We Keep Coding

Single sign out in identity server 4

###I am using identity server 4 for authentication for .net and angular apps.
if I log out from one client it does not log out from others.###
how can I delete the user session and implement single-signout for all clients
#the config class in identity server#
//MVC Client
new Client
{
ClientName = ".NET 4 MVC website",
ClientId = "net4mvcclient",
ClientSecrets =
{
new Secret("secret3".Sha256())
},
//Grant types are a way to specify how a client wants to interact with IdentityServer
AllowedGrantTypes = GrantTypes.Implicit,
RequireConsent = false,
AllowOfflineAccess = true,
AllowAccessTokensViaBrowser = true,
RedirectUris = { $"{_config.GetValue<string>("IdentityServerSettings:MVCBaseUri")}/signin-oidc" },
PostLogoutRedirectUris = { $"{_config.GetValue<string>("IdentityServerSettings:MVCBaseUri")}/" },
AllowedScopes = {"openid", "profile", "offline_access", "api1", "api2" } ,
AllowedCorsOrigins = {$"{_config.GetValue<string>("IdentityServerSettings:MVCBaseUri")}"},
AccessTokenLifetime = 50000
},
//angular_spa
new Client {
RequireConsent = false,
ClientId = "angular_spa",
ClientName = "Angular SPA",
AllowedGrantTypes = GrantTypes.Implicit,
AllowedScopes = { "openid", "profile", "offline_access", "api1", "api2" },
RedirectUris = { $"{_config.GetValue<string>("IdentityServerSettings:AngularBaseUri")}/#auth-callback/#" },
PostLogoutRedirectUris = { $"{_config.GetValue<string>("IdentityServerSettings:AngularBaseUri")}/" },
AllowedCorsOrigins = { $"{_config.GetValue<string>("IdentityServerSettings:AngularBaseUri")}" },
AllowAccessTokensViaBrowser = true,
AccessTokenLifetime = 3600
}
};
startup class in MVC client
public void ConfigureIdentityServer(IAppBuilder app)
{
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = "Cookies"
});
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
AuthenticationType = "oidc",
Authority = ConfigurationManager.AppSettings["IdentityServerUrl"], //Identity server Url
ClientId = "net4mvcclient",
ClientSecret = "secret3",
RedirectUri = ConfigurationManager.AppSettings["HourlyMVCUrl"] +"/signin-oidc", //Net4MvcClient's URL
PostLogoutRedirectUri = ConfigurationManager.AppSettings["HourlyMVCUrl"]+"/", //MVC Client URL
ResponseType = "id_token token",
RequireHttpsMetadata = false,
Scope = "openid profile api1 api2 offline_access",
TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
{
NameClaimType = "name"
},
SignInAsAuthenticationType = "Cookies",
Notifications = new OpenIdConnectAuthenticationNotifications
{
SecurityTokenValidated = n =>
{
n.AuthenticationTicket.Identity.AddClaim(new Claim("access_token", n.ProtocolMessage.AccessToken));
n.AuthenticationTicket.Identity.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));
return Task.FromResult(0);
},
RedirectToIdentityProvider = n =>
{
if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.Logout)
{
var id_token_claim = n.OwinContext.Authentication.User.Claims.FirstOrDefault(x => x.Type == "id_token");
if (id_token_claim != null)
{
n.ProtocolMessage.IdTokenHint = id_token_claim.Value;
}
}
return Task.FromResult(0);
}
}
});
AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;
app.UseNLog((eventType) => LogLevel.Debug);
}
#the logout function in identity server#
public async Task<IActionResult> Logout(LogoutInputModel model)
{
// build a model so the logged out page knows what to display
var vm = await BuildLoggedOutViewModelAsync(model.LogoutId);
if (User?.Identity.IsAuthenticated == true)
{
// delete local authentication cookie
// Request.GetOwinContext().Authentication.SignOut();
await HttpContext.SignOutAsync();
await _signInManager.SignOutAsync();
// raise the logout event
await _events.RaiseAsync(new UserLogoutSuccessEvent(User.GetSubjectId(), User.GetDisplayName()));
}
// check if we need to trigger sign-out at an upstream identity provider
if (vm.TriggerExternalSignout)
{
// build a return URL so the upstream provider will redirect back
// to us after the user has logged out. this allows us to then
// complete our single sign-out processing.
string url = Url.Action("Logout", new { logoutId = vm.LogoutId });
// this triggers a redirect to the external provider for sign-out
return SignOut(new AuthenticationProperties { RedirectUri = url }, vm.ExternalAuthenticationScheme);
}
if (vm.PostLogoutRedirectUri != null)
{
return SignOut(new AuthenticationProperties { RedirectUri = vm.PostLogoutRedirectUri }, vm.ExternalAuthenticationScheme);
}
return View("LoggedOut", vm);
}

