Closed chazt3n closed 8 years ago
Assuming you are referring to the Windows Auth samples, AD is sufficient (or even a workgroup if it is a test environment on a single machine). If you have ADFS, then it does the Windows Auth part for you, and you integrate it as a WS-Federation IdP.
@estiller yes thank you, I seem to have gotten the windows auth example working, however I'm a little concerned that sometimes I get many more claims than expected, does this image look like what you expect?:
Yes, it looks alright.
@estiller
Should there be anything at that /was endpoint? Currently I get a 404
@estiller Ok, I see where I'm falling short, I don't know how to get AD groups using this WindowsAuth component, any advice?
Hi @chazt3n, you got me a little confused...
When you say that you removed Windows Auth from the client app, what do you mean? The claims you show us in the second screenshot are claims coming directly from the Windows Auth layer, without going through the Identity Server transformation in the Windows Authentication Service, so I am not sure what it is exactly that you changed there.
Regarding your question about how to get the AD groups - first, you have to configure the Windows Authentication Service to emit the groups -
```csharp
app.UseWindowsAuthenticationService(new WindowsAuthenticationOptions
{
    IdpReplyUrl = "https://localhost:44333/was",
    SigningCertificate = Certificate.Load(),
    EnableOAuth2Endpoint = false,
    EmitGroups = true
});
```
Then in your Identity Server user service when you implement the AuthenticateExternalAsync()
method you get these groups as role claims on the incoming context.
And as for the other question - it is OK that you get a 404 on the was address. That is not a problem.
@estiller EmitGroups = true
O_o Ok well that's awesome.
Then in your Identity Server user service when you implement the AuthenticateExternalAsync() method you get these groups as role claims on the incoming context.
I see the claims, however they never make it into the CustomUser's claims, does that mean they'll only be on the access_token? (Is that the entire point of an access token?)
(doing lots today as well as reading docs, I haven't gotten this far yet)
Also, I am absolutely using your windows auth service now, that was young and reckless me
Glad to hear you are making progress. The user service and the Custom User class in the sample are just that - a sample... You are correct that the current sample implementation does not propagate the role claims onwards from Identity Server. You can change the implementation or write your own, which takes the role claims from the incoming context and does something with them (like placing them on the outgoing claim collection in the authentication result).
BTW, do feel free to create a PR on the sample and modify it to support groups as well.
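As an added example (not code from this thread or from the IdentityServer3 samples), here is a user service that does what estiller describes above: it takes the role claims the Windows Authentication Service emits when `EmitGroups = true` from the incoming context in `AuthenticateExternalAsync()`, places them on the outgoing `AuthenticateResult`, and keeps them so `GetProfileDataAsync()` can serve them into tokens. The class name, the in-memory `Users` store, and the two role claim types it accepts are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer3.Core;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.Default;

// Hypothetical user service that propagates AD group claims (emitted by the
// Windows Authentication Service) into the IdentityServer session and tokens.
public class GroupPropagatingUserService : UserServiceBase
{
    // Hypothetical in-memory store keyed by subject; stands in for the sample's CustomUser list.
    private static readonly Dictionary<string, List<Claim>> Users = new Dictionary<string, List<Claim>>();

    // Assumption: groups arrive either as the short "role" type (IdentityServer's
    // default claim mapping) or as the WS-* role URI; accept both, emit only "role".
    private static readonly string[] RoleClaimTypes = { Constants.ClaimTypes.Role, ClaimTypes.Role };

    public override Task AuthenticateExternalAsync(ExternalAuthenticationContext context)
    {
        var external = context.ExternalIdentity;
        if (external == null) throw new ArgumentNullException("context.ExternalIdentity");

        // Subject is derived from provider + provider id so it is stable across logins.
        var subject = external.Provider + ":" + external.ProviderId;
        var name = external.Claims.FirstOrDefault(c => c.Type == Constants.ClaimTypes.Name)?.Value ?? external.ProviderId;

        // Normalise every incoming group to a "role" claim so downstream code sees one type.
        var roles = external.Claims
            .Where(c => RoleClaimTypes.Contains(c.Type))
            .Select(c => new Claim(Constants.ClaimTypes.Role, c.Value))
            .ToList();

        Users[subject] = roles; // kept so GetProfileDataAsync can return them later

        // Roles go onto the outgoing claim collection of the authentication result.
        context.AuthenticateResult = new AuthenticateResult(subject, name, roles, identityProvider: external.Provider);
        return Task.FromResult(0);
    }

    public override Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var subject = context.Subject.FindFirst(Constants.ClaimTypes.Subject)?.Value;
        List<Claim> roles;
        if (subject != null && Users.TryGetValue(subject, out roles))
        {
            // Honour the requested claim types; null means "everything".
            context.IssuedClaims = context.RequestedClaimTypes == null
                ? roles
                : roles.Where(c => context.RequestedClaimTypes.Contains(c.Type)).ToList();
        }
        return Task.FromResult(0);
    }
}
```

Register it with `factory.UserService = new Registration<IUserService>(new GroupPropagatingUserService());` on the `IdentityServerServiceFactory`; the `role` claims then appear in the identity or access token only for scopes that request `role`, which is why they were not visible on the sample's CustomUser.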
My first public PR! I'd love to, let me see if I can feel my way around to get something visible
Got it! Thank you sir, I'm building this up in a very small sln so I will have to copy my changes into the original repo real fast to create the PR
Everything appears to be working, aside from the fact that sometimes I get 60 claims returned and sometimes I get 12... @estiller does this require ADFS or is AD sufficient?