IdentityServer / IdentityServer3

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana
https://identityserver.github.io/Documentation/
Apache License 2.0

IdentityServer is breaking .Net Forms Authentication #2870

Closed lukos closed 8 years ago

lukos commented 8 years ago

I have an existing site that I am extending with the IS module but it is interfering with the .Net auth cookie for reasons I cannot work out or track down.

With IS disabled, I can log in normally, the auth cookie is dropped and when returning to the main page, I am logged in. As soon as IS is connected (specifically, as soon as I uncomment UseIdentityServer) and I try the same process, by the time I reach Page_Load of my main page the user identity is not set and, although the auth cookie value is still present, the expiry, domain etc. have all been blanked out and the system thinks I am not logged in (IsAuthenticated = false).

I have enabled logging but there is nothing much in the log and certainly nothing which says, "logging user out" or anything. I also can't find any calls to SignOut in the IS code or something similar that are being called when re-entering the main page.

brockallen commented 8 years ago

We suppress the host authentication because we don't want non-IdentityServer authentication stuff to leak into us. We use the SuppressDefaultHostAuthentication API (https://brockallen.com/2013/10/27/host-authentication-and-web-api-with-owin-and-active-vs-passive-authentication-middleware/).

Why are you mixing IdentityServer with an app that uses some other form of authentication? You really should keep it separate.

lukos commented 8 years ago

I am trying to use it as a pure Identity Server, not as a means to log into the web application itself. People come from an RP, authenticate using my system and then return to the RP, no local logging in required or relevant for OpenID Connect purposes.

If people want to log in to change their details, there is an existing system to log in directly.

Eventually, I could use Identity Server to perform the local login as well but it is enough work trying to customise all the pages and a few other mechanisms to match the existing external logins, without having to change the entire site over to use IS.

I guess if IS is designed to take over the entire authX system of the application then I might not have a choice?

leastprivilege commented 8 years ago

You can put idsrv into a Katana Map path. That should keep it more separate from the rest of the application.
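The following Startup is an added example, not code from the thread or from the IdentityServer3 project: it shows the "Katana Map path" suggestion, where `app.Map` confines the IdentityServer3 middleware (and the host-authentication suppression brockallen describes) to requests under one path prefix, so the rest of the site keeps its existing Forms Authentication cookie. The certificate thumbprint, client, scope, user and path names are placeholders chosen for the illustration.

```csharp
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.InMemory;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Only requests under /identity enter this branch; the main site's
        // pipeline (including the ASP.NET Forms Authentication cookie) is untouched.
        app.Map("/identity", idsrvApp =>
        {
            var factory = new IdentityServerServiceFactory()
                .UseInMemoryClients(Clients.Get())
                .UseInMemoryScopes(Scopes.Get())
                .UseInMemoryUsers(Users.Get());

            idsrvApp.UseIdentityServer(new IdentityServerOptions
            {
                SiteName = "Example Identity Server",      // placeholder name
                SigningCertificate = LoadSigningCertificate(),
                Factory = factory
                // RequireSsl is left at its default (true): tokens and cookies
                // must not travel over plain HTTP.
            });
        });
    }

    // Assumption: the signing certificate is installed in the machine store;
    // the thumbprint below is a placeholder, not a real value.
    private static X509Certificate2 LoadSigningCertificate()
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(
                X509FindType.FindByThumbprint, "PLACEHOLDER_THUMBPRINT", validOnly: false);
            if (found.Count == 0) throw new System.InvalidOperationException("Signing certificate not found");
            return found[0];
        }
    }
}

// Minimal in-memory configuration for the example (constructed sample data).
public static class Clients { public static List<Client> Get() => new List<Client> { new Client { ClientId = "sample-rp", ClientName = "Sample RP", Flow = Flows.Implicit, RedirectUris = new List<string> { "https://rp.example/callback" }, AllowedScopes = new List<string> { "openid", "profile" } } }; }
public static class Scopes  { public static List<Scope> Get() => new List<Scope> { StandardScopes.OpenId, StandardScopes.Profile }; }
public static class Users   { public static List<InMemoryUser> Get() => new List<InMemoryUser> { new InMemoryUser { Username = "alice", Password = "placeholder-password", Subject = "1" } }; }
```

With this layout the RP sends users to https://yourhost/identity/connect/authorize, while pages outside /identity never run the IdentityServer branch, so Page_Load on the main site still sees the Forms Authentication identity.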