IdentityServer / IdentityServer2

[deprecated] Thinktecture IdentityServer is a light-weight security token service built with .NET 4.5, MVC 4, Web API and WCF.

Return URL not working when acting as gateway #714

Closed mtuplin closed 10 years ago

mtuplin commented 10 years ago

Hi,

I have my Thinktecture IdentityServer setup as a gateway through to a custom Identity Provider. All seems to be working except redirection back to my application.

When an unauthenticated user requests a web page in my application they are redirected to the Thinktecture IdentityServer using a custom .NET WSFederationAuthenticationModule that sets the SignInRequestMessage Reply property. This results in a browser redirect to url:

https://localhost/ThinktectureIdSrv/issue/hrd?wa=wsignin1.0&wtrealm=http%3a%2f%2flocalhost%2fMyWebApp&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fMyWebApp%252fAdministration%252fOrganisationUnitTypes&wct=2014-06-03T15%3a37%3a29Z&ru=https%3a%2f%2flocalhost%2fMyWebApp%2fAdministration

The IdentityServer intercepts the request and successfully forwards the browser on to my Identity Provider with url:

https://localhost/MyIdentityProvider/default.aspx?wa=wsignin1.0&wtrealm=https%3a%2f%2flocalhost%2fThinktectureIdSrv

The user is authenticated then redirected back to https://localhost/ThinktectureIdSrv which I would expect given the return url has not been passed on.

If I switch off the gateway feature so the Thinktecture IdentityServer acts as the Identity Provider my user is authenticated and redirected back to my application as expected.

Am I missing something? Have I set the return URL incorrectly in my initial redirect to the Thinktecture IdentityServer? I have watched the screencast for setting this up a couple of times and it seems to redirect correctly but cannot see what I have done wrong.

Thanks.

brockallen commented 10 years ago

Yes, you are correct -- when we do HRD the ReplyTo is not preserved across the redirect to the IdP. We don't support this in gateway mode and we'd prefer for you to use the registered ReplyTo URL in the RP config.

Where do you need the reply to? A different server?

brockallen commented 10 years ago

Also, if you're just using it to redirect back into the RP somewhere, normally it's recommended that you use WIF's RP redirect mechanism via the wctx param.

mtuplin commented 10 years ago

Indeed this is to redirect the user back into the RP so I will look at the context parameter. I assume this context will get passed to the IdP, then back through the gateway to my RP where I can pull it out using the authentication module?

Going down that route it will be fine for me to use the registered ReplyTo URL in the RP config. Have I done something wrong as I have set up the config as per the below and it still only sends me back to https://localhost/ThinktectureIdSrv not https://localhost/MyWebApp/?

[screenshot: Thinktecture IdentityServer RP setup]

brockallen commented 10 years ago

WIF on the RP side will track what the current URL is and will keep track of that so that when you return to the configured Redirect URL in the RP to process the token it will redirect the user to that original URL.
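The wctx mechanism recommended above carries the RP's return location as a nested, twice-encoded query string (rm, id, ru). As an added example, not code from this issue or from IdentityServer, the Python below parses wctx out of the sign-in URL quoted in the issue and shows the check an RP should apply to the nested ru before honouring it, so the post-login redirect can only land inside the RP itself. The rp_path value and the fall-back to the application root are assumptions.

```python
from urllib.parse import urlsplit, urljoin, parse_qs

# Copy of the sign-in request URL quoted in the issue (constructed sample input).
SIGNIN_URL = ("https://localhost/ThinktectureIdSrv/issue/hrd?wa=wsignin1.0"
              "&wtrealm=http%3a%2f%2flocalhost%2fMyWebApp"
              "&wctx=rm%3d0%26id%3dpassive%26ru%3d%252fMyWebApp%252fAdministration"
              "%252fOrganisationUnitTypes"
              "&wct=2014-06-03T15%3a37%3a29Z"
              "&ru=https%3a%2f%2flocalhost%2fMyWebApp%2fAdministration")


def parse_wctx(url):
    """Return the key/value pairs carried inside the wctx parameter.

    wctx is itself a query string, URL-encoded a second time when it is embedded
    in the outer sign-in request; that is why the page's URL shows %252f for '/'.
    parse_qs removes one layer of encoding at each step.
    """
    outer = parse_qs(urlsplit(url).query)
    wctx = outer.get("wctx", [""])[0]
    return {k: v[0] for k, v in parse_qs(wctx).items()}


def is_local_return_url(ru, rp_path="/MyWebApp"):
    """Accept only an app-relative path under the RP (rp_path is an assumed value).

    '//host' and '/\\host' are rejected because browsers read them as
    protocol-relative URLs, which would turn the post-login hop into an open
    redirect; anything with a scheme or host is rejected for the same reason.
    """
    if not ru.startswith("/") or ru.startswith(("//", "/\\")):
        return False
    parts = urlsplit(ru)
    if parts.scheme or parts.netloc:
        return False
    return ru == rp_path or ru.startswith(rp_path + "/")


def resolve_return_url(reply_url, wctx, rp_path="/MyWebApp"):
    """Build the final redirect from the registered ReplyTo URL and a validated ru.

    An ru that fails validation falls back to the application root (assumed
    policy) instead of being followed.
    """
    ru = wctx.get("ru", "")
    if not is_local_return_url(ru, rp_path):
        return rp_path + "/"
    return urljoin(reply_url, ru)
```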

brockallen commented 10 years ago

And your config looks fine, AFAICT