openid-connect

Should I send the id token from my SPA to my rest backend?

杀马特。学长 韩版系。学妹 submitted on 2019-12-07 06:41:23
Question: I have a SPA app which is backed by a REST API server. I use Auth0 for authentication and authorization using the implicit grant flow. All the examples I read explain that I should send the access token which I receive to the API for authorization purposes. For example: https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api On the other hand, I read that an access token cannot be used as a proof of authentication: http://www.thread-safe.com/2012/01/problem-with-oauth-for

How to add token validation only for protected actions in ASP.NET 5 (ASP.NET Core)

只谈情不闲聊 submitted on 2019-12-07 05:19:27
Question: I have added a JWT middleware to my application: app.UseJwtBearerAuthentication(options => { options.AutomaticAuthenticate = true;} ) Now if my token does not validate (e.g. expired), I still get an error that lifetime validation did not pass. Is there a way to make the middleware validate the token only for protected resources? And if not, then how and where should I call what the middleware does myself (reading the token into HttpContext.User)? P.S. This is how I add protection: services.AddMvc

How to configure UseCookieAuthentication behind a load balancer

拜拜、爱过 submitted on 2019-12-07 04:26:46
Question: I am configuring a .NET Core application to use OIDC authentication (provided by IdentityServer). I have included the following code in my StartUp: app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationScheme = "Cookies", AutomaticAuthenticate = true, ExpireTimeSpan = TimeSpan.FromMinutes(60) }); JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear(); app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions { AuthenticationScheme = "oidc", SignInScheme = "Cookies",

OIDC and PWA (add to home screen)

↘锁芯ラ submitted on 2019-12-07 03:42:17
Question: Update: Basically the same issue as Standalone PWA breaks login but on iOS. If you add a web app to the home screen, Chrome on Android shares the local storage with the same domain in the browser. You can test this by going to https://wilfrem.github.io/add_to_homescreen_test/ then adding to home screen and seeing that you have the same id when opened from the home screen. (I did Nexus 5X) If you do the same in iOS Safari you get a new id. (I did iPod iOS 12.1.1) The oidc-client-js library sets a session

OpenID Connect with stateless JWT Tokens

こ雲淡風輕ζ submitted on 2019-12-07 01:58:42
Question: I would like to use a self-hosted OpenID Connect (OIDC) server in combination with JWT as an authorization token (access token in OIDC terms). JWT would be used to protect REST services while the UIs are a mix of classical and single-page applications (Angular). This way, the REST layer would be able to do the authorization based on a stateless JWT token so no extra DB connections are necessary, as described here: https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs

Does OAuth “state” mitigate any genuinely dangerous attacks?

假装没事ソ submitted on 2019-12-07 00:52:27
I was using the OAuth Playground to better understand the OpenID Connect flow, and it has this to say about verifying the state parameter: The user was redirected back to the client, and you'll notice a few additional query parameters in the URL: ?state=7ymOWcwttpCfDNcs&code=Tav2TPBjSNvR8aowA3oe Since it's possible for an attacker to craft a GET request that looks similar to this, an attacker could provide your application with junk authorization codes. You need to first verify that the state parameter matches this user's session so that you can be sure you initiated the request, and are only

AngularJS OIDC Client Silent Renew page

情到浓时终转凉″ submitted on 2019-12-07 00:46:27
I am struggling to understand how this silent renew process works. As per what I read, I understood that the HTML page will be kept in an iframe and it keeps pinging the server for renewing the token. I have an Angular application; typically we package everything into one simple index.html file and the rest will be inserted based on route (ui-router, template caching). So in my context, should we keep this HTML packaged? Or should it be a separate HTML page that lives alongside index.html? Source: https://stackoverflow.com/questions/49500671/angualrjs-oidc-client-silent-renew-page

Implementing OpenIdConnectOptions Events when using Authentication.AzureAD.UI Library

 ̄綄美尐妖づ submitted on 2019-12-07 00:37:48
Question: I have been using a library I created from samples allowing me to authenticate a .NET Core web app with Azure Active Directory and to take advantage of the various OpenIdConnectOptions events (e.g. OnTokenValidated) to add certain claims to the principal as well as add that data to an identity-like database so that APIs can make policy-based determinations of the caller based on their token. But I would just rather use the Microsoft.AspNetCore.Authentication.AzureAD.UI NuGet package than my

Is LinkedIn OpenID Connect provider? How can it be used with AWS Cognito Federated Identity?

99封情书 submitted on 2019-12-06 23:40:07
Question: The AWS Cognito documentation is very sketchy when it comes to explaining OpenID Connect providers or how to implement auth using, say, LinkedIn. The nearest example is of SalesForce: https://aws.amazon.com/blogs/security/building-an-app-using-amazon-cognito-and-an-openid-connect-identity-provider/ These steps did not work for LinkedIn using its JavaScript SDK. Not able to retrieve an id_token similar to the FB or Google JS SDK. AWS needs the id_token to return the AWS credentials. Anyone has successfully

OpenIddict - How do you obtain the access token for a user?

孤街浪徒 submitted on 2019-12-06 14:49:06
I am working on a sample application for OpenIddict using AngularJS. I was told that you shouldn't use client-side frameworks like Satellizer, as this isn't recommended, but instead allow the server to deal with logging in server side (locally and using external login providers), and return the access token. Well, I have a demo AngularJS application that uses server-side login logic and calls back to the Angular app, but my problem is, how do I get the access token for the current user? Here is my startup.cs file, so you can see my configuration so far: public void ConfigureServices