
indice.kentico's People

Contributors

bidis, cleftheris, dependabot[bot], epuio, giorgos07, iordanisnt


indice.kentico's Issues

Updates for authorization code flow

Hello,

We are attempting to use AWS Cognito as our identity provider. Cognito doesn't support the hybrid "code id_token". I have made changes to the attached three files in order to get the project to work with Cognito (using the authorization code flow). In the process, I added a few more OAuthConfiguration options for configurability. The code still supports the "code id_token" response_type based on an OAuthConfiguration option. Here is an example of my web.config configuration:

    <add key="Oidc:AutoRedirect" value="false" />
    <add key="Oidc:Authority" value="https://epuio.auth.us-east-2.amazoncognito.com" />
    <add key="Oidc:Host" value="https://test.equio.com/Kentico12" />
    <add key="Oidc:ClientId" value="************" />
    <add key="Oidc:ClientSecret" value="*******" />
    <add key="Oidc:Scopes" value="openid profile" />
    <add key="Oidc:AuthorizeEndpointPath" value="authorize" /> 
    <add key="Oidc:TokenEndpointPath" value="oauth2/token" /> 
    <add key="Oidc:UserInfoEndpointPath" value="oauth2/userInfo" /> 
    <add key="Oidc:ResponseType" value="Code" /> <!-- Allowed values: "Code" or "CodeIdToken" -->
    <add key="Oidc:UserNameClaim" value="username" /> <!-- The name of the claim returned by the IDP that uniquely identifies the user -->

I encountered an error where I had to change "SiteContext.CurrentSite.SiteID" to "SiteContext.CurrentSiteID". Not sure why.

SignInOidcHandler.cs.txt
OAuthConfiguration.cs.txt
OidcAuthenticationModule.cs.txt

I'm not an accomplished programmer so I'm sure there are many things that can be improved in my changes. I couldn't figure out how to create a new branch and push it so I've attached the three files that I changed.

I hope these changes are helpful. I would appreciate any feedback you may have.

Paul

Indice.Kentico appending suffix "/connect/authorize"

The OIDC URL for my IDP is:

https://xyzidp.b2clogin.com/xyzidp.onmicrosoft.com/b2c_1_signin_and_signup/oauth2/v2.0/authorize

I have configured the following in my settings file:

    <add key="Oidc:Authority" value="https://xyzidp.b2clogin.com/xyzidp.onmicrosoft.com/b2c_1_signin_and_signup/oauth2/v2.0" />

When indice.kentico redirects to the IDP, it uses the following URL:

https://xyzidp.b2clogin.com/xyzidp.onmicrosoft.com/b2c_1_signin_and_signup/oauth2/v2.0/connect/authorize

This causes an error on the IDP. Is there a way for me to remove the "connect/" portion of the URL when redirecting to the IDP?

Thank you

Redirect issue with AWS Cognito

I've followed all of the instructions in the README to install this into my site. Everything appears to be working up to the point that Cognito redirects back to my site with the code and token. At that point, I get a 404 on SignInOidc.ashx. Looking at the network log, it looks like that request is coming through as a GET request (since it's an actual HTTP redirect). Looking back through the handlers, SignInOidc.ashx is configured to be a POST endpoint. I don't see a way to force Cognito to redirect back to my site via POST. (However, if I snag the URL from the network log and quickly send it as a POST, I do indeed get logged in.)

I've tried updating the handler to use the GET verb, but when I do, I get the following error:

    Object reference not set to an instance of an object.
       at Indice.Kentico.Oidc.SignInOidcHandler.ProcessRequest(HttpContext context)
       at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
    https://kentico.example.com:443/SignInOidc.ashx?code=xxxxxx-xxxx-xxxx-xxxx-xxxxxx&state=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==
    /SignInOidc.ashx

I don't know if this (GET handler) is supported or if it somehow depends on the request being a POST and hence the error.

I don't know for sure if it's related, but this PR seems to mention similar things: #10
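
The post above contrasts a GET callback carrying `code` and `state` in the query string with a handler registered for POST. As an added example (not code from the post or from Indice.Kentico), here is a callback reader that accepts either verb, fails closed on a missing `code` or `state`, and checks `state` against the stored value; the class `AuthorizationResponse`, its `Read` method and the sample values are hypothetical.

```csharp
using System;
using System.Collections.Specialized;

// Hypothetical helper for illustration; not part of Indice.Kentico.
public sealed class AuthorizationResponse
{
    public string Code { get; private set; }
    public string IdToken { get; private set; } // null in the plain code flow

    // query/form correspond to HttpRequest.QueryString and HttpRequest.Form in System.Web.
    // expectedState is the value stored before the redirect to the IdP.
    public static AuthorizationResponse Read(string method, NameValueCollection query,
        NameValueCollection form, string expectedState)
    {
        bool isPost = string.Equals(method, "POST", StringComparison.OrdinalIgnoreCase);
        if (!isPost && !string.Equals(method, "GET", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Unsupported verb: " + method);
        // form_post responses arrive in the body, query responses in the URL.
        NameValueCollection source = (isPost ? form : query) ?? new NameValueCollection();

        if (!string.IsNullOrEmpty(source["error"]))
            throw new InvalidOperationException("IdP returned error: " + source["error"]);
        string code = source["code"], state = source["state"];
        if (string.IsNullOrEmpty(code) || string.IsNullOrEmpty(state))
            throw new InvalidOperationException("Callback is missing code or state.");
        if (!FixedTimeEquals(state, expectedState))
            throw new InvalidOperationException("State mismatch; callback rejected.");
        return new AuthorizationResponse { Code = code, IdToken = source["id_token"] };
    }

    // Compare without exiting early on the first differing character.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample: a GET callback as produced by the code flow.
        var query = new NameValueCollection { { "code", "sample-code" }, { "state", "abc123" } };
        var ok = Read("GET", query, null, "abc123");
        Console.WriteLine(ok.Code + " id_token present: " + (ok.IdToken != null));
        try { Read("GET", query, null, "other"); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
    }
}
```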

Exclude Kentico Admin from OIDC Module

Are you aware of a way that I can exclude the Kentico administrative interface from the OIDC login process? I'd like to keep admins logging directly into Kentico (so they can address any issues independent of OIDC).

Thank you,

Paul

Error when attempting to run in Azure App Service

Hi,

I'm trying to get the Indice Kentico OIDC plugin to work in Azure with Kentico 12 (I've successfully gotten it running with IIS on a Windows system). When I connect to /SignIn.ashx, I'm redirected to the IDP successfully. However, once I enter my credentials and get redirected back, I get the following error in the browser:

    Server Error in '/' Application.
    The resource cannot be found.
    Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly.

    Requested URL: /SignInOidc.ashx

I've tried to double check that I've got all of the necessary DLLs. I temporarily removed System.Text.Encodings.Web.dll to confirm that I get an explicit dependency error log, which I do (under Diagnose and solve problems --> Diagnostic Tools --> Support Tools --> Application Events on the app service). When I put the DLL back, I don't get any dependency errors.

However, I do get the following error in the log:

    4005
    Forms authentication failed for the request. Reason: The ticket supplied was invalid.
    2/16/2022 12:30:35 AM
    2/16/2022 12:30:35 AM
    6146c4ce543e4bddb3c26d84bda420d6
    9
    1
    50201
    /LM/W3SVC/769197253/ROOT-7-132894450124207552
    Full
    /
    C:\home\site\wwwroot
    pd0sdwk000G8T

    13108
    w3wp.exe
    IIS APPPOOL\dev-sypw-1-102921-cognito
    https://dev.syda.net:443/SignIn.ashx
    /SignIn.ashx
    35.142.159.41

    False

    IIS APPPOOL\dev-sypw-1-102921-cognito

It appears that SignIn.ashx is successfully getting executed so that it redirects but simultaneously generating the above error. It doesn't appear that SignInOidc.ashx is getting executed.

Any ideas of what I might be doing wrong or a way that I can figure out what is causing the error? Thanks for any suggestions you can provide.

Read-only error in SignInOIDC.ashx on redirect back from the IDP

Hi @giorgos07,

@epuio and I have been trying to integrate your library into our Kentico 12 SP instance with AWS Cognito, and we're further along now, and getting an error on the redirected call back to SignInOIDC.ashx:

Message: D:\home\site\wwwroot\SignInOidc.ashx(100): error CS0200: Property or indexer 'UserCreatedEventArgs.User' cannot be assigned to -- it is read only

Looking at the source file for UserCreatedEventArgs.cs, I noticed that the UserInfo object setter has the internal keyword set on it, and wasn't sure if that was the cause of the error.

    public UserInfo User { get; internal set; }

Thanks in advance,
Garuda