Identityserver4 not authorized api in blazor client

I use identity server 4 with blazor server side client
everything is ok but token not authorized api methods but token works in server authorized controllers
is something wrong with grant type or code flow ?
server config class :
public static class Configurations
{
public static IEnumerable<IdentityResource> GetIdentityResources() =>
new List<IdentityResource>
{
new IdentityResources.OpenId(),
new IdentityResources.Profile(),
};
public static IEnumerable<ApiResource> GetApis() =>
new List<ApiResource> {
new ApiResource("api1")
};
public static IEnumerable<ApiScope> GetApiScopes()
{
return new List<ApiScope>
{
// backward compat
new ApiScope("api1")
};
}
public static IEnumerable<Client> GetClients() => new List<Client>
{
new Client
{
ClientId = "client",
AllowedGrantTypes = GrantTypes.Code,
ClientSecrets =
{
new Secret("secret".Sha256())
},
AllowedScopes = {
"api1" ,
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
},
RedirectUris = { "https://localhost:44372/signin-oidc" },
AlwaysIncludeUserClaimsInIdToken = true,
AllowOfflineAccess = true,
RequireConsent = false,
RequirePkce = true,
}
};
}
server start up class :
public void ConfigureServices(IServiceCollection services)
{
services.AddDbContext<AppDbContext>(config =>
{
config.UseInMemoryDatabase("Memory");
});
// AddIdentity registers the services
services.AddIdentity<IdentityUser, IdentityRole>(config =>
{
config.Password.RequiredLength = 4;
config.Password.RequireDigit = false;
config.Password.RequireNonAlphanumeric = false;
config.Password.RequireUppercase = false;
})
.AddEntityFrameworkStores<AppDbContext>()
.AddDefaultTokenProviders();
services.ConfigureApplicationCookie(config =>
{
config.Cookie.Name = "IdentityServer.Cookie";
config.LoginPath = "/Auth/Login";
config.LogoutPath = "/Auth/Logout";
});
services.AddIdentityServer()
.AddAspNetIdentity<IdentityUser>()
//.AddInMemoryApiResources(Configurations.GetApis())
.AddInMemoryIdentityResources(Configurations.GetIdentityResources())
.AddInMemoryApiScopes(Configurations.GetApiScopes())
.AddInMemoryClients(Configurations.GetClients())
.AddDeveloperSigningCredential();
services.AddControllersWithViews();
}
api start up class :
services.AddAuthentication("Bearer").AddIdentityServerAuthentication(option =>
{
option.Authority = "https://localhost:44313";
option.RequireHttpsMetadata = false;
option.ApiName = "api1";
});
blazor server side start up class:
services.AddAuthentication(config =>
{
config.DefaultScheme = "Cookie";
config.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookie")
.AddOpenIdConnect("oidc", config =>
{
config.Authority = "https://localhost:44313/";
config.ClientId = "client";
config.ClientSecret = "secret";
config.SaveTokens = true;
config.ResponseType = "code";
config.SignedOutCallbackPath = "/";
config.Scope.Add("openid");
config.Scope.Add("api1");
config.Scope.Add("offline_access");
});
services.AddMvcCore(options =>
{
var policy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser() // site-wide auth
.Build();
options.Filters.Add(new AuthorizeFilter(policy));
});

