Closed mattcowen closed 9 years ago
For the second part, I'd suggest registering an external provider claims filter to remove those before they make it into your user service. You don't want the user service to see those claims.
Ok thanks for that. So just to clarify, implement the external provider claims filter in Identity Server and remove the nonce as well as anything else that the client doesn't need to see or shouldn't see.
Yep. And we probably should have this by default in idsvr. I'll leave this open as a reminder.
-Brock
..and we need a sample for that as well.
I am on beta 3 and I am testing a user authenticating via an Azure AD for my MVC application (implicit flow). I do not know beforehand which Azure AD the user belongs to so I need to be 'told' the tenant id via the returned claims. I got this working by adding to my scopes a new tenantid scope...
And then adding to my client's scoperestrictions collection...
First question is, is this the best way? I know this works for Azure but I would like to ensure it will work with other id providers if I can. Should alwaysInclude be false for when the claim type isn't available? I've added both claim types since I'm unsure which ScopeClaim is best; tid or http://schemas.microsoft.com/identity/claims/tenantid.
Second question, when I try to use "IncludeAllClaimsForUser" I receive the following error when redirected back to my client (MVC website). I tried removing my own tenant id ScopeClaims but still got the error. Does this boolean make Identity Server pass all the claims it receives from Azure back to my client? So in this case it's including the nonce from Azure as well as the nonce from Identity Server so the client is confused by which to check for? Is that correct and do you know how I might solve this?
Many thanks
[OpenIdConnectProtocolInvalidNonceException: IDX10301: The 'nonce' found in the jwt token did not match the expected nonce. expected: '["635505206764178802.NmY3ZmU4ZDQtMzk4Ni00NjU2LTlhMGEtM2ExYWE1NTNjOGUyMTA1NDQwYTMtMzg4Ni00MDhhLWJjYmItNDE0OTAxZjNhZmUy","635505206936228642.ZTc4NDlmOTQtZWMxYi00Zjc3LTk1MWUtOWUyOWM5MjMwMGMwOTU0NDI1YWUtMTZlNy00YTI2LWI3YjEtZmQzZmVhZTc4MDZl"]' found in jwt: '635505206764178802.NmY3ZmU4ZDQtMzk4Ni00NjU2LTlhMGEtM2ExYWE1NTNjOGUyMTA1NDQwYTMtMzg4Ni00MDhhLWJjYmItNDE0OTAxZjNhZmUy'. jwt: '{"typ":"JWT","alg":"RS256","x5t":"a3rMUgMFv9tPclLa6yF3zAkfquE","kid":"a3rMUgMFv9tPclLa6yF3zAkfquE"}.{"nonce":["635505206764178802.NmY3ZmU4ZDQtMzk4Ni00NjU2LTlhMGEtM2ExYWE1NTNjOGUyMTA1NDQwYTMtMzg4Ni00MDhhLWJjYmItNDE0OTAxZjNhZmUy","635505206936228642.ZTc4NDlmOTQtZWMxYi00Zjc3LTk1MWUtOWUyOWM5MjMwMGMwOTU0NDI1YWUtMTZlNy00YTI2LWI3YjEtZmQzZmVhZTc4MDZl"],"iat":[1414923904,"1414923599"],"sub":"7d387b1917074c24b1983604f2387854","amr":["external","pwd"],"auth_time":1414923899,"idp":"aad","aud":"Example App","iss":"https://example.com","nbf":1414923904,"exp":1414924264,"ver":"1.0","tid":"cdb05ab5-6bfc-4c29-a2e3-af36e64c9f10","oid":"fa92dae1-41e9-41f3-a2b5-d5bbcab658a1","upn":"matt.cowen@example.com","family_name":"Cowen","given_name":"Matt","c_hash":"U7FrQ7RDRp9srXfEsDoKYQ","pwd_exp":"111288","pwd_url":"https://portal.microsoftonline.com/ChangePassword.aspx","name":"matt.cowen@example.com"} RawData:'.]
Microsoft.IdentityModel.Protocols.OpenIdConnectProtocolValidator.ValidateNonce(JwtSecurityToken jwt, OpenIdConnectProtocolValidationContext validationContext) +1361
Microsoft.IdentityModel.Protocols.OpenIdConnectProtocolValidator.Validate(JwtSecurityToken jwt, OpenIdConnectProtocolValidationContext validationContext) +315
Microsoft.Owin.Security.OpenIdConnect.<…>d__1a.MoveNext() +4550
System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +22
Microsoft.Owin.Security.OpenIdConnect.<…>d__1a.MoveNext() +6503
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
Microsoft.Owin.Security.Infrastructure.<…>d__0.MoveNext() +597
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
Microsoft.Owin.Security.Infrastructure.<…>d__0.MoveNext() +265
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.<…>d__5.MoveNext() +192
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
Microsoft.Owin.Security.Infrastructure.<…>d__0.MoveNext() +668
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.<…>d__5.MoveNext() +192
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +144
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +60
Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.<…>d__2.MoveNext() +189
Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.StageAsyncResult.End(IAsyncResult ar) +70
Microsoft.Owin.Host.SystemWeb.IntegratedPipeline.IntegratedPipelineContext.EndFinalWork(IAsyncResult ar) +64
System.Web.AsyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +445
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +157
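The external-provider claims filter Brock recommends above, written out as an added example. This is not code from the issue or from IdentityServer itself: it assumes the Filter(provider, claims) shape of the IdentityServer v3 external claims filter extensibility point (verify the interface name and registration against the version you run), the claim set is constructed to mirror the claim types visible in the exception, and which claim types count as "protocol" claims to drop is a judgment call rather than anything the thread fixes.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Added example (not IdentityServer's own code). Drops the OpenID Connect /
// JWT protocol claims an upstream provider such as Azure AD returns so they
// never reach the user service and never get copied into tokens IdentityServer
// issues. Without this, the upstream 'nonce' and 'iat' sit next to
// IdentityServer's own and the client's OpenIdConnect middleware sees an array
// where it expects a single value (the IDX10301 failure in the thread).
public class ProtocolClaimsFilter
{
    // Claims that describe the upstream token exchange, not the user.
    // Assumption: this set is a judgment call; 'tid', 'oid', 'upn' etc. are kept.
    static readonly HashSet<string> ProtocolClaimTypes = new HashSet<string>(StringComparer.Ordinal)
    {
        "nonce", "iat", "exp", "nbf", "aud", "iss", "azp",
        "c_hash", "at_hash", "auth_time", "amr", "acr", "ver"
    };

    // Assumption: same shape as the Filter(provider, claims) method of the
    // IdentityServer v3 external claims filter; check against your version.
    public IEnumerable<Claim> Filter(string provider, IEnumerable<Claim> claims)
    {
        // Applies to every provider: protocol claims are never user data.
        return claims.Where(c => !ProtocolClaimTypes.Contains(c.Type)).ToList();
    }

    // Models "include all claims for user": IdentityServer's own claims plus
    // whatever came back from the external provider, grouped by type so a
    // duplicated type shows up as a multi-valued claim (a JSON array in the JWT).
    public static Dictionary<string, List<string>> Merge(IEnumerable<Claim> own, IEnumerable<Claim> external)
    {
        return own.Concat(external)
            .GroupBy(c => c.Type, StringComparer.Ordinal)
            .ToDictionary(g => g.Key, g => g.Select(c => c.Value).ToList(), StringComparer.Ordinal);
    }

    public static void Main()
    {
        // Constructed input: claim types taken from the exception, values shortened.
        var fromAzureAd = new[]
        {
            new Claim("nonce", "nonce-issued-by-identityserver-to-aad"),
            new Claim("iat", "1414923599"),
            new Claim("amr", "pwd"),
            new Claim("ver", "1.0"),
            new Claim("tid", "cdb05ab5-6bfc-4c29-a2e3-af36e64c9f10"),
            new Claim("oid", "fa92dae1-41e9-41f3-a2b5-d5bbcab658a1"),
            new Claim("upn", "matt.cowen@example.com"),
        };
        var fromIdentityServer = new[]
        {
            new Claim("nonce", "nonce-issued-by-mvc-client-to-identityserver"),
            new Claim("iat", "1414923904"),
            new Claim("amr", "external"),
            new Claim("idp", "aad"),
            new Claim("sub", "7d387b1917074c24b1983604f2387854"),
        };

        var unfiltered = Merge(fromIdentityServer, fromAzureAd);
        Console.WriteLine("nonce values reaching the client without a filter: " + unfiltered["nonce"].Count);

        var filter = new ProtocolClaimsFilter();
        var filtered = Merge(fromIdentityServer, filter.Filter("aad", fromAzureAd));
        Console.WriteLine("nonce values reaching the client with the filter:    " + filtered["nonce"].Count);
        Console.WriteLine("tenant id still available to the user service:       " + filtered.ContainsKey("tid"));
    }
}
```

Running it shows two nonce values (and two iat values) in the unfiltered merge, which is exactly the array the client's nonce validation rejected, and a single nonce with the filter in place while 'tid' and 'oid' survive for the tenant-routing the question needs. The filter runs before the user service sees the external identity, so the denylist also keeps upstream 'aud', 'iss' and 'exp' from being interpreted as if IdentityServer had issued them.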