openid-connect

Does OAuth “state” mitigate any genuinely dangerous attacks?

血红的双手。 Submitted on 2019-12-23 02:03:36
Question: I was using the OAuth Playground to better understand the OpenID Connect flow, and it has this to say about verifying the state parameter: "The user was redirected back to the client, and you'll notice a few additional query parameters in the URL: ?state=7ymOWcwttpCfDNcs&code=Tav2TPBjSNvR8aowA3oe Since it's possible for an attacker to craft a GET request that looks similar to this, an attacker could provide your application with junk authorization codes. You need to first verify that the state

[C#, .NET]: Validating users via LDAP through IdentityServer3

ⅰ亾dé卋堺 Submitted on 2019-12-22 14:59:29
Question: I need a way to validate users within my organization (using LDAP and Active Directory) through IdentityServer3 and grant them access to a resource. IdentityServer3 appears to be an implementation framework of the OpenID Connect protocol which holds good for authentication and authorization. So far, I have been able to validate hard-coded users and get a JWT (JSON Web Token) access token using the InMemory implementation. Please refer to this example: https://rajdeep.io/2015/05/07/creating-a

OpenID Connection session management - can ID token be revoked?

岁酱吖の Submitted on 2019-12-22 12:08:10
Question: In OpenID Connect, the ID token is a cryptographically signed, self-contained token which allows resource owners to authorize access without a call to the authorization server. So, if the Authorization server isn't necessary to validate the token, how can it be revoked in a session management scenario? It seems like the only thing that can be revoked is the refresh token, at which point the ID token would just expire and the user would have to reauthenticate. Is this correct? Also, does it

IdentityServer used as external identity provider for another IdentityServer fails to properly redirect

我与影子孤独终老i Submitted on 2019-12-22 11:28:19
Question: When using any of the standard identity providers (Google, Facebook), after login and consent they redirect to my primary Identity Server and let it redirect to the implicit client registered within it. How can I achieve the same behavior with another Identity Server serving as external identity provider? My security architecture consists of two Identity Servers, the primary one (v3) using the other (v4) as an external identity provider. The implicit client opens a popup with the primary

Identity disappears from bearer token after an hour

妖精的绣舞 Submitted on 2019-12-22 10:55:26
Question: I am working on a multi-tenant solution with Azure AD with web apps and a web API. The web app uses OpenIdConnect to retrieve a bearer token (which is cached in Azure Redis Cache), which is used in Angular to get JSON from the web API. User impersonation is used between the web app and web API (set up in Azure AD applications). Problem: This works fine for about an hour, then the Identity suddenly disappears on the web API side. If I refresh the web app, I see that the page is redirected to

AWS Cognito - create groups from ADFS as Cognito Groups

岁酱吖の Submitted on 2019-12-22 06:47:28
Question: An app is communicating via the OpenID Connect protocol with AWS Cognito, which is connected to ADFS, communicating via SAML. Cognito is essentially "proxying" the ADFS server. ADFS holds a group mapping that the app requires, and I would like to import these groups into Cognito as actual Cognito Groups, which will then be read by the app from the cognito:groups claim in the ID token Cognito provides. In the AWS Cognito User Pool setup, I don't see a way to map ADFS groups to Cognito Groups -

oidc-client-js is not getting claims correctly from Identity Server 4

牧云@^-^@ Submitted on 2019-12-22 06:20:16
Question: I have a local instance of Identity Server 4 and I'm trying to follow this guide to create a JavaScript client. This uses the oidc-client-js library and I'm using the signin popup approach, so my sign-in event handler looks like this: `signin(e) { e.preventDefault(); this.oidcUserMgr.signinPopup({state:'some data'}).then(function(user) { console.log("signed in", user.profile); }).catch(function(err) { console.log(err); }); }` Authentication appears to work fine - I'm redirected to my Identity

HttpContext.Current is null on TokenCache.BeforeAccess

感情迁移 Submitted on 2019-12-22 05:20:19
Question: I am testing a web project using OWIN and OpenID Connect against Azure AD. I am using much of the code from this sample: https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect I have an issue where I get a null exception on line 27 of this file: https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-openidconnect/blob/master/TodoListWebApp/Utils/NaiveSessionCache.cs I get the exception because HttpContext.Current is null. I can see that Load() is

IdentityServer4 Correlation Failed Error with External Provider

落爺英雄遲暮 Submitted on 2019-12-22 04:39:21
Question: I am attempting to integrate Ping Federate as an external OIDC provider for my IdentityServer4 instance. When I initiate the external login flow I am getting the following error: System.Exception: Correlation failed. at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.<HandleRequestAsync>d__12.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime