duendesoftware / samples Goto Github PK

On this line of the JS example, I believe the query should say bff:logout_url instead of bff:logout

Hello,

Would it be possible to include a reference implementation/best practice quickstart sample demonstrating how to integrate a stand-alone Blazor WebAssembly client with IdentityServer.

I have attempted to do so following the below links with IdentityServer4 but have experienced some issues.

• https://docs.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/standalone-with-authentication-library?view=aspnetcore-5.0&tabs=visual-studio

• https://code-maze.com/how-to-secure-blazor-webassembly-with-identityserver4/

• https://code-maze.com/using-access-token-with-blazor-webassembly-httpclient/

• https://code-maze.com/blazor-webassembly-role-based-security-with-identityserver4/

• https://code-maze.com/atribute-based-access-control-blazor-webassembly-identityserver4/

A Blazor Asp.net hosted where the server app includes the IdentityServer and the BFF endpoint.

DuendeSoftware/BFF#20

After cloning the repo and running the app, I get the following error when trying to perform a GET request on /.well-known/openid-configuration

Error from CMD:

[17:03:08 Error] Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware
An unhandled exception has occurred while executing the request.
System.ArgumentException: The 'ClientId' option must be provided. (Parameter 'ClientId')
   at Microsoft.AspNetCore.Authentication.OAuth.OAuthOptions.Validate()
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationOptions.Validate(String scheme)
   at Microsoft.AspNetCore.Authentication.AuthenticationBuilder.<>c__DisplayClass4_0`2.<AddSchemeHelper>b__1(TOptions o)
   at Microsoft.Extensions.Options.ValidateOptions`1.Validate(String name, TOptions options)
   at Microsoft.Extensions.Options.OptionsFactory`1.Create(String name)
   at Microsoft.Extensions.Options.OptionsMonitor`1.<>c__DisplayClass10_0.<Get>b__0()
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
   at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
   at System.Lazy`1.CreateValue()
   at System.Lazy`1.get_Value()
   at Microsoft.Extensions.Options.OptionsCache`1.GetOrAdd(String name, Func`1 createOptions)
   at Microsoft.Extensions.Options.OptionsMonitor`1.Get(String name)
   at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.InitializeAsync(AuthenticationScheme scheme, HttpContext context)
   at Microsoft.AspNetCore.Authentication.AuthenticationHandlerProvider.GetHandlerAsync(HttpContext context, String authenticationScheme)
   at Duende.IdentityServer.Hosting.FederatedSignOut.FederatedSignoutAuthenticationHandlerProvider.GetHandlerAsync(HttpContext context, String authenticationScheme) in /_/src/IdentityServer/Hosting/FederatedSignOut/FederatedSignoutAuthenticationHandlerProvider.cs:line 33
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Duende.IdentityServer.Hosting.DynamicProviders.DynamicSchemeAuthenticationMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/DynamicProviders/DynamicSchemes/DynamicSchemeAuthenticationMiddleware.cs:line 47
   at Duende.IdentityServer.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/BaseUrlMiddleware.cs:line 27
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

OS: Windows Server 2019 Standard
IDE: Visual Studio 2022 Community Edition
.NET Version: .NET Core 6.0.200

None of the initial code in the repo has been modified.

Hi.

I'm having trouble with the MvcHybridBackChannel sample.

The scenario is the following:

• Using Chrome, I sign-in to my client application (.NET Core MVC 3.1) and show a page with the user claims. Let's say SID is A and SUB is B.
• Using Egde, I sign-in to the same application/page. SID is X and SUB is B.

When I sign-out from Chrome, the session in Edge remains valid, because the SID claims were different and the code in LogoutSessionManager doesn't match the loggedout session received from the back-channel notification.

Pretty obvious as it will only match if SID and SUB are equal or one is null:

return (Sid == sid && Sub == sub) ||
  (Sid == sid && Sub == null) ||
  (Sid == null && Sub == sub);

What am I missing here?

Thanks.

