IdentityServer / IdentityServer2

[deprecated] Thinktecture IdentityServer is a light-weight security token service built with .NET 4.5, MVC 4, Web API and WCF.

Authenticating with Identity Server in the OWIN #810

Open mithun-daa opened 10 years ago

mithun-daa commented 10 years ago

I have an application that uses the Identity Server to authenticate users. This app is built on top of ASP.Net MVC and ASP.Net Web API. Everything works great here.

We started a new project and decided to use the same IdSrv to authenticate users, but this time around we built our project using the new OWIN/Katana pipeline, hosted inside IIS (System.Web). The application is a SPA and has just one Index.html, and all of the data is coming from the Web API middleware. I want to force users to be authenticated and, if they are not, redirect them to the IdSrv. This is how my Startup.cs looks:

    using System.Threading.Tasks;
    using Microsoft.Owin;
    using Microsoft.Owin.FileSystems;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.WsFederation;
    using Microsoft.Owin.StaticFiles;
    using Owin;

    public partial class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Cookie middleware that holds the session; it is given the WS-Federation
            // authentication type name, following the blog post pattern.
            app.UseCookieAuthentication(new CookieAuthenticationOptions()
            {
                AuthenticationType = WsFederationAuthenticationDefaults.AuthenticationType
            });

            // WS-Federation middleware: reads the IdSrv federation metadata (signing keys,
            // endpoints) from MetadataAddress and redirects challenges to the IdSrv.
            app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions()
            {
                MetadataAddress = "https://IdSrv/FederationMetadata/2007-06/FederationMetadata.xml",
                Wtrealm = "http://localhost:55793"
            });

            // Inline middleware that sees every request after the auth middleware has run.
            app.Use(async (environment, next) =>
            {
                if (!environment.Authentication.User.Identity.IsAuthenticated)
                {
                    //What do I do here??
                }

                await next();
            });

            // Serves the SPA (Index.html and assets) from the "public" folder.
            app.UseFileServer(new FileServerOptions()
            {
                FileSystem = new PhysicalFileSystem("public")
            });

            // Web API registration, defined elsewhere in the project.
            ConfigureWebApi(app);

            app.Run(context =>
            {
                context.Response.ContentType = "text/plain";
                return context.Response.WriteAsync("Hello, world.");
            });
        }
    }

I followed the following blog post to set up WS-Federation here. I have added an Authorize attribute over my Web API resource, and when I try to reach it I get the following error:

IDX10803: Unable to create to obtain configuration from: 'https://IdSrv/FederationMetadata/2007-06/FederationMetadata.xml'.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 

Exception Details: System.InvalidOperationException: IDX10803: Unable to create to obtain configuration from: 'https://IdSrv/FederationMetadata/2007-06/FederationMetadata.xml'.

Source Error: 

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace: 

[InvalidOperationException: IDX10803: Unable to create to obtain configuration from: 'https://IdSrv/FederationMetadata/2007-06/FederationMetadata.xml'.]
   Microsoft.IdentityModel.Protocols.<GetConfigurationAsync>d__3.MoveNext() +1839
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +84
   System.Runtime.CompilerServices.TaskAwaiter`1.GetResult() +49
   Microsoft.Owin.Security.WsFederation.<ApplyResponseChallengeAsync>d__c.MoveNext() +681
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +84
   Microsoft.Owin.Security.Infrastructure.<ApplyResponseCoreAsync>d__8.MoveNext() +531
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +84
   Microsoft.Owin.Security.Infrastructure.<TeardownAsync>d__5.MoveNext() +318
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +84
   Microsoft.Owin.Security.Infrastructure.<Invoke>d__0.MoveNext() +1371
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +84
   Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.<RunApp>d__5.MoveNext() +291
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +84
   Microsoft.Owin.Security.Infrastructure.<Invoke>d__0.MoveNext() +1107
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +84
   Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.<RunApp>d__5.MoveNext() +291
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +84
   Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.<DoFinalWork>d__2.MoveNext() +293
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +32
   Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.IntegratedPipelineContext.EndFinalWork(IAsyncResult ar) +208
   System.Web.AsyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +443
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +288

Any ideas? Am I missing something?

brockallen commented 10 years ago

Is the cert for that host correct and trusted?

mithun-daa commented 10 years ago

No, it's a self signed cert.

brockallen commented 10 years ago

So perhaps the call is failing because you simply don't have the SSL part done right.
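The backchannel that fetches the federation metadata validates the IdSrv host's TLS certificate, and a self-signed certificate fails that check. The usual shortcut, a validator that returns true, removes the only thing that stops an attacker from feeding the relying party their own signing keys. The configuration below is an added example, not code from the thread or from IdentityServer: it keeps validation on but pins the dev certificate by thumbprint using Katana's CertificateThumbprintValidator. The thumbprint value and the Startup class name are placeholders; the metadata URL and realm are the ones from the original post.

```csharp
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.WsFederation;
using Owin;

// Added example, not from the thread: pin the dev IdSrv's self-signed TLS certificate
// for the metadata backchannel instead of disabling certificate validation.
public partial class Startup
{
    // SHA-1 thumbprint of the self-signed cert served by the IdSrv host (hex, no spaces).
    // Placeholder value: read the real one from the certificate you generated.
    private const string IdSrvBackchannelThumbprint = "0000000000000000000000000000000000000000";

    public void ConfigureAuth(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseWsFederationAuthentication(new WsFederationAuthenticationOptions
        {
            MetadataAddress = "https://IdSrv/FederationMetadata/2007-06/FederationMetadata.xml",
            Wtrealm = "http://localhost:55793",

            // Only this exact certificate is accepted when fetching the metadata. Any other
            // certificate, even one chaining to a public CA, is rejected, so the pin must be
            // rotated whenever the dev certificate is reissued. Never replace this with a
            // validator that always returns true.
            BackchannelCertificateValidator =
                new CertificateThumbprintValidator(new[] { IdSrvBackchannelThumbprint })
        });
    }
}
```

The middleware wires the validator into the backchannel's WebRequestHandler. If you also supply your own BackchannelHttpHandler (for example a proxy-aware one), it must be a WebRequestHandler rather than a plain HttpClientHandler, otherwise the middleware throws at startup because it cannot attach the validator.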

mithun-daa commented 10 years ago

It works just fine if I point to the IdSrv from an MVC app. Exception only when I use OWIN.

leastprivilege commented 10 years ago

check if Katana logging shows more info: https://katanaproject.codeplex.com/wikipage?title=Debugging&referringTitle=Documentation

mithun-daa commented 10 years ago

Not getting any trace info. Maybe it is happening even before all that kicks in?

iampez commented 9 years ago

You may have already resolved this issue, but for future readers, I had the same problem today and it turned out to be my company's proxy server settings, so the issue was that the federationmetadata.xml file was not even being read. Hope this helps.

brockallen commented 9 years ago

Good point, @iampez -- see if you can even browse to the federation metadata in your browser.

mithun-daa commented 9 years ago

I can. I have a regular MVC app that works just fine talking to the same IdSrv. It just doesn't work if set up as an OWIN/Katana pipeline.

On Nov 8, 2014 8:28 AM, "Brock Allen" notifications@github.com wrote:

Good point, @iampez https://github.com/iampez -- see if you can even browse to the federation metadata in your browser.

sevdaakgun commented 8 years ago

@iampez I use token authentication and have same issue with company's proxy server. How did you resolve your issue? Is there a way to pass proxy server as an option? Is it possible to configure it for accepting proxy?

austinajit commented 8 years ago

we are also having the same problem starting today. We have all SSL set correctly and the same setting is working for one site and not the other. Any suggestions?

brockallen commented 8 years ago

@austinajit if something "all of a sudden" stopped working, then perhaps the signing certificate is past its expiration?
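The three causes raised so far (an untrusted certificate on the IdSrv host, a proxy that blocks the backchannel, and an expired signing certificate inside the metadata) can all be checked outside the pipeline. The console tool below is an added diagnostic, not code from the thread or from IdentityServer. It fetches the metadata the way the Katana backchannel does (HttpClientHandler, optional explicit proxy), reports TLS chain errors without accepting them, and lists every signing certificate in the document with its expiry. The metadata URL and the proxy "host:port" are assumed command-line inputs.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Xml.Linq;

// Added diagnostic, not from the thread: reproduce the metadata fetch that IDX10803
// wraps and report why it would fail. Assumed inputs: metadata URL, optional proxy.
class FederationMetadataCheck
{
    static readonly XNamespace Ds = "http://www.w3.org/2000/09/xmldsig#";

    static int Main(string[] args)
    {
        if (args.Length < 1)
        {
            Console.Error.WriteLine("usage: FederationMetadataCheck <metadata-url> [proxy-host:port]");
            return 2;
        }

        // Log TLS chain problems but keep validation strict: the callback returns the
        // policy result unchanged. (Process-global hook; fine for a diagnostic tool.)
        ServicePointManager.ServerCertificateValidationCallback = (sender, cert, chain, errors) =>
        {
            if (errors != SslPolicyErrors.None)
                Console.Error.WriteLine("TLS: {0} for '{1}' (trust or pin this cert; do not disable validation)",
                    errors, cert == null ? "?" : cert.Subject);
            return errors == SslPolicyErrors.None;
        };

        var handler = new HttpClientHandler();
        if (args.Length > 1)
        {
            // Same shape as a proxy-aware BackchannelHttpHandler.
            handler.Proxy = new WebProxy(args[1], false) { UseDefaultCredentials = true };
            handler.UseProxy = true;
        }

        string xml;
        try
        {
            using (var client = new HttpClient(handler) { Timeout = TimeSpan.FromSeconds(15) })
            {
                var response = client.GetAsync(args[0]).GetAwaiter().GetResult();
                Console.WriteLine("HTTP {0} {1}", (int)response.StatusCode, response.ReasonPhrase);
                if (!response.IsSuccessStatusCode) return 1;
                xml = response.Content.ReadAsStringAsync().GetAwaiter().GetResult();
            }
        }
        catch (HttpRequestException ex)
        {
            // The document never arrived: proxy, DNS, or a rejected TLS handshake.
            Console.Error.WriteLine("Fetch failed: {0}", ex.GetBaseException().Message);
            return 1;
        }

        // Signing keys are published as base64 DER certificates under ds:KeyInfo/ds:X509Data.
        var failed = false;
        foreach (var element in XDocument.Parse(xml).Descendants(Ds + "X509Certificate"))
        {
            var cert = new X509Certificate2(Convert.FromBase64String(element.Value.Trim()));
            var notAfter = cert.NotAfter.ToUniversalTime();
            var expired = DateTime.UtcNow > notAfter;
            Console.WriteLine("{0} thumbprint={1} notAfter={2:u} {3}",
                cert.Subject, cert.Thumbprint, notAfter, expired ? "EXPIRED" : "ok");
            failed |= expired;
        }
        return failed ? 1 : 0;
    }
}
```

Run it from the web server itself, under the same account as the application pool, so that proxy settings and the machine certificate store match what the middleware sees; a browser on a developer workstation can succeed where the server's backchannel fails.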

KahuKirikiri commented 8 years ago

I know I'm a bit late here but if anyone is still experiencing this issue then you can resolve it by providing your own "proxy aware" implementation of the WsFederationAuthenticationOptions.BackchannelHttpHandler.

    using System.Configuration;
    using System.Net;
    using System.Net.Http;
    using Microsoft.Owin.Security.Cookies;
    using Microsoft.Owin.Security.WsFederation;
    using Owin;

    public partial class Startup
    {
        private static string realm = ConfigurationManager.AppSettings["ida:Wtrealm"];
        private static string adfsMetadata = ConfigurationManager.AppSettings["ida:ADFSMetadata"];
        private static string proxyAddress = ConfigurationManager.AppSettings["ida:ProxyAddress"];
        private static string proxyPort = ConfigurationManager.AppSettings["ida:ProxyPort"];

        public void ConfigureAuth(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseWsFederationAuthentication(
                new WsFederationAuthenticationOptions
                {
                    Wtrealm = realm,
                    MetadataAddress = adfsMetadata,
                    // The handler the middleware uses to fetch the federation metadata.
                    BackchannelHttpHandler = GetProxyAwareHttpMessageHandler()
                });
        }

        private HttpMessageHandler GetProxyAwareHttpMessageHandler()
        {
            // No proxy configured: return null so the middleware uses its default handler.
            if (string.IsNullOrWhiteSpace(proxyAddress) || string.IsNullOrWhiteSpace(proxyPort))
                return null;

            var address = string.Format("{0}:{1}", proxyAddress, proxyPort);
            var proxy = new WebProxy(address, false)
            {
                // Authenticate to the proxy with the application pool's Windows identity.
                UseDefaultCredentials = true
            };

            return new HttpClientHandler()
            {
                Proxy = proxy,
                // Also sends the pool identity's credentials to the metadata host if it
                // challenges; drop this if the host should not receive them.
                UseDefaultCredentials = true
            };
        }
    }

brockallen commented 8 years ago

Ah, thanks for the update!