I've also been looking at idsrv3 lately - mainly from the enterprise PoV i.e. WS-Fed and SAML
idserv3 also supports modern authentication i.e. OpenID Connect and OAuth2.
So I wondered if this sample would work on idsrv3?
As per OpenID Connect Hybrid Flow and IdentityServer v3:
"Lastly, hybrid flow is the only flow supported by the Microsoft OpenID Connect authentication middleware (in combination with a form post response mode)"
Hybrid flow is described in the article. The above tells us that idsrv3 has to be hooked up using the hybrid flow.
(BTW - the idsrv3 equivalent sample is here - Clients/MVC OWIN Client (Hybrid)).
Turns out the changes are minimal - as you would expect.
In Startup.Auth.cs:
private static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
private static string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
private static string postLogoutRedirectUri = ConfigurationManager.AppSettings["ida:PostLogoutRedirectUri"];
string authority = String.Format(CultureInfo.InvariantCulture, aadInstance);
public void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType
(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = clientId,
Authority = authority,
RedirectUri = postLogoutRedirectUri,
PostLogoutRedirectUri = postLogoutRedirectUri,
Notifications = new OpenIdConnectAuthenticationNotifications
The only change was to add the RedirectUri.
Note that I tried to minimise the changes so I kept the AADInstance variable even though Azure AD is not involved.
web.config:
<add key="ida:ClientId" value="katanaclientad" />
<!--<add key="ida:Tenant" value="[Enter tenant name, e.g. contoso.onmicrosoft.com]" />-->
<add key="ida:AADInstance" value="https://localhost:44333/core" />
<add key="ida:PostLogoutRedirectUri" value="https://localhost:44320/" />
On the idsrv3 side, we need a new Client:
Host-Configuration/Client.cs
new Client
{
ClientName = "Katana Hybrid Client Demo - AAD Sample",
Enabled = true,
ClientId = "katanaclientad",
ClientSecrets = new List<Secret>
{
new Secret("secret".Sha256())
},
Flow = Flows.Hybrid,
AllowedScopes = new List<string>
{
Constants.StandardScopes.OpenId,
Constants.StandardScopes.Profile,
Constants.StandardScopes.Email,
Constants.StandardScopes.Roles,
Constants.StandardScopes.OfflineAccess,
"read",
"write"
},
ClientUri = "https://identityserver.io",
LogoUri = [snip]
RequireConsent = false,
AccessTokenType = AccessTokenType.Reference,
RedirectUris = new List<string>
{
//"http://localhost:2672/",
"https://localhost:44320/",
},
PostLogoutRedirectUris = new List<string>
{
//"http://localhost:2672/"
"https://localhost:44320/",
}
},
The changes to display the claim are as per: IdentityServer : Identity Server 3 as a WS-Federation IDP with an ASP.NET MVC application.
So we navigate to the sample, click the "Sign In" link. it redirects to idsrv3, we can authenticate with "alice / alice" or "bob / bob", back to the sample, click the Contact tab and the claims are displayed as below:
Claim Type | Claim Value |
---|---|
nonce | 635858209323.....Tk5YjYtNjU1NzU2ZWU4MzU5 |
iat | 1450224140 |
c_hash | 0ibKE6.....uZcbGR_A |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | 818727 |
http://schemas.microsoft.com/claims/authnmethodsreferences | password |
http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant | 1450224139 |
http://schemas.microsoft.com/identity/claims/identityprovider | idsrv |
name | Alice Smith |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | Alice |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Smith |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/webpage | http://alice.com |
iss | https://localhost:44333/core |
aud | katanaclientad |
exp | 1450224440 |
nbf | 1450224140 |
Enjoy!
No comments:
Post a Comment