openid-connect

问题 I'm having a Client in my IdentityServer3 new Client { ClientName = "Client Credentials Flow Client", Enabled = true, ClientId = "clientcredentials.reference", Flow = Flows.ClientCredentials, ClientSecrets = new List<Secret> { new Secret("secret".Sha256()), }, AllowedScopes = new List<string>() { "read", "write" } } I hosted the Token Service in my local IIS and I tried to ping the Token using Postman, but it given an error {"error":"invalid_scope"} Host URL: https://localhost:5775/core

问题 I am starting to work with Dynamics 365 Portal add-on (Online, not on-prem), which I've configured to use an external authentication provider in the form of Identity Server with OpenId Connect. The problem with this is that I don't have access to the under-the-hood portal authentication process, there's just a few basic config settings and users can authenticate using the external IdP. I can't access roles, claims, or any custom info that might come back as part of the OpenId Connect user's

问题 Following on from this question, I am using the Spring Boot MitreID OIDC application from here. This runs OK I am trying to access it using simple-web-app. Simple-web-app now can see the OIDC app. It still asks for user/pwd even though I am logged in in the OIDC app. When I enter these I now get the following error. I can't find any help. Anyone have any idea? 2018-12-19 14:15:44.641 INFO 7632 --- [nio-8080-exec-1] o.m.o.c.web.AuthenticationTimeStamper : Successful Authentication of admin at

问题 I know that IdentityServer3 provides the whole stack of implementing OAuth 2.0, OpenId Conect etc. I don't know if I should use IdentityServer3. Because I have my own login server which authenticates the user using a membership provider which is already available. Can I integrate my already available login mechanism with IdentityServer3 and implement OAuth 2.0? Any suggestion will be highly appreciated. 回答1: Moving the membership part to identityserver is easy. If you want to keep the whole

问题 I am working on a aspnet core MVC project which calls an API which is secured by OAuth2.0. I was able to access the API and get the response properly with the code below, Startup.cs public void ConfigureServices(IServiceCollection services) { services.Configure<CookiePolicyOptions>(options => { options.CheckConsentNeeded = context => true; options.MinimumSameSitePolicy = SameSiteMode.None; }); services.AddAuthentication(options => { options.DefaultAuthenticateScheme =

问题 As recommend I would have register the authorize callback url/redirect_url at IdP, which it works. But what if a client using MVC app tries to access a page with an unauthorized state, will be redirect to idsrv login page. The redirect_url is always (Home page entry point) as configured. To change this behavior I would have to register all possible routes at IdP. That can not a be solution! On idsrv Login method I have tried: Login(string returnUrl) checking the value from returnUrl it gives

问题 I have tried implementing ASOS with .net core 2.1 and there were few things which were available in OAuthAuthorizationProvider but I couldn't find them in ASOS. Also I think the context is little different in ASOS, So is there any alternate of the following code in ASOS: OAuthBearerOptions = new OAuthBearerAuthenticationOptions(); var options = new OAuthAuthorizationServerOptions { AuthorizeEndpointPath = new PathString(AuthorizePath), TokenEndpointPath = new PathString(TokenPath),

问题 First off, I'm not looking for the access token of a facebook account. I (or my facebook messenger bot) need the access token of a linked 3rd party account. The account was successfully linked as described here: https://developers.facebook.com/docs/messenger-platform/identity/account-linking Slightly off topic: The first issue I noticed that does not meet the OIDC/OAuth2 specs is, that the redirect URI given to the /authorize endpoint expects a param " authorization_code " instead of "code"

问题 Suppose we have two users doing following operation - User1 requested to the auth server for access token and granted also. Now user1 save the token into localstorage/cookie for future api access. Now User2 approach User1 browswer and get the access_token some how. Now User2 call the api using user1's access_token and get the access too without login. Now Can we validate the token anyhow? 回答1: You can't avoid that happening. However, the token should have an expiration time, so the attacker

问题 I am using React as client and Web API core for back end interaction. For Authentication we are using Token based authentication using AspNet.Security.OpenIdConnect.Server (ASOS) . I have to implement refresh token scenario where on expiration of access token we use refresh token (returned by ASOS) to get new access Token. I know one way to achieve by calling method on client is in AXIOS interceptor like below. httpPromise.interceptors.response.use(undefined, err => { const { config, response