duendesoftware / docs.duendesoftware.com Goto Github PK

We might need some more explicit discussion of refresh tokens in our docs. How to configure on Client and that it's not needed in Scopes config, and how to request w/ offline_access.

Include info for the UserInteractionOptions.ConsentUrl and ErrorUrl. If anything more, pl[ease add.

Also, for the loginpageurl -- on the Cookie Handler Configuration docs, maybe a comment about how we infer the url from the cookie handler options (same for the logout page docs).

Then finally maybe a note of any exemptions when using ASP.NET Identity (e.g. they register their own cookie handler, so use theirs if you want to tweak options, and login/logout will use SignInManger for managing the cookie, rather than HttpContext APIs).

Off the top of my head:

• persisted grants (unless disabled)
• AddOidcStateDataFormatterCache
• Server-side session store
• Message cookies from authorize endpoint to UI
• signing keys in automatic key management

For example, how you can synthesize store for clients (only store minimal info in DB).
Also, how to aggregate some data from minimal store and some data from JSON.

Hey guys, any chance you could add docs and/or a sample repo on setting up SSO with on a Duende auth server?

I'm pretty much finding no good resources on how one would go about this other than purchasing this 3rd party solution.

for x-plat

In the part for adding google Authentication-Options

options.ClientId = builder.Configuration["Authentication:Google:ClientId"];
options.ClientSecret = builder.Configuration["Authentication:Google:ClientId"];

should be

options.ClientId = builder.Configuration["Authentication:Google:ClientId"];
options.ClientSecret = builder.Configuration["Authentication:Google:ClientSecret"];

Hello,
Is it possible to add a pdf version of the documentation ?

thanks

Could you reduce the spacing a bit?

e.g. https://docs.duendesoftware.com/identityserver/v5/fundamentals/resources/isolation/

We should add a section to the docs that explains 1) we abstract data access, and 2) we only read at runtime, thus 3) we don't have an admin UI. Also, add an item into EF QS.

• overview in /basics - please review @brockallen
• details on storage, EF, custom storage in /data
• options reference in /reference/options

• resource isolation
• server-side session
• dynamic auth

I'd like a sequence diagram or picture showing what claims exist where during a typical protocol flow in the session (at both IdentityServer and in the client), and in the persisted grants DB at IdentityServer, and how/when the profile service is involved, and in the access token and at the API. I was thinking a pic per major protocol flow, or interaction:

• implicit flow
• code flow w/ and w/o userinfo
  • we'd need to explain the "AlwaysInclude" option in here and how it affects the claims
• refresh token renewal
  • we'd need to explain the "UpdateClaims" option
• API invocation w/ access token w/ and w/o introspection

The intent of this would be to show to people that aren't so familiar with the protocols or even the ASP.NET Core cookie authentication handler how and where all this fits together

DuentityServer

[Authorize(IdentityServerConstants.LocalApi.PolicyName)]
    public async Task<ActionResult<IEnumerable<FriendList>>> GetFriendLists()
    {           
        return (await _context.FriendLists.ToListAsync());
    }

BlazorSever
public async Task Get()
{
var token = await HttpContext.GetUserAccessTokenAsync();
var client = new HttpClient();
client.SetBearerToken(token);

        var response = await client.GetAsync($"https://localhost:5001/api/friends");

        return new JsonResult(await response.Content.ReadAsStringAsync());


    }

https://docs.duendesoftware.com/identityserver/v5/ui/login/session/

https://github.com/DuendeSoftware/IdentityServer/discussions/483#discussioncomment-1516810

The "Interactive Applications with ASP.NET Core" quickstart reports a compile error on the "Display the Auth Cookie" step.

