openid-connect

Add Owin Pipeline Middleware after OwinStartup for new Tenant

随声附和 submitted on 2019-12-06 03:30:47
Question: I have a multi-tenant application where each tenant can define their own ClientID, Authority, etc for either WsFed or OpenIdConnect. All the tenants are registered in the OwinStartup as below: public void Configuration(IAppBuilder app) { List<WsFederationAuthenticationOptions> WsFedTenantOptions = BuildWsFedTenantOptionsList(); List<OpenIdConnectAuthenticationOptions> OpenIdConnectTenantOptions = BuildOpenIdConnectTenantOptionsList(); app.SetDefaultSignInAsAuthenticationType

Which information gets sent in each API request using OIDC

梦想的初衷 submitted on 2019-12-06 02:55:42
I'm writing an API back-end that I want to use OpenID Connect (OIDC) to secure. I've been reading the documentation but I'm still a bit confused what process applies to each and every API request. The Open ID Connect code flow appears to be: Which I'm fine with, as a one-time process. My back-end API sees an authorization code in the HTTP headers, and sends a request to the authorization server to get the id token. Assuming this validates OK, the data requested is returned in the API response. But assuming the same user will then be making lots of requests to this API, what happens in

Using Claims with OpenIdConnect.Server in ASP.NET 5

百般思念 submitted on 2019-12-06 02:29:40
Question: In the past 7 days I've tried to set up an ASP.NET 5 WebApi using OpenIdConnect.Server with the resource owner flow. I was more or less successful in generating a token and accessing [Authorize] protected actions. However, when I try to access this.User.Identity.Claims, it's empty. I am using ASP.NET 5, beta6 for now (having troubles upgrading to most recent beta7 and waiting for its official release). In the Startup.cs I got the following: public void ConfigureServices(IServiceCollection

HTTP requests for WSO2 Identity Server user authentication

…衆ロ難τιáo~ submitted on 2019-12-06 01:45:48
I am writing a REST API to be consumed by our internal applications. I need to login and logout users of the identity server using code grant via http requests presentation I need to know how to call the following endpoints: /authorize (invoked from server-side) /accesstoken (invoked from server-side) /login /logout CASE: Our company has many applications. I want one point of authentication which will happen in their company-x account like how you only need to login to atlassian account to access jira and confluence cloud. The REST API I'm working is for our front-end developers (as of now).

IdentityServer used as external identity provider for another IdentityServer fails to properly redirect

旧城冷巷雨未停 submitted on 2019-12-06 00:26:46
When using any of the standard identity providers (Google, Facebook) after logging in and consent they redirect to my primary Identity Server and let it redirect to implicit client registered within it. How can I achieve the same behavior with another Identity Server serving as external identity provider? My security architecture consists of two Identity Servers, primary one (v3) using the other (v4) as an external identity provider. The implicit client opens a popup with primary IdentityServer. I have trouble with following flow: Identity Server acting as external IdP gets stuck on endpoint:

Reverse proxy with openid connect redirection

依然范特西╮ submitted on 2019-12-05 22:00:06
In my application I have integrated Identity server 3 with openid-connect. On our production server our website is behind a reverse proxy which is causing problems: when the user logs in and is redirected back by identity server, our application wants to redirect the user to his original location (the page with the AuthorizeAttribute). The problem here is that the user is redirected to the hidden url instead of the public url used by the reverse proxy. How can I redirect the user to the public url? After a long search this is the fix: The OWIN middleware UseOpenIdConnectAuthentication has a

No user in signinSilentCallback using identityserver and oidc client of javascript

≯℡__Kan透↙ submitted on 2019-12-05 21:45:37
I am getting user undefined in following code. I have already authenticated user from MVC. But when I use signinSilentCallback to get detail of that user, it is getting undefined using oidc-client in js. It doesn't give any error as well. var mgr = new UserManager({ authority: "http://localhost:5000", client_id: "js", redirect_uri: "http://localhost:50144/signin-oidc", silent_redirect_uri: "http://localhost:50144/signin-oidc", response_type: "id_token token", post_logout_redirect_uri: "http://localhost:50144/signout-callback-oidc", }); mgr.signinSilentCallback().then(function (user) { //**Here

Hosting ASOS with TestServer

一个人想着一个人 submitted on 2019-12-05 21:40:49
I have an OpenIdDict authentication server which is based on AspNet.Security.OpenIdConnect.Server. The setup works as expected. Now to do some in process integration;system tests which span the whole backend architecture I use the TestServer class. Why I test like this is another question Most test code coverage with least amount of work It has been decided to not do unit tests... (too much work they say) Real integration tests which span much less code were also seen as too much work when I want to achieve a good coverage The tests are based on a framework that is built using a domain

Identity disappears from bearer token after an hour

こ雲淡風輕ζ submitted on 2019-12-05 21:16:32
I am working on a multi-tenant solution with Azure AD with web apps and a web api. The web app uses OpenIdConnect to retrieve a bearer token (which is cached in Azure Redis Cache), which is used in Angular to get JSON from the web api. User impersonation is used between the web app and web api (set up in Azure AD applications). Problem: This works fine for about an hour, then the Identity suddenly disappears on the web api side. If I refresh the web app, I see that the page is redirected to the Microsoft login page, but no action is required since the user is just redirected back to the web

Azure ADAL Refresh id_token

て烟熏妆下的殇ゞ submitted on 2019-12-05 18:05:58
We are developing a multi-tenant web application. Our tenants will be using Windows Azure Active Directory for authentication. We are using OWIN OpenIdConnect middleware to authenticate users. The response we receive after authentication process has id_token and authorization code. We also want to get the refresh token so that we can acquire new tokens once the id_token expires. Therefore in AuthorizationCodeReceived handler we use AcquireTokenByAuthorizationCode method in ADAL library to acquire the refresh token. The response contains id_token, access_token and refresh_token. We then