To fix this issue, you have 2 options:
1- (Recommended) To add the scopes to API resource like this:
public static IEnumerable<ApiResource> GetApis() =>
new List<ApiResource> {
new ApiResource("api1")
{
Scopes = new []{ "api1" }
}
};
public static IEnumerable<ApiScope> GetApiScopes()
{
return new List<ApiScope>
{
// backward compat
new ApiScope("api1")
};
}
2- On API change your code to set ValidateAudience = false, like this:
services.AddAuthentication("Bearer").AddJwtBearer("Bearer",
options =>
{
options.Authority = "http://localhost:5000";
options.Audience = "api1";
options.RequireHttpsMetadata = false;
options.TokenValidationParameters = new
TokenValidationParameters()
{
ValidateAudience = false
};
});
Here is my blog about migrating IdentityServer4 to v4 https://nahidfa.com/posts/migrating-identityserver4-to-v4/

I have not actually used AddIdentityServerAuthentication in API but can you try the below code. Technically its same thing, but maybe this will work.
Change your api authentication from AddIdentityServerAuthentication to AddJwtBearer:
services.AddAuthentication("Bearer").AddIdentityServerAuthentication(option =>
{
option.Authority = "https://localhost:44313";
option.RequireHttpsMetadata = false;
option.ApiName = "api1";
});
to
services.AddAuthentication("Bearer")
.AddJwtBearer("Bearer", option =>
{
option.Authority = "https://localhost:44313";
option.Audience = "api1";
option.SaveToken = true;
});

Configure blazor wasm and separate identityserver4

I have a solution named Messenger which contains 3 projects:
Messenger.IdentityServer
Messenger.Api
Messenger.BlazorWasmClient
This is my IdentityServer Startup.cs:
public class Startup
{
public IWebHostEnvironment Environment { get; }
public IConfiguration Configuration { get; }
public Startup(IWebHostEnvironment environment, IConfiguration configuration)
{
Environment = environment;
Configuration = configuration;
}
public void ConfigureServices(IServiceCollection services)
{
services.AddControllersWithViews();
// configures IIS out-of-proc settings (see https://github.com/aspnet/AspNetCore/issues/14882)
services.Configure<IISOptions>(iis =>
{
iis.AuthenticationDisplayName = "Windows";
iis.AutomaticAuthentication = false;
});
// configures IIS in-proc settings
services.Configure<IISServerOptions>(iis =>
{
iis.AuthenticationDisplayName = "Windows";
iis.AutomaticAuthentication = false;
});
services.AddDbContext<IdentityServerDbContext>(options =>
options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));
services.AddIdentity<IdentityServerUser, IdentityRole>()
.AddEntityFrameworkStores<IdentityServerDbContext>()
.AddDefaultTokenProviders();
var builder = services.AddIdentityServer(options =>
{
options.Events.RaiseErrorEvents = true;
options.Events.RaiseInformationEvents = true;
options.Events.RaiseFailureEvents = true;
options.Events.RaiseSuccessEvents = true;
})
.AddInMemoryIdentityResources(Config.Ids)
.AddInMemoryApiResources(Config.Apis)
.AddInMemoryClients(Config.Clients)
.AddAspNetIdentity<IdentityServerUser>();
// not recommended for production - you need to store your key material somewhere secure
builder.AddDeveloperSigningCredential();
}
public void Configure(IApplicationBuilder app)
{
if (Environment.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
app.UseStaticFiles();
app.UseRouting();
app.UseIdentityServer();
app.UseAuthorization();
app.UseEndpoints(endpoints =>
{
endpoints.MapDefaultControllerRoute();
});
}
}
Config.cs:
public static class Config
{
public static IEnumerable<IdentityResource> Ids =>
new IdentityResource[]
{
new IdentityResources.OpenId(),
// let's include the role claim in the profile
new ProfileWithRoleIdentityResource(),
new IdentityResources.Email()
};
public static IEnumerable<ApiResource> Apis =>
new ApiResource[]
{
// the api requires the role claim
new ApiResource("messenger.api", "Messenger API", new[] { JwtClaimTypes.Role })
};
// machine to machine client (from quickstart 1)
public static IEnumerable<Client> Clients =>
new List<Client>
{
new Client
{
ClientId = "messenger.blazorwasmclient",
AllowedGrantTypes = GrantTypes.Code,
RequirePkce = true,
RequireClientSecret = false,
AllowedCorsOrigins = { "https://localhost:5001" },
AllowedScopes = { "openid", "profile", "email", "messenger.api" },
RedirectUris = { "https://localhost:5001/authentication/login-callback" },
PostLogoutRedirectUris = { "https://localhost:5001/" },
Enabled = true
}
};
}
In the BlazorWasmClient, I added an AddOidcAuthentication method to the Program.cs like this:
public class Program
{
public static async Task Main(string[] args)
{
var builder = WebAssemblyHostBuilder.CreateDefault(args);
builder.RootComponents.Add<App>("app");
builder.Services.AddTransient(sp => new HttpClient { BaseAddress = new Uri(builder.HostEnvironment.BaseAddress) });
builder.Services
.AddOidcAuthentication(options =>
{
builder.Configuration.Bind("oidc", options.ProviderOptions);
options.UserOptions.RoleClaim = "role";
})
.AddAccountClaimsPrincipalFactory<ArrayClaimsPrincipalFactory<RemoteUserAccount>>();
await builder.Build().RunAsync();
}
}
appSettings.json:
{
"oidc": {
"Authority": "https://localhost:5000/",
"ClientId": "messenger.blazorwasmclient",
"DefaultScopes": [
"openid",
"profile",
"email",
"messenger.api"
],
"PostLogoutRedirectUri": "/",
"ResponseType": "code"
}
}
But I don't understand why I have this error message every time I start my solution:

