IdentityServer / IdentityServer3.AspNetIdentity

ASP.NET Identity support for Thinktecture IdentityServer3
Apache License 2.0

Including claims from idp and 'nonce' exception #18

Closed mattcowen closed 9 years ago

mattcowen commented 10 years ago

I am on beta 3 and I am testing a user authenticating via an Azure AD for my MVC application (implicit flow). I do not know beforehand which Azure AD the user belongs to so I need to be 'told' the tenant id via the returned claims. I got this working by adding to my scopes a new tenantid scope...

```csharp
new Scope { 
    Name = "tenantid", 
    DisplayName = "Identity provider tenant details", 
    Type = ScopeType.Identity, 
    Emphasize = true, 
    Required = true,
    //IncludeAllClaimsForUser = true,
    Claims = new ScopeClaim[]
    {
        new ScopeClaim("http://schemas.microsoft.com/identity/claims/tenantid", true),
        new ScopeClaim("tid", true)
    } 
},
```

And then adding to my client's scoperestrictions collection...

"tenantid",

First question is, is this the best way? I know this works for Azure but I would like to ensure it will work with other id providers if I can. Should alwaysInclude be false for when the claim type isn't available? I've added both claim types since I'm unsure which ScopeClaim is best; tid or http://schemas.microsoft.com/identity/claims/tenantid.

Second question, when I try to use "IncludeAllClaimsForUser" I receive the following error when redirected back to my client (MVC website). I tried removing my own tenant id ScopeClaims but still got the error. Does this boolean make Identity Server pass all the claims it receives from Azure back to my client? So in this case it's including the nonce from Azure as well as the nonce from Identity Server so the client is confused by which to check for? Is that correct and do you know how I might solve this?

Many thanks

```text
[OpenIdConnectProtocolInvalidNonceException: IDX10301: The 'nonce' found in the jwt token did not match the expected nonce. expected: '["635505206764178802.NmY3ZmU4ZDQtMzk4Ni00NjU2LTlhMGEtM2ExYWE1NTNjOGUyMTA1NDQwYTMtMzg4Ni00MDhhLWJjYmItNDE0OTAxZjNhZmUy","635505206936228642.ZTc4NDlmOTQtZWMxYi00Zjc3LTk1MWUtOWUyOWM5MjMwMGMwOTU0NDI1YWUtMTZlNy00YTI2LWI3YjEtZmQzZmVhZTc4MDZl"]' found in jwt: '635505206764178802.NmY3ZmU4ZDQtMzk4Ni00NjU2LTlhMGEtM2ExYWE1NTNjOGUyMTA1NDQwYTMtMzg4Ni00MDhhLWJjYmItNDE0OTAxZjNhZmUy'. jwt: '{"typ":"JWT","alg":"RS256","x5t":"a3rMUgMFv9tPclLa6yF3zAkfquE","kid":"a3rMUgMFv9tPclLa6yF3zAkfquE"}.{"nonce":["635505206764178802.NmY3ZmU4ZDQtMzk4Ni00NjU2LTlhMGEtM2ExYWE1NTNjOGUyMTA1NDQwYTMtMzg4Ni00MDhhLWJjYmItNDE0OTAxZjNhZmUy","635505206936228642.ZTc4NDlmOTQtZWMxYi00Zjc3LTk1MWUtOWUyOWM5MjMwMGMwOTU0NDI1YWUtMTZlNy00YTI2LWI3YjEtZmQzZmVhZTc4MDZl"],"iat":[1414923904,"1414923599"],"sub":"7d387b1917074c24b1983604f2387854","amr":["external","pwd"],"auth_time":1414923899,"idp":"aad","aud":"Example App","iss":"https://example.com","nbf":1414923904,"exp":1414924264,"ver":"1.0","tid":"cdb05ab5-6bfc-4c29-a2e3-af36e64c9f10","oid":"fa92dae1-41e9-41f3-a2b5-d5bbcab658a1","upn":"matt.cowen@example.com","family_name":"Cowen","given_name":"Matt","c_hash":"U7FrQ7RDRp9srXfEsDoKYQ","pwd_exp":"111288","pwd_url":"https://portal.microsoftonline.com/ChangePassword.aspx","name":"matt.cowen@example.com"} RawData: '.]
   Microsoft.IdentityModel.Protocols.OpenIdConnectProtocolValidator.ValidateNonce(JwtSecurityToken jwt, OpenIdConnectProtocolValidationContext validationContext) +1361
   Microsoft.IdentityModel.Protocols.OpenIdConnectProtocolValidator.Validate(JwtSecurityToken jwt, OpenIdConnectProtocolValidationContext validationContext) +315
   Microsoft.Owin.Security.OpenIdConnect.d1a.MoveNext() +4550
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +22
   Microsoft.Owin.Security.OpenIdConnect.d1a.MoveNext() +6503
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.Owin.Security.Infrastructure.d0.MoveNext() +597
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.Owin.Security.Infrastructure.d0.MoveNext() +265
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.d5.MoveNext() +192
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.Owin.Security.Infrastructure.d0.MoveNext() +668
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.d5.MoveNext() +192
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
   Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.d2.MoveNext() +189
   Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.StageAsyncResult.End(IAsyncResult ar) +70
   Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.IntegratedPipelineContext.EndFinalWork(IAsyncResult ar) +64
   System.Web.AsyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +445
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +157
```

brockallen commented 10 years ago

For the second part, I'd suggest registering an external provider claims filter to remove those before they make it into your user service. You don't want the user service to see those claims.
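One way to implement the claims filter Brock suggests, as an added example that is not code from the project or from anyone in this thread. It assumes the beta-era `IExternalClaimsFilter` interface with a `Filter(string provider, IEnumerable<Claim> claims)` method in `Thinktecture.IdentityServer.Core.Services`; it strips the OpenID Connect protocol claims that produced the duplicated `nonce`, `iat` and `amr` values in the token above, and also maps Azure AD's long tenant claim type onto `tid` so the scope from the first question only needs one claim type.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using Thinktecture.IdentityServer.Core.Services; // assumed namespace/interface for the beta-era claims filter

// Runs on the claims an external IdP (here Azure AD) returns, before they reach the user service.
// Protocol claims from the IdP must not be copied into IdentityServer's own tokens: IdentityServer
// issues its own nonce/iat/amr/auth_time, and a second copy turns each into an array, which is what
// makes the client's OpenIdConnectProtocolValidator reject the nonce.
public class ProtocolClaimsFilter : IExternalClaimsFilter
{
    // Claims that only describe the IdP <-> IdentityServer exchange, not the user.
    private static readonly HashSet<string> ProtocolClaimTypes = new HashSet<string>
    {
        "nonce", "iat", "nbf", "exp", "aud", "iss", "azp", "c_hash", "at_hash",
        "amr", "auth_time" // IdentityServer sets its own values for these
    };

    private const string AzureTenantClaimType = "http://schemas.microsoft.com/identity/claims/tenantid";

    public IEnumerable<Claim> Filter(string provider, IEnumerable<Claim> claims)
    {
        var kept = new List<Claim>();
        foreach (var claim in claims)
        {
            if (ProtocolClaimTypes.Contains(claim.Type)) continue;

            // Normalise the Azure-specific tenant claim type to the short "tid" form so the
            // "tenantid" scope can declare a single ScopeClaim regardless of which form the IdP sent.
            kept.Add(claim.Type == AzureTenantClaimType
                ? new Claim("tid", claim.Value, claim.ValueType, claim.Issuer)
                : claim);
        }

        // Azure sends both tenant claim types; after normalisation drop the exact duplicate.
        return kept.GroupBy(c => c.Type + "\u0001" + c.Value).Select(g => g.First()).ToList();
    }
}

// Registration on the service factory (assumed API shape for this beta; adjust to the version in use):
//   factory.ExternalClaimsFilter = new Registration<IExternalClaimsFilter>(new ProtocolClaimsFilter());
```

With the filter in place the `tenantid` scope only needs the `tid` ScopeClaim, and `alwaysInclude` can stay `true` because IdPs that do not send a tenant simply contribute no `tid` claim.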

mattcowen commented 10 years ago

Ok thanks for that. So just to clarify, implement the external provider claims filter in Identity Server and remove the nonce as well as anything else that the client doesn't need to see or shouldn't see.

brockallen commented 10 years ago

Yep. And we prolly should have this by default in idsvr. I'll leave this open as a reminder.

-Brock


leastprivilege commented 10 years ago

..and we need a sample for that as well.