openid-connect

WSO2 IS 5.1.0 as OAuth/OIDC IdP response with different claims on UserInfo endpoint

生来就可爱ヽ(ⅴ<●) submitted on 2019-12-11 13:17:53
Question: Anyone know why if I make a call to /userinfo endpoint I obtain different JSON response? Specifically: When I make a call with curl from command line, like $curl -k -H "Authorization: Bearer 2bcea7cc9d7e4b63fd2257aa31116512" https://localhost:9443/oauth2/userinfo?schema=openid I obtain as response the JSON: {"sub":"asela","name":"asela","preferred_username":"asela","given_name":"asela","family_name":"asela"} If I make the call with a java client (a library that implements the Authorization

Tokens statelessness and storage

你。 submitted on 2019-12-11 12:12:26
Question: I have been reading a lot about not saving the tokens in the user agent storage and I agree with the risks mentioned. But going through some of the Auth0 quickstart examples, I see the tokens being saved in the session and using session cookies to track them. Others mention saving the actual token as an httpOnly cookie with lower risks involved. My questions are: How is that considered stateless? especially with scalability and the potential use of load balancers. Are the alternatives, memory

Guidance required diagnosing infinite loop authenticating on ios (safari and chrome) with identity server 4

霸气de小男生 submitted on 2019-12-11 10:55:04
Question: I'm having a strange issue with identity server 4 (deployed as an Azure app service) and authentication on mobile devices. I'm using an OpenId connect .NET core MVC client to authenticate against my identity server (which is configured with AspNetIdentity). This is working absolutely fine with a desktop browser, but on an iphone when I log in it goes into an infinite loop bouncing back and forth between id server and client (with mobile safari or chrome). If I stop the loop and interrupt

Open ID connect for native applications, i need get a valid ID token without prompting the user after the initial authorization?

拟墨画扇 submitted on 2019-12-11 10:45:05
Question: I'm using the system browser for authentication. Identity Provider - Google Steps 1 - user gets authorized by entering user name and password. I get the authentication_code at this point. 2 - I call the token end point and get access token, id token and refresh token. When the ID token expires, I need to get a new valid ID token. I need to do this without prompting the user to enter his credentials. Question - Is it possible to get a new id token without prompting the user? Refresh token

IdentityServer4 - Is there a way to get the claims in response on connect/token endpoint?

荒凉一梦 submitted on 2019-12-11 09:56:12
Question: I need to add some fields in the response of the connect/token endpoint on identityserver. I want to add some claims. Is there any way to do that? I don't want to use the connect/userinfo endpoint, My Client is using resource owner password flow. I just want the response something like this { "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjcxQkQwM0MxRUFBOUM3NDc3RkEwMDhFMTY4M0VCMkI4NjQ3Mjg0QjgiLCJ0eXAiOiJKV1QiLCJ4NXQiOiJjYjBEd2VxcHgwZF9vQWpoYUQ2eXVHUnloTGcifQ

ValidateIssuer option in OpenID connect authentication

孤街醉人 submitted on 2019-12-11 07:36:06
Question: We are using OIDC library and for now we allow only MSA account login. So we have configured parameters ValidateIssuer = true and Validissuers = https://login.microsoftonline.com/..” However, we now need to onboard other AAD tenants (for example : abc@dell.com) to our application so we decided to set ValidateIssuer = false . Since my application is already backed up by custom authorization, I am finding it difficult to understand the purpose of this flag altogether. Basically my question is

How to get access_token, id_token from authorize endpoint of IdentityServer4?

痞子三分冷 submitted on 2019-12-11 07:28:25
Question: This question is actually a continuous question of this SO question of mine. I am trying to get access_token and id_token from Identityserver4 by using Authorization code flow. But, If I try to access "Authorize" endpoint, I got 405 (method not allowed) HTTP error. HTTP GET Request http://localhost:2000/connect/authorize? client_id=client &client_secret=secret &grant_type=authorization_code &username=admin &password=admin &response_type=id_token+token &scope=openid+profile+offline_access

Zabbix HTTP authentication with Keycloak-proxy

孤街浪徒 submitted on 2019-12-11 06:55:16
Question: I'm trying to integrate Zabbix UI with Keycloak SSO, using keycloak-proxy. My setup is the following: Nginx is the entry point: it handles the "virtual host", forwarding the requests to keycloak-proxy. Keycloak-proxy is configured with client_id, client_secret, etc. to authenticate the users to Keycloak; Zabbix dashboard on Apache, default setup: I enable the HTTP authentication. I've created a test user both in Keycloak and Zabbix. The authentication flow is ok: I'm redirected to KeyCloak, I do

Session Timeout when using IdentityServer4 and Oidc client causing Silent Renew to stop working

故事扮演 submitted on 2019-12-11 06:14:53
Question: I am currently involved in development of an Angular4 SPA application connected to a .NET CORE 1.1 WebApi using IdentityServer4 as its authentication service. On the Angular side we are using the Oidc client from Damien Bod 1.2.1 - https://github.com/damienbod/angular-auth-oidc-client. We have managed to successfully setup and login via IdentityServer. The problem arises that are exactly 30min we are getting a SessionTimeout on the IdentityServer and from there the Oidc client obtains a 401

Getting Spring Boot Security Working with Azure AD

微笑、不失礼 submitted on 2019-12-11 06:03:10
Question: Currently trying to get Azure AD integrated with a Spring Boot application I'm working on. I'm utilizing the azure-active-directory-spring-boot-starter package, and following the example laid out in the official documentation on Microsoft's website. However, when following the example, I'm receiving the following error: o.s.s.o.c.r.UserRedirectRequiredException: A redirect is required to get the users approval The full stack trace is as follows: org.springframework.security.oauth2.client