Closed stiiifff closed 9 years ago
Custom grant would be the "standard" way of doing this. Unfortunately - Kerberos and Windows integrated auth are troublesome. The way Microsoft implements Kerberos is at the host level - so you need to enable it in IIS or HttpListener. This interferes with our cookie based mechanism in IdSrv.
What I would do is: I would create a custom STS (maybe based on Microsoft's OAuth2 AS Middleware) that sits in a Windows AuthN enabled web application. This does the Kerberos to JWT conversion, then sends the resulting JWT using a custom grant to IdSrv.
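The receiving end of that design, as an added example that is not code from this thread or from the IdentityServer project: an IdentityServer3 `ICustomGrantValidator` that accepts the JWT minted by the Windows-authenticated STS, verifies its signature, issuer, audience and lifetime, and only then lets IdentityServer issue its own tokens for that subject. The grant type name `windows_jwt`, the issuer `urn:windows-sts`, the audience `urn:idsrv3` and the `assertion` parameter name are assumptions chosen for the example; the STS signing certificate is whatever the STS was configured with.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Validation;

// Assumed names: grant type "windows_jwt", issuer "urn:windows-sts", audience "urn:idsrv3".
public class WindowsJwtGrantValidator : ICustomGrantValidator
{
    private readonly TokenValidationParameters _parameters;

    public WindowsJwtGrantValidator(X509Certificate2 stsSigningCertificate)
    {
        // Pin the exact certificate the Windows STS signs with; anything else is rejected.
        _parameters = new TokenValidationParameters
        {
            IssuerSigningToken = new X509SecurityToken(stsSigningCertificate),
            ValidIssuer = "urn:windows-sts",   // assumed issuer value set by the STS
            ValidAudience = "urn:idsrv3",      // assumed audience: this IdentityServer
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1)
        };
    }

    public string GrantType
    {
        get { return "windows_jwt"; }
    }

    public Task<CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
    {
        // The client posts the STS-issued JWT as "assertion" on the token endpoint.
        var assertion = request.Raw.Get("assertion");
        if (string.IsNullOrWhiteSpace(assertion))
        {
            return Task.FromResult(new CustomGrantValidationResult("assertion is missing"));
        }

        ClaimsPrincipal principal;
        try
        {
            SecurityToken validatedToken;
            principal = new JwtSecurityTokenHandler()
                .ValidateToken(assertion, _parameters, out validatedToken);
        }
        catch (SecurityTokenException)
        {
            // Covers bad signature, wrong issuer/audience and expired tokens alike;
            // the caller gets no detail beyond "invalid".
            return Task.FromResult(new CustomGrantValidationResult("assertion is invalid"));
        }

        // The JWT handler maps "sub" to NameIdentifier by default, so accept either form.
        var subject = principal.FindFirst("sub") ?? principal.FindFirst(ClaimTypes.NameIdentifier);
        if (subject == null)
        {
            return Task.FromResult(new CustomGrantValidationResult("assertion has no subject"));
        }

        // Only forward the claims IdentityServer should re-issue; do not copy the whole token.
        var forwarded = principal.Claims
            .Where(c => c.Type == ClaimTypes.Name || c.Type == ClaimTypes.Upn || c.Type == "role")
            .ToList();

        // "kerberos" becomes the amr value, "windows" the idp value in the issued tokens.
        return Task.FromResult(
            new CustomGrantValidationResult(subject.Value, "kerberos", forwarded, "windows"));
    }
}
```

Register it with `factory.CustomGrantValidators.Add(new Registration<ICustomGrantValidator>(new WindowsJwtGrantValidator(cert)));` and give the calling client `Flow = Flows.Custom` with `AllowedCustomGrantTypes` containing `"windows_jwt"`; the client then posts `grant_type=windows_jwt&assertion=<jwt>` to the token endpoint. Pinning the signing certificate rather than trusting a metadata endpoint keeps the trust decision explicit, at the cost of a redeploy when the STS certificate rolls.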
Hi Dominick, I'll investigate in that direction, thx !
Just a quick followup: I was able to integrate a "Mixed-Auth" OWIN middleware (https://github.com/MohammadYounes/OWIN-MixedAuth) as external IdP in IdSrv. I can then pass an ACR value hint to the authorize endpoint, and easily generate JWT tokens from Windows principals. This is a big deal for my client, as they really wanted to avoid setting up ADFS :-)
I open-sourced our version of it
Awesomeness !!!
In the WindowsAuthentication implementation, I see that I must configure the IdpReplyUrl with something like "https://localhost:44333/core/was", but I don't have this url in my IdentityServer yet. Is there a guide somewhere on how I can use the WindowsAuthentication plugin?
It is simply using the WS-Fed middleware - either point to the root (if you are only using a single WS-fed MW) or synchronize with the middleware CallbackPath property.
For others that would like to make it work, here's how I do it:

In the WebHost project, here's how it is configured:

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using IdentityServer.WindowsAuthentication.Configuration;
using Owin;

namespace WebHost
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.UseWindowsAuthenticationService(new WindowsAuthenticationOptions
            {
                IdpReplyUrl = "http://localhost:61483/identity", // url to IdentityServer
                SigningCertificate = LoadCertificate()
            });
        }

        // Test certificate shipped with the IdentityServer3 samples; loaded from the bin folder
        private static X509Certificate2 LoadCertificate()
        {
            return new X509Certificate2(
                string.Format(@"{0}\bin\idsrv3test.pfx", AppDomain.CurrentDomain.BaseDirectory),
                "idsrv3test");
        }
    }
}
```
In the IdentityServer project:

```csharp
using IdentityServer3.Core.Configuration;
using Microsoft.Owin.Security.WsFederation;
using Owin;

private static AuthenticationOptions GetAuthenticationOptions()
{
    var authenticationOptions = new AuthenticationOptions()
    {
        EnableSignOutPrompt = true,
        EnablePostSignOutAutoRedirect = true,
        PostSignOutAutoRedirectDelay = 0,
        IdentityProviders = ConfigureIdentityProviders
    };
    return authenticationOptions;
}

// The WindowsAuthentication host speaks WS-Federation, so it is registered
// as a WS-Fed external identity provider
private static void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
{
    var adfs = new WsFederationAuthenticationOptions
    {
        AuthenticationType = "adfs",
        Caption = "Windows Account",
        SignInAsAuthenticationType = signInAsType,
        MetadataAddress = "http://localhost:6739/", // url to WebHost project
        Wtrealm = "urn:idsrv3"
    };
    app.UseWsFederationAuthentication(adfs);
}
```
The logout works, but it doesn't redirect to the app home page. I only get a blank screen from this url:
http://localhost:6739/?wtrealm=urn%3aidsrv3&wa=wsignout1.0&wreply=http%3a%2f%2flocalhost%3a61483%2fidentity%2fadfscallback
Is there a way to redirect the user to the app page?
Logout of Windows does not make sense ;)
You need to suppress the redirect to the Windows provider in the notifications of the WS-Federation middleware.
For others that want to know the code to sign out from the WS-Federation instead of the Windows provider. Can someone revise the code and tell us if my understanding is good?

```csharp
using System.Threading.Tasks;
using Microsoft.Owin.Security.Notifications;
using Microsoft.Owin.Security.WsFederation;
using Owin;

private static void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
{
    var adfs = new WsFederationAuthenticationOptions
    {
        AuthenticationType = "adfs",
        Caption = "Windows Account",
        SignInAsAuthenticationType = signInAsType,
        MetadataAddress = "http://localhost:6739/", // url to WebHost project
        Wtrealm = "urn:idsrv3",
        Wreply = "http://localhost:60222/identity/callback",
        Notifications = GetWsFederationAuthenticationNotifications()
    };
    app.UseWsFederationAuthentication(adfs);
}

private static WsFederationAuthenticationNotifications GetWsFederationAuthenticationNotifications()
{
    return new WsFederationAuthenticationNotifications
    {
        // Called before the middleware redirects the browser to the provider,
        // for both sign-in and sign-out messages
        RedirectToIdentityProvider = async notification =>
        {
            if (notification.ProtocolMessage.IsSignOutMessage)
            {
                // tell IdentityServer to manage the sign out instead of the STS provider
                notification.OwinContext.Authentication.SignOut();
                notification.State = NotificationResultState.HandledResponse;
            }
            await Task.FromResult(0);
        }
    };
}
```
Hi skoub, I registered windowsauthentication as WS-Fed external Identity Provider, but don't know what the next step would be. Perhaps you are willing to help me a little bit. It would be really nice if you could provide a sample for the windows authentication or a little documentation. It would be really appreciated.
Hi,
I would like the IdSrv to issue JWT tokens based on incoming Kerberos tickets, while following a standard 'way of doing things' in OAuth 2 (I haven't found an official Kerberos profile for OAuth 2.0). In your opinion, what would be the most sensible way to do this?
Thx ! Steve