Thinktecture.IdentityModel.Oidc project about identityserver3 HOT 14 CLOSED

These are all valid points for legacy applications. But since Microsoft already previewed their new OpenID Connect middleware for Katana - the module has currently no high priority. Feel free to work on it!

from identityserver3.

I would help on this, I need a ASP.Net/WebForms app to support OIDC so (I think) I cannot rely on the Katana middleware :(

from identityserver3.

WebForms and Katana can work together (just like MVC and Katana).

from identityserver3.

sob I'm doing well today. I'd read: http://stackoverflow.com/questions/19423097/is-it-possible-to-use-katana-to-host-an-existing-webforms-application-within-a-w and trusted it :/

from identityserver3.

Well - it is right and wrong - MVC and WebForms cannot be hosted using Katana. But you can still use Katana middleware (e.g. the templates in VS2013 use Google authentication middleware).

from identityserver3.

Ah, ok. right, thank you for the clarification, that makes sense :)

from identityserver3.

.... so I've investigated the katana OpenIdConnect middleware and it appears to not support the codeflow. I can't find any supporting documentation with it to suggest there is any intention to either (no raised issues, comments in discussion forums etc.) :( (this surprises me somewhat so perhaps I'm misunderstanding its purpose!)

Before I try and re-grok the source do you know for a fact that I'm wrong about this ? (also, and related it doesn't support the ability to get back an ID+Access token at the same time [ https://katanaproject.codeplex.com/discussions/542150 ] ) long story short, your module appears to be significantly better at first + second glance to my untrained eyes!

Update: Ah. https://katanaproject.codeplex.com/workitem/247

from identityserver3.

see here:
#54

from identityserver3.

Thanks, that covers the access token, but I'm more concerned about them only supporting the implicit flow had loosely understood that flow as being the 'least secure' and should only be used when the client can't be trusted, but the implication of the middleware + azure is that implicit flows are A-Ok ?

from identityserver3.

Implicit just means that the client authentication is implicit.

They also do hybrid flow btw - but IdSrv does not support that (yet).

from identityserver3.

(implicit) Sure, but doesn't that mean the level of trust you should be willing to grant requests from that client should be lower (for example issuing shorter duration access tokens?) (I had been planning to make sure all my internal (non mobile) trusted web applications utilised the code flow, based on this potentially wrong understanding!

from identityserver3.

Well it depends on a number of factors - implicit is for JS/native applications (no client secret but redirect URI) where credential/consent should happen on the AS - whereas using code flow requires the flow triggered by a server and due to client credentials gives you additional features like refresh tokens.

from identityserver3.

Ok. That matches my understanding, I just (naively it would seem!) assumed that code flow was one of the commonest flows! Thank you as always!

from identityserver3.

Closing this for now. Please open a new issue if you plan to work on an HttpModule for backwards compat.

from identityserver3.