I code “MVC Client” just as in “Creating an MVC client” https://identityserver4.readthedocs.io/en/latest/quickstarts/2_interactive_aspnetcore.html#creating-an-mvc-client
My main goal is when access_token is expired to get new one with refresh_token.
I need it not for API access but for “MVC Client” authentication/authorization.
So, I thought before “MVC Client” issues redirect to IdentityServer to its login page (http://localhost:5000/connect/authorize?client_id=mvc&redirect_uri=bla, bla, bla) just intercept it and send instead of it just get new access_token (with refresh_token) w/o user need to enter his credentials.
So, I just need to get any event before “MVC Client” decides that access_token no longer valid and tries to redirect to IdentityServer login.
public void ConfigureServices(IServiceCollection services)
{
services.AddControllersWithViews();
JwtSecurityTokenHandler.DefaultMapInboundClaims = false;
services.AddAuthentication(options =>
{
options.DefaultScheme = "Cookies";
options.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies", options => {
options.Cookie.Name = "MyCookie";
options.Cookie.MaxAge = new TimeSpan(0, 0, 60);
options.ExpireTimeSpan = new TimeSpan(0, 0, 60);
options.SlidingExpiration = false;
//options.Cookie.s ExpireTimeSpan = new TimeSpan(0, 0, 1);
options.Events = new Func<CookieAuthenticationEvents>(() =>
{
var cookieAuthenticationEvents = new CookieAuthenticationEvents( );
var f = cookieAuthenticationEvents.OnRedirectToLogin;
var f1 = cookieAuthenticationEvents.OnValidatePrincipal;
var f2 = cookieAuthenticationEvents.OnSignedIn;
cookieAuthenticationEvents.OnRedirectToLogin = ( context ) =>
{
return f(context);
};
cookieAuthenticationEvents.OnValidatePrincipal = ( context ) =>
{
return f1(context);
};
cookieAuthenticationEvents.OnSignedIn = ( context ) =>
{
return f2(context);
};
return cookieAuthenticationEvents;
}
)( );
})
.AddOpenIdConnect("oidc", options =>
{
options.Authority = "http://localhost:5000";
options.RequireHttpsMetadata = false;
options.ClientId = "mvc";
options.ClientSecret = "secret";
options.ResponseType = "code";
options.SaveTokens = true;
options.Scope.Add("email");
options.Scope.Add("api1");
options.Scope.Add("offline_access");
// options.Events = new Func<>
options.Events = new Func<OpenIdConnectEvents>(() =>
{
var openIdConnectEvents = new OpenIdConnectEvents( );
var f = openIdConnectEvents.OnAuthenticationFailed;
var f1 = openIdConnectEvents.OnAccessDenied;
var f2 = openIdConnectEvents.OnTokenValidated;
var f3 = openIdConnectEvents.OnAccessDenied;
openIdConnectEvents.OnAuthenticationFailed = ( context ) =>
{
return f(context);
};
openIdConnectEvents.OnAccessDenied = ( context ) =>
{
return f1(context);
};
openIdConnectEvents.OnTokenValidated = ( context ) =>
{
return f2(context);
};
openIdConnectEvents.OnAccessDenied = ( context ) =>
{
return f3(context);
};
return openIdConnectEvents;
}
)( );
});
}
On every line with "return f3(context);" I put break point with anticipation to hit it before getting to Login page of IdentityServer – no luck .
This is client config.
new Client
{
ClientId = "mvc",
ClientSecrets = { new Secret("secret".Sha256()) },
AllowedGrantTypes = GrantTypes.Code,
RequireConsent = false,
RequirePkce = true,
// where to redirect to after login
RedirectUris = { "http://localhost:5002/signin-oidc" },
// where to redirect to after logout
PostLogoutRedirectUris = { "http://localhost:5002/signout-callback-oidc" },
AllowedScopes = new List<string>
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"api1"
},
AlwaysIncludeUserClaimsInIdToken = true,
AllowOfflineAccess = true,
AccessTokenLifetime = 150,
AuthorizationCodeLifetime = 150,
UserSsoLifetime = 150
}
How to do it - refresh token automatically w/o user interaction for MVC Client authentication (not for API access)
I've found a solution. Here it is:
https://github.com/leastprivilege/AspNetCoreSecuritySamples/tree/aspnetcore21/AutomaticTokenManagement
The key point here is to override this method
public override async Task ValidatePrincipal ( CookieValidatePrincipalContext context )
from class
Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationEvents
Related
I do not understand how I can get the authorization code/access token to make a request.
