duendesoftware / docs.duendesoftware.com
Documentation for our Products
Home Page: https://docs.duendesoftware.com
We might need some more explicit discussion of refresh tokens in our docs. How to configure on Client and that it's not needed in Scopes config, and how to request w/ offline_access.
Include info for the UserInteractionOptions.ConsentUrl and ErrorUrl. If anything more, please add.
Also, for the loginpageurl -- on the Cookie Handler Configuration docs, maybe a comment about how we infer the url from the cookie handler options (same for the logout page docs).
Then finally maybe a note of any exemptions when using ASP.NET Identity (e.g. they register their own cookie handler, so use theirs if you want to tweak options, and login/logout will use SignInManager for managing the cookie, rather than HttpContext APIs).
Off the top of my head:
For example, how you can synthesize store for clients (only store minimal info in DB).
Also, how to aggregate some data from minimal store and some data from JSON.
Hey guys, any chance you could add docs and/or a sample repo on setting up SSO on a Duende auth server?
I'm pretty much finding no good resources on how one would go about this other than purchasing this 3rd party solution.
for x-plat
In the part for adding google Authentication-Options
options.ClientId = builder.Configuration["Authentication:Google:ClientId"];
options.ClientSecret = builder.Configuration["Authentication:Google:ClientId"];
should be
options.ClientId = builder.Configuration["Authentication:Google:ClientId"];
options.ClientSecret = builder.Configuration["Authentication:Google:ClientSecret"];
Hello,
Is it possible to add a pdf version of the documentation ?
thanks
Could you reduce the spacing a bit?
e.g. https://docs.duendesoftware.com/identityserver/v5/fundamentals/resources/isolation/
We should add a section to the docs that explains 1) we abstract data access, and 2) we only read at runtime, thus 3) we don't have an admin UI. Also, add an item into EF QS.
I'd like a sequence diagram or picture showing what claims exist where during a typical protocol flow in the session (at both IdentityServer and in the client), and in the persisted grants DB at IdentityServer, and how/when the profile service is involved, and in the access token and at the API. I was thinking a pic per major protocol flow, or interaction:
The intent of this would be to show to people that aren't so familiar with the protocols or even the ASP.NET Core cookie authentication handler how and where all this fits together
DuentityServer
[Authorize(IdentityServerConstants.LocalApi.PolicyName)]
public async Task<ActionResult<IEnumerable<FriendList>>> GetFriendLists()
{
return (await _context.FriendLists.ToListAsync());
}
BlazorServer
// The action returns a JsonResult, so the return type must be Task<IActionResult>
// rather than a bare Task, otherwise the method does not compile.
public async Task<IActionResult> Get()
{
// Retrieve the current user's access token from the session
var token = await HttpContext.GetUserAccessTokenAsync();
var client = new HttpClient();
client.SetBearerToken(token);
var response = await client.GetAsync($"https://localhost:5001/api/friends");
return new JsonResult(await response.Content.ReadAsStringAsync());
}
The "Interactive Applications with ASP.NET Core" quickstart reports a compile error on the "Display the Auth Cookie" step.
The file name is also a bit jumbled, it says "geWebClient/Pas/Index.cshtml" instead of "WebClient/Pages/Index.cshtml"
The issue is in the loop to display the claims, it says:
"The name 'Context' does not exist in the current context"
Looking at the source code for the quick start it should be HttpContext.AuthenticateAsync() instead of Context.AuthenticateAsync()
In QS2, in the section about the UserInfo endpoint, the OIDC config in the MvcApp is updated with options.Scope.Add("profile");
That is redundant, as the profile scope is already added by default by the OIDC handler:
I think the redundant line should be removed, but probably text should also be updated to notice that the results retrieved from the user info endpoint are those for the open_id and profile scopes.
Not sure if this is the best place for this, but was hoping you guys could provide some clarity on the SPA integration capabilities for the BFF side of things.
For example, I was able to set up a POC last night for a dotnet new react
frontend, but given that the UseSpa
functionality built into .NET is fairly limited, I'm curious if the front end can be decoupled from the .NET side of things (e.g. a standalone react app that isn't a CRA, a standalone nextjs app, etc.).
My understanding (in theory) is that, as long as the front end and the BFF are on the same server then the front end can use the cookies issued by the BFF and we're golden, but wanted to confirm your thoughts on this.
Put the issue here as I figured it might be a good addition to the docs as well.
