I am using IdentityServer4 with an ASP.NET MVC 4.5 application.
When I run the MVC application, it goes to IdentityServer4 and shows the login page. After filling in the credentials, it validates them. I have set the redirect URI to https://localhost:44367/Home/Secure. It shows the same URI in the browser but gives the error:
IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause
)
Why is this error coming?
_Host.cshtml.cs:
return RedirectToPage("/Account/Login/Index", new { area = "Identity" });
Error:
An unhandled exception occurred while processing the request.
AmbiguousMatchException: The request matched multiple endpoints. Matches:
/Account/Login/Index
/Account/Login
/_Host
Microsoft.AspNetCore.Routing.Matching.DefaultEndpointSelector.ReportAmbiguity(CandidateState[] candidateState)
It's because I use ASP.NET Core Identity scaffolded pages, which have the Login in Areas/Identity/Pages/Account/<foo>.cshtml. I tried to move them into Areas/Identity/Pages/Account/Login/<foo>.cshtml and ASP.NET Core is confused by that! Duh!
I built a Blazor Server application that supports Azure AD login and Azure B2C login. This works fine, and I can decide what is displayed to the user using the authentication scheme.
If I log in with Azure AD everything works fine. If I log in with Azure B2C, events (like onclick) are not raised.
After starting the application the user is sent to a login page. On this page he can decide to log in with AD or B2C.
On this page I get the following error:
[2022-09-07T12:09:46.429Z] Error: Failed to start the connection: Error
[2022-09-07T12:09:46.430Z] Error: Error
Error: Cannot send data if the connection is not in the 'Connected' State.
at e.send (https://localhost:5001/_framework/blazor.server.js:1:51662)
at e.sendMessage (https://localhost:5001/_framework/blazor.server.js:1:22519)
at e.sendWithProtocol (https://localhost:5001/_framework/blazor.server.js:1:22581)
at https://localhost:5001/_framework/blazor.server.js:1:23244
at new Promise (<anonymous>)
at e.invoke (https://localhost:5001/_framework/blazor.server.js:1:23041)
at e.<anonymous> (https://localhost:5001/_framework/blazor.server.js:21:27207)
at https://localhost:5001/_framework/blazor.server.js:21:26507
at Object.next (https://localhost:5001/_framework/blazor.server.js:21:26612)
at https://localhost:5001/_framework/blazor.server.js:21:25524
After logging in with AD, the error is cleared and everything works fine. If I log in with B2C this error still occurs, and it seems that the application is no longer connected to the server.
I think this is the reason why the application does not fire events.
I was able to fix the problem.
I needed to add the following:
endpoints.MapRazorPages().RequireAuthorization(
    new AuthorizeAttribute
    {
        AuthenticationSchemes = $"{OpenIdConnectDefaults.AuthenticationScheme},{FischerLib.Extensions.Constants.B2CAuthenticationScheme}"
    }
);
endpoints.MapBlazorHub().RequireAuthorization(
    new AuthorizeAttribute
    {
        AuthenticationSchemes = $"{OpenIdConnectDefaults.AuthenticationScheme},{FischerLib.Extensions.Constants.B2CAuthenticationScheme}"
    }
);
Is there a way to get the access token from IdentityServer4, preferably in the Login.cshtml.cs post function? I am using the default React with authentication template (ASP.NET Core 3.1) from Visual Studio. Thank you!
You can't get the issued tokens in the Login.cshtml.cs post function.
That is because ASP.NET Identity's credential validation logic is fired before IdentityServer's token issuance logic. In the OnPostAsync event of Login.cshtml.cs, the identity system will check the user in the database and sign the user in using:
var result = await _signInManager.PasswordSignInAsync(Input.Email, Input.Password, Input.RememberMe, lockoutOnFailure: true);
If user validation passes, it will redirect to a local URL like /connect/authorize/callback?client_id=react&redirect_uri=https%3A%2F%2Flocalhost%3A44362%2Fauthentication%2Flogin-callback&response_type=code&scope=reactAPI%20openid%20profile&state=xxxxx&code_challenge=xxxxx&code_challenge_method=S256&response_mode=query , and that URL is in fact an OpenID Connect Authorization Code Flow (PKCE) request. After redirecting, the IdentityServer4 middleware will handle the code and token request and at last issue tokens. So in the OnPostAsync function you can't get the tokens.
If you want to get the tokens, you can get them from IdentityServer's built-in events like TokenIssuedSuccessEvent; you can also get tokens from the React client side. In which event/place to get tokens is based on your requirement.
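The event hook the answer mentions, as an added example that is not part of the question or answer: an IdentityServer4 IEventSink that observes TokenIssuedSuccessEvent once the /connect/authorize/callback redirect and the token request have completed. It assumes IdentityServer4's event types (TokenIssuedSuccessEvent carrying ClientId, SubjectId, GrantType, Scopes and a Tokens collection with TokenType/TokenValue) and that RaiseSuccessEvents is switched on; it records a hash of each token rather than the token itself.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using IdentityServer4.Events;
using IdentityServer4.Services;
using Microsoft.Extensions.Logging;

// Receives every IdentityServer4 event; only successful token issuance is acted on here.
public class TokenIssuanceSink : IEventSink
{
    private readonly ILogger<TokenIssuanceSink> _logger;

    public TokenIssuanceSink(ILogger<TokenIssuanceSink> logger) => _logger = logger;

    public Task PersistAsync(Event evt)
    {
        if (evt is TokenIssuedSuccessEvent issued)
        {
            foreach (var token in issued.Tokens)
            {
                // Never write the raw token to a log: a log store is not a token store.
                // A SHA-256 fingerprint is enough to correlate issuance with later use.
                _logger.LogInformation(
                    "Token issued: type={TokenType} client={ClientId} sub={SubjectId} grant={GrantType} scopes={Scopes} sha256={Fingerprint}",
                    token.TokenType, issued.ClientId, issued.SubjectId, issued.GrantType,
                    string.Join(" ", issued.Scopes ?? Enumerable.Empty<string>()),
                    Fingerprint(token.TokenValue));
            }
        }
        return Task.CompletedTask;
    }

    // Lower-case hex SHA-256 of the token string (assumed helper, not an IdentityServer4 API).
    public static string Fingerprint(string tokenValue)
    {
        using var sha = SHA256.Create();
        var hash = sha.ComputeHash(Encoding.UTF8.GetBytes(tokenValue ?? string.Empty));
        return BitConverter.ToString(hash).Replace("-", "").ToLowerInvariant();
    }
}

// Startup.ConfigureServices wiring; success events are disabled by default in IdentityServer4:
//   services.AddIdentityServer(options => options.Events.RaiseSuccessEvents = true);
//   services.AddTransient<IEventSink, TokenIssuanceSink>();
```

The sink fires for every client, so filter on issued.ClientId ("react" in the question's request) if only that client's tokens are of interest.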
I'm testing out the OneDrive SDK .NET sample app here. However it's unclear to me what values I need for the AadReturnUrl and AadTargetUrl constants which are used with the AdalAuthenticationProvider and OneDriveClient classes respectively. The GitHub readme for the project refers to this page, but that page isn't clear either.
Also: for a native client app, what value do you use for the Redirect URI when you configure the app in Azure AD? Is this value related to the required URLs above?
Edit: I tried the suggestion from the first comment and received the following error, from this code in FormBrowser.SignIn (where AadReturnUrl = http://myactualdomain.onmicrosoft.com; this is a native app, and I assume this can be a 'dummy' URL if I don't have the means to display a web page):
var adalAuthProvider = new AdalAuthenticationProvider(FormBrowser.AadClientId, FormBrowser.AadReturnUrl);
this.oneDriveClient = new OneDriveClient(FormBrowser.AadTargetUrl + "/_api/v2.0", adalAuthProvider);
authTask = adalAuthProvider.AuthenticateUserAsync(FormBrowser.AadTargetUrl);
Exception thrown: 'Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException' in Microsoft.IdentityModel.Clients.ActiveDirectory.dll
Microsoft.IdentityModel.Clients.ActiveDirectory Error: 4 : 10/24/2016 22:05:41: e9c2c5cd-1750-4d0f-b3a2-f373f7de309a - d__0: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS50001: The application named https://myactualdomain-my.sharepoint.com/_api/v2.0 was not found in the tenant named myactualdomain.onmicrosoft.com. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
Trace ID: 16192303-40e9-4944-b376-d25d4ff52b73
Correlation ID: e9c2c5cd-1750-4d0f-b3a2-f373f7de309a
Timestamp: 2016-10-24 22:05:40Z
at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenInteractiveHandler.VerifyAuthorizationResult()
at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenInteractiveHandler.PreTokenRequest()
at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.d__0.MoveNext()
ErrorCode: invalid_resource
StatusCode: 0
OneDriveApiBrowser.vshost.exe Error: 0 : 10/24/2016 22:05:41: e9c2c5cd-1750-4d0f-b3a2-f373f7de309a - d__0: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS50001: The application named https://myactualdomain-my.sharepoint.com/_api/v2.0 was not found in the tenant named myactualdomain.onmicrosoft.com. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
Trace ID: 16192303-40e9-4944-b376-d25d4ff52b73
Correlation ID: e9c2c5cd-1750-4d0f-b3a2-f373f7de309a
Timestamp: 2016-10-24 22:05:40Z
at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenInteractiveHandler.VerifyAuthorizationResult()
at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenInteractiveHandler.PreTokenRequest()
at Microsoft.IdentityModel.Clients.ActiveDirectory.AcquireTokenHandlerBase.d__0.MoveNext()
ErrorCode: invalid_resource
StatusCode: 0
AadTargetUrl should be the URL of your service. For example, https://contoso-my.sharepoint.com/_api/v2.0/ would be the URL for your OneDrive for Business on the Contoso tenant. You can get more information about getting your target URL using the Discovery Service.
AadReturnUrl is the redirect URL you configured in the Azure Management Portal (as you correctly surmised). It's commonly something like http://localhost:8080 for local apps, but could be something different for web apps. You can get more information about that in the article you already linked.
I'm using the MVC 5 default template with "Individual Accounts" selected for authentication. It uses ASP.NET Identity with Entity Framework.
Using Chrome I opened the app, registered a user, and then logged in with that user. I accidentally deleted the database. Now when I open the app again in Chrome it still shows me signed in, since the auth cookie persists in the browser. However, the user that is logged in doesn't exist in the database.
Is this the correct behavior? If not, any suggestions on how to prevent it?
That's correct behaviour. As long as the auth cookie is valid and not expired, your app assumes the user is authenticated.
When you disable or (soft) delete a user, you should call UserManager.UpdateSecurityStamp(string userId), which causes the auth cookie to be invalid on the next check.
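The wiring that makes the answer's UpdateSecurityStamp call take effect, as an added example that is not code from the question or answer: the security-stamp validator from the MVC 5 template's Startup.Auth.cs re-checks the cookie against the database every validateInterval, so a user row that is gone or a rotated stamp rejects the cookie at the next check instead of at cookie expiry. ApplicationUserManager, ApplicationUser and ApplicationDbContext are the default-template type names; the 5-minute interval and the AccountAdminService class are my choices.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // Every 5 minutes (the template ships with 30) the validator reloads the
                // user by id and compares the cookie's security-stamp claim with the stored
                // stamp. A user that no longer exists, or whose stamp was changed by
                // UpdateSecurityStamp, fails the check and the cookie is rejected.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(5),
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}

// Hypothetical admin-side helper: call it when a user is disabled or soft-deleted.
public class AccountAdminService
{
    private readonly ApplicationUserManager _userManager;

    public AccountAdminService(ApplicationUserManager userManager) => _userManager = userManager;

    public Task InvalidateSessionsAsync(string userId)
    {
        // Rotates the stamp, so every existing cookie for this user fails validation
        // the next time the validator runs (at most validateInterval later).
        return _userManager.UpdateSecurityStampAsync(userId);
    }
}
```

The cookie stays accepted until the next validation tick, so the interval bounds how long a deleted or disabled account can keep using an existing session.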