IdentityServer / IdentityServer3.AccessTokenValidation

OWIN Middleware to validate access tokens from IdentityServer3
Apache License 2.0

Use `UseIdentityServerBearerTokenAuthentication` in the same app with IdSrv #38

Closed. buybackoff closed this 9 years ago

buybackoff commented 9 years ago

I have an Id server from examples:

app.Map("/id", idsrvApp =>
{
    var factory = new IdentityServerServiceFactory();
    var scopeStore = new InMemoryScopeStore(Scopes.Get());
    factory.ScopeStore = new IdentityServer3.Core.Configuration.Registration<IScopeStore>(scopeStore);
    var clientStore = new InMemoryClientStore(Clients.Get());
    factory.ClientStore = new IdentityServer3.Core.Configuration.Registration<IClientStore>(clientStore);
    var userStore = new InMemoryUserService(Users.Get());
    factory.UserService = new IdentityServer3.Core.Configuration.Registration<IUserService>(userStore);

    idsrvApp.UseIdentityServer(new IdentityServerOptions
    {
        IssuerUri = "https://localhost:44333",
        PublicOrigin = "https://localhost:44333",
        SiteName = "Embedded IdentityServer",
        SigningCertificate = Certificate.Get(),
        RequireSsl = false,
        Factory = factory
    });
});

When I add this either to the top-level pipeline or just inside app.Map("/api", appApi => { ... }), I get the error "IDX10803: Unable to create to obtain configuration from... "

app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
    Authority = "https://localhost:44333/id",
    //RequiredScopes = new[] { "api" },
});

I looked into existing issues about bad SSL etc., but after I added all the source code to my project I realized that UseIdentityServerBearerTokenAuthentication calls RetrieveMetadata() synchronously, and this is not possible because we are still in Startup and IdSrv is not working until we finish the entire startup config. So there is a deadlock.

In the MVC example I see that the API is in a separate project, but this is less convenient. I have a project based on the standard MVC5 template. I have WebAPI controllers in a separate assembly, but they are all hosted together with a couple of MVC controllers in a WebHost project.

Is there a way to use bearer tokens in a setup with a single host? Or how to configure the existing MVC5 bearer token support to use IdSrv3 tokens?

// Enable the application to use bearer tokens to authenticate users
app.UseOAuthBearerTokens(OAuthOptions);

buybackoff commented 9 years ago

My main concern was that I want identity server to be hosted at mydomain.com/id, webapi at mydomain.com/api, and Web UI at mydomain.com as a SPA. I needed id server to support not only user logins, but clients. The easiest solution seems to be hosting the identity server as a separate child application of existing application in IIS at /id path. There is a great explanation of different options here: http://stackoverflow.com/questions/24189181/how-do-i-host-a-web-application-and-an-api-from-the-same-server-while-keeping-th

Haven't implemented the entire setup yet so will keep this issue open in case someone could comment further.

brockallen commented 9 years ago

Since you're running them together, you can simply set the config info via the other IdentityServerBearerTokenAuthenticationOptions config values (IssuerName and IssuerSigningToken).

cbeall commented 9 years ago

I think the issue noted above is specific to version 2.0.0. In 2.0.0 (dev branch), the IssuerName field no longer exists in IdentityServerBearerTokenAuthenticationOptions and I don't see a property to store IssuerSigningToken either.

I have a similar configuration to what is described above, and until today I had been running 2.0.0-rc1. When I upgraded to rc3 this morning, I began to experience the same issue. Everything worked fine for rc1, but from what I can tell (I reverted back to rc1 and then incrementally upgraded), the issue was introduced in rc2. The application goes into deadlock as described by @buybackoff.

leastprivilege commented 9 years ago

see https://github.com/IdentityServer/IdentityServer3.AccessTokenValidation/issues/40

leastprivilege commented 9 years ago

I added it back; it is on the dev branch and MyGet. Wanna try it?

cbeall commented 9 years ago

I pulled down IdentityServer3.AccessTokenValidation.2.2.0-build00030 and followed Brock's advice above, and everything is now working as expected. Thanks.

vdaron commented 9 years ago

I'm facing the same "deadlock" problem while configuring the API and IdentityServer in the same application. Everything was working fine until I updated to the latest version.

Any help is welcome! (Maybe by clarifying Brock's advice above :-))

leastprivilege commented 9 years ago

Configure IssuerName and SigningCertificate manually. That fixes it.

UlyssesAlves commented 7 years ago

@leastprivilege How do I configure IssuerName and SigningCertificate manually? I'm facing deadlocks in this same situation too, but I don't yet understand how to apply your solution in the code. Do you have any snippet showing how to apply this fix?
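One way to apply the "configure IssuerName and SigningCertificate manually" advice from the thread, written as an added example rather than code from the issue or the project. It assumes the Certificate.Get(), Scopes.Get(), Clients.Get() and Users.Get() helpers from the question, that the validator shares the issuer's certificate, and an IdentityServer3.AccessTokenValidation version (2.2.0 or later per the thread) that exposes IssuerName, SigningCertificate and ValidationMode.

```csharp
using System.Security.Cryptography.X509Certificates;
using IdentityServer3.AccessTokenValidation;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Services;
using IdentityServer3.Core.Services.InMemory;
using Owin;

public partial class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Assumption: one certificate used both to sign tokens and to validate them locally.
        X509Certificate2 signingCert = Certificate.Get();
        // The validator's IssuerName must equal the IssuerUri stamped into the token's "iss" claim.
        const string issuer = "https://localhost:44333/id";

        app.Map("/id", idsrvApp =>
        {
            var factory = new IdentityServerServiceFactory();
            factory.ScopeStore = new Registration<IScopeStore>(new InMemoryScopeStore(Scopes.Get()));
            factory.ClientStore = new Registration<IClientStore>(new InMemoryClientStore(Clients.Get()));
            factory.UserService = new Registration<IUserService>(new InMemoryUserService(Users.Get()));

            idsrvApp.UseIdentityServer(new IdentityServerOptions
            {
                IssuerUri = issuer,
                SiteName = "Embedded IdentityServer",
                SigningCertificate = signingCert,
                Factory = factory
            });
        });

        app.Map("/api", apiApp =>
        {
            apiApp.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
            {
                // Authority is deliberately left unset: no discovery document is fetched during
                // Startup, so the in-process IdentityServer is never called before it is running.
                IssuerName = issuer,
                SigningCertificate = signingCert,
                ValidationMode = ValidationMode.Local,
                RequiredScopes = new[] { "api" }
            });
            // apiApp.UseWebApi(...) would be registered here, after the token middleware.
        });
    }
}
```

Because the signing key is pinned rather than discovered, rotating the certificate means updating the issuer and the validator together, and a token whose "iss" differs from IssuerName is rejected even if its signature is valid.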