c# - Using Claims with OpenIdConnect.Server in ASP.NET 5 -


in past 7 days i've tried setup asp.net 5 webapi using openidconnect.server resource owner flow.

i more or less successful in generating token , accessing [authorize] protected actions.

however, when try access this.user.identity.claims, it's empty. using asp.net 5, beta6 (having troubles upgrading recent beta7 , waiting it's official release)

in startup.cs got following:

public void configureservices(iservicecollection services) {     services.addcaching();      services.addentityframework()         .addsqlserver()         .adddbcontext<authcontext>(options =>         {             options.usesqlserver(configuration.get("data:defaultconnection:connectionstring"));         });      services.addidentity<authuser, authrole>(         options => options.user = new microsoft.aspnet.identity.useroptions         {             requireuniqueemail = true,             usernamevalidationregex = "^[a-za-z0-9@_\\.-]+$"         })         .addentityframeworkstores<authcontext, guid>()         .adddefaulttokenproviders();      services.configurecors(configure =>     {         configure.addpolicy("corspolicy", builder =>         {             builder.withorigins("http:/localhost/", "http://win2012.bludev.com/");         });     });      services.addscoped<iauthrepository, authrepository>(); }      public void configure(iapplicationbuilder app)     {         var factory = app.applicationservices.getrequiredservice<iloggerfactory>();         factory.addconsole();          app.usestaticfiles();          app.useoauthbearerauthentication(options =>         {             options.authority = "http://win2012.bludev.com/api/auth/";             options.audience = "http://win2012.bludev.com/";              options.automaticauthentication = true;              options.tokenvalidationparameters = new tokenvalidationparameters()             {                 requireexpirationtime = true,                 requiresignedtokens = true,                 roleclaimtype = claimtypes.role,                 nameclaimtype = claimtypes.nameidentifier,                  validateactor = true,                 validateaudience = false,                 validateissuer = true,                 validatelifetime = false,                 validateissuersigningkey = true,                 validatesignature = true,                  validaudience = "http://win2012.bludev.com/",                 validissuer = "http://win2012.bludev.com/"             };         });          app.useopenidconnectserver(options =>         {             options.issuer = new uri("http://win2012.bludev.com/api/auth/");             options.allowinsecurehttp = true;             options.authorizationendpointpath = pathstring.empty;             options.provider = new authorizationprovider();             options.applicationcandisplayerrors = true;              // note: in real world app, you'd prefer storing x.509 certificate             // in user or machine store. keep sample easy use, certificate             // extracted certificate.pfx file embedded in assembly.             options.usecertificate(                 assembly: typeof(startup).gettypeinfo().assembly,                 resource: "authexample.certificate.pfx",                 password: "owin.security.openidconnect.server");         });          app.useidentity();          app.usemvc();     } }

i used app.useoauthbearerauthentication because couldn't app.useopenidconnectauthentication working, in console:

request: /admin/user/ warning : [microsoft.aspnet.authentication.openidconnect.openidconnectauthentica tionmiddleware] oidch_0004: openidconnectauthenticationhandler: message.state null or empty. request: /.well-known/openid-configuration warning : [microsoft.aspnet.authentication.openidconnect.openidconnectauthentica tionmiddleware] oidch_0004: openidconnectauthenticationhandler: message.state null or empty.

and exception after time out

error : [microsoft.aspnet.server.weblistener.messagepump] processrequestasync system.invalidoperationexception: idx10803: unable create obtain configura tion from: 'http://win2012.bludev.com/api/auth/.well-known/openid-configuration' . @ microsoft.identitymodel.logging.loghelper.throw(string message, type excep tiontype, eventlevel loglevel, exception innerexception) @ microsoft.identitymodel.protocols.configurationmanager`1.d__24.movenext() --- end of stack trace previous location exception thrown --- @ system.runtime.compilerservices.taskawaiter.throwfornonsuccess(task task) @ system.runtime.compilerservices.taskawaiter.handlenonsuccessanddebuggernot ification(task task) ...

with configuration useopenidconnectauthentication

app.useopenidconnectauthentication(options => {     options.authenticationscheme = openidconnectauthenticationdefaults.authenticationscheme;      options.authority = "http://win2012.bludev.com/api/auth/";     options.audience = "http://win2012.bludev.com/";     options.resource = "http://win2012.bludev.com/";      options.automaticauthentication = true;      options.tokenvalidationparameters = new tokenvalidationparameters()     {         requireexpirationtime = true,         requiresignedtokens = true,         roleclaimtype = claimtypes.role,         nameclaimtype = claimtypes.nameidentifier,          validateactor = true,         validateaudience = false,         validateissuer = true,         validatelifetime = false,         validateissuersigningkey = true,         validatesignature = true     };  });

so real question is:

  1. how resource owner flow work claims
  2. validatelifetime = true or validateaudience = true throw exception , result in http code 500 response without printed error.
  3. how turn authentication failures meaningful 400/403 code , json or xml respones (depending on client preference) displayed user? (javascript client in case)?

app.useopenidconnectauthentication() (which relies on openidconnectauthenticationmiddleware) meant support interactive flows (code/implicit/hybrid) , cannot used resource owner password credentials grant type. since want validate access tokens, use app.useoauthbearerauthentication() instead.

see answer more information different openid connect/oauth2 middleware in asp.net 5: configure authorization server endpoint

how resource owner flow work claims

the entire openidconnectservermiddleware you're using based on claims.

if have trouble serializing specific claims, remember claims except claimtypes.nameidentifier not serialized default in identity , access tokens, since both readable client application , user agent. avoid leaking confidential data, need specify explicit destination indicating want claims serialized:

// claim serialized in access token. identity.addclaim(claimtypes.name, username, openidconnectconstants.destinations.accesstoken);  // claim serialized in both identity , access tokens. identity.addclaim(claimtypes.surname, "doe",     openidconnectconstants.destinations.accesstoken,     openidconnectconstants.destinations.identitytoken););

validatelifetime = true or validateaudience = true throw exception , result in http code 500 response without printed error.

how turn authentication failures meaningful 400/403 code , json or xml respones (depending on client preference) displayed user? (javascript client in case)?

that's how oidc client middleware (managed msft) works default, fixed. can see github ticket workaround: https://github.com/aspnet/security/issues/411


-

Comments

Post a Comment

Popular posts from this blog

c# - Binding a comma separated list to a List<int> in asp.net web api -

the default binder in web api expecst http://url.com/webapi/report/?pageids=3243&pageids=2365 to bind public ihttpactionresult report(list<int> pageids){ // exciting webapi code} i wish bind http://url.com/webapi/report/?pageids=3243,2365 as running out of space in url get . i have created class public class commaseparatedmodelbinder : system.web.http.modelbinding.imodelbinder { public bool bindmodel(httpactioncontext actioncontext, modelbindingcontext bindingcontext) { //binding in here } } and registered in webapiconfig.cs var provider = new simplemodelbinderprovider( typeof(list<int>), new commaseparatedmodelbinder()); config.services.insert(typeof(modelbinderprovider), 0, provider); i have altered method signature use model binder so public ihttpactionresult report( [modelbinder] list<int> pageids){ // exciting webapi code} however break point in binder not being ...
Read more

how to prompt save As Box in Excel Interlop c# MVC 4 -

i want export excel sheet using excel interloop... i have datatable convert excel sheet... now there way save file using save dialogue box in mvc 4 here code public string datatabletoexcel(datatable dt, string htmlheading, string key) { try { microsoft.office.interop.excel.application excel; microsoft.office.interop.excel.workbook excelworkbook; microsoft.office.interop.excel.worksheet excelsheet; microsoft.office.interop.excel.range excelcellrange; excel = new microsoft.office.interop.excel.application(); excel.visible = false; excel.displayalerts = false; excelworkbook = excel.workbooks.add(type.missing); excelsheet = (microsoft.office.interop.excel.worksheet)excelworkbook.activesheet; excelsheet.name = "sheet1"; dataset ...
Read more

xslt 1.0 - How to access or retrieve mets content of an item from another item? -

my use case have item has link in item. example, item 123456789/152 has metadata field dc.relation.hasversion=123456789/717 . within item view of 123456789/152 , how can retrieve values of metadata of 123456789/717 ? example, want retrieve dc.language.iso value of 123456789/717 123456789/152 . i looked @ related items feature in dspace don't know how metadata displayed in related items list pulled items in list. i using dspace version 5.3 mirage 2 theme . edit based on schweerelos answer, below actual code. using custom metadata field dc.relation.languageversion . basically, want link other version instead of displaying value, display dc.language.iso of other version in item-view.xsl . i've incorporated answer of schweerelos question in code just displaying value of dc.relation.languageversion . sample values of dc.relation.languageversion 10665.1/9843 ; 10665.1/9844 ie not complete uri handle. thanks in advance! actual code <xsl:template name=...
Read more