My question is about Identity Server 4 and making calls to it from a pre-existing .net framework MVC application.
I've been through the ID4 "quick starts" as far as getting it runnable and responding correctly to the example .NET Core MVC application.
As a quick test I created a basic .NET Framework MVC app and added a Startup.cs file...
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
[assembly: OwinStartup(typeof(MVC_OWIN_Client.Startup))]
namespace MVC_OWIN_Client
{
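public class Startup
{
    /// <summary>
    /// Configures the OWIN pipeline for the .NET Framework MVC client: a "Cookies"
    /// scheme holds the local session, and OpenID Connect (hybrid flow, "code id_token")
    /// against the local IdentityServer4 instance performs the sign-in.
    /// </summary>
    /// <param name="app">The OWIN application builder.</param>
    public void Configuration(IAppBuilder app)
    {
        string baseClientAddress = "http://localhost:44301/";

        // Clear the inbound claim type map so JWT claim names (e.g. "sub") are kept as-is
        // instead of being remapped to the long WS-* claim URIs. The original assigned the
        // result to an unused local ("authority"); the assignment is the only effect.
        JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies"
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            // Must match the ClientId registered in IdentityServer's client list.
            ClientId = "mvc.standard",
            // Plain http for discovery and callbacks: acceptable on localhost only.
            Authority = "http://localhost:5000/",
            RedirectUri = baseClientAddress + "signin-oidc",
            PostLogoutRedirectUri = baseClientAddress + "signout-callback-oidc",
            // Hybrid flow: the id_token is validated on the front channel, but the code
            // still has to be redeemed at the token endpoint. No ClientSecret and no
            // Notifications are configured here, so nothing in this block redeems it —
            // NOTE(review): likely part of why the client never completes; confirm against
            // the Katana OIDC middleware version in use.
            ResponseType = "code id_token",
            Scope = "openid api1 offline_access",
            UseTokenLifetime = false,
            // Hand the validated identity to the cookie middleware above.
            SignInAsAuthenticationType = "Cookies"
        });
    }
}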
}
In ID4 config, I created a client to match...
// Client registration that pairs with the OWIN OpenID Connect Startup above (hybrid flow).
// The surrounding return/array syntax is elided ("...") in this excerpt.
public static IEnumerable<Client> GetClients()
{
...
new Client
{
// Must equal OpenIdConnectAuthenticationOptions.ClientId in the MVC app.
ClientId = "mvc.standard",
ClientName = "MVC Client2",
// Hybrid ("code id_token") plus client_credentials grants.
AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
// Placeholder secret for local testing; only the SHA-256 of the value is stored here.
// The MVC Startup above never presents this secret, so code redemption cannot succeed — confirm.
ClientSecrets =
{
new Secret("secret".Sha256())
},
// Must match RedirectUri / PostLogoutRedirectUri configured in the MVC app (plain http: localhost only).
RedirectUris = { "http://localhost:44301/signin-oidc" },
PostLogoutRedirectUris = { "http://localhost:44301/signout-callback-oidc" },
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
"api1"
},
// Permits the "offline_access" scope requested by the client (refresh tokens).
AllowOfflineAccess = true
}
};
The application progresses through the login and permissions (consent) pages, and ID4 finally reports that the user signed in....
info: IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator[0]
User consented to scopes: openid, api1, offline_access
info: IdentityServer4.Endpoints.AuthorizeCallbackEndpoint[0]
Authorize endpoint response
{
"SubjectId": "2",
"ClientId": "mvc.standard",
"RedirectUri": "http://localhost:44301/signin-oidc",
"State": "OpenIdConnect.AuthenticationProperties=pnxKmthLCWSNS1Tj8sBS1K4K-Erxq8_W3Sfj1gg3zXhTCqP-gKV-Hsfgh_pRLPYQcIdVJONhzA3VMdBNv4xqE7y8uX-pzEmeNKBYb0cPAh6Q9lm5knIS5ds9gccYKubK1U0NpnGAW7tw38brRzD7dEG-EkSgXqjnEGeS4pMCrFaG2CFwq08_-KyA85VufscpT3y9sL0hTLLYYbRiJhWIZBOM427piwaHpR-jbl7KXGo",
"Scope": "openid api1 offline_access"
}
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler[10]
AuthenticationScheme: idsrv signed in.
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
Request finished in 152.1613ms 200 text/html; charset=UTF-8
That's it. Control never returns to the MVC application; the browser sits there until the request times out.
Has anyone any experience with Identity Server and able to tell me if there is something missing from this? Thanks for your time in advance, Andy.
For anyone struggling with this and unable to find clear guidance: the answer is to not use UseOpenIdConnectAuthentication at all, and to use UseWsFederationAuthentication in your .NET Framework MVC app instead...
Startup.cs :-
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;
[assembly: OwinStartup(typeof(MvcOwinWsFederation.Startup))]
namespace MvcOwinWsFederation
{
public class Startup
{
    /// <summary>
    /// Configures the OWIN pipeline for the WS-Federation relying party: a "Cookies"
    /// scheme holds the local session, and WS-Federation against the local
    /// IdentityServer4 instance performs the sign-in.
    /// </summary>
    /// <param name="app">The OWIN application builder.</param>
    public void Configuration(IAppBuilder app)
    {
        const string cookieScheme = "Cookies";

        var cookieOptions = new CookieAuthenticationOptions();
        cookieOptions.AuthenticationType = cookieScheme;
        app.UseCookieAuthentication(cookieOptions);

        var federationOptions = new WsFederationAuthenticationOptions
        {
            // Federation metadata published by IdentityServer4's WS-Fed endpoint
            // (plain http: acceptable on localhost only).
            MetadataAddress = "http://localhost:5000/wsfederation",
            // Realm identifier; must equal the ClientId of the WS-Federation client in IdentityServer.
            Wtrealm = "urn:owinrp",
            // Hand the validated identity to the cookie middleware above.
            SignInAsAuthenticationType = cookieScheme
        };
        app.UseWsFederationAuthentication(federationOptions);
    }
}
}
Set up a client for testing in IdentityServer4 as
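/// <summary>
/// Returns the single WS-Federation relying party used for local testing.
/// </summary>
/// <returns>The in-memory client list handed to AddInMemoryClients.</returns>
public static IEnumerable<Client> GetClients()
{
    return new[]
    {
        new Client
        {
            // The relying party's Wtrealm must equal this ClientId.
            ClientId = "urn:owinrp",
            ProtocolType = ProtocolTypes.WsFederation,
            // Plain-http, localhost-only values: development settings.
            RedirectUris = { "http://localhost:10313/" },
            FrontChannelLogoutUri = "http://localhost:10313/home/signoutcleanup",
            // 36000 s = 10 h. A long-lived token widens the replay window; shorten outside testing.
            IdentityTokenLifetime = 36000,
            AllowedScopes = { "openid", "profile" }
        }
    }; // the original omitted the ';' that terminates this return statement
}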
Make sure IdentityServer4 has this enabled in its Startup.cs...
// IdentityServer4 host: registers MVC and IdentityServer with in-memory configuration.
// Lines elided with "..." in this excerpt.
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc();
// Signing credential loaded from a PFX resolved against the process working directory.
// The PFX password is a literal in source: acceptable for the sample test certificate only;
// a real signing key belongs in a certificate store or vault, with its password outside the code.
var cert = new X509Certificate2(Path.Combine(Directory.GetCurrentDirectory(), "idsrvtest.pfx"), "idsrv3test");
services.AddIdentityServer()
.AddSigningCredential(cert)
// In-memory stores: resources, clients and test users come from the static Config/TestUsers classes.
.AddInMemoryIdentityResources(Config.GetIdentityResources())
.AddInMemoryApiResources(Config.GetApiResources())
.AddInMemoryClients(Config.GetClients())
.AddTestUsers(TestUsers.Users)
// Adds the WS-Federation endpoint the OWIN relying party's MetadataAddress points at.
**.AddWsFederation();**
...
}
This should all work. I found it here...
https://leastprivilege.com/2017/03/03/extending-identityserver4-with-ws-federation-support/
Andy.