aspnet-contrib / AspNet.Security.OpenIdConnect.Server

OpenID Connect/OAuth2 server framework for OWIN/Katana and ASP.NET Core

Status #113

Closed Igorbek closed 9 years ago

Igorbek commented 9 years ago

Hi, Your implementation of OIDC seems to me more interesting than other "all-in-one" solutions. Especially in its ability to extend, and because it uses the same style as MS's OAuth2 server implementation. I couldn't find any current status of progress, like what's been implemented and what's going to be implemented. The main question is: is it already production-ready? When will the NuGet be released? Besides the Core standard, do you have plans to implement Session Management? Do you need help? Are you accepting PRs?

kevinchalet commented 9 years ago

Hey :smile:

Your implementation of OIDC seems to me more interesting than other "all-in-one" solutions. Especially in its ability to extend, and because it uses the same style as MS's OAuth2 server implementation.

Glad you like it! Please continue to share your thoughts and remarks to make sure we're progressing in the right direction.

I couldn't find any current status of progress, like what's been implemented and what's going to be implemented.

As you already figured out, there's no such thing. Of course, having a "status" page would be a nice addition, so feel free to submit a PR to fix that :+1:

In a nutshell:

  1. OpenIdConnectServerMiddleware being forked from OAuthAuthorizationServerMiddleware, everything you like with Katana's OAuth2 server is implemented in this project: the authorization endpoint - with the ability to serve your own consent page with a framework like MVC or Nancy - and the token endpoint, that supports the same OAuth2 grant types (resource owner password credentials, client credentials, authorization code, refresh token).
  2. Of course, much OAuth2/OpenID Connect goodness has been progressively added:
    • response_type: all response types combinations are supported, except the none one, that may come in a future version since it should be easy to implement (http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html).
    • response_mode: the different standard variants are all supported and can be used with any response_type (except the response_type/response_mode combinations declared unsafe by the specifications): query, fragment and form_post. It replaces the flawed form_post handling added in Katana's OAuth2 server in the latest version.
    • provider configuration metadata endpoint: this totally new feature is probably one of the most important, since it makes configuring an OIDC client very easy (https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
    • JWKS metadata endpoint: it's also a new feature, that consists of exposing the public keys used to sign tokens (https://tools.ietf.org/html/rfc7517). It's called CryptographyEndpoint in this project and we support both X509 certificates embedding RSA keys and bare RSA keys. Implementing ECDSA is definitely on my todo-list but System.IdentityModel doesn't seem to support them...
    • token validation endpoint: totally non-standard feature, it's an easy way to validate your id_token/token. It may be replaced by the new introspection endpoint in the near future, but I'm not totally satisfied with the last draft, that makes resource server/client authentication mandatory.
    • logout endpoint: fully supported, it works exactly the same way as the authorization endpoint, which means that you can display your own MVC page or directly handle the signout process in IOpenIdConnectServerProvider.LogoutEndpoint (https://openid.net/specs/openid-connect-session-1_0.html).
    • userinfo endpoint: I'm not a huge fan of this endpoint (since it's better and easier to directly include the user details in the id_token) but it will be supported. The PR integrating it has not been merged yet but it shouldn't be long: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/pull/97

Tons of bugs have also been fixed, like the TokenEndpointResponse notification whose IsRequestCompleted property was never used (http://stackoverflow.com/a/28683971/542757), the refresh token whose expiration date was necessarily the same as the access token (http://stackoverflow.com/a/30878326/542757 and http://katanaproject.codeplex.com/discussions/461861) or the fact that the state parameter was not added to the error response in OAuthAuthorizationServerHandler (http://katanaproject.codeplex.com/workitem/376). Notifications have also been completely reworked and now use the new notification model: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/issues/96

The main question is: is it already production-ready? When will the NuGet be released?

As you probably figured out, it's still a beta version. Since we have two versions (one for OWIN/Katana and one for ASP.NET 5), the current plan is to re-use the same roadmap as the one defined for ASP.NET 5 (https://github.com/aspnet/Home/wiki/Roadmap) to avoid releasing a final version that would be incompatible with newer ASP.NET 5 packages. For the OWIN/Katana version, we could of course release a version a bit earlier, but I want to make sure both versions support the same feature set. Bringing some ASP.NET 5 goodness like the new caching or data protection blocks to the OWIN/Katana version is also something I'd really like to do.

That said, most of the breaking changes I wanted to add have already been added, so it's quite stable now. The next changes should break fewer things and be less painful for you :smile:

Concerning NuGet, we'll probably offer a package for the next beta version. In the meantime, don't hesitate to use the MyGet repository.

Besides the Core standard, do you have plans to implement Session Management?

In the current bits, only the logout/end session part of the session management specs has been implemented: https://openid.net/specs/openid-connect-session-1_0.html#RPLogout

There are no immediate plans to support check_session_iframe, but feel free to open a new ticket to track that and to submit a PR to implement it.

Do you need help? Are you accepting PRs?

Sure! :smile: Major issues/features that are open to external contributions are marked with the "need help" green label: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/labels/help%20wanted

Adding the appropriate unit tests is probably the biggest one: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/issues/22. @ilmax is currently working on the first unit tests (https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/pull/108), so feel free to offer him some help with the other ones! :smile:

Thanks for your interest :cocktail:
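As an added illustration of the response_type/response_mode rules the comment above refers to (example code written for this page, not code from AspNet.Security.OpenIdConnect.Server, and in Python rather than the project's C#): it derives the default mode for each response_type, rejects the combinations the multiple response types spec declares unsafe (query with any type that returns a token or id_token), and encodes the authorization response for query, fragment and form_post. The redirect URI and parameter values are constructed sample input.

```python
import html
from typing import Optional
from urllib.parse import urlencode

# response_type combinations from OAuth2, OIDC Core and the multiple response types spec.
VALID_RESPONSE_TYPES = {
    frozenset({"code"}), frozenset({"token"}), frozenset({"id_token"}),
    frozenset({"code", "token"}), frozenset({"code", "id_token"}),
    frozenset({"id_token", "token"}), frozenset({"code", "id_token", "token"}),
    frozenset({"none"}),
}
VALID_RESPONSE_MODES = {"query", "fragment", "form_post"}

def resolve_response_mode(response_type: str, response_mode: Optional[str]) -> str:
    """Effective response_mode, or ValueError for an unknown/unsafe combination."""
    parts = frozenset(response_type.split())
    if parts not in VALID_RESPONSE_TYPES:
        raise ValueError(f"unsupported response_type: {response_type!r}")
    if response_mode is not None and response_mode not in VALID_RESPONSE_MODES:
        raise ValueError(f"unsupported response_mode: {response_mode!r}")
    # Types returning a token or id_token straight from the authorization
    # endpoint default to fragment; 'code' and 'none' default to query.
    issues_token = bool(parts & {"token", "id_token"})
    if response_mode is None:
        return "fragment" if issues_token else "query"
    # query is forbidden for those types: a token or id_token in the query
    # string ends up in server logs, Referer headers and browser history.
    if response_mode == "query" and issues_token:
        raise ValueError(f"response_mode=query not allowed with {response_type!r}")
    return response_mode

def is_safe_combination(response_type: str, response_mode: Optional[str]) -> bool:
    try:
        return bool(resolve_response_mode(response_type, response_mode))
    except ValueError:
        return False

def encode_response(redirect_uri: str, response_type: str,
                    response_mode: Optional[str], params: dict) -> tuple:
    """(mode, payload): a redirect Location for query/fragment, an HTML form for form_post."""
    mode = resolve_response_mode(response_type, response_mode)
    if mode == "query":
        return mode, redirect_uri + ("&" if "?" in redirect_uri else "?") + urlencode(params)
    if mode == "fragment":
        return mode, redirect_uri + "#" + urlencode(params)
    inputs = "".join(f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}"/>'
                     for k, v in params.items())
    return mode, (f'<form method="post" action="{html.escape(redirect_uri)}">{inputs}'
                  "</form><script>document.forms[0].submit()</script>")
```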

Igorbek commented 9 years ago

Thank you a lot for the detailed answer. I'd like to look into iframe-based session checks. See a task/PR soon :)