_values' in UWP?

Hello,

Could you point me out how to set the acr_values in UWP?

I found the settings with oidc-client-js but not for the UWP client.
acr_values: "idp:XXXXXXX"

Thanks,
Adrien.

TokenClientFactory and support for Proof of Possession

RedeemCodeAsync uses the TokenClientFactory to get a TokenClient which it then uses to get an Access Token by calling RequestAuthorizationCodeAsync.

According to https://identityserver.github.io/Documentation/docsv2/pop/requesting.html it would be possible to use Proof of Possession if we could convert this call to RequestAuthorizationCodePopAsync. We could add the key to the OidcOptions class, and if it is supplied, use the PoP method instead of the normal one.

Is this something you'd be interested in receiving a PR for?

LoginResult property AccessTokenExpiration DateTime.Now

Hello,

I was wondering why for the LoginResult in the oidc client the AccessTokenExpiration uses DateTime.Now instead of DateTime.UtcNow? And I guess the same applies to AuthenticationTime.

var loginResult = new LoginResult
{
    Claims = FilterClaims(result.Claims),
    AccessToken = result.TokenResponse.AccessToken,
    RefreshToken = result.TokenResponse.RefreshToken,
    AccessTokenExpiration = DateTime.Now.AddSeconds(result.TokenResponse.ExpiresIn),
    IdentityToken = result.TokenResponse.IdentityToken,
    AuthenticationTime = DateTime.Now
};

Thanks,

Sandeep

Many dependencies from NuGet install

My target framework is 4.6.1 and I plan to run my project on windows and linux (with mono).
When I try to install the nuget package it also tries to install a lot of dependencies that are already available in mscorlib. I think this is because it also tries to add .NET Core/Standard libraries, which I don't need or want because the build output becomes gigantic. I even switched my target to 4.5.2 temporarily but that didn't seem to help and .NET Standard libraries were still being added.

Is it possible to install this package without so many references being added?

Android Custom Tabs sample crashing when debugging disabled

When implementing OidcClient2 in our app, we noticed the login call was failing for store builds. This is only occurring for Android.

When building the Android Chrome custom tabs project with debugging disabled, the app crashes. By using a dialog in a try/catch, the following error message was found by calling LoginAsync():

Error loading discovery document: Error connecting to https://demo.identityserver.io/.well-known/openid-configuration: An error occurred while sending the request.

Add AcrValues property to support IdP

I noticed that there is no option to pass the acrValues to the AuthorizeRequest.

Extending the OidcClientOptions and AuthorizeState classes with an AcrValues property and gluing it together in the AuthorizeClient would provide the ability to use e.g. idp:Facebook and bypass the IdSvr login screen and go directly to the provider in question.
This is very useful when used in native/mobile applications if they present their own set op login options.

Login with Facebook SDK

Let say I need following
(1) User clicks on the Facebook login of my app
(2) User is already logged in with the Facebook app on his mobile
(3) I am using the Facebook SDK to get a token
(4) Now I want to store the user information and get a local access token

Can you please guide me whether this is supported by Identity Model 4

Thanks

implicit flow? client secret?

Is there a way to get an id token without client secret?
From what I understand, implicit flow would accomplish that, but it seems that only AuthorizationCode and Hybrid are present in the library and none of them seems to work without client secret (result.IdentityToken is null if I don't provide client secret in OidcClientOptions).

RequireIdentityTokenOnRefreshTokenResponse

What is the use case for RequireIdentityTokenOnRefreshTokenResponse?

I can't find anything in the oidc connect spec about requesting an ID token as part of the refresh flow. Also, is this supported by IdentityServer3?

How to transform GetUserInfoAsync to ClaimsPrincipal

I'm getting a ClaimsPrincipal instance from the LoginAsync method.
My identity server is using refresh tokens. So I am refreshing the access token and also would like to get updated claim values. My application uses the ClaimsPrincipal object. I was wondering, how can I retrieve claims using GetUserInfoAsync and transform them to ClaimsPrincipal like LoginAsync does.

Also the LoginResult provides a RefreshTokenHandler.
How can I construct a RefreshTokenHandler when using RefreshTokenAsync?

Calling RefreshTokenAsync throws exception

How is the RefreshTokenAsync method supposed to be used?

When I instantiate a new instance of OidcClient and call the RefreshTokenAsync method with a previously saved refresh_token, I get a NullReferenceException with the following stack trace relevant to OidcClient

at IdentityModel.OidcClient.Infrastructure.TokenClientFactory.Create(OidcClientOptions options)
at IdentityModel.OidcClient.OidcClient.<RefreshTokenAsync>d__12.MoveNext()

It would seem that TokenClientFactory.Create depends on the ProviderInformation being initialized (see https://github.com/IdentityModel/IdentityModel.OidcClient2/blob/dev/src/IdentityModel.OidcClient/Infrastructure/TokenClientFactory.cs#L10-L21).

When I first call LoginAsync and then RefreshTokenAsync, all works fine, because EnsureConfigurationAsync was called in that case (https://github.com/IdentityModel/IdentityModel.OidcClient2/blob/dev/src/IdentityModel.OidcClient/OidcClient.cs#L61), which will load the information from the discovery document.

Am I misunderstanding the use case. Surely I must be able to initialize an instance of OidcClient at a later stage and use it to refresh a token which was previously saved when a user authenticated?

HTTPS Requirements?

Does this require the Identity Server to be running over https with a valid cert or can that be turned off when developing locally?

Thanks
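The https question just above and the earlier "Issuer name does not match authority" report both come down to OidcClientOptions.Policy. The block below is an added example, not code from the project or from either post: a small factory that keeps every validation on for production and relaxes only the two discovery checks a local, non-TLS provider actually needs, refusing a plain-http authority outside development. Client id, scope and redirect URI are placeholders; the RequireAccessTokenHash and RequireIdentityTokenOnRefreshTokenResponse lines relate to the hybrid-flow and refresh-token questions elsewhere on this page and are set explicitly so the choice is visible in code review.

```csharp
using System;
using IdentityModel.OidcClient;

public static class ClientOptionsFactory
{
    // isLocalDevelopment relaxes checks that only make sense against a provider the
    // developer runs themselves; a production build keeps every validation on.
    public static OidcClientOptions Create(string authority, bool isLocalDevelopment)
    {
        var authorityUri = new Uri(authority);
        if (!isLocalDevelopment && authorityUri.Scheme != Uri.UriSchemeHttps)
        {
            // Tokens, the client's PKCE verifier and the discovery document would all
            // travel in clear text; never allow this outside a developer machine.
            throw new ArgumentException("Production clients must use an https authority", nameof(authority));
        }

        var options = new OidcClientOptions
        {
            Authority = authority,
            ClientId = "native.desktop",              // placeholder public client
            Scope = "openid profile offline_access",
            RedirectUri = "http://127.0.0.1:7890/",   // placeholder loopback redirect
        };

        if (isLocalDevelopment)
        {
            // Weak setting, dev only: the provider is reachable over plain http
            // (http://localhost:5000 or http://192.168.1.1:5000 in the report above).
            options.Policy.Discovery.RequireHttps = false;

            // Weak setting, dev only: the address the app connects to (an IP) differs from
            // the issuer the provider advertises (localhost). Turning this off means a wrong
            // or substituted discovery document is no longer caught by its issuer value.
            options.Policy.Discovery.ValidateIssuerName = false;
        }
        // Production keeps the defaults: https required, issuer must match the authority,
        // and endpoints in the discovery document must live under that authority.

        // Hybrid "code id_token": the id_token returned from the token endpoint need not carry
        // at_hash (only a front-channel id_token issued alongside an access token must), so do
        // not fail the login on its absence.
        options.Policy.RequireAccessTokenHash = false;

        // Refresh responses commonly omit an id_token; only require one if the provider
        // returns it and the app depends on fresh claims from it.
        options.Policy.RequireIdentityTokenOnRefreshTokenResponse = false;

        return options;
    }
}
```

Wire isLocalDevelopment to a build configuration or an explicit environment flag rather than to "is the authority localhost", so the relaxed branch can never be reached by pointing a release build at an attacker-chosen http address.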

Option to bypass id_token signature verification

Would it be possible for me to add an option to allow user to disable signature verification for the id_token?

We are using code flow and we want an option to be able to turn off signature validation completely.

My idea is to add a new option to OidcClientOptions - something like VerifyIdentityTokenSignature which defaults to true. When set to false, it will set the RequireSignedTokens property of the TokenValidationParameters to false;

https://github.com/IdentityModel/IdentityModel.OidcClient2/blob/dev/src/IdentityModel.OidcClient/IdentityTokenValidator.cs#L39-L48

This will then bypass signature validation:
https://github.com/IdentityModel/IdentityModel.OidcClient2/blob/dev/src/IdentityModel.OidcClient/IdentityTokenValidator.cs#L155

symbol files

Hi,

Are the symbol files published for this library to any symbol server? I can't find them on nuget.smbsrc.net, srv.symbolsource.org/pdb/MyGet or srv.symbolsource.org/pdb/Public

Thanks, Mark

Install on Profile 44 or 111

Hi, I'm trying to install this via nuget on a PCL with profile 44. Previous to this I tried on profile 111 and still the same result.
Can someone clarify this?
In the end this is a Xamarin Forms app.
I have other libraries that are .NetStandard (ex. Xam.Settings plugin by @jamesmontemagno James Montemagno) and are running great.

Error:
Could not install package 'IdentityModel.OidcClient 2.3.0'. You are trying to install this package into a project that targets '.NETPortable,Version=v4.6,Profile=Profile44', but the package does not contain any assembly references or content files that are compatible with that framework. For more information, contact the package author.

No access token when Processing Response, using manual mode. Version 1.7.0

var options = new OidcClientOptions(
                "http://10.0.2.2:9000",
                "ZoneChasse",
                "secret",
                "openid id_token profile offline_access sso",
                "com.zonechasseapp.mobile://callback"
            );

StartUrl:

http://10.0.2.2:9000/connect/authorize?client_id=ZoneChasse&response_type=code+id_token&scope=openid+id_token+profile+offline_access+sso&redirect_uri=com.zonechasseapp.mobile%3A%2F%2Fcallback&state=4e55e39e9cb1d10547b846e21b83d3c851407af04599bc475180312fcf31f0a17c385b2ae048683e191b84113508308949d8e65f9d7b32a102aaeba30c002bce&nonce=3f922aa811abaa874437256a05deab7f3b697da3ea56f6112e639b425444b40fa9adf71b17fb25307c81058fc6095a7c6e3650aeb53879c20fb84f214342b04a&code_challenge=ujJKfE5rf_oSeaxGpaVvzwQQCQf9Sp84_PhWuh1enEM&code_challenge_method=S256

Parsing the answer using:

AuthorizeResponse authResponse = new AuthorizeResponse(callbackUrl);

Every time I get the response back the access token is always null... On the other hand I get the Identity Token, so I'm pretty sure the authentication worked as expected. But I can't figure out how to get an access token.

How should I proceed ? Am I missing a call or something ?
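Both this report and the earlier Xamarin question about the 'data' argument use the library's manual mode. The block below is an added example, not code from the project or from either post, showing that mode end to end: PrepareLoginAsync returns the AuthorizeState (start URL, state, nonce and PKCE code_verifier), the app opens StartUrl itself, and the 'data' passed to ProcessResponseAsync is the complete redirect URL the OS hands back (or the form-post body when response_mode=form_post is used). With response_type=code id_token the front channel carries only the code and the id_token; the access and refresh tokens exist only after ProcessResponseAsync has redeemed the code at the token endpoint, which is why parsing the callback URL alone never yields one. Authority, client id and custom scheme are placeholders, and the state is round-tripped through JSON (System.Text.Json assumed available) so it survives the app being backgrounded while the browser is up.

```csharp
using System;
using System.Text.Json;
using System.Threading.Tasks;
using IdentityModel.OidcClient;

public static class ManualModeLogin
{
    private static readonly OidcClient Client = new OidcClient(new OidcClientOptions
    {
        Authority = "https://idp.example.com",          // placeholder authority
        ClientId = "com.example.mobile",                // placeholder public client
        Scope = "openid profile offline_access",
        RedirectUri = "com.example.mobile://callback",  // placeholder custom scheme
    });

    // Step 1: build the authorize URL and persist the AuthorizeState. The state holds
    // the state/nonce values and the PKCE code_verifier; without it the redirect
    // cannot be validated and the code cannot be redeemed.
    public static async Task<string> StartAsync(Action<string> persistState)
    {
        AuthorizeState state = await Client.PrepareLoginAsync();
        persistState(JsonSerializer.Serialize(state));
        return state.StartUrl; // open in SFSafariViewController / Custom Tabs / the system browser
    }

    // Step 2: the OS delivers the redirect URL (the "data" argument). Reload the
    // persisted state, reject anything that is not our redirect URI, then let the
    // library validate state and nonce and redeem the code for tokens.
    public static async Task<LoginResult> FinishAsync(string callbackUrl, string persistedState)
    {
        var state = JsonSerializer.Deserialize<AuthorizeState>(persistedState)
                    ?? throw new InvalidOperationException("no pending login");

        if (!callbackUrl.StartsWith(state.RedirectUri, StringComparison.Ordinal))
            throw new InvalidOperationException("callback does not match the expected redirect URI");

        var result = await Client.ProcessResponseAsync(callbackUrl, state);
        if (result.IsError)
            throw new InvalidOperationException($"{result.Error}: {result.ErrorDescription}");

        // result.AccessToken and result.RefreshToken came from the token endpoint,
        // not from the redirect URL.
        return result;
    }
}
```

Discard the persisted state after FinishAsync has run, successfully or not: the code_verifier it contains is single-use and keeping it around only helps an attacker who can read app storage.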

LogoutAsync - API call doesn't work explicitly, throws exception due to lack of ProviderInformation.

LogoutAsync API call doesn't work explicitly as it doesn't have provider information internally and throws an exception. I think unlike the LoginAsync or GetUserInfoAsync API, logout doesn't have a discovery document fetch call internally.
I have a requirement to call the logoutAsync APIs from a client application where it already has a valid token/successful authentication and user has relaunched/restarted the application and trying to invoke the logout.

Just instantiating the OidcClient object and calling LogoutAsync, doesn't work.

invalid_grant / no description

Hi, I am using the IdentityModel.OidcClient2 DLL for a connection to an OpenID server to get a token after giving the credentials or authentication via browser, and I got the following error. I checked and tried to find something on the internet without success. I get the error on var result = await client.ProcessResponseAsync(formData, state); does anybody have a hint?

var options = new OidcClientOptions {
    LoadProfile = true,
    Authority = _Authority,
    ClientId = "client",
    ClientSecret = "secret",
    RedirectUri = "http://localhost:5678",
    Scope = "openid profile",
    Flow = OidcClientOptions.AuthenticationFlow.AuthorizationCode,
    FilterClaims = true
};

sample: https://github.com/IdentityModel/IdentityModel.OidcClient.Samples/blob/master/ConsoleSystemBrowser/ConsoleSystemBrowser/Program.cs

Many Thanks.
Carlos

OidcClient.LoginAsync() Method not found Error

Hello,

I'm trying to implement IdentityModel.OidcClient for our WinForms solution in order to authenticate against a local IdentityServer. I followed the provided WinForm sample (https://github.com/IdentityModel/IdentityModel.OidcClient.Samples/tree/master/WinFormsWebView) and included the WebView .cs files in my project. This is what my code looks like:

var options = new IdentityModel.OidcClient.OidcClientOptions
                {
                    Authority = _authority,
                    ClientId = _clientId,
                    Scope = _scope,
                    RedirectUri = _redirectUri,

                    Browser = new WinFormsEmbeddedBrowser()
                };

IdentityModel.OidcClient.OidcClient _oidcClient = new IdentityModel.OidcClient.OidcClient(options);
var result = await _oidcClient.LoginAsync(IdentityModel.OidcClient.Browser.DisplayMode.Visible);

When I try to go past the last line with LoginAsync(), I get the following error:

Method not found: 'Void IdentityModel.Client.DiscoveryClient..ctor(System.String, System.Net.Http.HttpMessageHandler)'.

I have enabled in my .csproj file, which generated the following redirects:

<dependentAssembly>
        <assemblyIdentity name="Microsoft.Ink" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-6.1.0.0" newVersion="6.1.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-11.0.0.0" newVersion="11.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Net.Http" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-4.1.1.2" newVersion="4.1.1.2" />        
</dependentAssembly>

I tried to recreate the issue in a new console project with just the IdentityModel.OidcClient nuget package, WebView files for the browser, and the same code snippet as above. When I run it, the program just exits as soon as it hits the LoginAsync() part of the code without warnings or any exceptions.

I've been banging my head against the wall on this for a couple of days, so any help would be greatly appreciated! Thanks in advance.

Edit: I forgot to mention that I'm using .NET 4.6.1 and the latest stable nuget package (2.5.1).

IdentityServer3 Compatibility

Is this library compatible with Identity Server 3? I was able to successfully use it very quickly with IDS4. However, it is not the case with IDS3. My current project is a native android / iOS app using Xamarin.

For client authentication, I am using a Hybrid client and receiving a fragmented redirect. With ID4, this library works great I can call the following line (taken directly from a sample):
var result = await _client.ProcessResponseAsync(redirectUrl, _state);

...and hurray, I get my Identity, Access, and refresh token.

However, with IDS3, I call the same line and it returns an error of "at_hash missing." The actual fragmented URI shows the token is there.....It seems this has something to do with extracting the Access Token from the ID Token- but I am not 100% sure.

Unfortunately, IDS4 is currently out of the question due to some library compatibility issues... so I was hoping to use IDS3 until there is time to properly update the existing libraries to .NET Core.

This leaves my question, is this compatible with IdentityServer3?

Thanks!
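The "at_hash missing" error in this post and in the earlier Azure Active Directory report above both turn on what at_hash is and when an id_token must carry it. The block below is an added example, not code from IdentityModel.OidcClient, that computes and checks at_hash as OpenID Connect Core 1.0 defines it: the left-most half of the hash used by the id_token's signature algorithm, applied to the ASCII bytes of the access token, base64url-encoded. It separates the three cases a relying party has to treat differently: claim present and matching, present and wrong (the token pair must be rejected), and absent (for response_type=code id_token a front-channel id_token carries at_hash only when an access token was issued with it, and the token-endpoint id_token may omit it, which is the case the RequireAccessTokenHash policy decides). The access token and alg values fed to it are constructed inputs; CryptographicOperations requires .NET Core 2.1 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class AccessTokenHash
{
    // Maps the id_token "alg" to its hash: RS256/ES256/PS256/HS256 all use SHA-256,
    // the 384 and 512 variants likewise. Anything else is rejected rather than guessed.
    private static HashAlgorithm HashFor(string idTokenAlg)
    {
        if (idTokenAlg.EndsWith("256", StringComparison.Ordinal)) return SHA256.Create();
        if (idTokenAlg.EndsWith("384", StringComparison.Ordinal)) return SHA384.Create();
        if (idTokenAlg.EndsWith("512", StringComparison.Ordinal)) return SHA512.Create();
        throw new ArgumentException($"no at_hash mapping for alg '{idTokenAlg}'", nameof(idTokenAlg));
    }

    // at_hash = base64url(left half of HASH(ascii(access_token)))
    public static string Compute(string accessToken, string idTokenAlg)
    {
        using HashAlgorithm hash = HashFor(idTokenAlg);
        byte[] digest = hash.ComputeHash(Encoding.ASCII.GetBytes(accessToken));
        var left = new byte[digest.Length / 2];
        Array.Copy(digest, left, left.Length);
        return Base64Url(left);
    }

    // true  : at_hash present and it matches the access token
    // false : at_hash present but wrong; the access token does not belong to this id_token
    // null  : no at_hash claim at all; the caller's policy decides whether that is allowed
    public static bool? Verify(string accessToken, string idTokenAlg, string atHashClaim)
    {
        if (string.IsNullOrEmpty(atHashClaim)) return null;
        string expected = Compute(accessToken, idTokenAlg);
        // Constant-time comparison; FixedTimeEquals returns false on a length mismatch.
        return CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(expected), Encoding.ASCII.GetBytes(atHashClaim));
    }

    private static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Constructed inputs for a quick run; no real tokens involved.
    public static void Demo()
    {
        const string accessToken = "constructed-access-token-value";
        string good = Compute(accessToken, "RS256");
        Console.WriteLine($"match  : {Verify(accessToken, "RS256", good)}");              // True
        Console.WriteLine($"wrong  : {Verify(accessToken, "RS256", Compute("other", "RS256"))}"); // False
        Console.WriteLine($"absent : {Verify(accessToken, "RS256", null)?.ToString() ?? "null"}"); // null
    }
}
```

A null result is only safe to accept when the access token was obtained from the token endpoint in the back channel, where the TLS connection to the provider already binds it to the code exchange; an access token taken from the front channel without a matching at_hash should be treated as unverified.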

Optional identity tokens

It seems that currently, the OidcClient always requires the token response to include an identity token. When logging in using the authorization code flow, ProcessCodeFlowResponseAsync() will call ValidateTokenResponseAsync() with the default true value for requireIdentityToken.

This means you can't use OidcClient for just acquiring access tokens from an authorization server that does not provide id tokens. Is that right or am I missing a setting?

unhandled exception on await client.LoginAsync(); #question

I'm getting an unhandled exception on await client.LoginAsync();

I used the Android web view sample from https://github.com/IdentityModel/IdentityModel.OidcClient.Samples

Here is a copy of my IBrowser implementation class:

using Android.Content;
using IdentityModel.OidcClient.Browser;
using System.Threading.Tasks;

public class SystemBrowser : IBrowser
{
    private readonly Context _context;

    //public event EventHandler<Browser> HiddenModeFailed;

    public SystemBrowser(Context context)
    {
        _context = context;
    }

    public Task<BrowserResult> InvokeAsync(BrowserOptions options)
    {
        var tcs = new TaskCompletionSource<BrowserResult>();

        // Start the sample's web view activity and hand it the browser options.
        var intent = new Intent(_context, typeof(AuthWebViewActivity));
        intent.PutExtra("ClearCookies", true);
        var state = new AuthWebViewActivity.State
        {
            Options = options
        };

        // Complete the task once the activity reports the callback URL.
        state.OnSuccess += (sender, res) =>
        {
            tcs.SetResult(new BrowserResult
            {
                Response = res,
                ResultType = BrowserResultType.Success
            });
        };
        intent.PutExtra("StateKey", AuthWebViewActivity.StateRepo.Add(state));

        _context.StartActivity(intent);

        return tcs.Task;
    }
}

preferred language for the login page?

Is there any way to pass a preferred language into the LoginAsync method so it will be passed on the call made to the OpenID server? I looked into OidcClientOptions, but couldn't find any language related settings there.

NullReferenceException in OidcClient.AuthorizeClient - iOS 11

Hi, I've been using your plugin for Xamarin iOS integration with IdentityServer4. The logging in works perfectly, but I am having trouble figuring out the log out process. I looked at your sample and used the code you have there, but for some reason I am not able to get the log out working. The exception thrown is below: how do I figure out which object is null?

at IdentityModel.OidcClient.AuthorizeClient+<EndSessionAsync>d__5.MoveNext () [0x0001f] in <0c50e96169f84d2c85ba9dedaa93f59c>:0
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in /Library/Frameworks/Xamarin.iOS.framework/Versions/11.6.1.4/src/mono/mcs/class/referencesource/mscorlib/system/runtime/exceptionservices/exceptionservicescommon.cs:152
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x00037] in /Library/Frameworks/Xamarin.iOS.framework/Versions/11.6.1.4/src/mono/mcs/class/referencesource/mscorlib/system/runtime/compilerservices/TaskAwaiter.cs:187
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x00028] in /Library/Frameworks/Xamarin.iOS.framework/Versions/11.6.1.4/src/mono/mcs/class/referencesource/mscorlib/system/runtime/compilerservices/TaskAwaiter.cs:156
at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x00008] in /Library/Frameworks/Xamarin.iOS.framework/Versions/11.6.1.4/src/mono/mcs/class/referencesource/mscorlib/system/runtime/compilerservices/TaskAwaiter.cs:128
at System.Runtime.CompilerServices.TaskAwaiter.GetResult () [0x00000] in /Library/Frameworks/Xamarin.iOS.framework/Versions/11.6.1.4/src/mono/mcs/class/referencesource/mscorlib/system/runtime/compilerservices/TaskAwaiter.cs:113
at IdentityModel.OidcClient.OidcClient+<LogoutAsync>d__10.MoveNext () [0x00080] in <0c50e96169f84d2c85ba9dedaa93f59c>:0
--- End of stack trace from previous location where exception was thrown ---

What I want to do is when the user clicks on the logout button, they will be taken to the IdentityServer4 instance, logged out, and redirected back to the app. Additionally, I'll wipe the tokens from the app, but that's out of scope of IdentityServer. Can you please help?

Thank you!

RedirectURL validation when using UWP

I was wondering if you could help me with a problem I have. I am trying to build a UWP app that is authenticated through Identity Server.
I've used the UWP sample from this repository as a base. In that sample the redirect url is set through WebAuthenticationBroker.GetCurrentApplicationCallbackUri().
The problem is that my Identity Server has a RedirectUrl validator that verifies that the URL supplied with the request is the one that the client is supposed to have (we have different clients for different platforms like web, iOS, Android etc.). But as far as I understand, the Uri returned by the method above will be different each time the app is deployed to a different computer. Is that so? And if it is, do you know how that can be overcome?
Thanks!

RedirectUris trailing slash

If the redirect Uris between IdentityServer and IdentityModel.OidcClient2 don't match exactly, including whether there is a trailing slash, the log produces an error of an invalid redirect Uri. The IdentityServer console does not report anything. This is only apparent if you enable logging within IdentityServer. It is not difficult to make sure that the Uris between the client and the server are exact. However, it seems like the comparison should not fail based on the difference of a trailing slash.

Is this similar to ComponentPro.Saml dll ?

Is this library similar to ComponentPro.Saml dll?
I need to replace a Shibboleth implementation (SAML) with OpenID Connect in one of my projects.
Is there some class like AuthnRequest which could perform redirection and validation for me?

uri callback disabled?

I'm trying to implement an authorization flow.
From what I understood so far I'm supposed to go for the AuthorizationCode flow.

I thought the flow would be like this:

  1. The client makes a request to the backend and gets a redirect back
  2. I use the redirect information (including callback uri) and call LoginAsync
  3. That call pops up a web browser where I can log in
  4. The web browser gets redirected to the callback uri
  5. The backend receives the callback and gets id token and sets a session cookie
  6. The client can use the session cookie to keep on communicating with the backend

The problem is that I'm looking in the samples in the browser implementation WinFormsWebView and can see that the callback is explicitly canceled in the BeforeNavigate2 event. That means that even though I got authorized by the OpenID provider, my backend has still no idea about it and I have no session cookie.

Why was this callback disabled? Is it because it's just a sample and I have to create my own browser implementation that goes through with it, or have I misunderstood something?

problems authenticating with Azure AD

I tried to use it against Azure AD, but no success. I copied the WinForms sample, verified that it worked against the example server, then tried to change OidcClientOptions to match the ones in Azure AD.
I set Authority to https://login.microsoftonline.com/[tenant-id]
But when calling _oidcClient.LoginAsync(DisplayMode.Visible) I get following exception:

Error loading discovery document: Issuer name does not match authority: https://sts.windows.net/[tenant-id]

I'm confused. Is it because of mismatch between login.microsoftonline.net and sts.windows.net?
But this is how it is in Azure AD, the URIs to call are based on the first, but the issuer is the second.
Why does it throw an exception?

Issue with malformed URL

Hello,

I'm currently trying to use this library in order to authenticate from my Xamarin.Android app. The problem I am having is that, after checking out the samples and trying to set up the client on my side, I get a Malformed URL exception. As far as I saw, the issue is that after authentication passes through in the System Browser implementation from the samples, I try to pass in only the callbackUrl, but only the old OIDC client works with this implementation. The new one apparently expects the whole URL with all of the query parameters.

As I'm quite new to identity servers and OAuth2 and so on, I guess I need some help and maybe ask you to review the samples so they actually work with OidcClient2. Could you shed some light as to what I might do to actually get this to work? I've been trying to handle it on my own for a while, but I'm lacking a lot of knowledge.

Best regards.
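As an added illustration for the two callback questions above (the navigation canceled in the WinForms sample, and the Malformed URL error when only the bare callback URL is passed), not code from the samples repository: with OidcClient2 the app, not the browser, consumes the authorization response, so whatever captures the redirect hands the complete callback URL, query string included, to ProcessResponseAsync. The authority and client values are placeholders, and OpenSystemBrowser / ReceiveCallbackUrlAsync are hypothetical platform hooks.

```csharp
using System;
using System.Threading.Tasks;
using IdentityModel.OidcClient;

// Added example, not library or sample code. OpenSystemBrowser and
// ReceiveCallbackUrlAsync are hypothetical platform hooks; the authority,
// client id and redirect URI are placeholders.
public static class ManualLoginExample
{
    public static async Task<LoginResult> LoginAsync()
    {
        var options = new OidcClientOptions
        {
            Authority = "https://<your-identityserver>",   // placeholder
            ClientId = "<client-id>",                       // placeholder
            Scope = "openid profile",
            // Must match the server-side registration character for character.
            RedirectUri = "myapp://callback",
        };
        var client = new OidcClient(options);

        // Step 1: build the authorize URL. The returned state carries the
        // state, nonce and PKCE code_verifier that step 3 needs.
        AuthorizeState state = await client.PrepareLoginAsync();

        // Step 2: open the browser. The navigation to
        // myapp://callback?code=...&state=... is never completed by the
        // browser: the OS routes the custom scheme to the app (or, in the
        // WinForms sample, BeforeNavigate2 cancels it and keeps the URL).
        OpenSystemBrowser(state.StartUrl);
        string fullCallbackUrl = await ReceiveCallbackUrlAsync();

        // Step 3: pass the COMPLETE callback URL. Passing only
        // "myapp://callback" drops the code and state, which is what the
        // Malformed URL error above reflects; OidcClient compares the
        // returned state with state.State before redeeming the code.
        LoginResult result = await client.ProcessResponseAsync(fullCallbackUrl, state);
        if (result.IsError)
        {
            throw new InvalidOperationException(result.Error);
        }
        return result;
    }

    // Hypothetical platform hooks, e.g. an Android intent filter for myapp://.
    private static void OpenSystemBrowser(string url) => throw new NotImplementedException();
    private static Task<string> ReceiveCallbackUrlAsync() => throw new NotImplementedException();
}
```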

Strong name?

I'm trying to use the library from a strong named assembly, which means that the library also has to be strong named. I fixed this by taking the source and building it myself and signing, but then I will have to rebuild it every time there is a change. Would it be possible to add strong naming to this package?
