identityserver2's People

Contributors

astaykov, brockallen, chrissimmons, cotepatrice, divyang4481, eldiosyeldiablo, feinoujc, gmetzker, jd4u, jmcginty, larsw, leastprivilege, peter-dolkens, robthejedi, sebastien-allard, tanenbaum

identityserver2's Issues

New User Creation Broken in latest build

Creating a new user causes an exception. On form submit, the model is not valid due to the role collection being null. When the page reloads, iterating through the roles fails in the view.

New users via external identity providers

I'm trying to implement a scenario where my API is a realm protected by Identity Server. Everything works fine, and I'm able to sign in with Facebook users and users I created in Identity Server.
Now I want to understand if the new users coming from Facebook are also being stored in the Identity Server database, and if so, if it is possible to see what realms/resources we already issued a token for, and maybe revoke them (imagine the user logs in via a client app and wants to revoke that access because the mobile phone was stolen).

BTW, congrats on the setup of Identity Server; after trying some other implementations, this was the easiest to set up.

Possible Typo in Thinktecture.IdentityServer.Core\Endpoint.cs

Hi Dominick,

I think there might be a little typo in Thinktecture.IdentityServer.Core\Endpoint.cs here (07112b1):

var hrd = new Uri(baseUriString + Paths.WSFedHRD);
builder = new UriBuilder(passive); // I think this line should be new UriBuilder(hrd);
builder.Scheme = Uri.UriSchemeHttps;
builder.Port = httpsPort;
ep.WSFederationHRD = builder.Uri;

CMIIW

Custom Sign In page

I was thinking of using identity server v2 for a production site. I would like to customize several things:

Account/SignIn views styled to match our site.
Custom logic in the AccountController. I was thinking of doing something conditional given the user clicking the "Remember me?" check box. Perhaps adding a claim based on this so the downstream RP can also know to persist its cookie.
I'm able to update the /src/OnPremise/WebSite project easily enough, but as time goes on I would like good process to pull in your latest code or fixes and do minimal work to merge my customization.

Do you have any suggestions on a more pluggable way of doing this?

Thanks much.

AccountControllerBase.SignIn ignores 'additionalClaims' parameter.

If you look at Thinktecture.IdentityServer.Web.Controllers.AccountControllerBase.SignIn, it has a parameter for 'additionalClaims'.

It calls AuthenticationHelper.SetSessionToken but does not pass in these 'additionalClaims'. From what I can see this parameter is ignored.

Minor issue but I was thinking of using this for something.

Losing Claims when I access the Principal on the Client

I'm using the new Identity Server v2 to create a token and then I am using WIF to inspect it on the client side. I can see that the server is creating the claims I expect. I have even added tracing code so I can see what claims are being added to the Principal before it calls the following code:

FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionToken);

When I inspect the claims on the client, it doesn't have the roles that were added on the server. Only the "name" is found as a claim.

This is the code I am using to view the claims:

using System.Collections.Generic;
using System.Security.Claims;

public static List<string> GetAllClaims()
{
    List<string> claims = new List<string>();
    ClaimsPrincipal principal = ClaimsPrincipal.Current;
    foreach (Claim claim in principal.Claims)
    {
        claims.Add(claim.Value + " - " + claim.Type);
    }

    return claims;
}

Am I doing something wrong?

wsfedsignout error in cookie path and permanent?

SignInSessionManager.ClearEndPoints() forgets to set the path to the same value as WriteCookie(…) does. As a consequence it is never cleared. Why does WriteCookie set Expires? Now it is a disk cookie. It should really be a memory/session cookie, shouldn't it? Because authn cookies and this one should disappear at the same time. And for disk there is only one, but for memory they are per DOM session, which normally enables two separate logons!
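The two points raised in this report (a cookie deletion is only matched by the browser when name and Path agree, and a cookie without Expires lives only as long as the browser session) can be shown with a small pair of helpers. This is an added example, not the poster's code and not the IdentityServer SignInSessionManager; the cookie name is assumed and the Path is derived from the application path in one place so writer and clearer cannot drift apart.

```csharp
using System;
using System.Web;

public static class SignInSessionCookie
{
    // Assumed cookie name for the example; the real name comes from configuration.
    private const string CookieName = "idsrv.signin.endpoints";

    // Derived once so that Write and Clear always use the same Path.
    private static string CookiePath(HttpContextBase ctx)
    {
        var appPath = ctx.Request.ApplicationPath;
        return string.IsNullOrEmpty(appPath) ? "/" : appPath;
    }

    public static void Write(HttpContextBase ctx, string value)
    {
        var cookie = new HttpCookie(CookieName, value)
        {
            Path = CookiePath(ctx),
            Secure = true,
            HttpOnly = true
            // No Expires: a memory cookie, discarded when the browser session
            // ends, so it disappears together with the authentication cookie.
        };
        ctx.Response.Cookies.Add(cookie);
    }

    public static void Clear(HttpContextBase ctx)
    {
        // Same name AND same Path as Write, plus a date in the past.
        // With a different Path the browser keeps the original cookie,
        // which is the symptom the report describes.
        var cookie = new HttpCookie(CookieName, string.Empty)
        {
            Path = CookiePath(ctx),
            Secure = true,
            HttpOnly = true,
            Expires = DateTime.UtcNow.AddYears(-1)
        };
        ctx.Response.Cookies.Add(cookie);
    }
}
```

Write is called when the first WS-Federation sign-in response is issued and Clear on sign-out; because both go through CookiePath, a later change of the application path cannot leave a stale cookie behind.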

Fix delegation object model for RP realm

The delegation configuration should be using a foreign key for the RP realm, not a copy of the realm string. This will allow for a RP's realm to change and the associated delegation configuration will just pickup the updated realm value (rather than also needing to be updated).

HRD and SignOut

Moved from 19:

via Paul:

The short answer is: YES.

The long answer is that an intermediate issuer (federation STS) should remember the upstream IP that has authenticated the user. When wsignout1.0 arrives, a redirect (with wsignout1.0) to the upstream RP is required. Typically a memory cookie (path is application path) is used to remember this.

But now trouble ....
Officially it is Single Sign-On. So there is only one identity (and therefore only one upstream IP) per DOM session (say IdP-a). But if you allow an authenticated user to also log on with an extra identity (by allowing an extra authentication) by using a whr=IdP-b, then you are in trouble. Because when signout is pressed then this path should be cleared too. It is non-trivial (if possible) to know which identity must be cleared....
And a fork (two identities) cannot be cleared with single signout? ADFS2 - rollup2 - was messing around with this. Lots of people were upset....
The classical way to avoid this is not allow two identities (in a single DOM session). Only allow whr to override realm cookie when the user is not authenticated (yep another memory cookie). But don't be surprised if some people do not like that.

deploy to azure webservices

I tried to deploy the server to a free Azure Web Sites account, and I was almost successful; Azure Web Sites even already has a certificate for *.azurewebsites. The problem is ThinkTecture.IdentityServer, and the pool/account that is running the website doesn't have access to the certificate...

Do you guys have a workaround? Can I override the certificate access and use another way?

Thanks.

Troubleshooting a Configuration

Within ADFS, I have configured a Claims Provider Trust to an instance of IdentityServer 2. In my IdentityServer instance, I've configured ADFS as a relying party. The configuration details are as follows:

Enabled: Checked
Display Name: ADFS Org A
Realm/Scope Name: http://{{issuer}}/adfs/services/trust
Token life time: 0
Redirect URL:
Extra Data 1:
Extra Data 2:
Extra Data 3:
Symmetric Signing Key:
Encrypting Certificate: No Certificate

I've also created a user, Alice and assigned her to the IdentityServerUsers and a new role "Manager".

When I attempt to log into my application, I get redirected to the ADFS home realm discovery page, which lists Identity Server as one of the options. I can select it and then get forwarded to the Identity Server login page. After entering the correct credentials for Alice, I get a very cryptic: Sorry, an error occurred while processing your request.

I have two questions:
First, is there a good example or write up of the steps for configuring ADFS as a relying party within IdentityServer?
Second, is there a good way to go about diagnosing this problem?

Thanks

Configuration for IdSrv Identity Provider with IdSrv as Federated Gateway

Hello,

I have been experimenting with using Identity Server v2 as a Federated Gateway as you demonstrated in your third video where you show Home Realm Discovery. I have one instance of IdSrv acting as the gateway and two other instances acting as Identity Providers. When I run my test client and attempt to Authenticate and gather claims after providing credentials to one of the IP instances, the browser gets redirected back to the Uri specified in the Site ID (IssuerUri) of the Gateway instance of Identity Server. I had instead expected it to redirect to the Url specified in the Redirect URL value defined in the Relying Party settings in the Identity Provider instance. Might you have any suggestions on what settings I need to look at and correct?

client.RequestAccessTokenUserName returns 500 error

I need assistance debugging the problem. I know that my OAuth2Client is hitting the IdSrv because it's not getting a 404, but when I put a breakpoint in public ActionResult Token(ResourceOwnerCredentialRequest request), it never gets hit. I'm not sure where to put the breakpoint to debug the issue.

Certificate error

We followed the steps to configure the service and the client. When we access the application it is redirecting to the service for the authentication. After the admin login, we are getting the following error message and it is not redirecting to the client application.

You are currenty logged in as admin, but you requested a resource that you were not authorized for. Either provide credentials that do have access or contact your administrator to grant you access.

If we log in with a normal user, we get the error below.

A claim of type 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' or 'http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider' was not present on the provided ClaimsIdentity. To enable anti-forgery token support with claims-based authentication, please verify that the configured claims provider is providing both of these claims on the ClaimsIdentity instances it generates. If the configured claims provider instead uses a different claim type as a unique identifier, it can be configured by setting the static property AntiForgeryConfig.UniqueClaimTypeIdentifier.

Please advise.
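The error text quoted above names the configuration point itself: the MVC anti-forgery filter binds its token to the NameIdentifier or ACS identityprovider claim by default, and AntiForgeryConfig.UniqueClaimTypeIdentifier tells it to use a different claim. The following is an added example, not the reporter's code and not part of IdentityServer; it assumes ClaimTypes.Name is the claim the STS actually issues for every user (check the RP's claim mapping before relying on that) and adds a diagnostic helper that reports which of the two default claim types are missing from an identity.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Web;
using System.Web.Helpers;

public class MvcApplication : HttpApplication
{
    // The anti-forgery token is bound to the signed-in identity through this
    // claim type. It must be present on every authenticated ClaimsIdentity and
    // be unique per user, otherwise either the filter throws (missing) or two
    // users would share a token binding (not unique). ClaimTypes.Name is an
    // assumption for this example.
    public const string UniqueClaimType = ClaimTypes.Name;

    protected void Application_Start()
    {
        AntiForgeryConfig.UniqueClaimTypeIdentifier = UniqueClaimType;
    }

    // Diagnostic helper: returns the claim types the anti-forgery filter looks
    // for by default that are absent from the given identity. An empty array
    // means the default binding would have worked without reconfiguration.
    public static string[] MissingDefaultAntiForgeryClaims(ClaimsIdentity identity)
    {
        if (identity == null) throw new ArgumentNullException("identity");

        var expected = new[]
        {
            ClaimTypes.NameIdentifier,
            "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider"
        };
        return expected.Where(t => identity.FindFirst(t) == null).ToArray();
    }
}
```

Calling MissingDefaultAntiForgeryClaims on ClaimsPrincipal.Current.Identity (cast to ClaimsIdentity) from a controller action shows which claim the STS is not sending; the choice is then between having the relying-party configuration issue that claim and pointing UniqueClaimTypeIdentifier at a claim that is already present.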

ADFS1 compatibility

This is more a feature discussion than an issue. If it is not changed in IdentityServer then it is now documented here.

For a client (Dominick knows who) I needed IdentityServer v1 to be an upstream STS for an ADFS1 server as RP.
My conclusions were that it works if:

  • Assertion Signature is SHA1 (I had it hard coded for all RP in the TokenServiceConfiguration.SigningCredentials. Nicer if it could be configured per RP).
  • Token is SAML1 (I changed the Global default. Worked for them, but nicer if it could be configured per RP)
  • Only claims of which the ClaimType Url starts with “http://schemas.xmlsoap.org/claims/” are allowed! After that the ADFS1 CustomClaim name. (This was not a real issue).

Federated sign-in ignores wreply parameter ?

I have the following configuration: an Azure ACS account in which my on-premise TT STS is configured as an identity provider. I have a demo client application configured to use ACS for authentication.

When I log on to my client, I am correctly transferred to the ACS website. The ACS website correctly displays the TT STS as an option for authentication. When I click the link, I am correctly transferred to the login page of the TT STS. After logging in, however, the TT STS returns me to the ACS root (https://myBeatifulACSNameSpace.accesscontrol.windows.net/) instead of the URL specified in the wreply parameter (https://myBeatifulACSNameSpace.accesscontrol.windows.net/v2/wsfederation)

The result of this is of course a failure to log in (there is nothing useful to be displayed on the ACS root URL).

I have quickfixed this in WSFederationController using

    private ActionResult ProcessWSFederationSignIn(SignInRequestMessage message, ClaimsPrincipal principal)
    {
        // issue token and create ws-fed response
        var response = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(
            message,
            principal as ClaimsPrincipal,
            TokenServiceConfiguration.Current.CreateSecurityTokenService());

        // start fix
        if (! string.IsNullOrEmpty(message.Reply))
        {
            response.BaseUri = new Uri(message.Reply);
        }
        // end fix

        // set cookie for single-sign-out
        new SignInSessionsManager(HttpContext, _cookieName, ConfigurationRepository.Global.MaximumTokenLifetime)
            .AddEndpoint(response.BaseUri.AbsoluteUri);

        return new WSFederationResult(response, requireSsl: ConfigurationRepository.WSFederation.RequireSslForReplyTo);
    }

I assume it has to be fixed in Thinktecture.IdentityServer.TokenService.TokenService
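The quick fix above copies wreply into the response as-is, which means the STS will post a freshly issued token to whatever URL the sign-in request names. The usual defensive shape is to honour wreply only when it stays within the reply-to URL registered for the relying party and to fall back to the registered URL otherwise; that still covers the ACS case in the report, where the registered root and the /v2/wsfederation endpoint share an origin. The helper below is an added example, not the poster's code and not IdentityServer's; the registered reply-to URL is assumed to come from the RP configuration and requireSsl mirrors the RequireSslForReplyTo setting used in the post.

```csharp
using System;

public static class ReplyUriPolicy
{
    // Returns the URL the WS-Federation response should be posted to.
    //   registeredReplyTo: the relying party's configured redirect URL
    //   requestedReply:    the wreply value from the sign-in request (may be null)
    //   requireSsl:        reject non-https reply URLs when true
    public static Uri Resolve(Uri registeredReplyTo, string requestedReply, bool requireSsl)
    {
        if (registeredReplyTo == null)
            throw new InvalidOperationException("relying party has no reply-to URL configured");

        Uri requested;
        if (string.IsNullOrEmpty(requestedReply)
            || !Uri.TryCreate(requestedReply, UriKind.Absolute, out requested))
        {
            // No usable wreply: behave as before the quick fix.
            return registeredReplyTo;
        }

        if (requireSsl && requested.Scheme != Uri.UriSchemeHttps)
            return registeredReplyTo;

        // Same origin: scheme, host and port must all match the registered URL.
        var sameOrigin =
            string.Equals(requested.Scheme, registeredReplyTo.Scheme, StringComparison.OrdinalIgnoreCase)
            && string.Equals(requested.Host, registeredReplyTo.Host, StringComparison.OrdinalIgnoreCase)
            && requested.Port == registeredReplyTo.Port;

        // Path must be the registered path or lie underneath it
        // ("/" registered allows "/v2/wsfederation"; "/app" does not allow "/application").
        var registeredPath = registeredReplyTo.AbsolutePath.EndsWith("/", StringComparison.Ordinal)
            ? registeredReplyTo.AbsolutePath
            : registeredReplyTo.AbsolutePath + "/";
        var underPath = requested.AbsolutePath == registeredReplyTo.AbsolutePath
            || requested.AbsolutePath.StartsWith(registeredPath, StringComparison.Ordinal);

        // A userinfo component is not part of the host comparison above, so refuse it outright.
        var noUserInfo = string.IsNullOrEmpty(requested.UserInfo);

        return sameOrigin && underPath && noUserInfo ? requested : registeredReplyTo;
    }
}
```

In the controller from the post this replaces the two lines between "start fix" and "end fix" with `response.BaseUri = ReplyUriPolicy.Resolve(rp.ReplyTo, message.Reply, ConfigurationRepository.WSFederation.RequireSslForReplyTo);` where rp.ReplyTo is the relying party's configured redirect URL; the single-sign-out endpoint registered afterwards then only ever records an origin the RP was configured with.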

Incorrect Redirect in RPController

            try
            {
                this.RelyingPartyRepository.Add(rp);
                return RedirectToAction("RP");
            }

Should be

            try
            {
                this.RelyingPartyRepository.Add(rp);
                return RedirectToAction("index");
            }

Possible way to set signing certificate on a per RP basis.

SharePoint requires a trustedidentitytokenissuer per website so I have a couple of relying parties for handling each website. However SharePoint uses the first provider that can decode the SAML token regardless of if it is enabled so I need to have separate signing certificates for each RP. It would be nice if there was a Gui method for overriding the signing certificate on a per RP basis.

Extracting repository interfaces from identityserver

Hi,

First of all, I'm really a fan of your work regarding IdentityServer.

We are currently evaluating IdentityServer as - well identity server - for our portal solution. We already managed to extend IdentityServer to function with our current user database as instructed in documentation (https://identity.thinktecture.com/idsrv/docs/default.htm?UserManagement.html). After you added ThinkTecture.IdentityModel to NuGet repository, I got thinking if you have any plans on adding the IdentityServer's libraries as well?

That way we could add needed interfaces as references to assembly libraries from NuGet instead of adding them to our version control so that we can build and add automated tests for our user repository implementation.

Access Denied in my Web Application

Following the "Federating the 1st Web Application" video, but when I try starting up my web application after running the "identity and access" extension to import the WSFed details, I just get an error in my web app:

Server Error in '/' Application.

Access is denied.
Description: An error occurred while accessing the resources required to serve this request. The server may not be configured for access to the requested URL.

Error message 401.2.: Unauthorized: Logon failed due to server configuration. Verify that you have permission to view this directory or page based on the credentials you supplied and the authentication methods enabled on the Web server. Contact the Web server's administrator for additional assistance.


Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.17929

I have checked permissions on the App_Data folder in my idsrv application - I have even given "Everyone" full control access, but I still get this error. Can you help?

jsnotify protocol lost?

I can't find how to enable the jsnotify protocol in the UI?
I see the code for the endpoint, but can't find any code which reads the Resources/jsnotify.htm file

Cheers,
Marcel

OAuth naming conventions

In the OAuth protocol configuration the naming is:

Enable 'Resource Owner Password Credential' Flow
Enable 'Implicit' Flow

In the OAuth client configuration the naming is

Allow Implicit Flow
Allow Resource Owner Flow
Allow Code Flow

Please make this consistent between the two places, like:

Enable/Allow 'Resource Owner Password Credential' Flow
Enable/Allow 'Implicit Grant' Flow
Enable/Allow 'Authorization Code' Flow

PS: is 'Authorization Code' Flow already planned?

UI: protocols OAuth2 disabled should hide OAuth clients

In the UI when you disable the OAuth2 protocol and save the changes, the submenu-item OAuth2 below protocols is hidden from the UI

In my opinion, when the OAuth protocol is disabled, the configuration of OAuth clients makes no sense, so this can be hidden in the UI

Can you change AccountController.SignIn methods to virtual?

I was looking to inherit from AccountController and override the two SignIn methods. I would like to use the original behaviors but apply minor modifications in my sub class.

Could you change the two SignIn methods to 'virtual'?

Thanks much.

Setting up SSL Cert in development

I've just tried pulling the code down to have a root around and I'm struggling to get the unit tests working.

The tests point to idsrv.local, which is easy enough to set up in IIS and hosts file, but because it requires SSL the tests fail. Adding a self cert SSL certificate doesn't help (unless I'm doing something wrong) as the self cert points to the local machine name, not to a custom domain name such as idsrv.local.

You guys must have this working locally so I was wondering if you can advise how you go about setting your environment up so that the unit tests work.

Add support for i18n

(Enhancement)
My current IdentityServer implementation is for a French-speaking audience. I will add resource files(*.resx) to the application to meet my goals, but a much cleaner solution would be to have built-in support for localizing the IdentityServer.

Thank you.

NuGet Packages for Core, Protocols, Web.Library

Any chance of getting NuGet packages for the Core, Protocols and Web.Library projects? We're integrating IdentityServer directly into an existing web project without the UI pieces and it would be very useful!

Cheers,
Dean

OAuth2 endpoint does not exist

All endpoints are available (ws-fed is running fine), but the OAuth one gives a 404 on post/get.

I'm trying the endpoint from the 'Application Integration' page: https://localhost/idsrv/issue/wsfed
Everything is set up like in your installation video.

Is this implemented? Have to say this is really a great project. This IdP just works and together with the identitymodel very easy to use. Great work!

Naming conventions

In the UI - please rename:

Relying Parties to Relying Parties/Resources
Delegation to Identity Delegation

Two core files missing?

I just cloned the repo, opened Thinktecture.IdentityServer.sln and tried a rebuild...ApiClaimsAuthorizeAttribute.cs and ClaimsAuthorizeAttribute.cs are missing. They're referenced/included within Thinktecture.IdentityServer.Core.csproj - locally and when browsing the source here in the web.

HRD SignOut Handling

We have two different signout types:

WS-Fed - this should do a redirect to the IdP signout page

OAuth2 - what should we do here (Google, FB and Live have well known signout pages) - does signout make sense here at all?

http OAuth endpoints

Is it possible to have an http OAuth endpoint without https?

I think it makes sense.

oauth2 getting the identity for a token

How do I get the identity for an obtained SWT token? The identitymodel tests use a webapisecurity endpoint; is that available in the identityserver?

The following code is from a console app and taken from the identitymodel tests (IdSrvOAuth2Client):

    static readonly Uri Oauth2Address = new Uri("https://localhost/idsrv/issue/oauth2/token");
    private const string BaseAddress = "https://localhost/idsrv/webapisecurity/api";
    //                                                        ^^^^^^^^^^^^^^ ?????? gives 404

    static void Main(string[] args)
    {
        var swtToken = GetIdentityToken();
        "Ok, token received".ConsoleGreen();

        var identity = CallService(swtToken);  // BOOM: 404
        "Ok, identity received".ConsoleGreen();
    }

    private static string GetIdentityToken()
    {
        "Requesting swt (oauth2) token from idp".ConsoleYellow();

        var client = new OAuth2Client(Oauth2Address, "test", "secret");
        var response = client.RequestAccessTokenUserName("admin", "*****", "https://test/rp/");
        return response.AccessToken;
    }

    private static Identity CallService(string swt)
    {
        "Calling identity service".ConsoleYellow();

        var client = new HttpClient { BaseAddress = new Uri(BaseAddress) };
        client.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("IdSrv", swt);

        var response = client.GetAsync("identity").Result;
        response.EnsureSuccessStatusCode();

        return response.Content.ReadAsAsync<Identity>().Result;
    }

Best practice on using Identity Service to authenticate mobile applications

Hello Dominick,

I am trying to use your Identity Server to secure communication between my iPhone / Android client applications and our WebAPI (MVC WebAPI). Can you point me to a good solution that you have or any reference that you have on this particular topic? Maybe you can suggest a model that you would prefer for this?

Thanks
Ryan

roadmap

Hi Dominick, Brock,

I've been playing with the identityserver for the last week and am very pleased; all my use cases seem covered. Great job!

Can you provide some sort of roadmap and maturity of the identityserver v2? I'm evaluating it and can't get a clear picture of how finished it is. Maybe some insight and your feelings would help.

Would you put it in production right now? If not, why not... when?
