Thinktecture Identity Server HRD - thinktecture-ident-server

I would like to use Thinktecture Identity Server v2 "WS-Federation HRD" to let users log in with a Facebook account or with the identity server I created with Thinktecture Identity Server.
The following is my use case. I also referred to https://github.com/thinktecture/Thinktecture.IdentityServer.v2/issues/484 to try to configure my Thinktecture Identity Server;
it shows the HRD login page and I can log in successfully, but after I log in it always redirects to the Thinktecture Identity Server home page, not to the client application.
Can anyone tell me how to configure this on Thinktecture Identity Server and in the ASP.NET MVC client application?
Use case:
1. (App client) abc.cloudapp.net/oauthclient2/
2. => Thinktecture Identity Server "hrd" page (https://def.cloudapp.net/identityserver/)
3. => login with Facebook or the IdP (identity server); if successful then
4. => redirect to (app client) abc.cloudapp.net/oauthclient2/

The guide that you mentioned is OK. The problem you might have is on the last screen.
Try setting the Redirect URL back to your application (abc.cloudapp.net/oauthclient2/) in the relying party for your application (abc.cloudapp.net/oauthclient2/).
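The answer above fixes the server side: the relying-party entry on Identity Server must carry the application's Redirect URL (the WS-Federation `wreply`). The client side has to send a matching `wreply` with the sign-in request, otherwise Identity Server has nowhere to post the token but its own home page. The following is an added example, not code from the original post or from the Thinktecture project, showing the WIF 4.5 (`System.IdentityModel.Services`) settings an ASP.NET MVC client would use for the URLs in the question. Assumptions: the MVC app is hosted at https://abc.cloudapp.net/oauthclient2/, the v2 WS-Federation endpoint is the `issue/wsfed` path under the Identity Server site, and the same values are configured programmatically here rather than in `web.config` purely so the mapping to the relying-party fields is visible in one place.

```csharp
// Global.asax.cs of the hypothetical MVC client (added example, not the project's code).
using System;
using System.IdentityModel.Services;
using System.IdentityModel.Services.Configuration;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;

public class MvcApplication : HttpApplication
{
    // Values assumed from the question; in a real deployment read them from configuration.
    private const string IdentityServerWsFedEndpoint = "https://def.cloudapp.net/identityserver/issue/wsfed";
    private const string ClientRealm = "https://abc.cloudapp.net/oauthclient2/";
    private const string ClientReplyUrl = "https://abc.cloudapp.net/oauthclient2/";

    protected void Application_Start()
    {
        AreaRegistration.RegisterAllAreas();
        RouteConfig.RegisterRoutes(RouteTable.Routes);

        // WIF raises this once, when it builds the federation configuration
        // from web.config; anything set here overrides the file values.
        FederatedAuthentication.FederationConfigurationCreated += OnFederationConfigurationCreated;
    }

    private static void OnFederationConfigurationCreated(object sender, FederationConfigurationCreatedEventArgs e)
    {
        WsFederationConfiguration wsfed = e.FederationConfiguration.WsFederationConfiguration;

        // Unauthenticated requests are redirected to Identity Server (the HRD page
        // is shown there when HRD is enabled for the relying party).
        wsfed.PassiveRedirectEnabled = true;
        wsfed.RequireHttps = true;
        wsfed.Issuer = IdentityServerWsFedEndpoint;

        // wtrealm: must equal the Realm registered for the relying party on Identity Server.
        wsfed.Realm = ClientRealm;

        // wreply: must equal the Redirect URL registered for that relying party.
        // Without it, Identity Server has no target for the token POST and the
        // browser ends up on its home page after a successful login.
        wsfed.Reply = ClientReplyUrl;

        // Only accept tokens issued for this realm; a token minted for another
        // relying party must not be usable here.
        e.FederationConfiguration.IdentityConfiguration
            .AudienceRestriction.AllowedAudienceUris.Add(new Uri(ClientRealm));
    }
}
```

Two checks worth making after this change: the sign-in redirect issued by the client should contain both `wtrealm` and `wreply`, and the server-side relying-party entry should be the only place the reply URL is trusted from. A relying party that accepts an arbitrary `wreply` from the request would let anyone craft a sign-in link that delivers the user's token to a different site, so the Redirect URL on the relying party is a security setting, not just a convenience.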

Related

IdentityServer4 without UI using Asp Core Identity Scaffolded

I really need your help. I am trying to implement IdentityServer4 to generate tokens for authenticated users, giving them access to the web application. However, I have set up my IdentityServer project in its own solution. Then I have a web application that runs. What I need to implement is:
1. Using Identity, the user signs in.
2. If successful, redirect to IdentityServer4 to generate a token.
3. Redirect back to the application with the generated tok
You will have to add the web application as a client with scopes in the IdentityServer configuration. Please see here:
http://docs.identityserver.io/en/latest/topics/clients.html
https://github.com/IdentityServer/IdentityServer4/tree/main/samples/Quickstarts/2_InteractiveAspNetCore/src
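As an added illustration of the answer above (this is example code, not from the post or from the linked quickstart verbatim), the client registration the web application needs on the IdentityServer4 side. Assumptions: the web application runs at https://localhost:5002 and uses the ASP.NET Core OpenID Connect handler's default callback paths; the client id, secret and the `api1` scope name are placeholders; users come from the scaffolded ASP.NET Core Identity store via the `IdentityServer4.AspNetIdentity` package.

```csharp
// Config.cs in the hypothetical IdentityServer host (added example).
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

public static class Config
{
    // Identity scopes the web app may request in the id_token.
    public static IEnumerable<IdentityResource> IdentityResources =>
        new IdentityResource[]
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile(),
        };

    // Assumed API scope the access token will carry.
    public static IEnumerable<ApiScope> ApiScopes =>
        new[] { new ApiScope("api1", "Example API") };

    public static IEnumerable<Client> Clients =>
        new List<Client>
        {
            new Client
            {
                ClientId = "webapp",            // placeholder id
                ClientName = "Web application",

                // Interactive browser client: authorization code flow with PKCE,
                // so the code is bound to the client that started the request.
                AllowedGrantTypes = GrantTypes.Code,
                RequirePkce = true,
                ClientSecrets = { new Secret("replace-with-a-real-secret".Sha256()) },

                // Exact-match allow list. A token is only ever sent to one of these
                // URLs, which is what prevents redirect-based token theft.
                RedirectUris = { "https://localhost:5002/signin-oidc" },
                PostLogoutRedirectUris = { "https://localhost:5002/signout-callback-oidc" },

                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "api1",
                },
            },
        };
}

// Startup.ConfigureServices in the same host, wiring the in-memory config to
// the scaffolded ASP.NET Core Identity user store (ApplicationUser is assumed).
//
//   services.AddIdentityServer()
//       .AddInMemoryIdentityResources(Config.IdentityResources)
//       .AddInMemoryApiScopes(Config.ApiScopes)
//       .AddInMemoryClients(Config.Clients)
//       .AddAspNetIdentity<ApplicationUser>();
```

With this in place step 2 of the question is handled by the web application's OpenID Connect handler: the user signs in against IdentityServer (backed by ASP.NET Core Identity), IdentityServer issues the code to `/signin-oidc`, and the handler exchanges it for the tokens. The redirect URI must match the registered value character for character; a mismatch is rejected rather than fixed up.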

IdentityServer4 w/ Vue SPA - Silent Renew to External OIDC Provider

I have an ASP.NET Core IdentityServer4 instance securing an API that is fronted by a Vue.js SPA (using oidc-client). The IS4 server is set up to manage "local" accounts itself for my company's users, but we also have an external OIDC provider set up for a trusted partner that allows their users to access our site using their single sign-on server (OIDC identity server). The partner's portal has a link to our app, so if they are already authenticated by their own OIDC server, then no additional login prompt is displayed.
Overall, this process works. I can log in "locally" (an account that is only on our identity server), or use the external OIDC provider that authenticates the user and goes through the auto-provisioning on our local IS4 server. The Vue app has its tokens and silent refresh is enabled, which keeps the user's credentials updated against our IS4 server.
However, if a user from our partner comes to our app, spends some time there, and then returns to their own portal via a link on our site, it's likely that their access will have timed out and they see their own SSO login again. This is because the silent refresh on our site is only refreshing our local IdentityServer4 credentials.
Is it possible to somehow maintain BOTH "sessions" while the partner user is on our site, silently refreshing both our IS4 token and their OIDC SSO credentials?

Identity Server4, Redirect to MVC client using Google Authentication not working

I am using IdentityServer4 for authentication. When I use my IS4 login, then after the user is authenticated the user gets redirected to the MVC client. But when the user uses Google authentication for the same MVC client, then after the Google authentication the user doesn't get redirected to the MVC client; the user stays on the authentication server's login page.

Authenticating AD user automatically and manually - WebAPI 2 server and SPA client

I'm developing an enterprise/internet application with a WebAPI 2 RESTful server and an SPA web client (Angular2), so I have two separate projects created using the ASP.NET 4.6 Empty template; both use OWIN and are IIS hosted.
The requirements for authentication are:
An Active Directory user who is logged in to the workstation will be authenticated automatically once she opens any page of the app in the browser, if her user id/name is found in the database, with no need to enter her user/password. Let's name this auto-login. Otherwise, if it's not found in the DB, she will be redirected to the login page.
Also there should be a logout option which redirects the user to the login page after logging her out.
On the login page any AD user can enter her/his AD user and password, and after a successful check against the database (exists) and AD (valid credentials) she/he will be logged in to the system (obviously it may be a different user than the one currently logged in to the workstation).
In addition to the web client there will be other clients such as mobile apps which will connect to and be served by the WebAPI back-end. Users will log in there using their AD user and password too. Let's name this manual-login.
According to the REST architecture, and having both AD enterprise and internet/mobile users together, the authentication should be token based; this is what I found so far, but I'm not sure.
I read about the OWIN authentication architecture and Windows Authentication, and I checked MixedAuth. Now I think it is the nearest solution for this requirement as it lets app-defined users authenticate side by side with Windows/AD users. But even after digging into it and its SPA sample I haven't found my way yet and am confused.
Can anyone help?
What should I actually do on the WebAPI server and SPA client to accomplish those authentication requirements?
Which middlewares should I add and how should config/manipulate them?
UseCookieAuthentication ?
UseExternalSignInCookie ?
UseOAuthBearerTokens ?
Can I rely just on bearer tokens (using the OAuthBearerTokens middleware) and get the same kind of token for authenticated Windows users, to unify the authentication model around bearer tokens? If so, how?
How and where should I put my code for checking that the AD user exists in the DB, and if not, reject the authentication?
Thanks a lot.

Azure B2C as external identity provider for Thinktecture Identity Server

I have a setup consisting of my relying party app -> Thinktecture Identity Server -> Azure AD B2C. This is working as expected for login and signup using a sign-in or sign-up policy. The issue I am running into is that the password reset link on the Azure B2C page is sending the user back to my Thinktecture Identity Server, instead of to Azure B2C where it should go. Has anyone encountered this and found a solution? I am also unable to submit a profile edit policy request to Azure B2C through Thinktecture Identity Server. My Thinktecture Identity Server instance just sees that the user is logged in and returns them directly back to my relying party.
So my questions are these...
How do I get the password reset functionality working correctly from Azure B2C?
How can I handle profile edit requests from my relying party and pass them through appropriately in Thinktecture Identity Server?
It was suggested that I use acr_values, but I don't see how that is going to help. Any suggestions/ideas would be helpful as I seem to have run up against a brick wall here.