I think we forgot about this one.
Points to docs for the authorize interaction extensibility - but it is missing.
Add docs/warning on the built-in ASP.NET Core caching.
Add suggestion to enable our caching, and link to the general caching topic.
Given that we don't strictly publish SQL scripts for the database, I would like to publish a note for each release that contains some EF/DB schema change that shows/explains the delta (e.g. index added/changed, new/changed columns/tables, etc).
Placeholder to collect feedback while reviewing
We need better wording on the packaging page that the licensed and supported product is available via NuGet (not via the source code on github).
user feedback:
how to add YARP support is missing
We get requests for "reference architecture" diagrams (including containerization). We also sometimes get request for sizing numbers. This issue is meant to collect ideas on what documentation (if any) might look like.
Mainly how to do the migrations, like IS does now.
For example: someone wants to learn about all the artifacts to cleanup at logout. Are they aware of refresh tokens, ref tokens, cookies, etc.
https://docs.duendesoftware.com/identityserver/v5/quickstarts/1_client_credentials/
There is a note half down the page that is broken as it points to no reference
That is being generated at
I gather the TODO discussion likely didn't happen and the document still got published. I'd suggest to just remove this note, but I'm unsure what you want to do here.
They still show "MVC Client"
It's needed for many things
See DuendeSoftware/IdentityServer.Templates#20 for more info/context
Forgive me for the 📘 here 🙈😄. I'd like to explain this scenario out a bit before asking my questions ...
An ASP.NET Core Blazor doc maintains guidance for a hosted Blazor WebAssembly app using IdS on Windows App Service using an AKV-managed IdS token signing certificate. The guidance calls for the developer to:
Set an Azure App Service setting of WEBSITE_LOAD_CERTIFICATES
with the cert thumbprint.
Supply app settings for Identity Server (not necessarily Duende IdS) that taps the CurrentUser > My cert store.
{
"IdentityServer": {
"Key": {
"Type": "Store",
"StoreName": "My",
"StoreLocation": "CurrentUser",
"Name": "CN=IdentityServerSigning"
}
}
}
We're trying to keep token signing cert access simple, clear, and 🔐 SAFE 🔐. A reader has remarked that such an IdS app config isn't viable for Linux App Service scenarios.
In passing, alternatives to that approach might include:
KeyVaultClient) and calling AddSigningCredential
X509Store with AddSigningCredential, hopefully with FindByThumbprint.
However, those approaches would be more complex and require more developer code.
Our doc section ...
We're leaning here toward accessing whatever Linux considers its cert storage along the lines of https://github.com/DuendeSoftware/IdentityServer/blob/main/src/IdentityServer/Configuration/DependencyInjection/BuilderExtensions/Crypto.cs#L101-L112.
... and perhaps that approach calling AddSigningCredential will turn out to be the best practices way to go. Perhaps, Duende API doesn't read app settings for a cert store into a call to AddSigningCredential for the dev. Perhaps, the dev just needs to handle this in their own code.
After digging around a bit, it feels like CurrentUser > My would be a thing on Linux. For example ...
https://docs.microsoft.com/en-us/dotnet/standard/security/cross-platform-cryptography#the-my-store
A reader working with Linux App Service has suggested a working approach where the physical location of where the cert loads is specified in app configuration ...
{
"IdentityServer": {
"Key": {
"Type": "File",
"FilePath": "/var/ssl/private/{thumbprintGoesHere}.p12",
"Password": ""
}
}
}
Again, the preceding may or may not be viable for Duende IdS.
Cross-reference: dotnet/AspNetCore.Docs#23180 (comment)
Physical paths are fragile in general, sometimes poorly supported and/or documented, sometimes not the same distro-to-distro. Of greater concern to me is that "Password" entry in app settings config ... even with a blank value ... Yikes! 😨🏃. Truly, I'd rather pitch an approach using a Key Vault Client over using that app settings config.
So ... the ❓s ... sorry that it took so long to get here 😅.
Duende IdS with the token signing cert in AKV with Azure App Service ...
AddSigningCredential with a StoreLocation (CurrentUser/My? or a different store) and NameType (cert thumbprint)?
AddSigningCredential-based approach?
I am getting an error message: InvalidOperationException: No signing credential is configured. when doing the Quickstart 1 & 2. Please let me know what is the problem.
screencapture-demo-duendesoftware-connect-authorize-callback-2020-11-15-13_58_01.pdf