This is my .AddGoogle():
builder.Services.AddAuthentication(o =>
{
o.DefaultChallengeScheme = "Google";
o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
}).AddCookie().AddGoogle("Google",options =>
{
IConfigurationSection auth = builder.Configuration.GetSection("Authentication:Google");
options.ClientId = auth["ClientId"];
options.ClientSecret = auth["ClientSecret"];
options.CallbackPath = "/Home";
options.AuthorizationEndpoint += "?prompt=consent";
options.SaveTokens = true;
options.Scope.Add(FitnessService.Scope.FitnessActivityRead);
});
So I log in / register, and then what?
I've tried this method
UserCredential credential;
var flow = new GoogleAuthorizationCodeFlow(new GoogleAuthorizationCodeFlow.Initializer()
{
ClientSecrets = new ClientSecrets()
{
ClientId = configuration.GetSection("Authentication:Google")["ClientId"],
ClientSecret = configuration.GetSection("Authentication:Google")["ClientSecret"]
},
Scopes = new[] {
FitnessService.Scope.FitnessActivityRead,
FitnessService.Scope.FitnessActivityWrite,
FitnessService.Scope.FitnessSleepRead,
FitnessService.Scope.FitnessSleepWrite
},
});
var token = new TokenResponse
{
AccessToken = "",
RefreshToken = ""
};
credential = new UserCredential(flow, "user", token);
FitnessService fitnessService = new FitnessService(new BaseClientService.Initializer()
{
ApplicationName = "Exrecise App",
HttpClientInitializer = credential
});
var resp = await fitnessService.Users.Sessions.List("me").ExecuteAsync();
But how do I get the tokens to begin with?
I even tried HttpClient (by pasting the token from OAuthplayground)
HttpClient http = new HttpClient();
var resp = await http.SendAsync(new HttpRequestMessage()
{
RequestUri = new UriBuilder("https://www.googleapis.com/fitness/v1/users/me/sessions").Uri,
Headers =
{
{ "Authorization","Bearer " }
},
Method = HttpMethod.Get
});
return Ok(await resp.Content.ReadAsStringAsync());
Same problem, how do I get the access token from the currently signed in user?
I looked everywhere, but every solution is either outdated or is unclear or just doesn't work for some reason.
When I run my project and try to login to get an access token, I get an Unauthorized_Client error on the browser or when testing with Postman. I'm fairly new to IdentityServer. This is my Configuration:
Config.cs
public static IEnumerable<IdentityResource> GetIdentityResources()
{
return new List<IdentityResource>
{
new IdentityResources.OpenId(),
new IdentityResources.Profile(),
new IdentityResources.Email(),
// custom identity resource with some consolidated claims
new IdentityResource("custom.profile", new[] { JwtClaimTypes.Name, JwtClaimTypes.Email, "location" })
};
}
public static IEnumerable<ApiResource> GetApiResources()
{
return new List<ApiResource>
{
//new ApiResource("NuB.hAPI", "Hospital API")
new ApiResource
{
Name = "NuB.HospitalSearch",
ApiSecrets = { new Secret("F621F470-9731-4A25-80EF-67A6F7C5F4B8".Sha256()) },
UserClaims =
{
JwtClaimTypes.Name,
JwtClaimTypes.Email,
JwtClaimTypes.PhoneNumber,
JwtClaimTypes.Gender,
"NuB.HospitalSearch"
},
Scopes =
{
new Scope
{
Name = "NuB.HospitalSearch",
DisplayName = "Full access to Hospital Search App"
},
new Scope
{
Name = "openid",
DisplayName = "Read only access to Hospital Search App"
}
}
}
};
}
// clients want to access resources (aka scopes)
public static IEnumerable<Client> GetClients()
{
// client credentials client
return new List<Client>
{
new Client
{
ClientId = "mvcWeb",
ClientName = "MVC Web Client",
AllowedGrantTypes = GrantTypes.Implicit,
AccessTokenType = AccessTokenType.Jwt,
RequireConsent = true,
ClientSecrets =
{
new Secret("secret".Sha256())
},
RedirectUris = { "http://localhost:5002/signin-oidc" },
PostLogoutRedirectUris = { "http://localhost:5002/signout-callback-oidc" },
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
"NuB.HospitalSearch"
},
AllowOfflineAccess = true
}
};
}
I am using ASP.NET Identity with EntityFrameworkCore with IdentityServer4 to do this. It may by a simple problem but kindly point me to the right direction.
