I have a working identity provider. The client I have designed to authenticate against it is a single project combining MVC and Web API. The initial authentication is done by the MVC side. If the access token becomes invalid, it refreshes as expected.
MVC side:
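public partial class Startup
{
    /// <summary>
    /// Wires up cookie authentication plus OpenID Connect (hybrid flow, "code id_token")
    /// in the OWIN pipeline. This pipeline is shared by the MVC and Web API parts of the
    /// project.
    /// </summary>
    /// <param name="app">The OWIN application builder.</param>
    public void ConfigureAuth(IAppBuilder app)
    {
        // With the inbound claim type map cleared below, the identity carries "sub"
        // rather than ClaimTypes.NameIdentifier; if anti-forgery tokens are used in
        // the MVC views, this setting is what lets AntiForgery key on "sub".
        //AntiForgeryConfig.UniqueClaimTypeIdentifier = "sub";

        // Keep JWT claim types exactly as issued ("sub", "name", "role", ...) instead of
        // mapping them to the long WS-* claim URIs.
        JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();

        // NOTE(review): because this middleware also fronts the Web API, a 401 from an
        // API action is turned into a redirect to the identity provider, so an XHR caller
        // receives the provider's HTML instead of a 401 — confirm whether the API routes
        // should be excluded from the cookie challenge.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies",
            CookieName = "CookieName",
            // NOTE(review): ReturnUrlParameter is the NAME of the query-string parameter
            // that carries the return URL (default "ReturnUrl"), not a path; "/Dashboard"
            // looks like a misconfiguration — confirm the intent.
            ReturnUrlParameter = "/Dashboard",
            LogoutPath = new PathString("/"),
        });

        app.UseOpenIdConnectAuthentication(GetOpenIdConnectAuthenticationOptions());
    }

    /// <summary>
    /// Builds the OpenID Connect middleware options for the hybrid flow.
    /// </summary>
    /// <returns>Options pointing at the configured authority, redirect URI and scopes.</returns>
    private OpenIdConnectAuthenticationOptions GetOpenIdConnectAuthenticationOptions()
    {
        return new OpenIdConnectAuthenticationOptions
        {
            ClientId = "client.id",
            Authority = AuthorityUrl,
            RedirectUri = RedirectUri,
            PostLogoutRedirectUri = RedirectUri,
            // Hybrid flow: the authorization code is redeemed server-side in
            // AuthorizationCodeReceived; offline_access requests a refresh token.
            ResponseType = "code id_token",
            Scope = "openid profile email offline_access roles company utc_offset service_api",
            TokenValidationParameters = new TokenValidationParameters
            {
                // Must match the short claim names kept by the cleared InboundClaimTypeMap.
                NameClaimType = "name",
                RoleClaimType = "role"
            },
            // Sign the resulting identity into the cookie middleware configured above.
            SignInAsAuthenticationType = "Cookies",
            Notifications = GetOpenIdConnectAuthenticationNotifications()
        };
    }

    /// <summary>
    /// Creates the middleware callbacks: code redemption / identity construction on sign-in,
    /// and id_token_hint propagation on sign-out.
    /// </summary>
    /// <returns>The configured notifications.</returns>
    private OpenIdConnectAuthenticationNotifications GetOpenIdConnectAuthenticationNotifications()
    {
        var container = UnityLazyInit.Container;
        // Resolved once at startup and captured by the callbacks below, so it is shared
        // by every sign-in that follows.
        var authorizationProvider = container.Resolve<AuthorizationProvider>();

        return new OpenIdConnectAuthenticationNotifications
        {
            AuthorizationCodeReceived = async n =>
            {
                // NOTE(review): this mutates the shared provider on every sign-in;
                // confirm it is safe for concurrent authentications.
                authorizationProvider.Authority = Authority;
                authorizationProvider.LoginMethod = LoginMethod;

                // Redeem the authorization code for tokens, then fetch and reshape the
                // user-info claims.
                var tokenResponse = await authorizationProvider.GetAccessAndRefreshTokens(n);
                var userInfoClaims = await authorizationProvider.GetUserInfoClaims(tokenResponse);
                userInfoClaims = authorizationProvider.TransformUserInfoClaims(userInfoClaims);

                // The identity produced from the id_token is expected to carry "sid"
                // (used for sign-out); fail with a clear message rather than a
                // NullReferenceException when it does not.
                var sidClaim = n.AuthenticationTicket.Identity.FindFirst("sid");
                if (sidClaim == null)
                {
                    throw new InvalidOperationException("The identity token does not contain a 'sid' claim.");
                }

                // Build the identity that ends up in the authentication cookie. It carries
                // the access, refresh and id tokens as claims, which makes the cookie a
                // credential store: the cookie ticket must stay protected (encrypted),
                // HttpOnly and confined to HTTPS.
                var id = new ClaimsIdentity(n.AuthenticationTicket.Identity.AuthenticationType);
                id.AddClaims(userInfoClaims);
                id.AddClaim(new Claim("access_token", tokenResponse.AccessToken));
                // Expiry is stored as UTC in round-trip ("o") format so it parses back
                // unambiguously regardless of the thread culture or server time zone.
                // (Previously a culture-dependent local-time string.)
                id.AddClaim(new Claim(
                    "expires_at",
                    DateTime.UtcNow.AddSeconds(tokenResponse.ExpiresIn)
                        .ToString("o", System.Globalization.CultureInfo.InvariantCulture)));
                id.AddClaim(new Claim("refresh_token", tokenResponse.RefreshToken));
                id.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));
                id.AddClaim(new Claim("sid", sidClaim.Value));

                // Application-specific claims (roles/permissions) come from the provider.
                var user = authorizationProvider.GetUser(id);
                id.AddClaims(authorizationProvider.GetApplicationClaims(user));
                id.AddClaims(authorizationProvider.GetPermisionClaims(user));

                // Replace the ticket so the cookie is issued with the enriched identity and
                // the "name"/"role" claim types configured above.
                n.AuthenticationTicket = new AuthenticationTicket(
                    new ClaimsIdentity(id.Claims, n.AuthenticationTicket.Identity.AuthenticationType, "name", "role"),
                    n.AuthenticationTicket.Properties);
            },

            RedirectToIdentityProvider = n =>
            {
                // On sign-out, pass the original id_token as id_token_hint so the
                // provider can end the right session.
                if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
                {
                    var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token");
                    if (idTokenHint != null)
                    {
                        n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
                    }
                }

                return Task.FromResult(0);
            }
        };
    }
}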
The presentation layer (browser side) leverages AngularJS; however, I have not incorporated any support for authentication there. I am relying on the MVC.
When the presentation layer makes calls to the API, the calls are automatically validated against the access token retrieved by the MVC, but if it expires the API is unable to refresh the access token. It also doesn't return Unauthorized. It appears to be trying to refresh but fails: the presentation layer receives the HTML of the identity provider's error page when the API calls attempt to refresh the token.
How do I fix this? It seems to me that it is supposed to authenticate and refresh automatically for both the MVC and the API when they are combined, but this is not working for me.
Note, to clarify: the startup configuration above is shared by the MVC and the API.
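new Client
{
    ClientName = "MVC Client",
    ClientId = "client.id",
    // NOTE(review): a literal secret in source is only acceptable as a placeholder;
    // the deployed value should come from configuration.
    ClientSecrets = new List<Secret>
    {
        new Secret("secret".Sha256())
    },
    // Matches ResponseType = "code id_token" on the client middleware.
    Flow = Flows.Hybrid,
    AllowedScopes = new List<string>
    {
        Constants.StandardScopes.OpenId,
        Constants.StandardScopes.Profile,
        Constants.StandardScopes.Email,
        Constants.StandardScopes.OfflineAccess,
        "roles",
        "company",
        "utc_offset",
        // The literal was split across two lines in the original paste (invalid C#).
        "service_api"
    },
    RequireConsent = false,
    RedirectUris = new List<string>
    {
        REMOVED
    },
    PostLogoutRedirectUris = new List<string>
    {
        REMOVED
    },
    AllowedCorsOrigins = new List<string>
    {
        REMOVED
    },
    // Lifetimes are in seconds. 60 s for the access and identity tokens is very short:
    // the access token obtained at sign-in expires before most page interactions, so
    // nearly every API call from the browser has to go through a refresh.
    AccessTokenLifetime = 60,
    IdentityTokenLifetime = 60,
    AbsoluteRefreshTokenLifetime = 60 * 60 * 24,
    // NOTE(review): the sliding lifetime only takes effect if the client's refresh-token
    // expiration mode is sliding (IdentityServer3 defaults to absolute) — confirm.
    SlidingRefreshTokenLifetime = 60 * 15,
},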
@brockallen - The short of this is: I have an application that is MVC, Web API and AngularJS. I do not think a hybrid like this is wise, but I inherited this application and now I have to find a way to make it work with IdentityServer3.
I would be grateful for any guidance. Please.