IdentityManager / IdentityManager.AspNetIdentity

ASP.NET Identity support for Thinktecture IdentityManager
Apache License 2.0

API returns 401 when using SecurityMode.OAuth2 with AspNetIdentity after logging into IDS correctly with the default role claim #4

Closed jameskeongchen closed 9 years ago

jameskeongchen commented 9 years ago

Hey, I've been playing with the beta and observed the following behaviour.

When using SecurityMode.OAuth2 and the following OAuth2Configuration I am not able to log in to IdentityManager. The login UI correctly redirects to the IDS but then returns to IDM and asks me to log in again. I remain in this loop, unable to see the menu, and the API endpoint returns a 401 for my requests. I am using the default role claim, IdentityManagerAdministrator, and log in to the IDS using an InMemoryUser user (admin/admin).

IDM conf:

    // IdentityManager host: the "AspId" connection string points at the ASP.NET Identity DB.
    var factory = new Thinktecture.IdentityManager.Host.AspNetIdentityIdentityManagerFactory("AspId");

    idm.UseIdentityManager(new IdentityManagerConfiguration
    {
        //IdentityManagerFactory = () => svc,
        IdentityManagerFactory = factory.Create,
        SecurityMode = SecurityMode.OAuth2,
        OAuth2Configuration = new OAuth2Configuration
        {
            // Where IDM sends the browser to obtain a token (implicit flow).
            AuthorizationUrl = "http://localhost:17457/ids/connect/authorize",
            // Issuer and Audience are matched against the iss/aud claims of the bearer token.
            Issuer = "https://idsrv3.com",
            Audience = "https://idsrv3.com/resources",
            ClientId = "idmgr",
            // Certificate used to validate the token signature; must be the IDS signing cert.
            SigningCert = Cert.Load(),
            Scope = "idmgr",
            //PersistToken = true,
            //AutomaticallyRenewToken = true
        },
    });

IDS conf:

    // IdentityServer3 host: in-memory users, scopes and clients from the samples.
    var factory = InMemoryFactory.Create(users: GetUsers(), scopes: GetScopes(), clients: GetClients());
    var idsrvOptions = new IdentityServerOptions
    {
        // Becomes the iss claim of issued tokens; the access token aud is IssuerUri + "/resources".
        IssuerUri = "https://idsrv3.com",
        SiteName = "Thinktecture IdentityServer v3",
        // Same certificate that IDM is given as SigningCert.
        SigningCertificate = Cert.Load(),
        CspOptions = new CspOptions
        {
            ReportEndpoint = EndpointSettings.Enabled,
        },
        PublicHostName = "http://localhost:17457",
        RequireSsl = false,
        Factory = factory,
        CorsPolicy = CorsPolicy.AllowAll,
    };
    app.UseIdentityServer(idsrvOptions);

My user, client and scope are all default from the provided samples.

Am I missing something or is this a bug when enabling SecurityMode.OAuth2 and trying to use the IDS to protect IDM with the same AspNetIdentity DB? Is this possible?

Are you able to show a simple sample where IDM is protected by the IDS which both read from the same AspNetIdentity DB?

brockallen commented 9 years ago

Ok, not sure. I agree there needs to be something better to diagnose these problems. I'll keep this on my TODO list.

iltera commented 9 years ago

I have the exact same issue.

I played with IDM and IDS for a few days locally. I used the code in the "MVC OWIN Client (Implicit)" sample for the client and scope classes, and used "Thinktecture.IdentityManager.AspNetIdentity-1-beta2-2" with "Thinktecture.IdentityServer.v3.AspNetIdentity-beta4" to build the IDM & IDS configuration in the same project.

Everything I wanted worked all right on IIS Express (with SecurityMode.LocalMachine). When I change SecurityMode to OAuth2, change all "localhost" endpoints to real domain names (with a self-signed SSL certificate for HTTPS) and deploy the solution on IIS 8.5, I cannot get a response from the IDM API other than 401.

Here is what happens... I can log in to IDM, see the consent page (I see the user name in the upper right corner), and then the IDM menu is there, but all I get is "Authorization has been denied for this request." errors when I try sending API commands using the web UI.

The weird thing is, everything works all right when I log in to my server over RDC and open a browser there. On the same machine where IIS is hosted, everything works. But commands from the client machines fail all the time.

I feel totally lost here. I didn't sleep all night trying to figure this out and finally decided to ask you whether or not continue bumping my head on this.

Is there a proper real-world example (IIS-ready for OAuth) using IdentityManager with IdentityServer3 in the same project (preferably with AspNetIdentity)? How can I debug that issue? Because I have kind of wandered around blind till now, trying and building and publishing things over and over...

By the way, trace.log shows no errors for that issue. As in, after the consent screen, nothing is happening.

kinimatt commented 9 years ago

I'm facing the same issue; I basically did what "iltera" tried. Has anyone got this working?

brockallen commented 9 years ago

Sorry for the delays. Does the sample work for you? If so, then it's possible to get it working. If it's not working, then it's likely a configuration issue, either in the OAuth2 authorization server or in IdentityManager's config. And yes, it requires understanding some OAuth to get it configured.

Right now IdentityManager is not getting as much attention because we're releasing IdentityServer this month. Once it's out, then I will have more time to work on IdentityManager and make this configuration easier.
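The "configuration issue" Brock points at usually shows up as a mismatch between the claims inside the access token IdentityServer hands back and the Issuer, Audience, Scope and role that IdentityManager's OAuth2 security mode checks before it will serve the API. The script below is an added diagnostic for this thread, not code from IdentityManager or IdentityServer: it pulls the access_token out of the fragment of an implicit-flow redirect, decodes the JWT without verifying the signature, and reports every claim that disagrees with the OAuth2Configuration values from the first post. The claim type `role` and the role name `IdentityManagerAdministrator` are assumptions about IdentityManager's default role-based authorization; the sample token it builds for itself is constructed data with a dummy signature.

```python
"""Diagnostic: do the claims of the token IdentityServer issued match what
IdentityManager's OAuth2 mode expects? Example code for this thread, not part
of IdentityManager or IdentityServer. The signature is intentionally NOT
verified here; this finds claim mismatches, it does not replace the real
bearer-token middleware.
"""
import base64
import json
import time
from urllib.parse import parse_qs, urlsplit

# Values copied from the OAuth2Configuration in the first post. role_claim and
# admin_role are assumptions about IdentityManager's default role check.
IDM_EXPECTS = {
    "issuer": "https://idsrv3.com",
    "audience": "https://idsrv3.com/resources",
    "scope": "idmgr",
    "role_claim": "role",
    "admin_role": "IdentityManagerAdministrator",
}


def _b64url_decode(segment):
    # JWS uses base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def token_from_redirect(url):
    """Extract access_token from the fragment of an implicit-flow redirect URL."""
    params = parse_qs(urlsplit(url).fragment)
    if "access_token" not in params:
        raise ValueError("no access_token in URL fragment")
    return params["access_token"][0]


def decode_jwt_unverified(token):
    """Return (header, payload) of a compact JWS. The signature is ignored."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return (json.loads(_b64url_decode(parts[0])),
            json.loads(_b64url_decode(parts[1])))


def _as_list(value, split_spaces=False):
    # Claims such as aud, scope and role may be a single string or an array.
    if value is None:
        return []
    if isinstance(value, str):
        return value.split() if split_spaces else [value]
    return list(value)


def check_claims(payload, expects, now=None):
    """Compare token claims with the resource's expectations; return mismatches."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != expects["issuer"]:
        problems.append("iss=%r, IDM expects %r" % (payload.get("iss"), expects["issuer"]))
    if expects["audience"] not in _as_list(payload.get("aud")):
        problems.append("aud=%r, IDM expects %r" % (payload.get("aud"), expects["audience"]))
    if expects["scope"] not in _as_list(payload.get("scope"), split_spaces=True):
        problems.append("scope=%r lacks %r" % (payload.get("scope"), expects["scope"]))
    roles = _as_list(payload.get(expects["role_claim"]))
    if expects["admin_role"] not in roles:
        problems.append("%s claim %r lacks %r" % (expects["role_claim"], roles, expects["admin_role"]))
    exp = payload.get("exp")
    if exp is None or now >= exp:
        problems.append("token expired or has no exp (exp=%r)" % (exp,))
    if now < payload.get("nbf", 0):
        problems.append("token not yet valid (nbf is in the future)")
    return problems


def diagnose(redirect_url, expects=IDM_EXPECTS, now=None):
    """One-call helper: redirect URL in, list of claim mismatches out."""
    _header, payload = decode_jwt_unverified(token_from_redirect(redirect_url))
    return check_claims(payload, expects, now)


def make_unsigned_test_token(payload):
    """Constructed test data: a JWT with a dummy signature the decoder ignores."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(b"not-a-real-signature")])


if __name__ == "__main__":
    # Constructed token that matches the first post's configuration ...
    good = {"iss": "https://idsrv3.com", "aud": "https://idsrv3.com/resources",
            "scope": ["idmgr"], "role": "IdentityManagerAdministrator",
            "exp": int(time.time()) + 3600}
    url = "http://localhost:17457/idm/#access_token=%s&token_type=Bearer" % make_unsigned_test_token(good)
    print("matching token:", diagnose(url))
    # ... and one whose issuer is the public host name rather than IssuerUri.
    bad = dict(good, iss="http://localhost:17457/ids")
    for p in check_claims(bad, IDM_EXPECTS):
        print("mismatch:", p)
```

To use it against a real deployment, copy the URL the browser lands on after the consent screen (the one with `#access_token=...` in it) and pass it to `diagnose`. An empty list means the claims line up and the 401 has to be explained elsewhere (signature, certificate, or the client machine's view of the host name); any entry names the exact claim the IDS is issuing differently from what the IDM config asks for.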

pankajgour commented 9 years ago

Am I missing something or is this a bug when enabling SecurityMode.OAuth2 and trying to use the IDS to protect IDM with the same AspNetIdentity DB? Is this possible? Please show a sample of how to connect to my server DB.

brockallen commented 9 years ago

I just updated the security model today, so I'll close this issue. If you have any problems with the new approach feel free to open a new issue.