The file name is also a bit jumbled, it says "geWebClient/Pas/Index.cshtml" instead of "WebClient/Pages/Index.cshtml"

The issue is in the loop to display the claims, it says:

"The name 'Context' does not exist in the current context"

Looking at the source code for the quick start it should be HttpContext.AuthenticateAsync() instead of Context.AuthenticateAsync()

In QS2, in the section about the UserInfo endpoint, the OIDC config in the MvcApp is updated with options.Scope.Add("profile"); That is redundant, as the profile scope is already added by default by the OIDC handler:

https://github.com/dotnet/aspnetcore/blob/15fa3ad10859abcc54e3ad5557dc928f6c94994d/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectOptions.cs#L44

I think the redundant line should be removed, but probably text should also be updated to notice that the results retrieved from the user info endpoint are those for the open_id and profile scopes.

IdentityServer/IdentityServer4#4916

Not sure if this is the best place for this, but was hoping you guys could provide some clarity on the SPA integration capabilities for the BFF side of things.

For example, I was able to set up a POC last night for a dotnet new react frontend, but given that the UseSpa functionality built into .NET is fairly limited, I'm curious if the front end can be decoupled from the .NET side of things (e.g. a standalone react app that isn't a CRA, a standalone nextjs app, etc.).

My understanding (in theory) is that, as long as the front end and the BFF are on the same server then the front end can use the cookies issued by the BFF and we're golden, but wanted to confirm your thoughts on this.

Put the issue here as I figured it might be a good addition to the docs as well.

I think we forgot about this one.

DuendeSoftware/Support#154 (comment)

https://docs.duendesoftware.com/identityserver/v5/ui/custom/#authorize-endpoint-requests-and-custom-pages

Points to docs for the authorize interaction extensibility - but it is missing.

Add docs/warning on the built-in ASP.NET Core caching.

Add suggestion to enable our caching, and link to the general caching topic.

Given that we don't strictly publish SQL scripts for the database, I would like to publish a note for each release that contains some EF/DB schema change that shows/explains the delta (e.g. index added/changed, new/changed columns/tables, etc).

Placeholder to collect feedback while reviewing

• Personal opinion: the intro is too casual
• There's some copy editing that could be done throughout
  • some sections need more context to intro them
  • some topics need expanded explanation of what it's referring to (e.g. "the endpoints that want the extra security must be decorated" -- what that referrs to should be clarified)
• Session mgmt endpoints should explain request style of each: Ajax vs. browser redirect
• need formal docs on the EF support
• missing page for session mgmt details

We need better wording on the packaging page that the licensed and supported product is available via NuGet (not via the source code on github).

https://docs.duendesoftware.com/identityserver/v6/ui/logout/notification/#back-channel-server-side-clients

In the actual markdown file I see this rendering as an iframe tag:

user feedback:

in
https://docs.duendesoftware.com/identityserver/v6/quickstarts/js_clients/js_with_backend/#update-routing-to-accept-local-and-remote-api-calls

how to add YARP support is missing

We get requests for "reference architecture" diagrams (including containerization). We also sometimes get request for sizing numbers. This issue is meant to collect ideas on what documentation (if any) might look like.

// @damianh @josephdecock

Mainly how to do the migrations, like IS does now.

For example: someone wants to learn about all the artifacts to cleanup at logout. Are they aware of refresh tokens, ref tokens, cookies, etc.

https://docs.duendesoftware.com/identityserver/v5/quickstarts/1_client_credentials/

There is a note half down the page that is broken as it points to no reference

That is being generated at

I gather the TODO discussion likely didn't happen and the document still got published. I'd suggest to just remove this note, but I'm unsure what you want to do here.

They still show "MVC Client"

It's needed for many things

See DuendeSoftware/IdentityServer.Templates#20 for more info/context

Forgive me for the 📘 here 🙈😄. I'd like to explain this scenario out a bit before asking my questions ...

An ASP.NET Core Blazor doc maintains guidance for a hosted Blazor WebAssembly app using IdS on Windows App Service using an AKV-managed IdS token signing certificate. The guidance calls for the developer to:

• Set an Azure App Service setting of WEBSITE_LOAD_CERTIFICATES with the cert thumbprint.

