IdentityServer / IdentityServer3

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana
https://identityserver.github.io/Documentation/
Apache License 2.0

Custom grant w/ Kerberos ticket authentication ? #1157

Closed stiiifff closed 9 years ago

stiiifff commented 9 years ago

Hi,

I would like the IdSrv to issue JWT tokens based on incoming Kerberos tickets, while following a standard 'way of doing things' in OAuth 2 (I haven't found an official Kerberos profile for OAuth 2.0). In your opinion, what would be the most sensible way to do this?

Thx! Steve

leastprivilege commented 9 years ago

Custom grant would be the "standard" way of doing this. Unfortunately - Kerberos and Windows integrated auth are troublesome. The way Microsoft implements Kerberos is at the host level - so you need to enable it in IIS or HttpListener. This interferes with our cookie based mechanism in IdSrv.

What I would do is - I would create a custom STS (maybe based on Microsoft's OAuth2 AS Middleware) that sits in a Windows AuthN enabled web application. This does the Kerberos to JWT conversion - then sends the resulting JWT using a custom grant to IdSrv.
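
An added example (not from this thread or the IdentityServer project) of the IdSrv side of the suggestion above: an IdentityServer3 custom grant validator that verifies the JWT produced by the Windows-authenticated STS and maps it to a subject. The grant type name `windows_jwt`, the `token` request parameter, the issuer/audience strings and the SID-based subject mapping are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;   // JwtSecurityTokenHandler (System.IdentityModel.Tokens.Jwt 4.x)
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using IdentityServer3.Core.Validation;

// Custom grant that exchanges a JWT minted by a Windows-authenticated STS for an IdSrv token.
// The grant type name, issuer/audience strings and claim mapping are assumptions for this example.
public class WindowsJwtGrantValidator : ICustomGrantValidator
{
    private readonly X509Certificate2 _stsCert; // certificate the STS signs its JWTs with
    public WindowsJwtGrantValidator(X509Certificate2 stsCert) { _stsCert = stsCert; }

    // Clients must list this grant type in AllowedCustomGrantTypes to use it.
    public string GrantType { get { return "windows_jwt"; } }

    public Task<CustomGrantValidationResult> ValidateAsync(ValidatedTokenRequest request)
    {
        var jwt = request.Raw.Get("token");
        if (string.IsNullOrEmpty(jwt))
            return Task.FromResult(new CustomGrantValidationResult("token parameter missing"));

        var parameters = new TokenValidationParameters
        {
            ValidIssuer = "urn:windows-sts",                      // assumed STS issuer
            ValidAudience = "urn:idsrv3",                         // assumed audience the STS targets
            IssuerSigningToken = new X509SecurityToken(_stsCert)  // pins the signature check to the STS cert
        };

        ClaimsPrincipal principal;
        try
        {
            SecurityToken validated;
            principal = new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out validated);
        }
        catch (SecurityTokenException)
        {
            return Task.FromResult(new CustomGrantValidationResult("invalid token"));
        }
        // The Windows SID is the stable identifier; the account name is only carried as a display claim.
        var sid = principal.FindFirst(ClaimTypes.PrimarySid);
        if (sid == null)
            return Task.FromResult(new CustomGrantValidationResult("primary SID claim missing"));
        var claims = new List<Claim> { new Claim("name", principal.Identity.Name ?? string.Empty) };
        return Task.FromResult(new CustomGrantValidationResult(sid.Value, "kerberos", claims, "windows"));
    }
}
```

Register it with the IdSrv factory (e.g. `factory.CustomGrantValidators.Add(...)`) and the client calls the token endpoint with `grant_type=windows_jwt&token=<jwt>`.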

stiiifff commented 9 years ago

Hi Dominick, I'll investigate in that direction, thx !

stiiifff commented 9 years ago

Just a quick follow-up: I was able to integrate a "Mixed-Auth" OWIN middleware (https://github.com/MohammadYounes/OWIN-MixedAuth) as external IdP in IdSrv. I can then pass an ACR value hint to the authorize endpoint, and easily generate JWT tokens from Windows principals. This is a big deal for my client, as they really wanted to avoid setting up ADFS :-)

leastprivilege commented 9 years ago

I open-sourced our version of it:

https://github.com/IdentityServer/WindowsAuthentication

stiiifff commented 9 years ago

Awesomeness!!!

alexandrejobin commented 9 years ago

In the WindowsAuthentication implementation, I see that I must configure the IdpReplyUrl with something like "https://localhost:44333/core/was" but I don't have this URL in my IdentityServer yet. Is there a guide somewhere on how I can use the WindowsAuthentication plugin?

leastprivilege commented 9 years ago

It is simply using the WS-Fed middleware - either point to the root (if you are only using a single WS-fed MW) or synchronize with the middleware CallbackPath property.

alexandrejobin commented 9 years ago

For others who would like to make it work, here's how I do it:

In the WebHost project, here's how it is configured:

using System;
using System.Security.Cryptography.X509Certificates;
using IdentityServer.WindowsAuthentication.Configuration; // WindowsAuthenticationOptions / UseWindowsAuthenticationService
using Owin;

namespace WebHost
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.UseWindowsAuthenticationService(new WindowsAuthenticationOptions
            {
                IdpReplyUrl = "http://localhost:61483/identity", // URL of the IdentityServer instance
                SigningCertificate = LoadCertificate()
            });
        }

        // Loads the sample signing certificate from the application's bin folder
        private static X509Certificate2 LoadCertificate()
        {
            return new X509Certificate2(
                string.Format(@"{0}\bin\idsrv3test.pfx", AppDomain.CurrentDomain.BaseDirectory),
                "idsrv3test");
        }
    }
}

In the IdentityServer project:

using IdentityServer3.Core.Configuration;     // AuthenticationOptions (v1 uses Thinktecture.IdentityServer.Core.Configuration)
using Microsoft.Owin.Security.WsFederation;   // WsFederationAuthenticationOptions
using Owin;

private static AuthenticationOptions GetAuthenticationOptions()
{
    var authenticationOptions = new AuthenticationOptions()
    {
        EnableSignOutPrompt = true,
        EnablePostSignOutAutoRedirect = true,
        PostSignOutAutoRedirectDelay = 0,
        IdentityProviders = ConfigureIdentityProviders
    };

    return authenticationOptions;
}

// Registers the WindowsAuthentication host as an external WS-Federation identity provider
private static void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
{
    var adfs = new WsFederationAuthenticationOptions
    {
        AuthenticationType = "adfs",
        Caption = "Windows Account",
        SignInAsAuthenticationType = signInAsType,
        MetadataAddress = "http://localhost:6739/", // URL of the WebHost project
        Wtrealm = "urn:idsrv3"
    };
    app.UseWsFederationAuthentication(adfs);
}

alexandrejobin commented 9 years ago

The logout works but it doesn't redirect to the app home page. I only get a blank screen from this URL:

http://localhost:6739/?wtrealm=urn%3aidsrv3&wa=wsignout1.0&wreply=http%3a%2f%2flocalhost%3a61483%2fidentity%2fadfscallback

Is there a way to redirect the user to the app page?

leastprivilege commented 9 years ago

Logout of Windows does not make sense ;)

You need to suppress the redirect to the Windows provider in the notifications of the WS-Federation middleware.

alexandrejobin commented 9 years ago

For others who want to know the code to sign out from the WS-Federation middleware instead of the Windows provider. Can someone revise the code and tell us if my understanding is good?

using System.Threading.Tasks;
using Microsoft.Owin.Security.Notifications;  // WsFederationAuthenticationNotifications, NotificationResultState
using Microsoft.Owin.Security.WsFederation;
using Owin;

private static void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
{
    var adfs = new WsFederationAuthenticationOptions
    {
        AuthenticationType = "adfs",
        Caption = "Windows Account",
        SignInAsAuthenticationType = signInAsType,
        MetadataAddress = "http://localhost:6739/", // URL of the WebHost project
        Wtrealm = "urn:idsrv3",
        Wreply = "http://localhost:60222/identity/callback",
        Notifications = GetWsFederationAuthentificationNotifications()
    };
    app.UseWsFederationAuthentication(adfs);
}

private static WsFederationAuthenticationNotifications GetWsFederationAuthentificationNotifications()
{
    return new WsFederationAuthenticationNotifications
    {
        RedirectToIdentityProvider = async notification =>
        {
            // Only intercept sign-out; sign-in redirects still go to the Windows provider
            if (notification.ProtocolMessage.IsSignOutMessage)
            {
                // tell IdentityServer to manage the sign out instead of the STS provider
                notification.OwinContext.Authentication.SignOut();
                notification.State = NotificationResultState.HandledResponse;
            }
            await Task.FromResult(0);
        }
    };
}

illukarl23 commented 9 years ago

Hi skoub, I registered WindowsAuthentication as a WS-Fed external identity provider, but don't know what the next step would be; perhaps you are willing to help me a little bit. It would be really nice if you could provide a sample for the Windows authentication or a little documentation. It would be really appreciated.