Unauthorized_Client means that your client is trying to authencate to the Ids with a client that does not exist. You apear to have created a client called mvcWeb
That means that your client will need to use a client id of mvcWeb your client code should probably look something like this. Note options.ClientId = "mvcWeb";
.AddOpenIdConnect("oidc", options =>
{
options.SignInScheme = "Cookies";
options.Authority = settingsSetup.Authority;
options.RequireHttpsMetadata = false;
options.ClientId = "mvcWeb";
options.ClientSecret = "secret";
options.ResponseType = oidcConstants.ResponseTypes.CodeIdTokenToken;
options.Scope.Add("openid");
options.Scope.Add("profile");
});
I'm trying to add LinkedIn authentication to my ASP.NET Core 2.0 app but getting the following error:
No authentication handler is configured to handle the scheme: LinkedIn
Here's how I add LinkedIn/OAuth authentication in the ConfigureServices in Startup.cs:
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie("internal_cookie", options => {
options.AccessDeniedPath = "/Account/Forbidden/";
options.LoginPath = "/Account/Login";
})
.AddCookie("external_cookie")
.AddOAuth("LinkedIn", options => {
options.SignInScheme = "external_cookie";
options.ClientId = "1234567890";
options.ClientSecret = "1234567890";
options.CallbackPath = "/linkedin-callback";
options.AuthorizationEndpoint = "https://www.linkedin.com/oauth/v2/authorization";
options.TokenEndpoint = "https://www.linkedin.com/oauth/v2/accessToken";
options.UserInformationEndpoint = "https://api.linkedin.com/v1/people/~:(id,first-name,last-name,email-address,picture-url,picture-urls::(original))";
options.Scope.Add("r_basicprofile");
options.Scope.Add("r_emailaddress");
options.Events = new OAuthEvents
{
OnCreatingTicket = OnCreatingTicketLinkedInCallBack,
OnTicketReceived = OnTicketReceivedCallback
};
})
.AddFacebook(options =>
{
options.AppId = "1234567980";
options.AppSecret = "1234567890";
options.Events = new OAuthEvents
{
OnCreatingTicket = OnCreatingTicketFacebookCallback,
OnTicketReceived = OnTicketReceivedCallback
};
})
.AddGoogle(options =>
{
options.ClientId = "1234567890";
options.ClientSecret = "1234567890";
options.CallbackPath = "/google-callback";
options.Events = new OAuthEvents
{
OnCreatingTicket = OnCreatingTicketGoogleCallback,
OnTicketReceived = OnTicketReceivedCallback
};
});
Where's my error?
UPDATE:
After making the corrections suggested, I'm now getting the following error:
No IAuthenticationSignInHandler is configured to handle sign in for
the scheme: social_login
You mixed up the authentication scheme associated with your custom LinkedIn handler registration with the sign-in scheme that OAuthHandler will ultimately call to persist the identity (typically a cookie handler instance).
Fix your registration to specify LinkedIn as the scheme and social_login as the sign-in scheme (assuming your cookie handler is indeed named social_login), and it should work:
services.AddAuthentication()
.AddCookie("social_login")
.AddOAuth("LinkedIn", options =>
{
options.SignInScheme = "social_login";
// ...
});
Note: you can remove the SignInScheme assignation if social_login is the default sign-in scheme (i.e if you call services.AddAuthentication("social_login") or services.AddAuthentication(options => options.DefaultSignInScheme = "social_login"):
services.AddAuthentication("social_login")
.AddCookie("social_login")
.AddOAuth("LinkedIn", options =>
{
// ...
});
I have a Asp.NET MVC / WebAPI project with an embedded IdentityServer3.
I want both MVC and WebAPI to be protected by the IdentityServer. So I have used Authorize attribute on both MVC controllers and API controllers.
When surfing to my test page (which is protected) I get redirected to the IdentityServer login page. I enter my username and password and get authenticated and redirected back.
On the page I have a button that triggers a GET from javascript, with my access token in the authorization header, to my protected API. But here it fails with a 401 Unauthorized.
I get the access token to javascript by rendering it to the page with Razor.
I have 1 client in the IdentityServer set to hybrid flow. MVC uses cookies, while the API uses bearer tokens.
On my API HttpConfiguration I have set SuppressDefaultHostAuthentication. If I remove that line everything works, but then it uses cookies for the API which I don't want.
I use only HTTP and RequireSsl=false for now to avoid potential certificate problems.
I have tried for days to get this to work but I'm getting nowhere.
I don't even know how to debug this to get to cause of the 401.
By now I recognize just about every page that google suggests when I search for help.
Any ideas what it could be or how to debug this?
