Comments (9)
Identity Server will only send tokens to reply urls it is aware of before the request is made, for security reasons (it minimizes the attack surface). If this url is compromised in some way, an attacker could start stealing tokens and therefore gain unauthorized access your resources. Wildcard urls are too easily manipulated and this is how some big players have been compromised in the past.
Regarding multiple Reply Urls per Relying Party (like in the core project for OIDC), I don't see why not. Unless this is prohibited by the WS-Fed specification in some way... It'd need to be a PR either way.
from identityserver3.wsfederation.
Thank you very much for your feedback. So it means that the IdentityServer supports multiple ReplyUrls in theory? Because in the current implementation we saw that the model class RelyingParty only saves one ReplyUrl. Does it mean we need to extend this class?
In the WS-Fed specification the wreply parameter is an optional parameter and is the URL to which responses are directed.
Thanks
In theory it is possible to have multiple ReplyUrls, however this requires changes to both the RelyingParty model and SignInValidator (I think). Either way, the change to RelyingParty model is a breaking change.
I could maybe get a PR ready for the v3 release where such breaking changes are acceptable.
This PR has support for multiple reply urls for WsFed:
#60
And it was just merged in.
Looks like you can also plug-in your own reply validator:
https://github.com/IdentityServer/IdentityServer3.WsFederation/blob/dev/source/WsFederationPlugin/Services/DefaultRedirectUriValidator.cs#L52
So you could put in your own wildcard and implement logic to parse that and satisfy the call.
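The trade-off this thread circles around (registering exact reply URLs versus plugging in a custom validator that accepts a wildcard), as an added example that is not the plugin's code: a strict exact-match check beside the naive prefix match that a hand-rolled wildcard validator easily degrades into. The relying-party registry, the `urn:example:rp1` identifier and the function names are constructed for this illustration; Python is used only to show the comparison logic, since the plugin itself is C#.

```python
from urllib.parse import urlsplit

# Constructed registry: one relying party with its registered reply URLs
# (stands in for the RelyingParty configuration; not the plugin's data model).
REGISTERED_REPLY_URLS = {
    "urn:example:rp1": [
        "https://app.example.com/signin-wsfed",
        "https://app.example.com:8443/signin-wsfed",
    ],
}

# Constructed "wildcard" registry of the kind a custom validator might be fed:
# anything starting with this prefix is accepted.
WILDCARD_PREFIXES = {
    "urn:example:rp1": ["https://app.example.com"],
}


def _normalize(url):
    """Reduce an absolute http(s) URL to a comparable tuple.

    Returns (scheme, host, port, path, query) with the host lowercased and the
    default port filled in, or None when the URL is relative, carries userinfo
    (user@host tricks) or a fragment, or has an unparsable port.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None or parts.fragment:
        return None
    try:
        port = parts.port
    except ValueError:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port, parts.path or "/", parts.query)


def is_reply_url_allowed(rp_id, requested_url):
    """Exact-match check: the wreply value must equal a registered reply URL.

    Equality is decided on the normalized tuple, so case differences in the
    host or an explicit default port do not cause spurious rejections, while
    any change of scheme, host, port, path or query is rejected.
    """
    wanted = _normalize(requested_url)
    if wanted is None:
        return False
    return any(_normalize(r) == wanted for r in REGISTERED_REPLY_URLS.get(rp_id, []))


def naive_prefix_match(rp_id, requested_url):
    """The string-prefix 'wildcard' the thread warns against.

    Kept here only to show what it lets through; do not use as a validator.
    """
    return any(requested_url.startswith(p) for p in WILDCARD_PREFIXES.get(rp_id, []))


if __name__ == "__main__":
    rp = "urn:example:rp1"
    probes = [
        "https://app.example.com/signin-wsfed",          # registered, exact
        "https://APP.example.com:443/signin-wsfed",      # same after normalization
        "https://app.example.com.evil.net/signin-wsfed",  # lookalike host
        "https://app.example.com@evil.net/signin-wsfed",  # userinfo trick, host is evil.net
        "http://app.example.com/signin-wsfed",           # scheme downgrade
    ]
    for url in probes:
        print(f"{url:50} exact={is_reply_url_allowed(rp, url)!s:5} prefix={naive_prefix_match(rp, url)}")
```

The two lookalike probes are the point: a prefix match on `https://app.example.com` accepts both `app.example.com.evil.net` and `app.example.com@evil.net`, so a token bound to that wreply would be posted to a host the relying party never registered, which is exactly the token theft the first comment describes.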
A collection for PostLogoutRedirectUris was added in #60, however the ReplyUrl is still one per Relying Party. Changing this would be a breaking change. IRedirectUriValidator is also implemented for post logout redirect urls only.
Oh, sorry, missed the part where you needed it to be on the ReplyUrl param.
Hi,
I am quite new to the GitHub community. Sorry for this bad question, but what are the steps if we would like to make a breaking change to have one RP with multiple Endpoints?
Thanks
We would need to add the feature and release a new major version. We are not planning to do that soon.