IdentityServer / IdentityServer3

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana
https://identityserver.github.io/Documentation/
Apache License 2.0

User X509 certificate #3890

Closed Thercy closed 7 years ago

Thercy commented 7 years ago

Question

I am working with IdentityServer3 and I need the user to authenticate using an X509 certificate (instead of user/pass). I am trying to achieve this through a Partial Login implementing IUserService (in PreAuthenticateAsync), but so far it looks like there is no option to request this from the "PreAuthenticationContext context" (open the browser's X509 user certificate store so the user selects one and proceed). However, I have read in some posts that this should be available in IdentityServer3.

Many thanks in advance!

brockallen commented 7 years ago

Use PreAuth, do a partial login to your own custom page, on that custom page do the Challenge to request the client/user cert, once validated then use the OWIN extension methods to issue the IdSvr cookie.

https://identityserver.github.io/Documentation/docsv2/advanced/owin.html
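The three steps above (partial login from PreAuth, a custom page that obtains and validates the client certificate, then issuing the IdentityServer cookie with the OWIN extension methods) assembled into one example. This is added illustration, not code from the IdentityServer3 project or from this thread. It assumes an MVC controller routed at the hypothetical path `custom/certlogin`, that IIS has been configured to negotiate a client certificate for that path (see the note after the code), that the certificate is exposed through the standard OWIN `ssl.ClientCertificate` / `ssl.LoadClientCertAsync` keys, and a constructed thumbprint-to-user table with placeholder values.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using IdentityServer3.Core;
using IdentityServer3.Core.Extensions;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.Default;
using Microsoft.Owin;

// Step 1: the user service starts a partial login that sends the browser to
// our own page instead of the built-in username/password form.
public class CertUserService : UserServiceBase
{
    public override Task PreAuthenticateAsync(PreAuthenticationContext context)
    {
        // Redirect path plus no claims yet; IdentityServer writes a partial-login
        // cookie so the flow can be resumed from the custom page later.
        context.AuthenticateResult = new AuthenticateResult("~/custom/certlogin", (IEnumerable<Claim>)null);
        return Task.FromResult(0);
    }
}

// Step 2: the custom page. The TLS client-certificate challenge itself is done
// by IIS before this action runs (hypothetical route: custom/certlogin).
public class CertLoginController : Controller
{
    // Constructed sample mapping: certificate thumbprint -> (subject id, display name).
    // Placeholder values; a real deployment reads this from its user store.
    private static readonly Dictionary<string, Tuple<string, string>> KnownUsers =
        new Dictionary<string, Tuple<string, string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "PLACEHOLDER_THUMBPRINT_0000000000000000000000000000000000000000", Tuple.Create("818727", "Alice") }
        };

    [HttpGet]
    public async Task<ActionResult> Index()
    {
        var owin = HttpContext.GetOwinContext();
        var env = owin.Environment;

        // Katana exposes the negotiated client certificate through the OWIN
        // "ssl.ClientCertificate" key; "ssl.LoadClientCertAsync" forces the load.
        var load = owin.Get<Func<Task>>("ssl.LoadClientCertAsync");
        if (load != null) await load();
        var cert = owin.Get<X509Certificate2>("ssl.ClientCertificate");

        Tuple<string, string> user;
        if (cert == null || !ChainsToTrustedRoot(cert) || !KnownUsers.TryGetValue(cert.Thumbprint, out user))
        {
            // Fail closed and keep the response generic; log the reason server-side.
            return new HttpStatusCodeResult(403, "Client certificate required");
        }

        // Step 3: issue the IdentityServer cookie via the OWIN extension method.
        // "x509" as the authentication method is our own label, not an IdentityServer constant.
        env.IssueLoginCookie(new AuthenticatedLogin
        {
            Subject = user.Item1,
            Name = user.Item2,
            IdentityProvider = Constants.BuiltInIdentityProvider,
            AuthenticationMethod = "x509",
            Claims = new[] { new Claim("cert_thumbprint", cert.Thumbprint) }
        });

        // Resume the partial login where IdentityServer left off.
        var resumeUrl = await env.GetPartialLoginResumeUrlAsync();
        if (resumeUrl == null) return new HttpStatusCodeResult(400, "No partial login in progress");
        return Redirect(resumeUrl);
    }

    // Accept only certificates that chain to a root the server trusts, with
    // revocation checked. Matching by thumbprint afterwards (rather than by
    // subject name alone) ties the login to one specific issued certificate.
    private static bool ChainsToTrustedRoot(X509Certificate2 cert)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        return chain.Build(cert);
    }
}
```

For the handshake itself, the IIS side is configured in web.config rather than in code: a `<location>` element for the custom login path with `<access sslFlags="SslNegotiateCert" />` under `system.webServer/security` makes IIS request a client certificate only on that path, so the rest of IdentityServer keeps its normal behaviour.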

Thercy commented 7 years ago

Thanks! I do have the parts needed, but I cannot see how to put them together. Is there any example I could check on how I could use the partial login to redirect to a custom page to perform the challenge request for the certificate?

I've seen your example for just redirection on PreAuthentication, but is there any other that matches my requirements?

```csharp
// ctx is the IOwinContext for the current request, e.g. built in the user
// service constructor from the injected OwinEnvironmentService:
//   ctx = new OwinContext(owin.Environment);
public override Task PreAuthenticateAsync(PreAuthenticationContext context)
{
    var id = ctx.Request.Query.Get("signin");
    context.AuthenticateResult = new AuthenticateResult("~/custom/login?id=" + id, (IEnumerable<Claim>)null);
    return Task.FromResult(0);
}
```

Many thanks.

brockallen commented 7 years ago

Nothing exactly like what you want, but this might be the closest: https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/CustomLoginPage/CustomLoginPage

Thercy commented 7 years ago

Spot on! That's exactly the example project I am currently working on. However, at the moment I'm stuck on getting the user certificate authentication into the OWIN middleware chain from my custom login page. Guess this is the path I should go? I'll try and post with any update!

brockallen commented 7 years ago

> stuck on getting the user certificate authentication into the OWIN middleware chain

Well, that's unrelated to IdSvr -- you need to figure that one out separately. IIRC, there's a web.config entry to have IIS do that handshake.

Thercy commented 7 years ago

Cool! I'll close the ticket now. I'll try and post my findings :)