Here is my Startup.cs
public class Startup
{
public void Configuration(IAppBuilder app)
{
Log.Logger = new LoggerConfiguration()
.MinimumLevel.Debug()
.WriteTo.Trace()
.CreateLogger();
// MVC client
string authBaseAddress = "http://localhost:50319/identity";
string tokenEndpoint = authBaseAddress + "/connect/token";
string userInfoEndpoint = authBaseAddress + "/connect/userinfo";
string redirectUri = "http://localhost:50319/";
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = "Cookies"
});
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
ClientId = "hybrid_clients",
Authority = authBaseAddress,
RedirectUri = redirectUri,
ResponseType = "code id_token token",
Scope = "openid profile roles sampleApi offline_access",
TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
RoleClaimType = "role"
},
SignInAsAuthenticationType = "Cookies",
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthorizationCodeReceived = async n =>
{
// use the code to get the access and refresh token
var tokenClient = new TokenClient(
tokenEndpoint,
"hybrid_clients",
"secret");
var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(n.Code, n.RedirectUri);
if (tokenResponse.IsError)
{
throw new Exception(tokenResponse.Error);
}
// use the access token to retrieve claims from userinfo
var userInfoClient = new UserInfoClient(
new Uri(userInfoEndpoint),
tokenResponse.AccessToken);
var userInfoResponse = await userInfoClient.GetAsync();
// create new identity
var id = new ClaimsIdentity(n.AuthenticationTicket.Identity.AuthenticationType);
id.AddClaims(userInfoResponse.GetClaimsIdentity().Claims);
id.AddClaim(new Claim("access_token", tokenResponse.AccessToken));
id.AddClaim(new Claim("expires_at", DateTime.Now.AddSeconds(tokenResponse.ExpiresIn).ToLocalTime().ToString()));
id.AddClaim(new Claim("refresh_token", tokenResponse.RefreshToken));
id.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));
id.AddClaim(new Claim("sid", n.AuthenticationTicket.Identity.FindFirst("sid").Value));
n.AuthenticationTicket = new AuthenticationTicket(
new ClaimsIdentity(id.Claims, n.AuthenticationTicket.Identity.AuthenticationType, "name", "role"),
n.AuthenticationTicket.Properties);
},
// Attach the id_token for the logout roundtrip to IdentityServer
RedirectToIdentityProvider = n =>
{
if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
{
var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token");
if (idTokenHint != null)
{
n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
}
}
return Task.FromResult(0);
}
}
});
AntiForgeryConfig.UniqueClaimTypeIdentifier = Constants.ClaimTypes.Subject;
JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
// web api
app.Map("/api", a =>
{
var config = new HttpConfiguration();
a.UseCors(CorsOptions.AllowAll);
a.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
//AuthenticationMode = AuthenticationMode.Active,
Authority = authBaseAddress,
RequiredScopes = new[] { "sampleApi" },
DelayLoadMetadata = true
});
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
config.MapHttpAttributeRoutes();
a.UseWebApi(config);
});
// Identity server
app.Map("/identity", idsrvApp =>
{
idsrvApp.UseCors(CorsOptions.AllowAll);
idsrvApp.UseIdentityServer(new IdentityServerOptions
{
SiteName = "Embedded IdentityServer",
SigningCertificate = LoadCertificate(),
Factory = new IdentityServerServiceFactory()
.UseInMemoryUsers(Users.Get())
.UseInMemoryClients(Clients.Get())
.UseInMemoryScopes(Scopes.Get()),
AuthenticationOptions = new IdentityServer3.Core.Configuration.AuthenticationOptions()
{
EnablePostSignOutAutoRedirect = true // Automatically redirects back to the client on signout
},
RequireSsl = false,
});
});
}
X509Certificate2 LoadCertificate()
{
return new X509Certificate2(
string.Format(#"{0}\bin\idsrv3test.pfx", AppDomain.CurrentDomain.BaseDirectory), "idsrv3test");
}
}
My client
new Client
{
Enabled = true,
ClientName = "Hybrid Clients",
ClientId = "hybrid_clients",
Flow = Flows.Hybrid,
//AllowAccessTokensViaBrowser = false,
RedirectUris = new List<string>
{
"http://localhost:50319/"
},
PostLogoutRedirectUris = new List<string>
{
"http://localhost:50319/"
},
AllowedScopes = new List<string>
{
"openid",
"profile",
"email",
"roles",
"address",
"all_claims",
"sampleApi",
"offline_access"
},
ClientSecrets = new List<Secret>
{
new Secret("secret".Sha256())