A version of the Microsoft Razor + individual accounts template using IdentityServer

What would you guys think of putting together a more detailed auth server template? Something we could essentially clone down, add some env variables, change some branding, and safely deploy something to prod. The ones you have are good starts, but still require a lot of time to set up for practical use vs something like keycloak.

Obviously there’s no one solution fits all, but getting together a ready to go common starter would go a long way. The less work it takes to get something up the easier it is for teams to bring it on and the easier it is to sell to leadership teams compared to more plug and play solutions.

Note
At the end of the day, the faster and easier it is to get something up and running in production, the more customers you’ll be able to get.

We are implementing security for an API that is being accessed by the client. The API is added as a scope for the Client. We are passing the token to the API. User is not being authenticated in API when using the [Authorize] attribute. api1 is added as a scope for the Client.

I have a Blazor hosted app (Client/Server/Shared) and I'm using BFF to authenticate with an external IdP.

In a Blazor page when using AuthenticationStateProvider I only get access to the ClaimsPrincipal. There is no information about the access token issued by the IdP. I've found a sample code using var accessToken = await HttpContext.GetUserAccessTokenAsync();, but the problem is in the Client project HttpContext doesn't exit. Then, Adding IHttpContextAccessor is always null.

Any help in this regard is really appreciated.

I downloaded the BFF Blazor Server v5 sample. I ran the Blazor project and was able to log Bob in. Where is the Razor page that calls the included API project? In particular, I am testing to see if the API can get the logged in user's claims. I set both projects to start on debug.

Hi I am struggling to get a custom property added to the id token using asp identity in combination with IdentityServer. It would be great if example 5 added a custom property like given name to it and show the additional code to get that available in the id token. Documentation does mention it is possible, but thusfar haven't found out how, likely something with IUserClaimsPrincipalFactory and the profile service.

When building JavaScript applications with Vue, which grantTypes should I choose?What is the difference between bff and impilit?

Thanks for all your work on this! Our organization has several .NET 4.x websites that will take some time to migrate to .NET Core/.NET 5. Could you add some samples for integrating Identity Server with .NET 4.x websites?

I would like to request for a sample to demonstrate how I can secure my dotnet 5 Azure functions which run under an isolated process using Duende Identity Server as my IDP.

I'm extending a legacy Webforms multi-tenant app to integrate with a new, separate instance of Duende IdS, using your example from here as a starting point:

https://github.com/DuendeSoftware/Samples/tree/daccd2748cdb1c6b5cb04cc519b51313ce0c59dd/various/clients/WebFormsOidcClient/WebForms

It's configured to use UseOpenIdConnectAuthentication, which points to my IdS instance. My IdS is configured with multiple identity providers e.g. Google, Microsoft and multiple other OIDC IdPs that are used for particular tenants only.

I'm using:

HttpContext.Current.GetOwinContext().Authentication.Challenge(new AuthenticationProperties
{
    RedirectUri = ". . ."
}, "oidc"); // AuthenticationType = "oidc" in Startup.cs

So that I can challenge the user dynamically e.g. only under certain business rules. Currently, everything works correctly.

The part I'm stuck on is I'd like to be able to challenge directly to a particular external identity provider that's registered with my IdS instance, but I'm unsure how to do that here.

By default the HttpContext.Current.GetOwinContext().Authentication.Challenge(...) will bring you to the login page of my IdentityServer instance (as in your example), but I'd like to be able to go directly to the external identity provide challenge page, just as if I'd clicked on one of the external login buttons on the login page.

Any help would be much appreciated.

POC for using a SPA instead of MVC/Razor for login/logout/external auth

We have customers doing this still.

