Closed nhumby closed 1 year ago
The logs show that you successfully externally authenticate and this signs you in to the "Identity.External" scheme. The external login callback is trying to use a different cookie scheme, and so it is failing to read the Identity.External cookie.
You can solve this by changing the external login callback's code to use the scheme you logged in to:
var result = await HttpContext.AuthenticateAsync("Identity.External");
That fixed it, thank you. What made it come back as "Identity.External" rather than the expected "idsrv.external"? Is this Callback page also the best place to modify the claims transformation that takes place from external claims to Identity Server claims?
What made it come back as "Identity.External"
I saw in your logs that Identity.External has been set as the default sign in scheme, which means that when the external identity provider starts a session, it is going to use the Identity.External scheme. You probably have code like this:
builder.Services
    .AddAuthentication(opt =>
    {
        opt.DefaultSignInScheme = "Identity.External";
        // ... maybe more auth options
    })
    .AddCookie("Identity.External", opt => { /* cookie handler options ... */ });
    // ... maybe more handlers chained on before the semicolon
Is this Callback page also the best place to modify the claims transformation that takes place from external claims to Identity Server claims?
Yes, that's exactly the intended purpose of the callback page. We recommend this pattern of creating a page to do the mapping from external to internal users because it gives you a place where you can perform user interaction (if you've never seen this external user, you need to onboard them, and that might require a UI), and because it is convenient to inject dependencies and test.
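The pattern described in the two replies above, as an added example (not the issue author's code and not Duende's quickstart verbatim): the temporary external cookie is registered under one scheme name, the ADFS OpenID Connect handler signs in to that scheme, and the callback page authenticates against the same scheme before mapping external claims to a local IdentityServer user. "Identity.External" is the value of IdentityConstants.ExternalScheme from ASP.NET Core Identity, so an app that also calls AddIdentity() would substitute that constant for the idsrv.external one used here. The "adfs" scheme name, the Authority and ClientId placeholders, the IExternalUserStore abstraction and the assumption that the challenge page stored "scheme" and "returnUrl" in AuthenticationProperties.Items are all mine, not from the issue.

```csharp
using System.Collections.Concurrent;
using System.Security.Claims;
using Duende.IdentityServer;
using IdentityModel;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddRazorPages();
builder.Services.AddIdentityServer(); // clients, resources, stores omitted; this already registers the idsrv.external cookie
builder.Services.AddSingleton<IExternalUserStore, InMemoryExternalUserStore>(); // hypothetical store, defined below

builder.Services.AddAuthentication(options =>
    {
        // Any remote handler that does not set its own SignInScheme falls back to this value.
        options.DefaultSignInScheme = AuthSchemes.External;
    })
    .AddOpenIdConnect("adfs", "ADFS", options =>
    {
        options.SignInScheme = AuthSchemes.External;          // the scheme the callback page will read
        options.Authority = "https://adfs.example.test/adfs";  // placeholder, not from the issue
        options.ClientId = "identityserver";                   // placeholder
        options.ResponseType = "code";
        options.CallbackPath = "/signin-oidc";
    });

var app = builder.Build();
app.UseIdentityServer();
app.MapRazorPages();
app.Run();

// One name for the temporary external cookie, used by the OIDC handler and the callback alike.
public static class AuthSchemes
{
    public const string External = IdentityServerConstants.ExternalCookieAuthenticationScheme; // "idsrv.external"
}

public record LocalUser(string SubjectId, string Username);

// Hypothetical mapping from (provider, provider user id) to a local account, auto-provisioning on first sight.
public interface IExternalUserStore
{
    Task<LocalUser> FindOrProvisionAsync(string provider, string providerUserId, ClaimsPrincipal external);
}

public class InMemoryExternalUserStore : IExternalUserStore
{
    private readonly ConcurrentDictionary<(string, string), LocalUser> _map = new();

    public Task<LocalUser> FindOrProvisionAsync(string provider, string providerUserId, ClaimsPrincipal external)
    {
        // Key on (provider, subject) so two IdPs issuing the same subject value never share an account;
        // the local subject id is freshly generated rather than reusing the external identifier.
        var user = _map.GetOrAdd((provider, providerUserId), _ => new LocalUser(
            Guid.NewGuid().ToString("N"),
            external.FindFirst(JwtClaimTypes.Name)?.Value ?? external.FindFirst(ClaimTypes.Name)?.Value ?? providerUserId));
        return Task.FromResult(user);
    }
}

// Pages/ExternalLogin/Callback.cshtml.cs
public class CallbackModel : PageModel
{
    private readonly IExternalUserStore _users;
    public CallbackModel(IExternalUserStore users) => _users = users;

    public async Task<IActionResult> OnGet()
    {
        // Read the temporary cookie under the SAME scheme the OIDC handler signed in to;
        // any other name here yields Succeeded == false and the "External authentication error".
        var result = await HttpContext.AuthenticateAsync(AuthSchemes.External);
        if (result.Succeeded != true)
            throw new InvalidOperationException($"External authentication error: {result.Failure?.Message}");

        var external = result.Principal!;
        // Identify the user by a stable, provider-scoped identifier, never by email or display name.
        var providerUserId = external.FindFirst(JwtClaimTypes.Subject)?.Value
                          ?? external.FindFirst(ClaimTypes.NameIdentifier)?.Value
                          ?? throw new InvalidOperationException("Unknown userid");
        // Assumes the challenge page stored the provider scheme and return URL in Items (quickstart convention).
        if (!result.Properties!.Items.TryGetValue("scheme", out var provider) || provider is null)
            throw new InvalidOperationException("Provider scheme missing from authentication properties");

        var user = await _users.FindOrProvisionAsync(provider, providerUserId, external);

        // Claims transformation: an explicit allow-list of external claims copied into the local session.
        var localClaims = new List<Claim>();
        var email = external.FindFirst(JwtClaimTypes.Email)?.Value ?? external.FindFirst(ClaimTypes.Email)?.Value;
        if (email is not null) localClaims.Add(new Claim(JwtClaimTypes.Email, email));
        var sid = external.FindFirst(JwtClaimTypes.SessionId)?.Value;
        if (sid is not null) localClaims.Add(new Claim(JwtClaimTypes.SessionId, sid)); // lets upstream sign-out find this session

        await HttpContext.SignInAsync(new IdentityServerUser(user.SubjectId)
        {
            DisplayName = user.Username,
            IdentityProvider = provider,
            AdditionalClaims = localClaims
        });
        await HttpContext.SignOutAsync(AuthSchemes.External); // the temporary cookie has done its job

        result.Properties.Items.TryGetValue("returnUrl", out var returnUrl);
        return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl! : "~/");
    }
}
```

The invariant is that the scheme the remote handler signs in to (its SignInScheme, or the DefaultSignInScheme it falls back to when none is set) equals the one the callback passes to AuthenticateAsync. Either side can be changed to restore it: the reply above changed the callback, and setting SignInScheme on the OIDC handler is the other option. The startup debug line "Using ... as default ASP.NET Core scheme for sign-in" in the log below is the quickest way to see which scheme a handler without its own SignInScheme will use.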
Any update here? Can we close this issue?
Which version of Duende IdentityServer are you using? 6.1
Which version of .NET are you using? .NET 7.0
Describe the bug
I am setting up an external authentication using an on-premise ADFS server. When I click the button on the Duende IdentityServer login page to go to ADFS it does take me there and I am able to log in to ADFS. From there the ADFS server returns me to "/identity/signin-oidc". This gets a 302 response and is redirected to "/identity/ExternalLogin/Callback". This then displays an error message saying "Exception: External authentication error" and references line 45 of that Callback.cshtml.cs file. Looking at that file it's not immediately clear to me what has gone wrong or what I need to change to get it working?
I've pasted below the contents of the Serilog file generated during the steps mentioned above, though I don't see anything there that helps me understand what needs to be fixed:
[13:35:16 Information] Duende.IdentityServer.Startup Starting Duende IdentityServer version 6.1.0+6f2cfe8cbe32c45c269d330d60da0016985fc99b (.NET 7.0.1)
[13:35:16 Debug] Duende.License The validated licence key details:
[13:35:16 Information] Duende.License You have a valid license key for the Duende software "Enterprise" edition
[13:35:16 Information] Duende.IdentityServer.Startup You are using the in-memory version of the persisted grant store. This will store consent decisions, authorization codes, refresh and reference tokens in memory only. If you are using any of those features in production, you want to switch to a different store implementation.
[13:35:16 Information] Duende.IdentityServer.Startup Using the default authentication scheme Identity.Application for IdentityServer
[13:35:16 Debug] Duende.IdentityServer.Startup Using Identity.Application as default ASP.NET Core scheme for authentication
[13:35:16 Debug] Duende.IdentityServer.Startup Using Identity.External as default ASP.NET Core scheme for sign-in
[13:35:16 Debug] Duende.IdentityServer.Startup Using Identity.External as default ASP.NET Core scheme for sign-out
[13:35:16 Debug] Duende.IdentityServer.Startup Using Identity.Application as default ASP.NET Core scheme for challenge
[13:35:16 Debug] Duende.IdentityServer.Startup Using Identity.Application as default ASP.NET Core scheme for forbid
[13:35:16 Information] Microsoft.Hosting.Lifetime Application started. Press Ctrl+C to shut down.
[13:35:16 Information] Microsoft.Hosting.Lifetime Hosting environment: Development
[13:35:16 Information] Microsoft.Hosting.Lifetime Content root path:
[13:35:16 Debug] Duende.IdentityServer.Startup Login Url: /Account/Login
[13:35:16 Debug] Duende.IdentityServer.Startup Login Return Url Parameter: ReturnUrl
[13:35:16 Debug] Duende.IdentityServer.Startup Logout Url: /Account/Logout
[13:35:16 Debug] Duende.IdentityServer.Startup ConsentUrl Url: /consent
[13:35:16 Debug] Duende.IdentityServer.Startup Consent Return Url Parameter: returnUrl
[13:35:16 Debug] Duende.IdentityServer.Startup Error Url: /home/error
[13:35:16 Debug] Duende.IdentityServer.Startup Error Id Parameter: errorId
[13:35:16 Debug] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Identity.Application was not authenticated.
[13:35:17 Debug] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Identity.Application was not authenticated.
[13:35:17 Debug] Duende.IdentityServer.Hosting.EndpointRouter Request path /.well-known/openid-configuration matched to endpoint type Discovery
[13:35:17 Debug] Duende.IdentityServer.Hosting.EndpointRouter Endpoint enabled: Discovery, successfully created handler: Duende.IdentityServer.Endpoints.DiscoveryEndpoint
[13:35:17 Information] Duende.IdentityServer.Hosting.IdentityServerMiddleware Invoking IdentityServer endpoint: Duende.IdentityServer.Endpoints.DiscoveryEndpoint for /.well-known/openid-configuration
[13:35:17 Debug] Duende.IdentityServer.Endpoints.DiscoveryEndpoint Start discovery request
[13:35:17 Error] Duende.IdentityServer.Services.KeyManagement.KeyManager Error unprotecting key with kid 29AD4E83ACA0029C319654ED1D18DDE7. System.Security.Cryptography.CryptographicException: The key {dd3e9ed3-f47d-4c1b-9ea6-b77bd4d85a65} was not found in the key ring. For more information go to http://aka.ms/dataprotectionwarning at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status) at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData) at Microsoft.AspNetCore.DataProtection.DataProtectionCommonExtensions.Unprotect(IDataProtector protector, String protectedData) at Duende.IdentityServer.Services.KeyManagement.DataProtectionKeyProtector.Unprotect(SerializedKey key) in /_/src/IdentityServer/Services/Default/KeyManagement/DataProtectionKeyProtector.cs:line 56 at Duende.IdentityServer.Services.KeyManagement.KeyManager.b__200(SerializedKey x) in /_/src/IdentityServer/Services/Default/KeyManagement/KeyManager.cs:line 435
[13:35:17 Information] Duende.IdentityServer.Services.KeyManagement.KeyManager Active signing key found with kid F4D149FDFCA876E62909ECBE173C2FC6 for alg RS256. Expires in "74.01:39:47". Retires in "88.01:39:47"
[13:35:17 Information] Serilog.AspNetCore.RequestLoggingMiddleware HTTP GET /identity/.well-known/openid-configuration responded 200 in 401.3436 ms
[13:35:17 Debug] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Identity.Application was not authenticated.
[13:35:17 Debug] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Identity.Application was not authenticated.
[13:35:17 Debug] Duende.IdentityServer.Hosting.EndpointRouter Request path /.well-known/openid-configuration/jwks matched to endpoint type Discovery
[13:35:17 Debug] Duende.IdentityServer.Hosting.EndpointRouter Endpoint enabled: Discovery, successfully created handler: Duende.IdentityServer.Endpoints.DiscoveryKeyEndpoint
[13:35:17 Information] Duende.IdentityServer.Hosting.IdentityServerMiddleware Invoking IdentityServer endpoint: Duende.IdentityServer.Endpoints.DiscoveryKeyEndpoint for /.well-known/openid-configuration/jwks
[13:35:17 Debug] Duende.IdentityServer.Endpoints.DiscoveryKeyEndpoint Start key discovery request
[13:35:17 Information] Serilog.AspNetCore.RequestLoggingMiddleware HTTP GET /identity/.well-known/openid-configuration/jwks responded 200 in 40.6819 ms
[13:35:17 Debug] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Identity.Application was not authenticated.
[13:35:17 Debug] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Identity.Application was not authenticated.
[13:35:17 Debug] Duende.IdentityServer.Hosting.EndpointRouter Request path /connect/authorize matched to endpoint type Authorize
[13:35:17 Debug] Duende.IdentityServer.Hosting.EndpointRouter Endpoint enabled: Authorize, successfully created handler: Duende.IdentityServer.Endpoints.AuthorizeEndpoint
[13:35:17 Information] Duende.IdentityServer.Hosting.IdentityServerMiddleware Invoking IdentityServer endpoint: Duende.IdentityServer.Endpoints.AuthorizeEndpoint for /connect/authorize
[13:35:17 Debug] Duende.IdentityServer.Endpoints.AuthorizeEndpoint Start authorize request
[13:35:17 Debug] Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler AuthenticationScheme: Identity.Application was not authenticated.
[13:35:17 Debug] Duende.IdentityServer.Endpoints.AuthorizeEndpoint No user present in authorize request
[13:35:17 Debug] Duende.IdentityServer.Validation.AuthorizeRequestValidator Start authorize request protocol validation
[13:35:17 Debug] Duende.IdentityServer.Stores.ValidatingClientStore client configuration validation for client succeeded.
[13:35:17 Debug] Duende.IdentityServer.Validation.AuthorizeRequestValidator Checking for PKCE parameters
[13:35:17 Debug] Duende.IdentityServer.Validation.AuthorizeRequestValidator Calling into custom validator: Duende.IdentityServer.Validation.DefaultCustomAuthorizeRequestValidator
[13:35:17 Debug] Duende.IdentityServer.Endpoints.AuthorizeEndpoint ValidatedAuthorizeRequest