},
AccessTokenType = AccessTokenType.Reference,
LogoutSessionRequired = true
},
My scopes
public static class Scopes
{
public static IEnumerable<Scope> Get()
{
var scopes = new List<Scope>
{
StandardScopes.OpenId,
StandardScopes.Profile,
StandardScopes.Email,
StandardScopes.Address,
StandardScopes.OfflineAccess,
StandardScopes.RolesAlwaysInclude,
StandardScopes.AllClaims,
new Scope
{
Enabled = true,
Name = "roles",
Type = ScopeType.Identity,
Claims = new List<ScopeClaim>
{
new ScopeClaim("role")
}
},
new Scope
{
Enabled = true,
DisplayName = "Sample API",
Name = "sampleApi",
Description = "Access to a sample API",
Type = ScopeType.Resource
}
};
return scopes;
}
}
My API
[Authorize]
public class SecuredApiController : ApiController
{
public IHttpActionResult Get()
{
var user = User as ClaimsPrincipal;
var claims = from c in user.Claims
select new
{
type = c.Type,
value = c.Value
};
return Json(claims);
}
}
Part of my Razor view
<button data-bind="click:callApi">Call API</button>
<span data-bind="text:apiResult"></span>
<script>
$(function() {
ko.myViewModel = new ClientAppViewModel('#ViewData["access_token"]');
ko.applyBindings(ko.myViewModel);
});
</script>
My JavaScript (KnockoutJS) that calls SecuredApi
function ClientAppViewModel(accessToken) {
var self = this;
self.accessToken = accessToken;
self.apiResult = ko.observable('empty');
self.callApi = function () {
console.log('CallApi');
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://localhost:50319/api/SecuredApi");
xhr.onload = function () {
self.apiResult(JSON.stringify(JSON.parse(xhr.response), null, 2));
};
xhr.setRequestHeader("Authorization", "Bearer " + self.accessToken);
xhr.send();
}
}
The Katana logs for the API are what you want. With these you will see why the API is returning a 401.
You can access these using the Microsoft.Owin log source (see Katana Documentation)
So as the title says I'm using both Cookies and Google for signin/authentication.
Startup.cs Cookie Snippet
app.UseCookieAuthentication(options =>
{
options.LoginPath = new PathString("/account/login");
options.AutomaticAuthenticate = true;
options.AutomaticChallenge = true;
options.ExpireTimeSpan = TimeSpan.FromDays(7);
options.CookieName = "CUSTOMCOOKIE";
});
Startup.cs Google Snippet
app.UseGoogleAuthentication(options =>
{
options.AutomaticAuthenticate = true;
options.ClientId = "xx";
options.ClientSecret = "xx";
}
My CUSTOMCOOKIE does not show up when I signin with Google. Basically what I want to do is have the user use Google to sign in to the site, and use the cookie to remember the user for x amount of days.
Is there something I'm missing? I also tried to set 'options.AuthenticationScheme = "Cookies"' to the Cookie snippet and 'options.AuthenticationScheme = "Google"' to the Google snippet.
you need to set the SignInScheme of the google options to be the same as the AuthenticationScheme on the main auth cookie like this:
app.UseCookieAuthentication(options =>
{
options.LoginPath = new PathString("/account/login");
options.AutomaticAuthenticate = true;
options.AutomaticChallenge = true;
options.ExpireTimeSpan = TimeSpan.FromDays(7);
options.AuthenticationScheme = "CUSTOMCOOKIE";
options.CookieName = "CUSTOMCOOKIE";
});
app.UseGoogleAuthentication(options =>
{
options.AutomaticAuthenticate = true;
options.ClientId = "xx";
options.ClientSecret = "xx";
options.SignInScheme = "CUSTOMCOOKIE";
}
if that doesn't get you going then you need to show the callback method of your account controller that is used for google callback
Just for future reference, there is a minor change in the signature of app.UseCookieAuthentication and app.UseGoogleAuthentication methods in the latest version -
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
LoginPath = new PathString("/account/login"),
AutomaticAuthenticate = true,
AutomaticChallenge = true,
ExpireTimeSpan = TimeSpan.FromDays(7),
AuthenticationScheme = "CUSTOMCOOKIE",
CookieName = "CUSTOMCOOKIE",
Events = new CookieAuthenticationEvents
{
OnRedirectToAccessDenied = (context) =>
{
context.Response.Redirect("/Auth/Logout");
return Task.FromResult(0);
}
}
});
app.UseGoogleAuthentication(new GoogleOptions
{
AutomaticAuthenticate = true,
ClientId = "xx",
ClientSecret = "xx",
SignInScheme = "CUSTOMCOOKIE",
CallbackPath = new PathString("/auth/signin-google")
}