• Supply app settings for Identity Server (not necessarily Duende IdS) that taps the CurrentUser > My cert store.

  "IdentityServer": {
    "Key": {
      "Type": "Store",
      "StoreName": "My",
      "StoreLocation": "CurrentUser",
      "Name": "CN=IdentityServerSigning"
    }
  }

We're trying to keep token signing cert access simple, clear, and 🔐 SAFE 🔐. A reader has remarked that such an IdS app config isn't viable for Linux App Service scenarios.

In passing, alternatives to that approach might include:

• Loading a cert manually (as a secret) from AKV (KeyVaultClient) and calling AddSigningCredential.
• Some alternate flavor of that via an X509Store with AddSigningCredential, hopefully with FindByThumbprint.

However, those approaches would be more complex and require more developer code.

Our doc section ...

https://docs.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/hosted-with-identity-server?view=aspnetcore-5.0&tabs=visual-studio#host-in-azure-app-service-with-a-custom-domain-and-certificate-1

We're leaning here toward accessing whatever Linux considers its cert storage along the lines of https://github.com/DuendeSoftware/IdentityServer/blob/main/src/IdentityServer/Configuration/DependencyInjection/BuilderExtensions/Crypto.cs#L101-L112.

... and perhaps that approach calling AddSigningCredential will turn out to be the best practices way to go. Perhaps, Duende API doesn't read app settings for a cert store into a call to AddSigningCredential for the dev. Perhaps, the dev just needs to handle this in their own code.

After digging around a bit, it feels like CurrentUser > My would be a thing on Linux. For example ...

https://docs.microsoft.com/en-us/dotnet/standard/security/cross-platform-cryptography#the-my-store

A reader working with Linux App Service has suggested a working approach where the physical location of where the cert loads is specified in app configuration ...

{
  "IdentityServer": {
    "Key": {
      "Type": "File",
      "FilePath": "/var/ssl/private/{thumbprintGoesHere}.p12",
      "Password": ""
    }
  }
}

Again, the preceding may or may not be viable for Duende IdS.

Cross-reference: dotnet/AspNetCore.Docs#23180 (comment)

Physical paths are fragile in general, sometimes poorly supported and/or documented, sometimes not the same distro-to-distro. Of greater concern to me is that "Password" entry in app settings config ... even with a blank value ... Yikes! 😨🏃. Truly, I'd rather pitch an approach using a Key Vault Client over using that app settings config.

So ... the ❓s ... sorry that it took so long to get here 😅.

Duende IdS with the token signing cert in AKV with Azure App Service ...

• Our doc wasn't written with Duende IdS in mind.
  • Is the Windows App Service configuration (the CurrentUser > My cert store app config) the same for Duende IdS?
  • If not, should the dev to call AddSigningCredential with a StoreLocation (CurrentUser/My? or a different store) and NameType (cert thumbprint)?
  • If not, would you next suggest an AKV client (cert loaded as a secret perhaps)+AddSigningCredential-based approach?
• The Duende docs don't cover the best practice configuration/set up explicitly for these scenarios, Windows or Linux App Service with AKV. Do you want to cover it so that the Blazor WASM doc can link to a Duende doc for this scenario? Alternatively, can you comment on the best practices approach so that I can place your recommendation into the Blazor WASM topic? ... and as mentioned, I need Windows- and Linux-based guidance.

I am getting an error message : InvalidOperationException: No signing credential is configured. when doing the Quickstart 1 & 2. Please let me know what is the problem.
screencapture-demo-duendesoftware-connect-authorize-callback-2020-11-15-13_58_01.pdf

Hey Gina,

this is probably useful

https://learn.netlify.app/en/basics/style-customization/

When you choose a menu item that's near the bottom of the scrolling menu, the currently selected page is no where to be seen.

vs.

I'd like to get the menu to auto scroll to the current item when we load a page. This is low priority.