IdentityServer / IdentityServer3

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana
https://identityserver.github.io/Documentation/
Apache License 2.0

SessionCookie SessionId generation #3281

Open ionutcalin opened 8 years ago

ionutcalin commented 8 years ago

Question

Having a custom user store, I would need to be able to allocate the SessionId based on some authenticated user claims, instead of the current way using CryptoRandom.CreateUniqueId().

My idea would be to create an ISessionIdGenerator which could be registered in the IdentityServerServiceFactory and then used by the IssueSessionId method of the SessionCookie class (code below).

PS: My initial idea was to override the SessionCookie class and adapt the behavior, but I cannot, as the constructor is internal and IOwinContext is also internal due to the merging of dependent assemblies during generation of the IdentityServer3.dll assembly.

Thank you very much, Ionut Calin

Relevant parts of code

```csharp
public virtual void IssueSessionId(bool? persistent, DateTimeOffset? expires = null)
{
    context.Response.Cookies.Append(
        GetCookieName(), CryptoRandom.CreateUniqueId(),
        CreateCookieOptions(persistent, expires));
}
```
brockallen commented 8 years ago

> Having a custom user store, I would need to be able to allocate the SessionId based on some authenticated user claims, instead of the current way using CryptoRandom.CreateUniqueId()

Can you explain why?

ionutcalin commented 8 years ago

I already have a service which acts as a user, roles and profiles store, which I would plug into IdentityServer3 as an IUserStore (currently it is plugged into IdentityServer2, but I want to upgrade it to IdentityServer3).

This backend service manages all the actions regarding user account management and user logins, and also logs all events related to the account, so that upon successful authentication the identity will have a claim with the successful login event id from our backend service.

Now we need to use this event key as the session Id, because we want to use it in trace logs throughout our applications to pair user actions with a particular user login session.

Of course I could decide to use any other claim for that matter, but I think that sessionId is the proper one. (In the IdentityServer2 implementation we are using NameIdentifier as a transitory identifier for this, but with IdentityServer3, and especially the OAuth2 access token (used in downstream service access), I would like to have the user login name in the "sub" claim (nameIdentifier) and not the user login session key.)

Regards, ionut

brockallen commented 8 years ago

Why can't you just rely on the random one generated by IdentityServer? I guess my main concern is that if you use claims to generate it, it won't really be random with any entropy.

ionutcalin commented 8 years ago

Because this random one is generated after checking the user credentials, and at that moment I already have the event key in the backend service database.

PS: The event key I'm mentioning is a GUID, so I would say it is random and unique :-)

brockallen commented 8 years ago

This would require a new extensibility point in IdSvr. I guess we can consider it.
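As an added sketch (not IdentityServer3 code, and not something the project has committed to), this is what the extensibility point proposed in the thread could look like: the `ISessionIdGenerator` interface, the `login_event_id` claim type and the `Register` line are assumptions. The default generator keeps the CSPRNG behaviour of `CryptoRandom.CreateUniqueId()`, while the claim-derived variant is only as unpredictable as the backend's GUID and therefore validates the claim and falls back to the random generator when it is missing or malformed.

```csharp
using System;
using System.Security.Claims;
using System.Security.Cryptography;

// Hypothetical extension point (assumed, not part of IdentityServer3):
// SessionCookie.IssueSessionId would ask this for the cookie value.
public interface ISessionIdGenerator
{
    string Generate(ClaimsPrincipal user);
}

// Default behaviour: an unpredictable id from a CSPRNG, matching the intent
// of IdentityServer3's CryptoRandom.CreateUniqueId() (32 random bytes, hex).
public class CryptoRandomSessionIdGenerator : ISessionIdGenerator
{
    public string Generate(ClaimsPrincipal user)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
    }
}

// Claim-derived variant from the thread: use the backend's login-event id as
// the session id, but only when the claim is present and a well-formed GUID.
// Anything else falls back to the random generator, so a missing or malformed
// claim never produces an empty or guessable cookie value.
public class LoginEventSessionIdGenerator : ISessionIdGenerator
{
    public const string LoginEventClaimType = "login_event_id"; // assumed name
    private readonly ISessionIdGenerator fallback = new CryptoRandomSessionIdGenerator();

    public string Generate(ClaimsPrincipal user)
    {
        var value = user?.FindFirst(LoginEventClaimType)?.Value;
        Guid eventId;
        if (value != null && Guid.TryParseExact(value, "D", out eventId))
        {
            return eventId.ToString("N"); // 32 hex chars, same shape as the default
        }
        return fallback.Generate(user);
    }
}

// Registration as the thread proposes. Registration<T> exists in IdentityServer3,
// but since the interface above does not, this line is illustrative only:
// factory.Register(new Registration<ISessionIdGenerator, LoginEventSessionIdGenerator>());
```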

ionutcalin commented 8 years ago

Thx a lot