
servicestack-authentication-identityserver's Issues

ServiceStack Identity Server plugin keeps redirecting infinitely after authorize endpoint

I'm trying to integrate ServiceStack.Authentication.IdentityServer plugin with an Identity Server 4. I posted this question to StackOverflow and @mythz recommended that I should file it here.

When calling the protected ServiceStack endpoint from the browser, the browser redirects to the authorize endpoint as below:

https://localhost:5001/connect/authorize?client_id=simplehr&scope=openid%20offline_access&redirect_uri=https://localhost:5004/auth/IdentityServer&response_type=code%20id_token&state=8749c226e65646079c53ba403b51ef3e&nonce=291873debfd14de8b360c11cffbba3db&response_mode=form_post

In this case, https://localhost:5001 is my Identity Server 4, and https://localhost:5004 is my ServiceStack server.

After this step, the browser sends a POST request to ServiceStack's IdentityServer auth provider endpoint as expected. However, this endpoint returns a 302 back to the Identity Server's authorize endpoint. The response looks like:

Location: https://localhost:5001/connect/authorize?client_id=simplehr&scope=openid offline_access&redirect_uri=https://localhost:5004/auth/IdentityServer&response_type=code id_token&state=8749c226e65646079c53ba403b51ef3e&nonce=f13048835b6e47f09a8c86882d2db320&response_mode=form_post

Therefore, my browser falls into an infinite loop.

Could anybody shed some light on how I can get over this? Thanks.

Plugin extensibility?

I have an IdentityServer4 implementation that stores the id tokens and access tokens it creates in a nosql database.

I would like my WebApps and WebApis to validate the id tokens and access tokens they receive from calling clients directly against the tokens stored in the nosql database rather than making the extra hop of going to IdentityServer which will then go to the nosql database to validate the token.

To accomplish this I see a couple of options:

  1. Implement my own ServiceStack.Auth.AuthProvider, or
  2. Override the behavior of the ServiceStack.Authentication.IdentityServer plugin.

If I want to pursue option 2, is there an existing way to do that? I've been looking at implementing my own IIdentityServerIdTokenValidator. But then I need some way to plug it into the UserAuthProvider class, and I don't see any existing way to do that. A number of methods and attributes are marked internal or private, making it difficult to create a new class derived from UserAuthProvider that could use my IIdentityServerIdTokenValidator instance. And then I will have the difficulty of getting my derived UserAuthProvider instantiated by the IdentityServerAuthFeature instance. So I'm not sure if this is the right approach.

I wonder if I would be better off to simply implement my own ServiceStack.Auth.Provider to handle the token validation. But the part I'm uncertain about is how to reproduce the automatic redirection to the IdentityServer login page when there is no identity token or if the id token is invalid. That all works quite nicely in the ServiceStack.Authentication.IdentityServer plugin and I'm not sure how difficult it would be to reproduce it in my own ServiceStack.Auth.AuthProvider plugin.

Any suggestions or advice are welcome.

CallbackUrl throws ArgumentNullException

When running the ServiceAuthProvider sample, the API throws an ArgumentNullException when a secure service request from the client tries to authenticate:

serviceClient.Post(new Authenticate { provider = IdentityServerAuthProvider.Name });

The null value is being thrown by the referrerUrl variable in the CallbackUrl property get() method:

get { return appSettings.Get(ConfigKeys.CallbackUrl, referrerUrl.AppendUrlPaths("auth", "IdentityServer")); }

I notice the ServiceAuthProvider is excluded from the list of providers that require callback URL validation in the ValidateCallbackRequirements method which would appear to set the referrerUrl. Do service auth providers not require callback validation? If so, then why would the CallbackUrl need to be accessed as observed in the call stack below (just before the exception is thrown)?

ServiceStack.Authentication.IdentityServer.IdentityServerAuthFeature.CallbackUrl.get() Line 225 C#
ServiceStack.Authentication.IdentityServer.Providers.IdentityServerAuthProvider.RefreshSettings() Line 166 C#
ServiceStack.Authentication.IdentityServer.Providers.ServiceAuthProvider.Authenticate(ServiceStack.IServiceBase authService, ServiceStack.Auth.IAuthSession session, ServiceStack.Authenticate request) Line 30 C#

Any help would be great, thanks!

Should this be GetRequestValue instead of QueryString?

I have an example running where if I change that code to GetRequestValue, it works, because my code is coming from the form data. I'm just not 100% sure if this is purposefully QueryString where others are GetRequestValue or if it's just an oversight.

Missing method exception

When I try to access a protected API method, I get redirected to /auth/IdentityServer?redirect=path-to-my-api-method with the following exception:

[Authenticate: 2018-10-24 12:24:00 AM]: [REQUEST: {provider:IdentityServer}] System.MissingMethodException: Method not found: 'ServiceStack.Web.INameValueCollection ServiceStack.Web.IRequest.get_QueryString()'.
   at ServiceStack.Authentication.IdentityServer.Providers.UserAuthProvider.GetReferrerUrl(IServiceBase authService, IAuthSession session, Authenticate request)
   at ServiceStack.Authentication.IdentityServer.Providers.UserAuthProvider.Init(IServiceBase authService, IAuthSession& session, Authenticate request)
   at ServiceStack.Authentication.IdentityServer.Providers.UserAuthProvider.AuthenticateAsync(IServiceBase authService, IAuthSession session, Authenticate request)

I thought this would redirect me to the identity server instance so I can log in (locally or using registered external providers). Any idea why this is happening?

UserAuthProvider's AuthCodeClient would be better as a protected property

We are using version 4.5.0 of this library because our project is using ServiceStack 4.5.0. UserAuthProvider's AuthCodeClient uses IdentityModel 1.11.0, but our project uses IdentityModel 3.9.0 elsewhere. This combination makes UserAuthProvider fail to call TokenClient and return this error: Method not found: 'Void IdentityModel.Client.TokenClient..ctor(System.String, System.String, System.String, IdentityModel.Client.AuthenticationStyle)'

It'd be nice if UserAuthProvider's AuthCodeClient were a protected property so that we can easily override it without rewriting the whole UserAuthProvider class. Otherwise, it would also be good if there were some overridable factory pattern to construct a UserAuthProvider.

UserAuthProvider and Identity Server 2.3.2 not working without Referrer

Identity Server sets the referrer policy to no-referrer, which seems to cause the logic inside UserAuthProvider.AuthenticateAsync to fail. The IsCallbackRequest function seems to depend on the UrlReferrer and verifies that it matches the AuthRealm. It would seem like rolling back the Identity Server "security enhancement" would not be a good idea. Thoughts?

Error in redirect if you call directly auth/IdentityServer

Hi,
I noticed that if you call the auth/IdentityServer endpoint directly, the web service does not redirect to Identity Server.

Steps to reproduce:

  • Create a new empty SS instance with a protected endpoint with a simple [Authenticate] tag
  • Basic plugin configuration:
    Plugins.Add(new IdentityServerAuthFeature
    {
        AuthProviderType = IdentityServerAuthProviderType.UserAuthProvider,
        AuthRealm = "http://localhost:5000/",
        ClientId = "xxxxx",
        ClientSecret = "xxxxx",
        Scopes = "openid"
    });
  • Start the webservice

If you call auth/IdentityServer directly -> error
If you first call the protected endpoint and then auth/IdentityServer -> the redirect works

IdentityServerAuthProvider not implementing IAuthWithRequest?

It's convenient to have pre-authentication occur at the same time a secured request is made, especially when using a client like Postman; otherwise one has to make a call to /auth/IdentityServer before making another to the desired service call.

Is there any reason why you chose not to add IAuthWithRequest, which requires the implementation of PreAuthenticate(req, res), as an interface for IdentityServerAuthProvider?

Compatibility with ServiceStack Version 5.4.x

I tried using this component in a ServiceStack version 5.4.0 web service and I was not able to use it.

The following code won't compile:

        this.Plugins.Add(new IdentityServerAuthFeature 
        {
            AuthProviderType = IdentityServerAuthProviderType.UserAuthProvider,
            AuthRealm = "http://identityserver:5000/", 
            ClientId = "ServiceStack.SelfHost", 
            ClientSecret = "F621F470-9731-4A25-80EF-67A6F7C5F4B8",              
            Scopes = "openid ServiceStack.SelfHost offline_access"
        });

due to these errors:

1>C:\Code\BITS\DiscountGuidanceService\DiscountGuidanceService\DiscountGuidanceService\AppHost.cs(109,34,109,59): error CS0012: The type 'IAppSettings' is defined in an assembly that is not referenced. You must add a reference to assembly 'ServiceStack.Interfaces, Version=4.0.0.0, Culture=neutral, PublicKeyToken=e06fbc6124f57c43'.
1>C:\Code\BITS\DiscountGuidanceService\DiscountGuidanceService\DiscountGuidanceService\AppHost.cs(109,13,109,29): error CS0012: The type 'IPlugin' is defined in an assembly that is not referenced. You must add a reference to assembly 'ServiceStack, Version=4.0.56.0, Culture=neutral, PublicKeyToken=null'.

I tried downgrading ServiceStack to version 4.x to support this component but then other areas of the service code begin to fail.

Is there some simple way to get this Identity Server authentication working on version 5.4.x?

UserAuthProvider.AuthenticateAsync should pass the no

Hi,

Currently, UserAuthProvider.AuthenticateClient creates a new nonce and a new state and passes them to the preAuthUrl. I think it should first check whether the nonce and state passed in from the Authenticate request DTO are empty. If they are not empty, they should be passed down to the new URL.

I am now investigating how to pass parameters back in the redirect_uri.

I found the following links stating that the redirect_uri must match exactly, without any parameters. To pass parameters back to the redirect_uri after logon, it should use the state parameter:

IdentityServer/IdentityServer3#1371

https://stackoverflow.com/questions/7722062/google-oauth2-redirect-uri-with-several-parameters

I use the debugger to set the state in the Authenticate DTO, but then that AuthenticateClient does not pass it down. When I use the debugger to set that state, I can see the state is passed back in the redirect_uri where I can retrieve the parameters back.

I think it can be something like this:

        // We need to get the user to login as we don't have any credentials for them
        if (isInitialRequest && !IsCallbackRequest(authService, request))
        {
            return AuthenticateClient(authService, session, tokens, request.nonce, request.State);
        }

    internal IHttpResult AuthenticateClient(IServiceBase authService, IAuthSession session, IAuthTokens authTokens, string nonce, string state)
    {
        const string preAuthUrl = "{0}?client_id={1}&scope={2}&redirect_uri={3}&response_type=code id_token&state={4}&nonce={5}&response_mode=form_post";

        if (string.IsNullOrEmpty(nonce))
        {
            nonce = Guid.NewGuid().ToString("N");
        }

        if (string.IsNullOrEmpty(state))
        {
            state = Guid.NewGuid().ToString("N");
        }

        var requestUrl = string.Format(
            preAuthUrl, 
            AuthorizeUrl, 
            AuthProviderSettings.ClientId, 
            AuthProviderSettings.Scopes,
            CallbackUrl,
            state,
            nonce);

Thanks,
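The two points raised in this issue and in the earlier "not working without Referrer" issue, as an added Python sketch that is not code from the ServiceStack.Authentication.IdentityServer project: reuse a caller-supplied state/nonce when building the authorize URL, and recognise the form_post callback by its posted fields and a state match rather than by the Referer header. Function names and the constructed callback bodies are assumptions.

```python
# Added example, not the project's code. Mirrors the preAuthUrl template from
# the issue and replaces a Referer-based callback check with a state check.
import secrets
from urllib.parse import urlencode, quote, urlparse, parse_qs


def build_authorize_url(authorize_url, client_id, scopes, redirect_uri,
                        state=None, nonce=None):
    """Return (url, state, nonce). Empty state/nonce are generated as 32 hex
    chars, matching Guid.NewGuid().ToString("N") in the C# snippet above."""
    state = state or secrets.token_hex(16)
    nonce = nonce or secrets.token_hex(16)
    params = {
        "client_id": client_id,
        "scope": scopes,
        "redirect_uri": redirect_uri,
        "response_type": "code id_token",
        "state": state,
        "nonce": nonce,
        "response_mode": "form_post",
    }
    # quote (not quote_plus) gives the %20 separators seen in the issue's URLs
    query = urlencode(params, safe=":/", quote_via=quote)
    return authorize_url + "?" + query, state, nonce


def is_callback_request(form, expected_state):
    """True only for an authorization response whose state equals the value
    stored for this session. No Referer header is consulted, so IdentityServer's
    no-referrer policy cannot break the check. A POST without a state, or with a
    state we never issued, is treated as a fresh login attempt, not a callback."""
    if "id_token" not in form and "code" not in form:
        return False
    posted = form.get("state")
    if not posted or not expected_state:
        return False
    return secrets.compare_digest(posted, expected_state)


def round_trip(caller_state="return-to=/orders/42"):
    """Simulate the flow: the app issues the authorize URL and stores the state
    server-side; the IdP form_posts back. Returns True when the genuine callback
    is accepted and a callback carrying a foreign state is rejected."""
    session = {}
    url, state, _nonce = build_authorize_url(
        "https://localhost:5001/connect/authorize", "simplehr",
        "openid offline_access", "https://localhost:5004/auth/IdentityServer",
        state=caller_state)
    session["state"] = state  # bind the state to this session before redirecting
    sent = parse_qs(urlparse(url).query)
    # constructed callback bodies, shaped like IdentityServer's form_post
    genuine = {"code": "c0de", "id_token": "eyJ...", "state": sent["state"][0]}
    foreign = {"code": "c0de", "id_token": "eyJ...", "state": "not-ours"}
    return (is_callback_request(genuine, session["state"])
            and not is_callback_request(foreign, session["state"])
            and sent["state"][0] == caller_state)
```

If application data such as a return path rides in state, keep the session binding shown here; a predictable state on its own does not protect the callback against cross-site login requests.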

Reference token support

While working with #15 I discovered that it does not seem like this identity server integration has support for reference tokens?

I would really love to have that "back-channel" communication feature that IdentityServer4's middleware for ASP.NET Core MVC provides, as it allows calling out and getting further claims based on the access token, whether it is a JWT or a reference token.

Do you have any pointers on where to start adding this into the code-base?

Access token validation middleware from IDP4:

https://github.com/IdentityServer/IdentityServer4.AccessTokenValidation

No registered Auth Providers

I'm trying to run this identity server auth with core, but when I add [Authenticate] attribute and try to invoke my method, I'm getting this as response:

{
  "responseStatus": {
    "errorCode": "Exception",
    "message": "No registered Auth Providers found matching any provider"
  }
}

Referrer Bug

In the sample ServiceAuthProvider.ServiceStack.SelfHost, a NullException error is thrown when accessing "http://localhost:5001/hello/" directly (via the address bar, not via the link).