You need to configure the redirect URI and the PostLogoutUri must be an abosolut URI, not relative. Uris must exactly match what you setup in the IndentityServer4 client :
appsettings.json
{
"oidc": {
"Authority": "https://localhost:5000/",
"ClientId": "messenger.blazorwasmclient",
"DefaultScopes": [
"openid",
"profile",
"email",
"messenger.api"
],
"PostLogoutRedirectUri": "https://localhost:5001/",
"RedirectUri": "https://localhost:5001/authentication/login-callback",
"ResponseType": "code"
}
}

How to properly use claims with IdentityServer4?

I'm trying to understand how this works, so please bear with me.
Here is my config for identity server:
public static IEnumerable<ApiResource> GetApiResources(IConfiguration configuration)
{
return new []
{
new ApiResource
{
Name = "invoices.api",
ApiSecrets =
{
new Secret("invoices.api.secret".Sha256()),
},
Scopes =
{
new Scope("invoices.api.scope"),
},
UserClaims =
{
"custom_role",
}
}
};
}
public static IEnumerable<Client> GetClients(IConfiguration configuration)
{
return new []
{
new Client
{
ClientId = "invoices.ui",
RequireConsent = false,
AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
AccessTokenType = AccessTokenType.Reference,
AllowedCorsOrigins = configuration.GetSection("Redirect").Get<RedirectOptions>().AllowedCorsOrigins.ToList(),
RedirectUris = configuration.GetSection("Redirect").Get<RedirectOptions>().RedirectUris.ToList(),
PostLogoutRedirectUris = configuration.GetSection("Redirect").Get<RedirectOptions>().PostLogoutRedirectUris.ToList(),
ClientSecrets =
{
new Secret("invoices.ui.secret".Sha256())
},
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
"invoices.api.scope",
},
}
};
}
public static IEnumerable<TestUser> GetUsers(IConfiguration configuration)
{
return new []
{
new TestUser
{
SubjectId = "1",
Username = "alice",
Password = "123",
Claims =
{
new Claim("custom_role", "user"),
},
},
new TestUser
{
SubjectId = "2",
Username = "bob",
Password = "123",
Claims =
{
new Claim("custom_role", "admin"),
},
}
};
}
public static IEnumerable<IdentityResource> GetIdentityResources(IConfiguration configuration)
{
return new []
{
new IdentityResources.OpenId(),
};
}
And this is how my MVC client is setup:
services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = "oidc";
})
.AddCookie(opts =>
{
//opts.ExpireTimeSpan = TimeSpan.FromSeconds(60);
})
.AddOpenIdConnect("oidc", opts =>
{
opts.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
opts.DisableTelemetry = true;
opts.Authority = Configuration.GetValue<string>("IdentityServer");
opts.RequireHttpsMetadata = false;
opts.ClientId = "invoices.ui";
opts.ClientSecret = "invoices.ui.secret";
opts.ResponseType = "code id_token";
opts.SaveTokens = true;
opts.GetClaimsFromUserInfoEndpoint = true;
opts.Scope.Clear();
opts.Scope.Add("openid");
opts.Scope.Add("invoices.api.scope");
});
After a user is authenticated, i'm trying to see it's claims in view like this:
#foreach (var claim in User.Claims)
{
<dt>#claim.Type</dt>
<dd>#claim.Value</dd>
}
But the list doesn't contain any "custom_role" claim.
The identity server logs shows that the user info has been requested by the client from user info endpoint, but my "custom_role" wasn't transfered there, however it shows in logs of identity server, that user has it.
How to access my custom claims in my MVC app?
I need to get them from user endpoint and use for authorization.