• get public key from KV
• use KV for signing tokens

e.g. add claims to external authN

In QuickStart 2, after running this command:

dotnet new isui

In file

\quickstart\src\IdentityServer\Pages\ServerSideSessions\Index.cshtml.cs

I get the following error:

The type or namespace name  ISessionManagementService could not be found.

using Duende.IdentityServer.Models;
using Duende.IdentityServer.Services;
using Duende.IdentityServer.Stores;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;


namespace IdentityServer.Pages.ServerSideSessions
{
    public class IndexModel : PageModel
    {
        private readonly ISessionManagementService _sessionManagementService;

        public IndexModel(ISessionManagementService sessionManagementService = null)
        {
            _sessionManagementService = sessionManagementService;
        }

        public QueryResult<UserSession> UserSessions { get; set; }

        [BindProperty(SupportsGet = true)]
        public string Filter { get; set; }

        [BindProperty(SupportsGet = true)]
        public string Token { get; set; }

        [BindProperty(SupportsGet = true)]
        public string Prev { get; set; }

        public async Task OnGet()
        {
            if (_sessionManagementService != null)
            {
                UserSessions = await _sessionManagementService.QuerySessionsAsync(new SessionQuery
                {
                    ResultsToken = Token,
                    RequestPriorResults = Prev == "true",
                    DisplayName = Filter,
                    SessionId = Filter,
                    SubjectId = Filter,
                });
            }
        }

        [BindProperty]
        public string SessionId { get; set; }

        public async Task<IActionResult> OnPost()
        {
            await _sessionManagementService.RemoveSessionsAsync(new RemoveSessionsContext { 
                SessionId = SessionId,
            });
            return RedirectToPage("/ServerSideSessions/Index", new { Token, Filter, Prev });
        }
    }
}

Hello,

I am getting the exception from the BFF part (IdentityServer\v6\Quickstarts\6_JS_with_backend) of
https://github.com/DuendeSoftware/Samples.git
No changes just trying to checkout the BFF working.

I have noticed a small bug in the Azure Function JWT validation example. (

There are conditions where you could never exit the while loop, for example, when the token exception is not of type "SecurityTokenSignatureKeyNotFoundException"

I have made a change to move the tries increment outside of the if block and this has fixed it for me but thought I would flag it just in case my fix is not correct.

...add to docs

Hi,

We are having a tough time getting all of these to work together in our solution. In particular, we need to know how to ensure the user has been granted a permission to an API method, of course the client must also be authorized. Not just a general permission to [Authorize] the client and user. We need to be able to manage the user administration and various views/functions such as login/out, signup, 2FA, email verification, etc. with the Microsoft Identity libraries all running on a Microsoft SQL Server.

BTW, I suspect this is going to be a common architecture going forward now Maui has been release.

Thanks...Scott

If I put a break point on the Get API method and inspect the user claims, it doesn't have the user claims include such as the ones given in the TestUser.cs file. How do I get to see these on the API method?

                    SubjectId = "22",
                    Username = "bob",
                    Password = "bob",
                    Claims =
                    {
                        new Claim(JwtClaimTypes.Name, "Bob Smith"),
                        new Claim(JwtClaimTypes.GivenName, "Bob"),
                        new Claim(JwtClaimTypes.FamilyName, "Smith"),
                        new Claim(JwtClaimTypes.Email, "[email protected]"),
                        new Claim(JwtClaimTypes.EmailVerified, "true", ClaimValueTypes.Boolean),
                        new Claim(JwtClaimTypes.WebSite, "http://bob.com"),
                        new Claim(JwtClaimTypes.Address, JsonSerializer.Serialize(address), IdentityServerConstants.ClaimValueTypes.Json)
                    }

Profile Service Sample v6

I'm getting the "depreciated" warning on my IdentityServer project AccountController.cs page for the HttpContext.GetchemeSupportsignOutAsync() method (see screen shot).

This was a copy of the samples / QuickStarts provided: https://github.com/DuendeSoftware/Samples/blob/main/IdentityServer/v6/Quickstarts/5_AspNetIdentity/src/IdentityServerAspNetIdentity/Quickstart/Account/AccountController.cs - line 323

I'll try and fix it on my copy and add a comment if it appears successful.... for validation that it's correct.

