
I'm implementing an authentication server with IdentityServer4 for clients using Hybrid flow. I managed to implement my own user store and also my own repository for clients, grants and resources.

When a user wants to log in, the client redirects them to my authentication server and, if they're not logged in, it shows the login page. At this point I need some extra information beyond username and password in order to log in my users: a projectId from another system, against which I'm actually authenticating the users. The client should provide this projectId.

The flow looks like that:

[image: flow diagram]

I've read here (Sending Custom Parameters to login screen) that I should retrieve parameters from the returnUrl I get in the AccountController. The way I'm triggering the login flow right now is with the [Authorize] attribute on a controller method in my client code:

[Route("login")]
[Authorize]
public async Task<IActionResult> Login()
{
    // [Authorize] issues the OIDC challenge; this body only runs once the user is signed in.
    await Task.CompletedTask;
    return RedirectToAction("Index", "Home");
}

My questions are:

1. How can I send the projectId in the connect/authorize request to identity server?

2. Should I create the request manually for that?

2.a If so, then how can I handle the redirect URI action in the controller? Because right now I'm using the standard /signin-oidc route.

My client definition looks like that:

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc();
    JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

    services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie("Cookies")
    .AddOpenIdConnect("oidc", options =>
    {
        options.SignInScheme = "Cookies";

        options.Authority = "http://localhost:5001";
        options.RequireHttpsMetadata = false;

        options.ClientId = "BGServer";
        options.ClientSecret = "ThisIsTheBGServerSecret";
        options.ResponseType = "code id_token"; //"code";

        //set SaveTokens to save tokens to the AuthenticationProperties
        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;

        options.Scope.Add("BG_API");
        options.Scope.Add("offline_access");
    });
}

And my client definition in the authentication server looks like that:

// OpenID Connect hybrid flow and client credentials client (BGServerClient)
new Client
{
    ClientId = "BGServer",
    ClientName = "BabyGiness Server",
    AllowedGrantTypes = GrantTypes.HybridAndClientCredentials, 
    RequireConsent = false,
    ClientSecrets =
    {
        new Secret("ThisIsTheBGServerSecret".Sha256())
    },

    RedirectUris = {"http://localhost:5005/signin-oidc"},
    PostLogoutRedirectUris = { "http://localhost:5005/signout-callback-oidc" },

    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        "BG_API"
    },
    AllowOfflineAccess = true //used to be able to retrieve refresh tokens
};

Thank you very much for your help.

giokoguashvili
jcasas
  • Is the projectid tied to the user or the client? – aaronR Mar 07 '18 at 14:10
  • It's related to the user in the external system. – jcasas Mar 07 '18 at 14:12
  • Why not add it to the user claims then? – aaronR Mar 07 '18 at 14:13
  • It comes from a user http request body. At which point should the projectId be added as a claim? Where? – jcasas Mar 07 '18 at 14:17
  • So when is the projectID associated to the user? – aaronR Mar 07 '18 at 14:18
  • In the external system. The users I want to login are in this external system – jcasas Mar 07 '18 at 14:34
  • I get that but when is the ProjectID tied to the User? Is this at the user creation? Is this per client? If it is anything like that you can create a claim "projectID" and put it with the user claims. – aaronR Mar 07 '18 at 14:36
  • Sorry for the misunderstanding. The client ties it to the user when it sends the login request. I will study your suggestion, although for the moment I have no idea on how to do it. Thanks. – jcasas Mar 08 '18 at 07:06

1 Answer


You should be able to simply add additional query string parameters to the authorize endpoint request and then parse them out of the returnUrl in your MVC controller for the login flow. Anything not part of the protocol will be ignored by IDS4, I'm pretty sure.

mackie
  • I understand that, but my question in my scenario is: how can I achieve that, considering I'm not creating the request myself but the 'authorize' attribute on the controller method does? – jcasas Mar 08 '18 at 07:07
  • You'd have to implement something custom. Either via the middleware events or simply craft up the authorize request yourself, adding anything extra that you need. Where does projectId come from? Is it something you can work out with no other context in place? – mackie Mar 08 '18 at 09:05
  • It comes from the end user to the client login request. Do you have any hint on how to craft up the authorize request? I tried from the controller in my client but couldn't get to the front channel correctly and start the oidc flow as expected. By middleware you refer to IdentityServer4? I don't see any way to hook this projectId in the events Identity Server is triggering. – jcasas Mar 08 '18 at 09:17
  • The middleware in the client. Check out the ManualMvc sample, that covers how to implement the implicit/hybrid flow in MVC – mackie Mar 08 '18 at 09:48
  • Thanks, I will also check that, seems what I need. Here's the link if somebody is as lost as me: https://github.com/IdentityServer/IdentityServer4.Samples/blob/release/Clients/src/MvcManual/Controllers/HomeController.cs – jcasas Mar 08 '18 at 12:17
  • The URL to the sample project doesn't work. – Raha Sep 14 '21 at 04:42
  • This is the updated link - https://github.com/IdentityServer/IdentityServer4/blob/main/samples/Clients/old/MvcManual/Controllers/HomeController.cs – Irving Aug 16 '22 at 18:02
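The approach the answer and the comment thread describe (add a non-protocol parameter to the authorize request from the client's OpenID Connect middleware events, then read it back out of the returnUrl in the IdentityServer login controller) as an added, self-contained example. This is not code from the question, the answer or the IdentityServer4 samples; the `OidcProjectIdExtensions`, `ReturnUrlParser` and the `projectId` parameter name are this example's own assumptions, and it targets the same ASP.NET Core `AddOpenIdConnect("oidc", ...)` client configuration shown in the question.

```csharp
// Added example (not the question's, the answer's or the project's code): carrying a
// per-login "projectId" through the OIDC authorize request and reading it back on the
// IdentityServer4 side. Type and member names below are this example's own assumptions.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.WebUtilities;

// ---------- Client side (the MVC app configured with AddOpenIdConnect("oidc", ...)) ----------

public static class OidcProjectIdExtensions
{
    // Key under which the projectId travels in AuthenticationProperties.Items between the
    // explicit challenge below and the middleware's redirect event.
    public const string ProjectIdItem = "projectId";

    // Wire up in ConfigureServices: options.Events = OidcProjectIdExtensions.ProjectIdEvents();
    public static OpenIdConnectEvents ProjectIdEvents() => new OpenIdConnectEvents
    {
        OnRedirectToIdentityProvider = ctx =>
        {
            if (ctx.Properties.Items.TryGetValue(ProjectIdItem, out var projectId)
                && !string.IsNullOrWhiteSpace(projectId))
            {
                // Extra, non-protocol query parameter on /connect/authorize. IdentityServer
                // ignores it for validation but keeps it in the returnUrl the login page receives.
                ctx.ProtocolMessage.SetParameter(ProjectIdItem, projectId);
            }
            return Task.CompletedTask;
        }
    };
}

public class ClientAccountController : Controller
{
    // Replaces the bare [Authorize] trigger: the user posts the projectId with the login
    // request and the controller issues an explicit challenge that carries it along.
    [HttpPost("login")]
    [ValidateAntiForgeryToken]
    public IActionResult Login(string projectId, string returnUrl = "/")
    {
        // Accept only local return URLs so the challenge cannot become an open redirect.
        if (string.IsNullOrEmpty(returnUrl) || !Url.IsLocalUrl(returnUrl)) returnUrl = "/";

        var props = new AuthenticationProperties { RedirectUri = returnUrl };
        props.Items[OidcProjectIdExtensions.ProjectIdItem] = projectId;

        // The OIDC handler still receives the response on /signin-oidc, so the RedirectUris
        // registered for the client on IdentityServer do not change.
        return Challenge(props, "oidc");
    }
}

// ---------- IdentityServer4 side (the login page's AccountController) ----------

public static class ReturnUrlParser
{
    // returnUrl arrives as a local path such as
    // "/connect/authorize/callback?client_id=BGServer&...&projectId=42" (constructed sample).
    // Returns null when the parameter is missing or returnUrl is not a local URL, so the
    // caller never trusts a value smuggled in via an absolute or protocol-relative URL.
    public static string GetProjectId(string returnUrl)
    {
        if (string.IsNullOrEmpty(returnUrl)
            || !returnUrl.StartsWith("/", StringComparison.Ordinal)
            || returnUrl.StartsWith("//", StringComparison.Ordinal))
            return null;

        var queryStart = returnUrl.IndexOf('?');
        if (queryStart < 0) return null;

        var query = QueryHelpers.ParseQuery(returnUrl.Substring(queryStart));
        return query.TryGetValue("projectId", out var values) && values.Count == 1
            ? values.ToString()
            : null;
    }
}
```

On the IdentityServer side the login action calls `ReturnUrlParser.GetProjectId(returnUrl)` and passes the result, together with the username and password, to whatever validates users against the external system. Because the projectId is just an extra query parameter, it reaches the login page unauthenticated and the server has to treat it as untrusted input: validate its format, check that the authenticated user is actually allowed to act in that project, and only then add it as a claim to the issued session. IdentityServer4's `IIdentityServerInteractionService.GetAuthorizationContextAsync(returnUrl)` is the alternative to parsing the query by hand; it additionally confirms that the returnUrl is a genuine pending authorize request rather than an arbitrary path.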