identityserver4's Introduction

Important update

This project is not maintained anymore. This repo will be archived when .NET Core 3.1 end of support is reached (13th Dec 2022). All new development is happening in the new Duende Software organization.

See here for more details.

About IdentityServer4

IdentityServer is a free, open source OpenID Connect and OAuth 2.0 framework for ASP.NET Core. Founded and maintained by Dominick Baier and Brock Allen, IdentityServer4 incorporates all the protocol implementations and extensibility points needed to integrate token-based authentication, single-sign-on and API access control in your applications. IdentityServer4 is officially certified by the OpenID Foundation and thus spec-compliant and interoperable. It is part of the .NET Foundation, and operates under their code of conduct. It is licensed under Apache 2 (an OSI approved license).

For project documentation, please visit readthedocs.

Branch structure

Active development happens on the main branch. This always contains the latest version. Each (pre-) release is tagged with the corresponding version. The aspnetcore1 and aspnetcore2 branches contain the latest versions of the older ASP.NET Core based versions.

How to build

  • Install the latest .NET Core 3.1 SDK
  • Install Git
  • Clone this repo
  • Run build.ps1 or build.sh in the root of the cloned repo

Documentation

For project documentation, please visit readthedocs.

See here for the 1.x docs, and here for the 2.x docs.

Bug reports and feature requests

Please use the issue tracker for that. We only support the latest version for free. For older versions, you can get a commercial support agreement with us.

Commercial and Community Support

If you need help with implementing IdentityServer4 or your security architecture in general, there are both free and commercial support options. See here for more details.

Sponsorship

If you are a fan of the project or a company that relies on IdentityServer, you might want to consider sponsoring. This will help us devote more time to answering questions and doing feature development. If you are interested please head to our Patreon page which has further details.

Platinum Sponsors

Corporate Sponsors

Ritter Insurance Marketing
ExtraNetUserManager
Knab

You can see a list of our current sponsors here - and for companies we have some nice advertisement options as well.

Acknowledgements

IdentityServer4 is built using the following great open source projects and free services:

..and last but not least a big thanks to all our contributors!

identityserver4's Issues

Extensibility point in AuthorizeEndpoint

As part of researching tenant based authentication I found I can vary the tenant without affecting the user's authentication within IdSrv4. This seems reasonable, yet there doesn't appear to be an extensibility point within the AuthorizeEndpoint's ProcessAuthorizeRequestAsync that would allow additional validation or customizing the interaction to change the prompt mode. It looks like in IdSrv I might have been able to do this in PreAuthenticateAsync.

I'm testing this within the Mvc test project by including the "alice" tenant in the acr

            options.Events = new OpenIdConnectEvents
            {
                OnRedirectToAuthenticationEndpoint = ctx =>
                {
                    ctx.ProtocolMessage.AcrValues = "tenant:alice";
                    return Task.FromResult(0);
                }
            };

I then kill the Mvc authentication cookie and use the "bob" tenant. I'd like to detect the tenant change via a claim set on the initial sign-in and force them to authenticate again.

            options.Events = new OpenIdConnectEvents
            {
                OnRedirectToAuthenticationEndpoint = ctx =>
                {
                    ctx.ProtocolMessage.AcrValues = "tenant:bob";
                    return Task.FromResult(0);
                }
            };

Update System.IdentityModel.Tokens.Jwt to 5.0.0-rc1-211161024

You are depending on two different versions of this dependency (5.0.0-rc1-211161024 for .NET Core and 4.0.2.202250711 for .NET 4.5.1) and this is causing conflicts.
I have noticed that most APIs on ASPNET5 RC1 are on v5. You should try to use only that version.

custom stores

Hi,

I just want to give you some feedback

I've implemented almost all stores as a custom implementation using ef 7 now.

It was pretty easy thanks to the simplicity of the in memory store interfaces and models, that I could use as a boilerplate for finding out relationships.

One part is a bit confusing: Why does the user have a subject property? In a classic db I would expect a user id.

Is this only because of the open id standard? Or are there cases when this could be something else than a user id?

I've seen it is used to map the consent to a user for example.

How to change login/error routes to something else

Hi,
Perhaps this is a silly question or is already answered somewhere in the docs, but I can't seem to find how to change the default ui/login or ui/error routes to some other value (account/login)?

Thank you

WS-Federation and external IdPs

Hello,

Can you give me some info about your plans to support WS-Federation, External IdPs and WindowsAuthentication with IdSrv4?

Thanks a lot

How to configure WS-Fed IdentityProviders in IS4

Hi, I'm trying to configure V4 based on my V3 configuration. The first thing I got my hands on is "ConfigureIdentityProviders", trying to add my ADFS via UseWsFederationAuthentication.

Is this implemented yet? Is there a sample or doc I can refer to?

Thank you

The dependency fx/System.XML could not be resolved.

Hi, ASP.NET 5 newbie here...

I'm loading up a new blank ASP.NET 5 project in Mac (using Xamarin with DNX addin for ASP.NET 5 support), I can build the ASP.NET 5 web application "Hello world" without problem, however once I add the Nuget package IdentityServer4 it then gave me an error "The dependency fx/System.XML could not be resolved" compilation error.

Is that something related to IdentityServer4? I see it is stated to work in Core 1.0 ? Have I missed anything...

Many thanks.

Lida

Exception when calling connect/token from angular 2

Hi
using version beta 1 update 1 resource owner flow
I get the following error
"InvalidOperationException: Unable to resolve service for type 'IdentityServer4.Core.Validation.IResourceOwnerPasswordValidator' while attempting to activate 'IdentityServer4.Core.Validation.TokenRequestValidator'."

Thanks

ASP.NET Identity 3 Support

I was wondering if there are any plans to implement AspNetIdentity for IdentityServer4?? For ASP.Net core 1.0?

Enable extensibility or replacement for endpoint handlers

I would like to be able to dynamically change the contents of the discovery document based on the URL currently being accessed. For example, the "name" of the Identity Server instance should change based on the URL.

The problem I'm trying to solve is to enable a multitenancy in IdentityServer4. While I recognize this may not be an explicit goal for the project, allowing extension points at certain places where I can plug in will allow me to customize the experience.

In IdentityServerServiceCollectionExtensions the set of IEndpoint instances associated with different well-known endpoints is added to the service collection as part of an EndpointRouter. There's really no way to modify the IEndpoint associated with a request or to affect the IEndpointResult generated by a request.

One way to get around this would be to introduce a new IEndpointMapping interface, like this:

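public interface IEndpointMapping
{
  // Route path the handler is mapped to (interface members take no access modifier)
  string Endpoint { get; }
  // Type of the IEndpoint implementation that serves the path
  Type Handler { get; }
}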

Instead of using a Dictionary<string, Type> right in the AddEndpoints routing registration extension, you could change to do stuff like:

if (endpoints.EnableTokenEndpoint)
{
  var mapping = new EndpointMapping
  {
    Endpoint = Constants.RoutePaths.Oidc.Token,
    Handler = typeof(TokenEndpoint)
  };
  // Register the mapping itself and the handler type it points to
  services.AddInstance(typeof(IEndpointMapping), mapping);
  services.AddTransient(mapping.Handler);
}

EndpointRouter could be changed to take IEnumerable<IEndpointMapping> instead of Dictionary<string, Type>. It can read the IEndpointMapping instances and only add the first of a given name that's encountered - so if two endpoints are registered with the same endpoint name, the first one in wins (silently - no error).

You could then just register it as a singleton during AddEndpoints instead of registering a specific instance:

services.AddSingleton(typeof(IEndpointRouter), typeof(EndpointRouter));

If I need to override an endpoint, I can just register my overrides after your defaults:

var mapping = new EndpointMapping
{
  Endpoint = Constants.RoutePaths.Oidc.Token,
  Handler = typeof(MyCustomTokenEndpoint)
};
// Same route path as the default, different handler type
services.AddInstance(typeof(IEndpointMapping), mapping);
services.AddTransient(mapping.Handler);

When the singleton for the IEndpointRouter gets resolved from DI, it will see my endpoint mapping for the endpoint first and use that instead of the default.

My IEndpoint implementation can derive from the default, call base at the right time, and do customization as needed. It can use any dependency registered, so it's pretty open to do whatever it needs.

I can PR something like that if it sounds interesting.

Using reference tokens in IdentityServer4

Hi,
How would I go about using reference tokens with IdentityServer4?
I tried following the MVC Implicit from samples in my application but sometimes I'm getting Http 400 Url too long messages. That can be solved with clearing my cookies but every once in a while it comes back.

The real problem is when I want to authenticate from another application (Client, also MVC implicit). I get a redirect with get request and a nonce parameter in url of 2000+ chars every time.
IIS starts complaining with Http 415 (or something) that the request parameters are too long.

I can post the value here later but I read somewhere in the issues that I should use reference tokens instead of jwt. I have set the tokentype to Reference in Clients configuration, but I can't seem to find the UseIdentityServerBearerAuthentication extension method in services anywhere.

I'm using the OpenIdConnectAuthentication from the MVC sample.
Sorry if this was asked before. I tried going through the IdentityServer4 source but I can't seem to find what to use.

I'll post my exact config and the url that's causing the error later.
Thank you!

Why does ITokenMetadata not have a key?

There are many stores where ITokenMetadata objects are cached based on a key generated by CryptoRandom.CreateUniqueId(). However, given an ITokenMetadata, it is not possible to know its key.

Is this intentional? If so, why? It introduces difficulties in implementing distributed storage for IAuthorizationCodeStore, IRefreshTokenStore, and IAuthorizationCodeStore for a load-balanced environment. Mostly with distributed caching and not a relational database store. Or is it only intended that these stores be written to an RDB for a load-balanced setup?

Logout issue

Was having an issue logging out from a javascript SPA client, so I tried the sample app with the javascript OIDC client sample and got the same error- from the VS Output window:

Microsoft.AspNet.Hosting.Internal.HostingEngine: Information: Request finished in 0.0078ms 200 application/json
Microsoft.AspNet.Hosting.Internal.HostingEngine: Information: Request starting HTTP/1.1 GET http://localhost:22530/connect/endsession?post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A7017%2Findex.html&id_token_hint=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSIsIng1dCI6ImEzck1VZ01Gdjl0UGNsTGE2eUYzekFrZnF1RSJ9.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.e6tBWOM6A2kHP37Je78-kicslIdKv29TqHGxXgQLZwtZG6u0q8CkFfifksc4q0weXinWtXtVEMPISMOf9ZfHR5ALg4kxMlYyxQOQd3Yo-rqbqz4qLyylQ9FEWbxqfnOxt91uAlIyMjkIxDxIuTMKU _K7VJtIr_jfM95DuFn7MwNI_yeRtDOsashIgXYwDFv4VDtl3-d7JNKy_Akmpz9mfh-xsiRrHNgffr229JZzXuPpm_pbkfhSKsxcRfoPWSNZn0KdWxUrVgixy7Noz5PtPyF8z95F7GClLKYACLqyYlRmj4yPJhGyn5QrRbbf3SgzXz19LuVhJhglZ0PKfAzYaA  
Microsoft.AspNet.Authentication.Cookies.CookieAuthenticationMiddleware: Information: HttContext.User merged via AutomaticAuthentication from authenticationScheme: idsrv.
Microsoft.AspNet.StaticFiles.StaticFileMiddleware: Verbose: The request path /connect/endsession does not match a supported file type
Microsoft.AspNet.Routing.Template.TemplateRoute: Verbose: Request successfully matched the route with name 'default' and template '{controller=Home}/{action=Index}/{id?}'.
Microsoft.AspNet.Mvc.Infrastructure.MvcRouteHandler: Verbose: No actions matched the current request
Microsoft.AspNet.Builder.RouterMiddleware: Verbose: Request did not match any routes.
Microsoft.AspNet.Hosting.Internal.HostingEngine: Information: Request finished in 0ms 404 

Looks like a routing issue with the connect/endsession call?

How can I extend login with additional information?

My user needs to feed in some additional information (his location) after login has already been done with success. But in idsrv4 I haven't found a point to make this extension.

Is there a way I can do such a thing? In idsrv3 we have partial login to do such things.

Any thoughts?

Question: how to hook up custom stores

Hi all,

Current IdSrv4 samples all use InMemory Clients, Scopes and Users stores. In IdSrv3, a custom store could be hooked up using IdentityServerServiceFactory (see sample IdentityServer3.Samples/source/CustomUserService/CustomUserService/). However, in IdSrv4 I can't find the IdentityServerServiceFactory nor how to attach a custom store.
Is there a sample available using a custom (user) store? Or what is the extension point I should use?

Kind regards,
Ronald

OpenId Connect Hybrid flow + SPA + Backend (+mobile app)

I have SPA (angular.js) that is communicating with backend API. What I want to implement is OpenId Connect's Hybrid flow.

I was doing this based on this sample - https://github.com/IdentityServer/IdentityServer4.Samples/tree/dev/Mvc/src/IdSvrHost

It all works well if I put [Authorize] attribute on some controller & try to access it - I'm being redirected to login screen and can sign in. I'm using AspNet OpenId Connect middleware for logging user in and accessing his claims.

The problem is that I want to have a simple login screen with no redirects after being unauthorized user (i.e. first time user enters the application and clicks 'Log in' button).

What I can't wrap my head around is this (from the sample mentioned above, LoginController.cs):

        [HttpGet(Constants.RoutePaths.Login, Name = "Login")]
        public async Task<IActionResult> Index(string id)
        {
            var vm = new LoginViewModel();

            if (id != null)
            {
                var request = await _signInInteraction.GetRequestAsync(id);
                if (request != null)
                {
                    vm.Username = request.LoginHint;
                    vm.SignInId = id;
                }
            }

            return View(vm);
        }

Login screen gets this SignInId cookie & id (during the unauthorized redirect) that is being later used during the actual logging in (for SignInResult).

  1. Is Hybrid flow best suited for having SPA that is used together with Backend API? Both the client & identity server here are ours so they're trusted.
  2. If SignInId is not necessary, then what could be the approach to implement hybrid flow with blank login form?
  3. If SignInId is necessary, then what could be the workflow for having blank log in screen & using this approach? Redirecting with [Authorize] is, sadly, the only option that I see right now.
  4. Can this approach (OpenId Connect's hybrid flow) work well with mobile apps? (having in mind cookies, storage, etc)
  5. Currently Identity Server is inside another project (next to my API) - would anything change if both API & Identity Server would be inside the same project (self hosted) or this doesn't affect anything?

Multiple IdSrvs mapped on one website

I am starting to port our code to v4 to see if we run into any issues so we can provide feedback / questions per this comment

Using IdSrv 3 we have 2 identity servers mapped to the same host (host.com/users, host.com/clients - the main reasons for this are completely different user and view services between the two). After reviewing the sample, poring over documentation and looking at the v4 codebase itself, I cannot figure out how to set up the same type of configuration in v4. I'm assuming I'm missing something simple, but in case I'm not, figured I'd ask if this type of configuration is still possible?

delegated access API

Do you have a sample which can demonstrate the delegated access? meaning, user access token/credentials/claims should flow down to server
say for example: from user to server1 to server2

And server2 in the above example can take decision whether to authorize particular user or not.

I am looking for 2 scenarios here:

  1. all server and user is in the same windows domain
  2. all are in different windows domains

Thanks.

Project status

Hi,

I'm developing an app on asp.net 5 at the moment and would like to give identity server a try. The docs on identity server 3 look like it can save lots of headache. :-)

I've seen there are already many examples for this new version. Is it worth playing around with it or should I wait?

Are there important features, that are currently missing? Do you expect bigger breaking changes as far as you can say now?

I'm not planning to go live soon and I know things can change during development.

As I don't care about .net core at the moment, some missing support for that would not be a show stopper for me.

Thanks for any input on this

Max

Design of how to handle missing consent

Scenario: user is taken to consent page (code out of our control) with certain required scopes (e.g. "openid"). Consent response back into IdSvr does not include that scope (because of bug or lack of validation on the consent page -- whatever).

Back in our "authorization after consent" callback page, what should we do? Do we trigger error back to client that required scopes were not granted? Do we show an error and die?

Since we used to control the consent page workflow, we used to show an error to the user on the consent page that they need to agree to the required scopes, but now that's much harder to do.

Hybrid client refresh tokens

Hey everyone, I am new to Openid Connect and Identity Server. However, I did manage to download the sample and get things working but I am having an issue getting a refresh token. I created my client as follows:

        new Client
        {
            ClientId = "hybridClient",
            Flow = Flows.Hybrid,
            RequireConsent = false, // setting this to true made no difference
            ClientName = "Hybrid client",
            RedirectUris = new List<string>
            {
                "http://localhost:23114/signin-oidc"
            },
            AllowedScopes = new List<string>
            {
                StandardScopes.OpenId.Name,
                StandardScopes.OfflineAccess.Name,
                StandardScopes.Profile.Name,
                StandardScopes.Email.Name,
                StandardScopes.Roles.Name,
                "api1"
            },
        },

my MVC project startup contains:

        app.UseCookieAuthentication(options =>
        {
            options.AuthenticationScheme = "cookies";
            options.AutomaticAuthenticate = true;
        });

        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
        app.UseOpenIdConnectAuthentication(options =>
        {
            options.AuthenticationScheme = "oidc";
            options.SignInScheme = "cookies";
            options.AutomaticChallenge = true;

            options.Authority = "https://localhost:44326/";
            options.RequireHttpsMetadata = false;

            options.ClientId = "hybridClient";
            options.ResponseType = "code id_token token";

            options.Scope.Add("offline_access");
            options.Scope.Add("profile");
            options.Scope.Add("email");
            options.Scope.Add("roles");
            options.Scope.Add("openid");
            options.Scope.Add("api1");

            options.TokenValidationParameters.NameClaimType = "name";
            options.TokenValidationParameters.RoleClaimType = "role";

        });

After I authenticate with the 'bob' user, my claims contain access token and id_token but no refresh token. What am I missing?

As a separate question, where would I be able to look up the access code the authorization endpoint gives me? I was going to try and hit the token endpoint before my API call to see if it would give me a refresh token but it needs an access code. I see plenty of ID Server 3 examples on how to use OpenIdConnectAuthenticationNotifications to set claims for this type of thing but I haven't been able to figure it out for ID Server 4. Any help would be appreciated.

LoginService dependency

Login controller depends on LoginService that depends on "fixed" InMemory user list:

public LoginService(List<InMemoryUser> users)

Everything works fine if we use InMemoryUsers

builder.AddInMemoryUsers(Users.Get());

If we change this to

builder.Services.AddTransient<IUserService, CustomUserService>();

what is the proper way to inject a custom service into the login service?
Just inject IUserService?

It seems that CustomUserService and LoginService are not compatible.

Regards

Edvin

Where is IUserService?

I am trying to use Microsoft.AspNet.Identity for user store. In Identityserver3 we have an IUserService. Where is it in Identityserver4? Is it IProfileService?

EndpointRouter doesn't handle scoped services properly

If you have a store implementation registered with Scope life time:

services.AddScoped<IScopeStore, MyScopeStore>();

the store is instantiated only once for whole application lifetime.

If you register it with Transient life time

services.AddTransient<IScopeStore, MyScopeStore>();

everything works as expected.

The problem is that the request scope is not initialized correctly. The fix which is working for me is to replace inside the Find method

endpoint = context.ApplicationServices.GetService(type) as IEndpoint;

with

endpoint = context.RequestServices.GetService(type) as IEndpoint;

because the RequestService creates the request scope, everything starts to work then.

I am not sure if there is better way to accomplish that but I can create the PR with this one line change if you are interested.
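The lifetime difference reported in this issue can be reproduced with the dependency injection container alone. The following is an added example, not code from IdentityServer4 or from the issue author; `IScopeStore` and `MyScopeStore` are stand-in types that only borrow the names used above, and the root provider and per-request scopes play the roles of `context.ApplicationServices` and `context.RequestServices`. It assumes the Microsoft.Extensions.DependencyInjection package on a current .NET SDK.

```csharp
using System;
using Microsoft.Extensions.DependencyInjection;

// Stand-in types (assumption): they only carry an id so instances can be told apart.
public interface IScopeStore { Guid InstanceId { get; } }

public sealed class MyScopeStore : IScopeStore
{
    public Guid InstanceId { get; } = Guid.NewGuid();
}

public static class ScopedResolutionDemo
{
    // Resolve the store twice from the root provider (the ApplicationServices role).
    public static bool RootReturnsSameInstance(IServiceProvider root) =>
        root.GetRequiredService<IScopeStore>().InstanceId ==
        root.GetRequiredService<IScopeStore>().InstanceId;

    // Resolve the store in two separate scopes (the RequestServices role, one scope per request).
    public static bool ScopesReturnSameInstance(IServiceProvider root)
    {
        Guid first, second;
        using (var request1 = root.CreateScope())
            first = request1.ServiceProvider.GetRequiredService<IScopeStore>().InstanceId;
        using (var request2 = root.CreateScope())
            second = request2.ServiceProvider.GetRequiredService<IScopeStore>().InstanceId;
        return first == second;
    }

    // With scope validation on, the container refuses to hand a scoped service to the root.
    public static bool StrictContainerRejectsRootResolution(IServiceCollection services)
    {
        using var strict = services.BuildServiceProvider(validateScopes: true);
        try
        {
            strict.GetRequiredService<IScopeStore>();
            return false;
        }
        catch (InvalidOperationException)
        {
            return true;
        }
    }

    public static void Main()
    {
        var services = new ServiceCollection();
        services.AddScoped<IScopeStore, MyScopeStore>();

        // validateScopes: false lets the root resolve a scoped service silently,
        // which is the situation described in the issue.
        using var root = services.BuildServiceProvider(validateScopes: false);

        Console.WriteLine($"root provider reuses one instance:  {RootReturnsSameInstance(root)}");
        Console.WriteLine($"two request scopes share instance:  {ScopesReturnSameInstance(root)}");
        Console.WriteLine($"validateScopes rejects root lookup: {StrictContainerRejectsRootResolution(services)}");
    }
}
```

A scoped store that is resolved from the root behaves as a singleton, so any per-request state it holds (a database context, a tenant, a cached user) is shared across requests. Building the provider with scope validation enabled in development turns that mistake into an exception.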

Client list cookie issue

According to the RFC for cookies (https://tools.ietf.org/html/rfc6265#section-4.1.1), a cookie value may not contain a comma.

However, as part of the IdentityServer4.Core.Hosting.ClientCookieList.SetClients(IEnumerable<string>) method (line 64), a JSON-serialized string is created for the list of clients. If there is a single client, this works fine, but when more than one client is authorized, this string is a comma separated list. When attempting to set the cookie value, anything after the comma is excluded from the cookie value and validation fails.

I propose to convert the string to base64 after serialization, and use that for the value of the cookie. In turn, the cookie would be converted back from a base64 string in the GetClients() method (line 56).

I have modified the code and tested this locally, and can submit a pull request if desired.
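The encoding proposed in this issue, as an added example that is not the IdentityServer4 code or the author's patch. The class and method names are hypothetical, the client ids are constructed sample values, and System.Text.Json is used as the serializer, which is an assumption about the runtime rather than what the project used.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.Json;

public static class ClientListCookieValue
{
    // RFC 6265 section 4.1.1:
    // cookie-octet = %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
    // (US-ASCII without controls, whitespace, DQUOTE, comma, semicolon, backslash)
    public static bool IsCookieOctet(char c) =>
        c == 0x21 ||
        (c >= 0x23 && c <= 0x2B) ||
        (c >= 0x2D && c <= 0x3A) ||
        (c >= 0x3C && c <= 0x5B) ||
        (c >= 0x5D && c <= 0x7E);

    public static bool IsValidCookieValue(string value) => value.All(IsCookieOctet);

    // Serialize the client list to JSON, then base64 so the cookie carries
    // only letters, digits, '+', '/' and '=' (all permitted cookie-octets).
    public static string Encode(IEnumerable<string> clients)
    {
        var json = JsonSerializer.Serialize(clients.ToArray());
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(json));
    }

    // The cookie comes back from the browser, so it is untrusted input:
    // anything that is not valid base64 or not a JSON string array yields an empty list.
    public static IReadOnlyList<string> Decode(string cookieValue)
    {
        if (string.IsNullOrEmpty(cookieValue)) return Array.Empty<string>();
        try
        {
            var json = Encoding.UTF8.GetString(Convert.FromBase64String(cookieValue));
            var clients = JsonSerializer.Deserialize<string[]>(json);
            if (clients == null) return Array.Empty<string>();
            return clients.Where(c => !string.IsNullOrEmpty(c)).ToArray();
        }
        catch (Exception ex) when (ex is FormatException || ex is JsonException)
        {
            return Array.Empty<string>();
        }
    }
}

public static class ClientListCookieDemo
{
    public static void Main()
    {
        // Constructed sample client ids.
        var clients = new[] { "mvc_implicit", "js_oidc" };

        var rawJson = JsonSerializer.Serialize(clients);
        var encoded = ClientListCookieValue.Encode(clients);
        var roundTrip = ClientListCookieValue.Decode(encoded);

        Console.WriteLine($"raw JSON:   {rawJson}");
        Console.WriteLine($"  valid cookie value: {ClientListCookieValue.IsValidCookieValue(rawJson)}");
        Console.WriteLine($"base64:     {encoded}");
        Console.WriteLine($"  valid cookie value: {ClientListCookieValue.IsValidCookieValue(encoded)}");
        Console.WriteLine($"round trip: {string.Join(", ", roundTrip)}");
        Console.WriteLine($"tampered:   {ClientListCookieValue.Decode("not base64 !!").Count} clients");
    }
}
```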

Host Identity server in the same application with a client

In Identity server 3 there is an option to host the server on the same application with a client. According to the official example which is here we can add a piece of code that looks like this

app.Map("/identity", idsrvApp => 
    {
        idsrvApp.UseIdentityServer(new IdentityServerOptions
            {
                SiteName = "Embedded IdentityServer",
                SigningCertificate = LoadCertificate(),
                Factory = new IdentityServerServiceFactory()
                    .UseInMemoryUsers(Users.Get())
                    .UseInMemoryClients(Clients.Get())
                    .UseInMemoryScopes(StandardScopes.All)
        });
    });

And then when we navigate to the http://myapplication.com/identity we could see some info about the Identity server.

Is there something similar in Identity Server 4? I guess that this must be a configuration in IdentityServerOptions class as now we just have to do

app.UseIdentityServer()

inside Configure method.

Entity Framework

Hello,
I would like to ask you if you plan some project with Entity Framework which will implement IClientStore etc.

Like IdentityServer3.EntityFramework.

And if you have planned this, could you tell me some release date please?

trying to run identityserver and mvc authentication in same application

Is there a sample to run the identity server 4 on an asp.net core mvc web application? I am trying to have 1 project that has it all and allows cookies on mvc side.
I created a persisted cookie (idsrv) when I SignInAsync on that authentication type and pass isPersistent, but all the CookieAuthenticationOptions such as timeout and name and such are ignored. Can't you use IdentityServer as a local authentication piece for cookies and auto route to login page if not authenticated?

Am I missing something – it seems to be ignoring the cookie options I am setting

My startup in configservices

    //setup for IdentityServer Service Component Middleware
    //setup signing cert
    var cert = new X509Certificate2(Path.Combine(_appEnv.ApplicationBasePath + @"\Infrastructure\IdentityServer\Cert", "idsrv4test.pfx"), "idsrv3test");

    var cookieopt = new CookieAuthenticationOptions
    {
        AutomaticAuthenticate = true,
        AutomaticChallenge = true,
        AuthenticationScheme = IdentityServer4.Core.Constants.PrimaryAuthenticationType,
        CookieDomain = "/",
        CookieHttpOnly = true,
        CookieName = "TestCookie",
        LoginPath = "/Account/Login",
        LogoutPath = "/Account/Logout",
        SlidingExpiration = true,
        ExpireTimeSpan = TimeSpan.FromMinutes(4)
    };
    var builder = services.AddIdentityServer(options =>
    {
        options.SigningCertificate = cert;
        options.SiteName = "Test Site";
        options.AuthenticationOptions.CookieAuthenticationOptions = cookieopt;
    });
    builder.AddInMemoryClients(Clients.Get());
    builder.AddInMemoryScopes(Scopes.Get());
    builder.AddInMemoryUsers(Users.Get());

In Configure

    app.UseIdentityServer();

Consider more strict check for StartsWithSegments

We'll get false positives for inexact Url checks. Instead something like this:

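PathString remaining;
// StartsWithSegments returns a bool; the unmatched tail of the path comes back in 'remaining'
var r = ctx.Request.Path.StartsWithSegments(path, out remaining);
if (r && remaining.HasValue == false)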

will let us know if there's too much junk in the URL. Don't know if there's a better way or if this is already encapsulated somewhere else.
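The difference between the loose and the strict check, run over a few request paths. This is an added example, not code from IdentityServer4 or the issue; the class name, method names and sample paths are constructed, and it uses the `Microsoft.AspNetCore.Http` namespace of current ASP.NET Core rather than the pre-release namespace in use when the issue was written.

```csharp
using System;
using Microsoft.AspNetCore.Http;

public static class EndpointPathMatch
{
    // Loose check: true for the endpoint path and for anything nested under it.
    public static bool IsLooseMatch(PathString requestPath, PathString endpoint) =>
        requestPath.StartsWithSegments(endpoint);

    // Strict check from the issue: the prefix must match AND nothing may be left over.
    public static bool IsExactMatch(PathString requestPath, PathString endpoint) =>
        requestPath.StartsWithSegments(endpoint, out PathString remaining) &&
        !remaining.HasValue;

    public static void Main()
    {
        var endpoint = new PathString("/connect/token");

        // Constructed sample request paths.
        string[] samples =
        {
            "/connect/token",        // the endpoint itself
            "/CONNECT/TOKEN",        // StartsWithSegments compares case-insensitively by default
            "/connect/token/",       // trailing slash leaves "/" as remainder
            "/connect/token/extra",  // extra segment after the endpoint
            "/connect/tokens",       // different segment that shares a string prefix
        };

        foreach (var sample in samples)
        {
            var path = new PathString(sample);
            Console.WriteLine(
                $"{sample,-22} loose={IsLooseMatch(path, endpoint),-5} exact={IsExactMatch(path, endpoint)}");
        }
    }
}
```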

SampleApi project is not able to run

I am getting the following message (I tried the SampleApi project)

The selected debug option is IIS Express but this project is not a web project. To use IIS Express you need to add the wwwroot attribute to project.json
So is there a problem with project.json file deployed with samples? Please let me know.

Yes, I am using 1.0.0-RC1-update1

Manual token creation

Hello, I've integrated usage of identity server to my project according to samples. Everything works like a charm :). Then, I faced with next challenge - I have tests which call API in self-hosted server. Once I add authentication to protect resources, I need to pass the token in header for each test.

Is there any way in which I can generate access token without going through full authentication flow (I want to do this only when IsDevelopment() == true, for testing purposes only) with some basic claims like id/name?

Checksession resource not available in IdentityServer4.Sample IdSvrHost

I am playing with the samples and I see that in one of the clients from IdentityServer3, the oidc in javascript, there is something sending GET requests to:
http://localhost:22530/connect/checksession (the IdSvrHost)
but in the IdSvrHost from IdentityServer4.Samples there is nothing with this endpoint.

Is that something required? I apologize if this is not an issue, but I haven't been able to find any documentation about IdentityServer4 with implicit flows and I still don't fully understand what's necessary to store tokens in client side.