DuendeSoftware/Support#178 (comment)

To get access tokens and use refresh tokens

https://github.com/DuendeSoftware/IdentityServer/discussions/936#discussioncomment-3013675

Just basic login/logout/show user session for Angular using the MS Angular template as a starting point.

create / document sample

• Scope / Resource sample
• Delegation Sample
• Full featured ASP.NET Identity
• MTLS

Tried un commenting the below line in program.cs (frontendhost) to make use of remote api(BackendAPIHost ) and unclear if i have to make more change to have YARP configuration to make it work

app.MapRemoteBffApiEndpoint("/todos", "https://localhost:5020/todos")
.RequireAccessToken(Duende.Bff.TokenType.User);

Appreciate any help?

I use 3_AspNetCoreAndApis. I've added my ClientId and ClientSecret, run the project and open /signin-google
The browser shows me the following error page:

The same error I see for V5 and V6.

Is it something I'm doing wrong, or Google authentication just doesn't work?

Clean download... run

Api Error:
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware[1]
An unhandled exception has occurred while executing the request.
Swashbuckle.AspNetCore.SwaggerGen.SwaggerGeneratorException: Ambiguous HTTP method for action - Api.Controllers.IdentityController.Get (Api). Actions require an explicit HttpMethod binding for Swagger/OpenAPI 3.0

Identity Server Error:
[00:30:53 Error] Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware
An unhandled exception has occurred while executing the request.
System.ArgumentException: The 'ClientId' option must be provided. (Parameter 'ClientId')

Web Client Error:
fail: Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware[1]
An unhandled exception has occurred while executing the request.
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.
---> System.IO.IOException: IDX20807: Unable to retrieve document from: 'System.String'. HttpResponseMessage: 'System.Net.Http.HttpResponseMessage', HttpResponseMessage.Content: 'System.String'.

Maybe show authz req validator to impose some logic on request validation. And interaction response generator to show something like re-authN user for some acr_values request (e.g. MFA).

Context: https://github.com/DuendeSoftware/IdentityServer/discussions/683

Where i can find example on how to configure the identity server on how manage the username and password validation?

like make a request on a service or queryng a custom database?

FYI, the UseDatabaseErrorPage(IApplicationBuilder) method is marked as obsolete in the latest (non pre-release) version of Microsoft.AspNetCore (5.0.5.0).

Warning	CS0618	'DatabaseErrorPageExtensions.UseDatabaseErrorPage(IApplicationBuilder)' is obsolete: 'This is obsolete and will be removed in a future version. Use DatabaseDeveloperPageExceptionFilter instead, see documentation at https://aka.ms/DatabaseDeveloperPageExceptionFilter.'

Hi.

I see that the projects under Clients include one for console and authorization code with PKCE.

I can't make it work because it fails with an object reference null exception.

Any change this could be included in the official samples repo? It's a useful scenario.

Regards.

Originally posted by @hugoqribeiro in https://github.com/DuendeSoftware/IdentityServer/discussions/297

Maybe also using device flow..

Take email address, for example, to federate to two different upstream IdPs, rather than show nascar list of buttons.

My Access Token is set to expire

IdentityServer:
ClientId = "web",
ClientSecrets = { new Secret("**************************".Sha256()) },

            AllowedGrantTypes = GrantTypes.Code,
            AccessTokenLifetime = 120,

SPA Client:
// registers HTTP client that uses the managed user access token
builder.Services.AddUserAccessTokenHttpClient("user_client", configureClient: client =>
{
client.BaseAddress = new Uri(apiBaseAddress);
});

