Signature validation failed - asp.net-mvc

I am using IdentityServer 4 with an ASP.NET MVC 4.5.2 application. When I run the MVC application it goes to IdentityServer 4 and shows the login page. After I fill in the credentials it validates them and I get redirected to my MVC 5 application, but sometimes I get this error:
IDX10500: Signature validation failed. Unable to resolve
SecurityKeyIdentifier: 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
)
',
token:
'{"alg":"RS256","kid":"20200ac5c987a7282847568c7d00dc26","typ":"JWT".
{"nbf":1487015385,"exp":1487015685,"iss":"https://localhost:44348","aud":"mvc","nonce":"636226121849994491.YTcxMjQ2ZDQtOWVlNC00MDk3LWJhOGYtYTIxNmM4OGFkZjU3NDFhODgzMWMtMmQ4OS00OTRmLWJiMzAtZWM1NzYyZjM3MTI2","iat":1487015385,"c_hash":"qzzLGWDykED_OIG0-TIF8w","sid":"174a7048a9521e2c99462e9b681553ae","sub":"c880d185-f7a1-422b-8cce-dff8142a1a3b","auth_time":1487014828,"idp":"local","amr":["pwd"]}'.

When you say "sometimes" this sounds to me like you are using the AddTemporarySigningCredentials option in IdentityServer4.
This means that new key material will get created on each startup of the host.
In your case the MVC application has a cached version of the key material and thus gets out of sync.
Try setting static keys - e.g. using an X509 cert:
https://brockallen.com/2015/06/01/makecert-and-creating-ssl-or-signing-certificates/
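As an added example (not the answer's own code), this is one way to do what the answer suggests in IdentityServer4: load a fixed X.509 signing certificate from the Windows certificate store and register it with AddSigningCredential, so the kid in the published JWKS stays the same across restarts and a client's cached key material never goes stale. It assumes IdentityServer4 on ASP.NET Core; the class name SigningKeyConfig, the helper LoadSigningCertificate and the thumbprint value are placeholders.

```csharp
// Added example: replace AddTemporarySigningCredential with a static X.509 signing key.
// Assumes IdentityServer4 on ASP.NET Core; the thumbprint below is a placeholder.
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.DependencyInjection;

public static class SigningKeyConfig
{
    // Placeholder; read the real thumbprint from configuration, never hard-code it.
    private const string SigningCertThumbprint = "<SIGNING-CERT-THUMBPRINT>";

    public static X509Certificate2 LoadSigningCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: false, because a self-signed dev cert does not chain to a trusted
            // root; the token-signing key only has to stay constant, not be TLS-trusted.
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            var cert = matches.OfType<X509Certificate2>().FirstOrDefault();

            if (cert == null)
                throw new InvalidOperationException("Signing certificate not found: " + thumbprint);
            // Without the private key IdentityServer cannot sign tokens at all.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Signing certificate has no private key: " + thumbprint);
            // Fail loudly at startup rather than issuing tokens signed with an expired key.
            if (cert.NotAfter < DateTime.Now)
                throw new InvalidOperationException("Signing certificate has expired: " + thumbprint);
            return cert;
        }
    }

    public static void ConfigureIdentityServer(IServiceCollection services)
    {
        var signingCert = LoadSigningCertificate(SigningCertThumbprint);
        services.AddIdentityServer()
            // Static key: the JWKS served under /.well-known/openid-configuration keeps the
            // same kid after every restart, so the MVC client's cached keys still resolve.
            .AddSigningCredential(signingCert);
        // ... AddInMemoryClients / AddInMemoryIdentityResources etc. as in the existing setup
    }
}
```

When the signing key must change later, publish the new key alongside the old one for a while rather than swapping it at a restart, so clients that cached the old kid can still validate tokens until their metadata refreshes.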

Related

Openid - Is there a way to get the state & nonce generated by Challenge method without redirection?

I have a requirement to integrate with an external authentication provider which requires us to generate the state & nonce and use these parameters as input for the embedded JS that generates the QR code; this QR code will be scanned by a mobile device for authentication.
For the standard login with an external authentication provider, we call the Challenge() method to redirect to the login page, and the redirect URL contains the state & nonce itself. Is there a way to generate/get them without redirection?
If I generate a random nonce & state on the frontend side, then scan the QR code and complete the authentication on mobile, it returns the authentication code and throws an "unable to unprotect the message.State." exception at the IS4. I tried to disable the state validation but it does not work.
configureOptions.ProtocolValidator = new OpenIdConnectProtocolValidator()
{
    RequireState = false,
    RequireStateValidation = false,
};
Any help would be much appreciated.

Identity Server Endpoints OIDC

I am using IdentityServer and hosting it under IIS. It was working fine when hosted directly under http://localhost:44431
Step 1: call http://localhost:44431/account/login?returnUrl=/connect/authorize/login?respone_type....
Step 2: Then it goes to the Authorize Endpoint and returns a token
Problem hosting under localhost\id:
However, when I deploy the application on IIS under the Default Web Site as localhost\id, it stops working.
Step 1: Calling http://localhost/id/account/login?returnUrl=/connect/authorize/login?respone_type....
>> Inspecting the Request Headers:
>> Response Header:
>> Open Id Configuration at http://localhost/id/.well-known/openid-configuration
"authorization_endpoint":"http://localhost/id/connect/authorize",
Step 2: Calling the /connect/authorize endpoint:
>> Inspecting the Headers:
It didn't include the id virtual directory, which is why it is failing. Where in the process do I have to fix this?
I'm not able to reproduce your problem, but I did start from scratch hosting IdentityServer4 in IIS. The steps I followed for setup are below.
Cloned IdentityServer4.Samples. Launch Quickstarts/3_ImplicitFlowAuthentication solution:
https://github.com/IdentityServer/IdentityServer4.Samples/tree/release/Quickstarts/3_ImplicitFlowAuthentication
Created an application in IIS with the path as '/id' with the AppPool set to 'No Managed Code'
Ran 'dotnet publish' on the IdentityServer4 project and moved the output to the IIS app root's folder
Changed the Authority URL in the MvcClient project to point to localhost/id
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
    AuthenticationScheme = "oidc",
    SignInScheme = "Cookies",
    Authority = "http://localhost/id",   // absolute URL, including the IIS virtual directory
    RequireHttpsMetadata = false,        // development only: discovery document over plain HTTP
    ClientId = "mvc",
    SaveTokens = true
});
Load the MvcClient application and navigate to a route with the 'Authorize' filter. The redirect occurred properly with the appropriate virtual directory
Check to see if the proper path is being output by IdentityServer by going to the openid-configuration page: http://localhost/id/.well-known/openid-configuration
Are you running IdentityServer4 and an MVC app in the same project? If so, are you using relative paths for the OpenIdConnectOptions.Authority property? Try changing it to an absolute path and see if that fixes the problem. I'm thinking this might be the case, because your request URL does not include the /id path in the redirect uri:
http://localhost/id/account/login?**returnUrl=/connect/authorize/login**?respone_type
The correct path of course should be:
http://localhost/id/account/login?**returnUrl=/id/connect/authorize/login**?respone_type
Hope this helps! Please let me know

OWIN middleware for OpenID Connect - Code flow ( Flow type - AuthorizationCode) documentation?

In my implementation I am using an OpenID Connect server (IdentityServer v3+) to authenticate an ASP.NET MVC 5 app (with an AngularJS front-end).
I am planning to use the OIDC code flow (with scope openid) to authenticate the client (RP). For the OpenID Connect middleware, I am using OWIN (Katana project) components.
Before the implementation, I want to understand the back-channel token request, the refresh token request process, etc. using OWIN, but I am unable to find any documentation for this type of implementation (most of the available examples use the implicit flow).
I could find samples for generic Code flow implementation for ID Server v3 here https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source
I am looking for a similar one using OWIN middleware. Does anyone have any pointers?
Edit: good news, code flow and response_mode=query support was finally added to Katana, as part of the 4.1 release (that shipped in November 2019): https://github.com/aspnet/AspNetKatana/wiki/Roadmap#410-release-november-2019.
The OpenID Connect middleware doesn't support the code flow: http://katanaproject.codeplex.com/workitem/247 (it's already fixed in the ASP.NET 5 version, though).
Actually, only the implicit flow (id_token) is officially supported, and you have to use the response_mode=form_post extension. Trying to use the authorization code flow will simply result in an exception being thrown during the callback, because it won't be able to extract the (missing) id_token from the authentication response.
Though not directly supported, you can also use the hybrid flow (code + id_token (+ token)), but it's up to you to implement the token request part. You can see https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/blob/dev/samples/Nancy/Nancy.Client/Startup.cs#L82-L115 for an example.
The answer and comment replies by Pinpoint are spot on. Thanks!
But if you are willing to step away from the NuGet package and instead run modified source code for Microsoft.Owin.Security.OpenIdConnect, you can get the code flow with form_post.
Of course this can be said for all open source project problems, but this was a quick solution for a big thing in my case, so I thought I'd share that it could be an option.
I downloaded code from https://github.com/aspnet/AspNetKatana, added the csproj to my solution and removed lines from https://github.com/aspnet/AspNetKatana/blob/dev/src/Microsoft.Owin.Security.OpenIdConnect/OpenidConnectAuthenticationHandler.cs in AuthenticateCoreAsync().
You must then combine it with backchannel calls and then create your own new ClaimsIdentity() to set as the notification.AuthenticationTicket.
// Install-Package IdentityModel to handle the backchannel calls in a nicer fashion
AuthorizationCodeReceived = async notification =>
{
    // Discovery document (token and userinfo endpoints) for the configured Authority
    var configuration = await notification.Options.ConfigurationManager
        .GetConfigurationAsync(notification.Request.CallCancelled);

    // Back-channel call 1: exchange the authorization code for tokens at the token endpoint
    var tokenClient = new TokenClient(configuration.TokenEndpoint,
        notification.Options.ClientId, notification.Options.ClientSecret,
        AuthenticationStyle.PostValues);
    var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(
        notification.ProtocolMessage.Code,
        "http://localhost:53004/signin-oidc",   // must equal the redirect_uri of the authorize request
        cancellationToken: notification.Request.CallCancelled);
    if (tokenResponse.IsError
        || string.IsNullOrWhiteSpace(tokenResponse.AccessToken)
        || string.IsNullOrWhiteSpace(tokenResponse.RefreshToken))
    {
        notification.HandleResponse();
        notification.Response.Write("Error retrieving tokens.");
        return;
    }

    // Back-channel call 2: fetch the user's claims with the access token
    var userInfoClient = new UserInfoClient(configuration.UserInfoEndpoint);
    var userInfoResponse = await userInfoClient.GetAsync(tokenResponse.AccessToken);
    if (userInfoResponse.IsError)
    {
        notification.HandleResponse();
        notification.Response.Write("Error retrieving user info.");
        return;
    }
    ..

MVC 5, WIF (System.IdentityModel) & ADFS not actually authenticating, errors on federated signout

I'm wading through the creation of a claims-based MVC site in Visual Studio 2013.
Some things I learned so far:
System.Identity is in, Microsoft.Identity is out
Many of the tutorials, including Microsoft's guides for 4.5, are outdated. For example, I don't believe any changes to the project-template-generated .config file are necessary for adding modules/handlers or anything.
There is no Microsoft built-in/add-in STS in Visual Studio 2013 as there was for 2012
Thinktecture's EmbeddedSTS addin is oft-recommended and sounds cool, but *://EmbeddedSTS/ doesn't resolve(?? I don't get it). Also, binary links to their IdentityServer v2- are currently broken(?)
ADFS feature requires Windows Server 2012, a Domain, and self-signed certs - not too hard if you've done it before, but steep learning curve if you haven't.
ADFS requires SSL - Visual Studio 2013/IIS Express 8 easily supports SSL sites, just make sure the port number is in the range :44300-44398
ADFS manager Relying Party interface suggests examples referring to "sts" and "adfs/ls" and stuff which is, I think, misleading. Really they should just point back to your app (https://localhost:44300 for example). Although mine's not working right yet, so that could be related to my mistake.
Once you create a new Visual Studio Web Application project, there is no tooling to change the authentication mechanisms. Just start over with a new project and change the authentication to Organizational Accounts (for on-premises, as in my case). Your STS, such as your ADFS installation, has to be installed and reachable in order to complete this wizard.
Use the hosts file to override DNS for the VM's IP to the expected domain name if you're hacking together a test ADFS DC in a VM because you don't have rights to join a machine to the domain.
"Users are required to provide credentials each time they sign in" is helpful when working through sign-in/sign-out problems at first.
I don't think any claims, even identity, are passed if you don't have any Claim Rules.
1) What is wrong such that my app still thinks the user is not authenticated?
I'm at the point where my https://localhost:44300/Default/Index/ action is supposed to display details of User.Identity (I also tried Thread.CurrentPrincipal.Identity) if the user is authenticated. I have a login action link, generated with:
var signIn = new SignInRequestMessage(new Uri("https://dc.ad.dev.local/adfs/ls/"), "https://localhost:44300");
return new RedirectResult(signIn.WriteQueryString());
Clicking this link indeed takes me to the ADFS login page. Logging in brings me back to my application. Watching the preserved Network activity in Chrome Bug shows that I have a RequestSecurityTokenResponse message being posted back to the app, but the app's User.Identity is still not authenticated.
I have one Claim Rule configured: A "Transform an Incoming Claim" from "Windows Account Name" to "Name ID" as a "Transient Identifier". I see the <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">DevAD\jdoe</saml:NameIdentifier> represented in the sniffed POST. I've tried a bunch of other Claim Rules and still don't get authenticated.
I don't have any custom code for absorbing the claims. I expect the interception of a POST with the token to any app URL to be converted to the User.Identity automagically by the framework, perhaps having been initiated by this wizard-generated code in Startup.Auth.cs:
app.UseActiveDirectoryFederationServicesBearerAuthentication(
    new ActiveDirectoryFederationServicesBearerAuthenticationOptions
    {
        Audience = ConfigurationManager.AppSettings["ida:Audience"],
        MetadataEndpoint = ConfigurationManager.AppSettings["ida:AdfsMetadataEndpoint"]
    });
But part of me doubts this expectation. Is it correct? Is there a special known route that MVC WIF creates for accepting such login posts that I should be using besides my default route url?
2) How can I log out successfully?
I also have a logout action:
WSFederationAuthenticationModule.FederatedSignOut(new Uri("https://dc.ad.dev.local/adfs/ls/"), new Uri(Url.Action("Index", null, null, Request.Url.Scheme)));
But on this https://dc.ad.dev.local/adfs/ls?wa=wsignout1.0&wreply=https%3a%2f%2flocalhost%3a44300%2f page, "An error occurred". Event Viewer shows #364: "Encountered error during federation passive request."
Protocol Name:
wsfed
Relying Party:
Exception details:
System.ArgumentException: An item with the same key has already been added.
at System.Collections.Generic.Dictionary`2.Insert(TKey key, TValue value, Boolean add)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.AddSignoutSessionInformation(WSFederationSignOutContextBase context)
at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.ProcessSignOut(WSFederationSignOutContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolSignoutRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
My ADFS Service > Certificates are all set to the same cert and I think are correct.
================
And by the way, the following is what is supposed to be passively posted to the app, right? And, again, it is absorbed automatically?
<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <t:Lifetime>
    <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-07-28T14:29:47.167Z</wsu:Created>
    <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-07-28T15:29:47.167Z</wsu:Expires>
  </t:Lifetime>
  <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
      <wsa:Address>https://localhost:44300/</wsa:Address>
    </wsa:EndpointReference>
  </wsp:AppliesTo>
  <t:RequestedSecurityToken>
    <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_e2399a27-acac-4390-aa8a-556f41fec2f2" Issuer="http://dc.ad.dev.local/adfs/services/trust" IssueInstant="2014-07-28T14:29:47.167Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
      <saml:Conditions NotBefore="2014-07-28T14:29:47.167Z" NotOnOrAfter="2014-07-28T15:29:47.167Z">
        <saml:AudienceRestrictionCondition>
          <saml:Audience>https://localhost:44300/</saml:Audience>
        </saml:AudienceRestrictionCondition>
      </saml:Conditions>
      <saml:AttributeStatement>
        <saml:Subject>
          <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">DevAD\jdoe</saml:NameIdentifier>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Attribute AttributeName="name" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
          <saml:AttributeValue>jdoe</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="givenname" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
          <saml:AttributeValue>John Doe</saml:AttributeValue>
        </saml:Attribute>
        <saml:Attribute AttributeName="upn" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
          <saml:AttributeValue>jdoe#ad.dev.local</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
      <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" AuthenticationInstant="2014-07-28T14:29:47.152Z">
        <saml:Subject>
          <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">DevAD\jdoe</saml:NameIdentifier>
          <saml:SubjectConfirmation>
            <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
          </saml:SubjectConfirmation>
        </saml:Subject>
      </saml:AuthenticationStatement>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
          <ds:Reference URI="#_e2399a27-acac-4390-aa8a-556f41fec2f2">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
            <ds:DigestValue>+ZDduF0CKxXq7P+diyAXN51mo549pvwo3BNCekWSEpk=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>VMjCbSZXw3YROHYQ1eCYH5D9UQl1tzqZ9Nw99FUK78A8TSLs1ns3G8PE1d1Z1db2KKpbnzExXSXG2elP3Z69OejSWjsywIFTPeGcbGk4BvrV4ZcHGCbYKN0Wg5pySMEqm4LV1E5k+32kuALveLi5fkQROyXudquvVRgYrgu7XBsfr96Uvqo1yWmAzhhpEorfe4Z0p4RurKRpS7IsrI9SkssGOdQV/89NQelIZSZzOEMfay/AxewBbQ8C46g/4NgygaaPsG8X52EFVftzFY0BM8k+aMMUiKrJ0Xo7tJCMxJLcQ3aJdLBRNybHaklFgtln0ZCSlYylglUjUZ5d66jGcg==</ds:SignatureValue>
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <X509Data>
            <X509Certificate><!-- certificate omitted --></X509Certificate>
          </X509Data>
        </KeyInfo>
      </ds:Signature>
    </saml:Assertion>
  </t:RequestedSecurityToken>
  <t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType>
  <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
  <t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType>
</t:RequestSecurityTokenResponse>
===============
Below are the Claims defined. As suggested by #nzpcmad, the second one now "Send LDAP Attributes as Claims" from "Active Directory" to send "SAM-Account-Name" as "Name", "Display Name" as "Given Name", and "User-Principal-Name" as "UPN". And though the application receives the claims in the passive post, User.Identity.IsAuthenticated is still false and the other User.Identity data are blank too.
Pretty much right with your observations.
Just to note:
ADFS runs on Server 2008 R2, 2012 and 2012 R2.
Have a look at "Use the On-Premises Organizational Authentication Option (ADFS) With ASP.NET in Visual Studio 2013".
It describes exactly what you are trying to do.
In particular, have a look at the claims.
You'll see it uses "Send LDAP Attribute" rather than the Transform you use.
I came across the same sign-out issue and it seems to occur if you do not have the issuing certificate in the trusted people certificate store.

IllegalArgumentException : Trying to set foreign cookie while downloading Google Spreadsheet via API?

I am trying to download a Google spreadsheet using the download API version 3 (v3). I am getting a "java.lang.IllegalArgumentException: Trying to set foreign cookie" error message while downloading the spreadsheet. I tried with my Google Apps account, which is authenticated by the 2-legged OAuth authentication process. Is there anyone facing this kind of problem?
Here is the error stacktrace :
Servlet.service() for servlet action threw exception|java.lang.IllegalArgumentException: Trying to set foreign cookie
at com.google.gdata.client.http.GoogleGDataRequest$GoogleCookie.<init>(GoogleGDataRequest.java:166)
at com.google.gdata.client.http.GoogleGDataRequest$GoogleCookieHandler.put(GoogleGDataRequest.java:399)
at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:710)
at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:632)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1000)
at sun.net.www.protocol.http.HttpURLConnection.getHeaderFields(HttpURLConnection.java:2053)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getHeaderFields(HttpsURLConnectionImpl.java:263)
at com.google.gdata.client.http.HttpGDataRequest.isOAuthProxyErrorResponse(HttpGDataRequest.java:558)
at com.google.gdata.client.http.HttpGDataRequest.checkResponse(HttpGDataRequest.java:549)
at com.google.gdata.client.http.HttpGDataRequest.execute(HttpGDataRequest.java:530)
at com.google.gdata.client.http.GoogleGDataRequest.execute(GoogleGDataRequest.java:535)
Edit: This issue occurs only in one of our users' accounts using our app. It's working fine for all other users.
I faced the same issue and was able to solve it by changing the url.
The URL I got directly from GDrive:
https://docs.google.com/spreadsheets/d/19Du6mgmzP94vxxHK5httgfK4dqgycQkBBLDq_6I5J7o/edit#gid=1472457471
Had to modify the above to:
https://spreadsheets.google.com/feeds/spreadsheets/19Du6mgmzP94vxxHK5httgfK4dqgycQkBBLDq_6I5J7o
Hope this will help someone.
I get the service this way:
int GDATA_TIMEOUT = 10 * 1000;   // 10 seconds, in milliseconds
spreadsheetService = new SpreadsheetService("cellmaster.com.au-v0.2");
// OAuth 2.0 bearer token obtained beforehand
spreadsheetService.setHeader("Authorization", "Bearer " + accessToken);
spreadsheetService.setConnectTimeout(GDATA_TIMEOUT);
spreadsheetService.setReadTimeout(GDATA_TIMEOUT);
And include a retry loop because it does fail once in a while.
