Custom Layout for Client - identityserver4

I've installed an Identity Server 4 server with the ASP.NET Identity bits enabled.
When the user is redirected over to the Identity Server's log in page (which is now the ASP.NET Identity login page) is there a way to determine which Client the user has come from?
My particular use-case is to enable some customization of the login page (a different MVC layout) for different clients.

Our sample UI shows how to do that -
inject IIdentityServerInteractionService into the account controller
call the GetAuthorizationContext method to get information like e.g. the client id.
https://github.com/IdentityServer/IdentityServer4.Quickstart.UI/tree/release/Quickstart/Account/AccountController.cs
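As an added illustration of the approach the answer describes (this is not the quickstart's own code), the login action below resolves the pending authorize request with IIdentityServerInteractionService (the method is GetAuthorizationContextAsync in the released API) and picks a layout by client id. The client ids, layout names and LoginViewModel type are assumptions for the example.

```csharp
// Added example, not from the original answer or the IdentityServer4 quickstart.
// Picks a per-client MVC layout on the login page using the validated authorize request.
using System.Collections.Generic;
using System.Threading.Tasks;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Mvc;

public class LoginViewModel
{
    // Assumed minimal view model; the quickstart has a richer one.
    public string ReturnUrl { get; set; }
}

public class AccountController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;

    // Assumed mapping of client id -> Razor layout name (these ids do not come from the page).
    private static readonly Dictionary<string, string> LayoutByClient = new Dictionary<string, string>
    {
        ["mvc-portal"] = "_PortalLayout",
        ["spa-kiosk"] = "_KioskLayout",
    };

    public AccountController(IIdentityServerInteractionService interaction)
    {
        _interaction = interaction;
    }

    [HttpGet]
    public async Task<IActionResult> Login(string returnUrl)
    {
        // returnUrl is the authorize request IdentityServer redirected to us; the interaction
        // service parses it back into the (already validated) request. It is null when someone
        // opened the login page directly with no authorize request pending.
        var context = await _interaction.GetAuthorizationContextAsync(returnUrl);

        // Use the client id from the validated context, never a raw "client_id" query parameter:
        // IdentityServer has already checked the client, redirect_uri and scopes for this request.
        // On IdentityServer4 2.x the property is context?.ClientId instead of context?.Client?.ClientId.
        var clientId = context?.Client?.ClientId;

        ViewData["Layout"] = clientId != null && LayoutByClient.TryGetValue(clientId, out var layout)
            ? layout
            : "_Layout";

        return View(new LoginViewModel { ReturnUrl = returnUrl });
    }
}
```

In Login.cshtml the view then sets `Layout = ViewData["Layout"] as string ?? "_Layout";` at the top. Because the layout choice only affects presentation, an unknown or missing client id falls back to the default layout rather than failing the request.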

Related

Identity Server 4 - User Authentication - Confidential App - Multiple Client Secret - One Client_ID

I have a scenario for a Third Party Client App (Mobile App - With Client Secret) to connect to the Identity Server for getting access to a Resource Server. During the user login the Client App displays multiple store locations for the user to sign in.
The Client App is designed to have a unique secret for each store location and one Client_ID.
When a store is selected by the end user for login - the ID Server gets a request from the client app with the Client_ID and the specific secret matching to the store location.
The question I have here is how to make the Identity Server (3 or 4) perform the User Login based on the Store Location.
I'm thinking of intercepting the Client_Secret to use it during the User Login to map to the correct store id by having a lookup table in place.
Is this a good approach to get this scenario working, or can someone shed some light with any possible suggestions to make this scenario work with the Identity Server?
The Expected flow:
Client App Displays the Store Location's in the Login Screen
User Selects the specific store location
User is directed to the Identity Server Authorization Endpoint and Client Validation takes place.
Authorization Server Displays - User Login Screen
The Authorization Server authenticates the end User based on the store location. (Need to figure out a way to achieve this)
If you intend the login flow to be completed within the mobile app itself and not within a browser client, then you will need to use the resource owner credentials grant type, in which case it doesn't really matter if you have one or many secrets per store, as it authenticates a single client based on your scenario.
On the other hand, if you intend the login flow to be completed within a browser client, then it also doesn't matter if you have many secrets or one, because in that case I assume the store selection would be done within the login screen like you mentioned, which would be part of the auth server.
All in all, nowhere in your flow does the store location seem to matter unless there is some kind of linkage between user credentials and store id. If that is the case, then this is essentially a multitenancy question for Identity Server 4, for which there are discussions already open with suggestions.
https://github.com/IdentityServer/IdentityServer4/issues/2673
How should you secure a multi-tenant API with Identity Server?

Identity Server 4 Cookie Auth vs Silent renew

tl;dr question: What is the preferred way of authentication, cookie or silent renew, and why?
I have a react app with .net core backend and identity server 4 as authentication.
Basically I have two apps
identity server (ef core, asp identity, own database)
web app(react + .net core backend, own database)
And now I need to make authentication. I used cookie auth with a long cookie expiration (180 days), so the user doesn't need to sign in every time. And it is working well. The only problem is that I can't sign out the user when I want. I mean if the user changes their password (because they change it in the identity server, not the web app) I should sign them out of the web app. But I can't, since they still have a valid cookie.
And now I'm reading something about the silent renew method. I guess that silent renew would solve this problem. But doesn't it overload the server?
Or what is the correct way of doing authentication in react app and why ?
thank you very much
For AspNet Identity, you will want to look at the SecurityStamp. This is a column in the user table and stored in the encrypted cookie, and is validated against the server at regular intervals. It changes when a user updates their password, and you can also trigger the change manually as well (for example, having a "sign out everywhere" link that will effectively invalidate all existing cookies).
Here is a great explanation of what it is and how to override the validation interval if needed: What is ASP.NET Identity's IUserSecurityStampStore<TUser> interface?
For initial testing you will probably want to set this interval to a very low time to actually see the change taking effect.
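As an added example (not code from the answer above), this is what the two pieces of the answer look like in ASP.NET Core Identity: shortening the security-stamp validation interval, and a "sign out everywhere" action that rotates the stamp by hand. The controller and route names are assumptions; IdentityUser is the stock Identity user type.

```csharp
// Added example, not from the original answer.
// 1) Shorten how long a cookie can outlive a changed SecurityStamp.
// 2) Rotate the stamp on demand to invalidate every other session of the user.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class SecurityStampConfig
{
    // Call from Startup.ConfigureServices after AddIdentity / AddDefaultIdentity.
    public static IServiceCollection AddFastSecurityStampValidation(this IServiceCollection services)
    {
        services.Configure<SecurityStampValidatorOptions>(o =>
        {
            // Default is 30 minutes: a cookie can keep working up to that long after the stamp
            // changes. Each revalidation reads the user from the store, so a lower value trades
            // database load for faster revocation. One minute is reasonable for testing.
            o.ValidationInterval = TimeSpan.FromMinutes(1);
        });
        return services;
    }
}

[Authorize]
public class SessionsController : Controller
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly SignInManager<IdentityUser> _signInManager;

    public SessionsController(UserManager<IdentityUser> userManager,
                              SignInManager<IdentityUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    // "Sign out everywhere": a new SecurityStamp makes every cookie that carries the old stamp
    // fail its next validation. Password changes through UserManager rotate the stamp on their own.
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> SignOutEverywhere()
    {
        var user = await _userManager.GetUserAsync(User);
        if (user == null)
        {
            return Challenge();
        }

        await _userManager.UpdateSecurityStampAsync(user);

        // Re-issue this browser's cookie with the new stamp so the current session survives;
        // drop this line if the current session should be killed as well.
        await _signInManager.RefreshSignInAsync(user);

        return RedirectToAction("Index", "Home");
    }
}
```

The validator only checks the cookie issued by the ASP.NET Identity host itself, which in this setup is the IdentityServer application. A separate web app that signed the user in through OpenID Connect holds its own cookie, so revoking that one is a separate concern (the silent renew or a shorter cookie lifetime the question mentions).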

Cannot get username in client MVC app

I have 2 projects, one is the identity server 4 and one is the client AspNetCore MVC.
On client app, how I can get the current user name or current user email ?
More specific, I would like to put it on _Layout.cshtml .
Thank you,
Mihai
You can make a rest call to the server and have it return the authorized user.
Make sure you have the correct claims.
Get current user name in IdentityServer4 & ASP.net Core
For the official docs to getting user info check here:
http://docs.identityserver.io/en/release/endpoints/userinfo.html
If your MVC app requests the scopes email and profile, then these 2 properties should be available in the user claims (available through this.User.Claims in the MVC controller).

Post Identity Server 4 Registration

I have identity server 4 setup and my asp net core app working with it. If you hit a secure endpoint it redirects to Identity Server and you can login. Once you login it then redirects back to the url you were originally trying to access. What I would like to do is check that you have registered in my database before you get redirected. I thought that I could change 'RedirectUris' to a url of my choice but when I do that it has no effect. A breakpoint on that end point is never hit. What do I need to do in order to setup a post identity server login registration screen?
Is this the right way of doing it?
Thanks
Michael
If I understand your problem correctly, you want to get the user details in your application.
The identity token contains the user name if you include the Name scope.
If it is a web application then you may find the name on ((System.Security.Claims.ClaimsIdentity)User.Identity)
You can also add claims as you need, like userid, role, etc.
Comment
should each client have to 'register' a user with my api specifically?
What's the norm?
Depends on your requirements and what you are requesting. In my case the user must have the allowed scope to access the API.
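Both this answer and the "Cannot get username in client MVC app" answer above come down to the same setup on the client side: request the profile and email scopes, map the resulting claims, and then read them from the ClaimsPrincipal in a controller or in _Layout.cshtml. The following is an added example of that configuration for an ASP.NET Core MVC client of IdentityServer4 (it is not code from either answer); the authority URL, client id and secret are placeholders.

```csharp
// Added example, not from the original answers.
// OpenID Connect client configuration that makes name and email available as user claims.
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using IdentityModel;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;

public static class OidcClientConfig
{
    // Call from Startup.ConfigureServices.
    public static IServiceCollection AddIdentityServerClient(this IServiceCollection services)
    {
        // Stop the JWT handler from renaming "name"/"email"/"sub" to the legacy SOAP claim URIs,
        // so the claim names in User.Claims match what IdentityServer issued.
        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

        services.AddAuthentication(o =>
        {
            o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(o =>
        {
            o.Authority = "https://localhost:5001"; // assumed IdentityServer address
            o.ClientId = "mvc";                     // assumed; must match a Client on the server
            o.ClientSecret = "secret";              // assumed; load real secrets from configuration
            o.ResponseType = "code";
            o.SaveTokens = true;

            // Name and email are only issued if these scopes are requested here AND listed in
            // the client's AllowedScopes on the IdentityServer side.
            o.Scope.Clear();
            o.Scope.Add("openid");
            o.Scope.Add("profile");
            o.Scope.Add("email");

            // Identity tokens stay small by default; pull the remaining claims from userinfo.
            o.GetClaimsFromUserInfoEndpoint = true;
            o.ClaimActions.MapJsonKey(JwtClaimTypes.Name, JwtClaimTypes.Name);
            o.ClaimActions.MapJsonKey(JwtClaimTypes.Email, JwtClaimTypes.Email);

            // Make User.Identity.Name and IsInRole() look at the OIDC claim types.
            o.TokenValidationParameters.NameClaimType = JwtClaimTypes.Name;
            o.TokenValidationParameters.RoleClaimType = JwtClaimTypes.Role;
        });

        return services;
    }

    // Helper for views and controllers: standard OIDC claims first, then whatever Identity.Name holds.
    public static string DisplayNameOf(ClaimsPrincipal user) =>
        user.FindFirst(JwtClaimTypes.Name)?.Value
        ?? user.FindFirst(JwtClaimTypes.Email)?.Value
        ?? user.Identity?.Name
        ?? "anonymous";
}
```

In _Layout.cshtml this reads as `@OidcClientConfig.DisplayNameOf(User)` inside an `@if (User.Identity.IsAuthenticated)` block; the same claims are available as `User.Claims` in any controller. If a claim still comes back empty, check the IdentityServer side first: the scope must be allowed for the client and the profile service must actually return the claim for the user.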

Silverlight XAP is getting shared across 2 session in the same machine

I have a problem with my Silverlight application.
I log in to my application using my ID (assume x) (using Internet Explorer 8),
so assume I can see some reports which are related to my ID.
Without closing the above browser, in another Internet Explorer 8 on the same machine I log into the
same application using another ID (assume y), so now I can see a 2nd set of reports which are related to this ID.
Now if I refresh the report page of the first browser, which was logged in with the ID (x), I am seeing the (y)
user id's reports, not the earlier ones.
How to fix this?
Thanks
In internet explorer choose "New Session" from the "File" menu. This will create a new IExplore.exe process tree which manages its own set of session level cookies. This should allow you to maintain two separate logins at the same time.
Sounds like you are using the ASP membership provider... if so that is limited to 1 session per browser/user on the same PC (same limitation if it was a web app).
Why are you trying to log in 2 different users from the same machine? If it is for testing you can probably open two different browsers (IE and Firefox?) and get two sessions that way.
Update (based on comments below):
Option A. As you need multiple user logins on the same machine in the same browser type, you cannot use the asp membership provider and will have to replace that provider with a Silverlight-specific credential/login system.
Option B. The alternative is to change your application to allow selection of client from within the app (this would be my choice as you are misusing users as a convenience).