c# - Using Claims with OpenIdConnect.Server in ASP.NET 5 -


in past 7 days i've tried setup asp.net 5 webapi using openidconnect.server resource owner flow.

i more or less successful in generating token , accessing [authorize] protected actions.

however, when try access this.user.identity.claims, it's empty. using asp.net 5, beta6 (having troubles upgrading recent beta7 , waiting it's official release)

in startup.cs got following:

public void configureservices(iservicecollection services) {     services.addcaching();      services.addentityframework()         .addsqlserver()         .adddbcontext<authcontext>(options =>         {             options.usesqlserver(configuration.get("data:defaultconnection:connectionstring"));         });      services.addidentity<authuser, authrole>(         options => options.user = new microsoft.aspnet.identity.useroptions         {             requireuniqueemail = true,             usernamevalidationregex = "^[a-za-z0-9@_\\.-]+$"         })         .addentityframeworkstores<authcontext, guid>()         .adddefaulttokenproviders();      services.configurecors(configure =>     {         configure.addpolicy("corspolicy", builder =>         {             builder.withorigins("http:/localhost/", "http://win2012.bludev.com/");         });     });      services.addscoped<iauthrepository, authrepository>(); }      public void configure(iapplicationbuilder app)     {         var factory = app.applicationservices.getrequiredservice<iloggerfactory>();         factory.addconsole();          app.usestaticfiles();          app.useoauthbearerauthentication(options =>         {             options.authority = "http://win2012.bludev.com/api/auth/";             options.audience = "http://win2012.bludev.com/";              options.automaticauthentication = true;              options.tokenvalidationparameters = new tokenvalidationparameters()             {                 requireexpirationtime = true,                 requiresignedtokens = true,                 roleclaimtype = claimtypes.role,                 nameclaimtype = claimtypes.nameidentifier,                  validateactor = true,                 validateaudience = false,                 validateissuer = true,                 validatelifetime = false,                 validateissuersigningkey = true,                 validatesignature = true,                  validaudience = "http://win2012.bludev.com/",                 validissuer = "http://win2012.bludev.com/"             };         });          app.useopenidconnectserver(options =>         {             options.issuer = new uri("http://win2012.bludev.com/api/auth/");             options.allowinsecurehttp = true;             options.authorizationendpointpath = pathstring.empty;             options.provider = new authorizationprovider();             options.applicationcandisplayerrors = true;              // note: in real world app, you'd prefer storing x.509 certificate             // in user or machine store. keep sample easy use, certificate             // extracted certificate.pfx file embedded in assembly.             options.usecertificate(                 assembly: typeof(startup).gettypeinfo().assembly,                 resource: "authexample.certificate.pfx",                 password: "owin.security.openidconnect.server");         });          app.useidentity();          app.usemvc();     } }

i used app.useoauthbearerauthentication because couldn't app.useopenidconnectauthentication working, in console:

request: /admin/user/ warning : [microsoft.aspnet.authentication.openidconnect.openidconnectauthentica tionmiddleware] oidch_0004: openidconnectauthenticationhandler: message.state null or empty. request: /.well-known/openid-configuration warning : [microsoft.aspnet.authentication.openidconnect.openidconnectauthentica tionmiddleware] oidch_0004: openidconnectauthenticationhandler: message.state null or empty.

and exception after time out

error : [microsoft.aspnet.server.weblistener.messagepump] processrequestasync system.invalidoperationexception: idx10803: unable create obtain configura tion from: 'http://win2012.bludev.com/api/auth/.well-known/openid-configuration' . @ microsoft.identitymodel.logging.loghelper.throw(string message, type excep tiontype, eventlevel loglevel, exception innerexception) @ microsoft.identitymodel.protocols.configurationmanager`1.d__24.movenext() --- end of stack trace previous location exception thrown --- @ system.runtime.compilerservices.taskawaiter.throwfornonsuccess(task task) @ system.runtime.compilerservices.taskawaiter.handlenonsuccessanddebuggernot ification(task task) ...

with configuration useopenidconnectauthentication

app.useopenidconnectauthentication(options => {     options.authenticationscheme = openidconnectauthenticationdefaults.authenticationscheme;      options.authority = "http://win2012.bludev.com/api/auth/";     options.audience = "http://win2012.bludev.com/";     options.resource = "http://win2012.bludev.com/";      options.automaticauthentication = true;      options.tokenvalidationparameters = new tokenvalidationparameters()     {         requireexpirationtime = true,         requiresignedtokens = true,         roleclaimtype = claimtypes.role,         nameclaimtype = claimtypes.nameidentifier,          validateactor = true,         validateaudience = false,         validateissuer = true,         validatelifetime = false,         validateissuersigningkey = true,         validatesignature = true     };  });

so real question is:

  1. how resource owner flow work claims
  2. validatelifetime = true or validateaudience = true throw exception , result in http code 500 response without printed error.
  3. how turn authentication failures meaningful 400/403 code , json or xml respones (depending on client preference) displayed user? (javascript client in case)?

app.useopenidconnectauthentication() (which relies on openidconnectauthenticationmiddleware) meant support interactive flows (code/implicit/hybrid) , cannot used resource owner password credentials grant type. since want validate access tokens, use app.useoauthbearerauthentication() instead.

see answer more information different openid connect/oauth2 middleware in asp.net 5: configure authorization server endpoint

how resource owner flow work claims

the entire openidconnectservermiddleware you're using based on claims.

if have trouble serializing specific claims, remember claims except claimtypes.nameidentifier not serialized default in identity , access tokens, since both readable client application , user agent. avoid leaking confidential data, need specify explicit destination indicating want claims serialized:

// claim serialized in access token. identity.addclaim(claimtypes.name, username, openidconnectconstants.destinations.accesstoken);  // claim serialized in both identity , access tokens. identity.addclaim(claimtypes.surname, "doe",     openidconnectconstants.destinations.accesstoken,     openidconnectconstants.destinations.identitytoken););

validatelifetime = true or validateaudience = true throw exception , result in http code 500 response without printed error.

how turn authentication failures meaningful 400/403 code , json or xml respones (depending on client preference) displayed user? (javascript client in case)?

that's how oidc client middleware (managed msft) works default, fixed. can see github ticket workaround: https://github.com/aspnet/security/issues/411


-

Comments

Post a Comment

Popular posts from this blog

c# - Binding a comma separated list to a List<int> in asp.net web api -

the default binder in web api expecst http://url.com/webapi/report/?pageids=3243&pageids=2365 to bind public ihttpactionresult report(list<int> pageids){ // exciting webapi code} i wish bind http://url.com/webapi/report/?pageids=3243,2365 as running out of space in url get . i have created class public class commaseparatedmodelbinder : system.web.http.modelbinding.imodelbinder { public bool bindmodel(httpactioncontext actioncontext, modelbindingcontext bindingcontext) { //binding in here } } and registered in webapiconfig.cs var provider = new simplemodelbinderprovider( typeof(list<int>), new commaseparatedmodelbinder()); config.services.insert(typeof(modelbinderprovider), 0, provider); i have altered method signature use model binder so public ihttpactionresult report( [modelbinder] list<int> pageids){ // exciting webapi code} however break point in binder not being
Read more

Delphi 7 and decode UTF-8 base64 -

in delphi 7, have widestring encoded base64(that received web service widestring result) : pd94bwwgdmvyc2lvbj0ims4wij8+dqo8c3ryaw5nptiq2lpyqjwvc3ryaw5npg== when decoded it, result not utf-8: <?xml version="1.0"?> <string>طھط³طھ</string> but when decoded base64decode.org, result true : <?xml version="1.0"?> <string>تست</string> i have use encddecd unit decodestring function. the problem have using decodestring . function, in delphi 7, treats decoded binary data being ansi encoded. , problem text utf-8 encoded. to continue encddecd unit have couple of options. can switch decodestream . instance, code produce utf-8 encoded text file data: {$apptype console} uses classes, encddecd; const data = 'pd94bwwgdmvyc2lvbj0ims4wij8+dqo8c3ryaw5nptiq2lpyqjwvc3ryaw5npg=='; var input: tstringstream; output: tfilestream; begin input := tstringstream.create(data); try output := tfilestream.
Read more

html - Is there any way to exclude a single element from the style? (Bootstrap) -

so, have img logo, overlaid on div styled background-image: url("...") , , both elements inside 2 div classes .to-color , .to-overlay respectively, black transparent overlay. is there way exclude logo style given these 2 classes? here's jsfiddle example: link html , css example: - html - <div class="to-color"> <div class="to-overlay"> <div class="respo"> <div class="row"> <div class="col-xs-4 col-xs-offset-4 text-center"> <img src="http://ansonalex.com/wp-content/uploads/2011/06/google-logo-768x260.png" alt="..." class="img-responsive"> </div> </div> </div> </div> </div> - css - .to-color { background-color: #000; } .to-overlay { opacity : 0.5; } .respo { background-image: url("https://source.unsplash.com/category/objects/1600x900"); background-position: center center;
Read more