an issue with openid connect login
Jul 27, 2020 11:14 PM | EnenDaveyBoy
I have been picking apart IdentityServer and enjoying it.
My big issue at the moment is: I have multiple SPAs (React), a web API which is microservice based, and a separate identity server (ISP) (another microservice).
Now the SPAs all use OAuth2 when a user first opens them with no history, which gets authorisation to the APIs directly from the ISP.
However, the OpenID Connect flow is the big problem.
I would like to understand the granular flow of login and 2FA; the diagrams breeze over it (I understand there will be multiple ways of doing it, and a lot of it depends on my choices, but...).
The OpenID Connect docs say it's out of the scope of the document. Any information would be appreciated.
Also, if anyone could recommend a book I can read and keep for reference on OAuth2, OpenID Connect and FIDO2, I would appreciate it, although a lot of books I have seen are a few years old.
Re: an issue with openid connect login
Jul 28, 2020 11:56 AM | mgebhard
I read your post several times and I'm not sure what question you are asking.
OpenID Connect is a protocol or specification; it uses scopes to grant access to resources. Resources are items like the client identity and APIs.
Are you asking how to implement two-factor authentication (2FA)? Two-factor auth is built in to Identity. If you are using Identity as your backing store and account management API, then just read the Identity docs to turn on two-factor. https://docs.microsoft.com/en-us/aspnet/core/security/authentication/mfa?view=aspnetcore-3. Basically, the user must complete both auth factors before Identity Server redirects back to your application.
I recommend referencing the RFC specs. The RFCs are far more useful than a book because the RFCs explain the protocol. Keep in mind the IdentityServer4 docs recommend the same: https://identityserver4.readthedocs.io/en/latest/intro/specs.html
Re: an issue with openid connect login
Jul 28, 2020 02:05 PM | EnenDaveyBoy
Thanks for the info. I know how 2FA works in Identity, and I know how to make a call to the authorize endpoint, but what I am missing is how to connect them both in a microservice environment and what the different approaches are.
I have read the OpenID docs that state:
https://openid.net/specs/openid-connect-core-1_0.html#Consent
3.1.2.3. The methods used by the Authorization Server to Authenticate the End-User (e.g. username and password, session cookies, etc.) are beyond the scope of this specification.
I don't want the "basically"; I am after the nitty gritty. I know it's too much for a reply on the forum, but I was hoping for a link or a recommendation for a book (or books). I am also interested in FIDO2.
I have a couple of really silly mental blocks,
like: does the SPA or does the API contact the ISP?
Re: an issue with openid connect login
Jul 28, 2020 03:10 PM | mgebhard
The user must pass both forms of authentication before receiving a token from the token server. I'm not sure how 2FA has anything to do with microservices.
Consent happens after the user completes the two forms of authentication. As far as I understand, 2FA has nothing to do with OAuth/OIDC. 2FA is a feature that you get to add to your application.
I have no idea what you're asking. Typically, the API is the secured resource. The SPA redirects the browser to the remote token server, where the user logs in. The user completes the second form of authentication (2FA) while still on the remote token server. The browser is redirected back to the SPA application after a successful 2FA. You're simply adding a step between the login and consent. This is code that you must design and implement. If you are using Identity, then 2FA is built in.
Re: an issue with openid connect login
Jul 29, 2020 01:01 AM | EnenDaveyBoy
Let's say I have an SPA and I want to log in: does the login form submit to the API or the ISP?
In the IdentityServer4 and Identity example it submits to the MVC controller, not the ISP endpoint. The thing I am interested in is what happens after you validate the user, which is hidden behind the API. And what are the other options, if any? Is the user information sent to the authorize endpoint, and how is the user managed, since the subject information is not passed in the request?
If the API sends the request to the ISP, how does the redirect work to the redirect URL?
I also have a similar mental block: if the prompt field is populated with login, what's the process of getting the form and receiving the form details?
Every time I try and Google it, I end up on a third-party identity provider's website telling me about their services, not the actual information I am looking for.
Re: an issue with openid connect login
Jul 29, 2020 01:12 AM | EnenDaveyBoy
I think I have found the identity provider 4 service which does it.
Re: an issue with openid connect login
Jul 29, 2020 11:11 AM | mgebhard
As far as I can tell, you are not following the OAuth/OIDC standards or the IdentityServer4 documentation. Since you are referring to Single Page Applications (SPAs), the subject is browser-based applications: a user-agent. In this scenario, IdentityServer4 hosts the login page, 2FA, and consent page (Interactive Application). Page templates are provided by IdentityServer4, as well as a JavaScript library for SPAs. The JavaScript client handles the OAuth/OIDC flow in the client app.
There's no IdentityServer4 service. There's an MVC app, if that's what you mean. It seems like you stopped at the first quick start and made up your own protocol.
Re: an issue with openid connect login
Jul 29, 2020 03:16 PM | bruce (sqlwork.com)
If you are using MSAL in a SPA, it opens an iframe. In the iframe it navigates to the login server. On successful login, the login server redirects to the SPA hosting server, or the web API server, depending on the flow. The redirected server returns a page that closes the iframe and passes data back to the SPA code.
See:
https://github.com/AzureAD/microsoft-authentication-library-for-js
Re: an issue with openid connect login
Jul 30, 2020 12:13 AM | EnenDaveyBoy
Can you confirm that IdentityServer4 has to have a user/account API to manage users regardless of the setup? And if a user does any login, either directly from its own API or via a third-party site (e.g. if I log in to gmail.com, which is a direct login, or via ASP.NET using a Google login, they both get submitted to the same API, which isn't an authorise endpoint), then the API uses the authorise endpoint.
Although if this is true, it seems to make the authorize endpoint redundant, as it would always be hit by the user/account service (except for OAuth2).
Then the main thing I can't figure out is the redirect_url: if a user API contacts the authorize endpoint, how does it send the response to the SPA's return_url?
(I don't think I will be using MSAL.)
Re: an issue with openid connect login
Jul 30, 2020 12:23 PM | mgebhard
The reason for implementing a central token server like IdentityServer4 is to manage user accounts and login. This includes third-party logins.
You are describing a design bug on your end. IdentityServer4 works exactly as intended.
The IdentityServer4 folks built a JavaScript client library for SPAs. The client library handles the configuration: the redirect URL, authority, client ID, scopes, etc. The library also contains functions for fetching the access token, login, logout and handling the callback after the user authenticates with IdentityServer.
All you had to do is read the documentation or go through the QuickStart guide. It seems like you made up a solution that does not follow any openly published standards.