I get below error in the log once the accesstoken expires.
SPAclient LOG*******
warn: Duende.Bff[0]
You do not have a valid license key for the Duende software. This is allowed for development and testing scenarios. If you are running in production you are required to have a licensed version. Please start a conversation with us: https://duendesoftware.com/contact
info: Microsoft.Hosting.Lifetime[14]
Now listening on: https://localhost:7240
info: Microsoft.Hosting.Lifetime[14]
Now listening on: http://localhost:5267
info: Microsoft.Hosting.Lifetime[0]
Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
Hosting environment: Development
info: Microsoft.Hosting.Lifetime[0]
Content root path: C:\cfund\quickstart\src\FrontendHost
info: Microsoft.AspNetCore.SpaProxy.SpaProxyLaunchManager[0]
No SPA development server running at https://localhost:44447 found.
info: Microsoft.AspNetCore.SpaProxy.SpaProxyMiddleware[0]
SPA proxy is not ready. Returning temporary landing page.
info: Microsoft.AspNetCore.SpaProxy.SpaProxyMiddleware[0]
SPA proxy is not ready. Returning temporary landing page.
info: Microsoft.AspNetCore.SpaProxy.SpaProxyLaunchManager[0]
SPA development server running at 'https://localhost:44447'
info: Microsoft.AspNetCore.SpaProxy.SpaProxyMiddleware[0]
SPA proxy is ready. Redirecting to https://localhost:44447.
info: System.Net.Http.HttpClient.IdentityModel.AspNetCore.AccessTokenManagement.TokenEndpointService.LogicalHandler[100]
Start processing HTTP request POST https://localhost:5001/connect/token
info: System.Net.Http.HttpClient.IdentityModel.AspNetCore.AccessTokenManagement.TokenEndpointService.ClientHandler[100]
Sending HTTP request POST https://localhost:5001/connect/token
info: System.Net.Http.HttpClient.IdentityModel.AspNetCore.AccessTokenManagement.TokenEndpointService.ClientHandler[101]
Received HTTP response headers after 142.7934ms - 400
info: System.Net.Http.HttpClient.IdentityModel.AspNetCore.AccessTokenManagement.TokenEndpointService.LogicalHandler[101]
End processing HTTP request after 160.1737ms - 400
fail: IdentityModel.AspNetCore.AccessTokenManagement.UserAccessAccessTokenManagementService[0]
Error refreshing access token. Error = invalid_grant
warn: Duende.Bff.RemoteApiEndpoints[4]
Access token is missing. token type: 'User', local path: '/TradeOrder'.
warn: Duende.Bff.RemoteApiEndpoints[4]
Access token is missing. token type: 'User', local path: '/TradeOrder'.
warn: Duende.Bff.RemoteApiEndpoints[4]
Access token is missing. token type: 'User', local path: '/TradeOrder'.
info: System.Net.Http.HttpClient.IdentityModel.AspNetCore.AccessTokenManagement.TokenEndpointService.LogicalHandler[100]
Start processing HTTP request POST https://localhost:5001/connect/token
info: System.Net.Http.HttpClient.IdentityModel.AspNetCore.AccessTokenManagement.TokenEndpointService.ClientHandler[100]
Sending HTTP request POST https://localhost:5001/connect/token
info: System.Net.Http.HttpClient.IdentityModel.AspNetCore.AccessTokenManagement.TokenEndpointService.ClientHandler[101]
Received HTTP response headers after 85.0946ms - 400
info: System.Net.Http.HttpClient.IdentityModel.AspNetCore.AccessTokenManagement.TokenEndpointService.LogicalHandler[101]
End processing HTTP request after 105.5918ms - 400
fail: IdentityModel.AspNetCore.AccessTokenManagement.UserAccessAccessTokenManagementService[0]
Error refreshing access token. Error = invalid_grant
warn: Duende.Bff.RemoteApiEndpoints[4]
Access token is missing. token type: 'User', local path: '/Order'.
warn: Duende.Bff.RemoteApiEndpoints[4]
Access token is missing. token type: 'User', local path: '/Order'.
warn: Duende.Bff.RemoteApiEndpoints[4]
Access token is missing. token type: 'User', local path: '/Order'.

• Client Credentials
• Client Credentials + JWT authN
• MVC Code Flow (minimal)
• MVC Code Flow (+ token management)
• MVC Code Flow (backchannel logout)
• MVC JWT + JAR
• Introspection & Reference Token

So in this example for using a SPA login page you're referencing a local path to wwwroot, but I wanted to check if it's technically okay to use an external path to another SPA app before I go down a rabbit hole?

I know this is normally not okay as it would a big gap for malicious actors, but doing it in the UserInteraction seems like it would essentially whitelist that known path, but maybe I'm missing something.