IdentityServer / IdentityServer3.AccessTokenValidation

OWIN Middleware to validate access tokens from IdentityServer3
Apache License 2.0

Can we validate token issues by 3rd party OP? #100

Closed estalldecker closed 8 years ago

estalldecker commented 8 years ago

Hi

We have the following scenario. We are developing a SPA with AngularJS (using the implicit flow), and on the BE side we hit an ASP.NET Web API. We have set up IdentityServer for the dev environment, and everything is working fine; on the Web API we have

app.UseIdentityServerBearerTokenAuthentication(
    new IdentityServerBearerTokenAuthenticationOptions
    {
        Authority = "url to identity server",
    });

then, if we use

var identity = HttpContext.Current.User.Identity as ClaimsIdentity;

we have access to the claims and the identity information. The "problem" we have is that we have to deploy to a closed environment in which the client uses a closed OIDC provider. We analyzed the access_token their OP is sending, and it is not a JWT. My questions are:

1) Can we use your token validation middleware?
2) If your answer is no, can we use any other middleware? Maybe the one from MS? Would it still be an implicit flow?
3) If no other existing middleware will work, what are the suggested steps? Should we create a middleware that fires a request with that access_token to the userinfo endpoint? They don't provide a token introspection endpoint (that's for sure :( )

Sorry if I'm making dumb questions, we can't test right now since they're fixing bugs and the server is down, but we would like to know beforehand. Thank you!

brockallen commented 8 years ago

UseIdentityServerBearerTokenAuthentication supports JWTs or the token introspection spec. Does the OP support one of those?
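For the third case raised in the question, an OP that issues opaque access tokens and offers neither JWTs nor introspection, the only endpoint left that can confirm a token is live is userinfo. The following is an added example written for this thread, not code from IdentityServer3.AccessTokenValidation or from the OP's vendor: a small OWIN middleware that extracts the bearer token, presents it to the OP's userinfo endpoint, and builds a ClaimsIdentity from the JSON it gets back. The endpoint URL, the claim names "sub" and "role", and the extension method name are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Newtonsoft.Json.Linq;
using Owin;

// Hypothetical middleware (not part of IdentityServer3.AccessTokenValidation):
// validates an opaque access token by presenting it to the OP's userinfo endpoint
// and turning the returned claims into the request's ClaimsPrincipal.
public class UserInfoBearerTokenMiddleware : OwinMiddleware
{
    // One shared client: a new HttpClient per request exhausts sockets under load.
    private static readonly HttpClient Client = new HttpClient { Timeout = TimeSpan.FromSeconds(5) };
    private readonly Uri _userInfoEndpoint;

    public UserInfoBearerTokenMiddleware(OwinMiddleware next, Uri userInfoEndpoint) : base(next)
    {
        // The token is a bearer credential; never forward it over plain HTTP.
        if (userInfoEndpoint.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("userinfo endpoint must use https", nameof(userInfoEndpoint));
        _userInfoEndpoint = userInfoEndpoint;
    }

    public override async Task Invoke(IOwinContext context)
    {
        var header = context.Request.Headers.Get("Authorization");
        if (string.IsNullOrEmpty(header) ||
            !header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
        {
            // No bearer token: stay anonymous and let [Authorize] on the controller answer 401.
            await Next.Invoke(context);
            return;
        }

        var token = header.Substring("Bearer ".Length).Trim();
        JObject userInfo;
        using (var request = new HttpRequestMessage(HttpMethod.Get, _userInfoEndpoint))
        {
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
            using (var response = await Client.SendAsync(request))
            {
                if (response.StatusCode == HttpStatusCode.Unauthorized)
                {
                    Reject(context); // OP does not recognise the token (unknown, expired or revoked)
                    return;
                }
                if (!response.IsSuccessStatusCode)
                {
                    // Fail closed: an OP outage must not become an anonymous pass-through.
                    context.Response.StatusCode = 503;
                    return;
                }
                userInfo = JObject.Parse(await response.Content.ReadAsStringAsync());
            }
        }

        // OIDC Core requires "sub" in a userinfo response; refuse anything without it.
        var sub = (string)userInfo["sub"];
        if (string.IsNullOrEmpty(sub))
        {
            Reject(context);
            return;
        }

        var claims = new List<Claim>();
        foreach (var property in userInfo.Properties())
        {
            if (property.Value.Type == JTokenType.Array)
            {
                // e.g. "roles": ["admin", "user"] becomes one claim per element
                foreach (var item in property.Value)
                    claims.Add(new Claim(property.Name, item.ToString()));
            }
            else if (property.Value.Type != JTokenType.Object)
            {
                claims.Add(new Claim(property.Name, property.Value.ToString()));
            }
        }

        // "sub" as name claim and "role" as role claim are assumptions; adjust to the OP's claim names.
        var identity = new ClaimsIdentity(claims, "UserInfo", "sub", "role");
        context.Authentication.User = new ClaimsPrincipal(identity);
        await Next.Invoke(context);
    }

    private static void Reject(IOwinContext context)
    {
        context.Response.StatusCode = 401;
        context.Response.Headers.Set("WWW-Authenticate", "Bearer error=\"invalid_token\"");
    }
}

public static class UserInfoBearerTokenExtensions
{
    // In Startup.Configuration, in place of UseIdentityServerBearerTokenAuthentication:
    //   app.UseUserInfoBearerTokenAuthentication("https://op.example/connect/userinfo");
    public static IAppBuilder UseUserInfoBearerTokenAuthentication(this IAppBuilder app, string userInfoEndpoint)
    {
        return app.Use<UserInfoBearerTokenMiddleware>(new Uri(userInfoEndpoint));
    }
}
```

Two caveats a practitioner should weigh before shipping this. First, a userinfo lookup proves only that the token is currently valid at the OP and which user it belongs to; unlike a JWT `aud` check or an introspection response it says nothing about which client or API the token was issued for, so any live access token that OP ever issued to any client will be accepted by this API. Second, every request costs a round trip to the OP; if that matters, cache the parsed claims for a few seconds keyed by a hash of the token, never by the token itself.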

estalldecker commented 8 years ago

AFAIK, none of those, that's why I'm asking what to do. To add more information so you have at least a small picture of what's going on: they are fixing issues we are detecting in the implicit flow because their implementation doesn't follow the spec (it's buggy), but the worst thing is that they mentioned that JWT for access_token won't be supported (at least in the short term) and that the introspection endpoint is recommended, not required, so that won't be implemented either.

brockallen commented 8 years ago

Well, then you're on your own.

estalldecker commented 8 years ago

Thank you for your time! One last question: what flow do you recommend from the Web API to the OP to validate the token and get the user info (claims) that we need? Sorry, I'm not a security expert, but I want to make the right implementation based on what they provide.

brockallen commented 8 years ago

I have no idea what OP you're talking about -- you'd have to ask the vendor.

estalldecker commented 8 years ago

Thank you! Great project! Keep up the good work!