If you ask for an Access Token and Identity Token ("code id_token") Identity Server will not include user claims by default.
The solution is to set AlwaysIncludeUserClaimsInIdToken to true. See http://docs.identityserver.io/en/release/reference/client.html
The explanation on why this settings exists is here: https://leastprivilege.com/2016/12/14/optimizing-identity-tokens-for-size/

Seems that adding an identity resource with specified claims solves the problem even with built-in ProfileService implementation:
public static IEnumerable<IdentityResource> GetIdentityResources(IConfiguration configuration)
{
return new []
{
new IdentityResources.OpenId(),
new IdentityResource
{
Name = "roles.scope",
UserClaims =
{
"custom_role",
}
}
};
}
Also added it as a scope for a client:
AllowedScopes =
{
IdentityServerConstants.StandardScopes.OpenId,
"invoices.api.scope",
"roles.scope",
},

The function IntrospectionClient in Identityserver4 always returns Unauthorized

I want to use the function IntrospectionClient to verify the token in identity server, but it always returns: Unauthorized
Identity server startup code:
services.AddIdentityServer()
.AddSigningCredential(myPrivatecert)
.AddInMemoryApiResources(Config.GetResources())
.AddInMemoryClients(Config.GetClients())
.AddTestUsers(Config.GetTestUsers())
.AddValidationKey(myPubliccert)
.AddJwtBearerClientAuthentication()
.AddValidators();
I add a api resource, a client info and a test user in config file
My Config is :
public class Config
{
//ApiResource
public static IEnumerable<ApiResource> GetResources()
{
return new List<ApiResource>
{
new ApiResource("api")
};
}
//Client
public static IEnumerable<Client> GetClients()
{
return new List<Client>
{
new Client()
{
ClientId = "site",
AccessTokenLifetime = 180,
RefreshTokenExpiration = TokenExpiration.Absolute,
AbsoluteRefreshTokenLifetime = 1800,
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
ClientSecrets =
{
new Secret("secret".Sha256())
},
AlwaysSendClientClaims = true,
AllowAccessTokensViaBrowser = true,
RequireConsent = false,
AllowedScopes =
{
"api"
},
AccessTokenType = AccessTokenType.Jwt,
AllowOfflineAccess = true
},
};
}
//TestUser
public static List<TestUser> GetTestUsers()
{
return new List<TestUser>{
new TestUser{
SubjectId="1",
Username="wyt",
Password="123456",
Claims = new List<Claim>()
{
new Claim("wawa", "aoao"),
}
}
};
}
}
My Client Startup is:
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).
AddIdentityServerAuthentication(options =>
{
options.Authority = "http://localhost:6001";
options.RequireHttpsMetadata = false;
options.ApiName = "api";
});
get token :
//token
var tokenClient = new TokenClient(dico.TokenEndpoint, "site", "secret");
var tokenResponse = tokenClient.RequestResourceOwnerPasswordAsync("wyt", "123456").Result;
want use introspection:
var introspectionClient = new IntrospectionClient(
dico.IntrospectionEndpoint,
"api",
"secret");
var vresponse = await introspectionClient.SendAsync
(
new IntrospectionRequest { Token = tokenResult.AccessToken }
);
but the vresponse is always Unauthorized
where is wrong?

I ran into the same issue, the documentation is not very clear.
You need to add an ApiSecret to your ApiResource:
public static IEnumerable<ApiResource> GetResources()
{
return new List<ApiResource>
{
new ApiResource("api")
{
ApiSecrets = { new Secret("secret".Sha256()) }
}
};
}
And then you call the introspection endpoint passing the api name and the api secret, like you did:
var introspectionClient = new IntrospectionClient(
dico.IntrospectionEndpoint,
"api",
"secret");