aspnet / Security

[Archived] Middleware for security and authorization of web apps. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

Two authentication schema doesn't work together #1874

Closed yucelakpinar closed 5 years ago

yucelakpinar commented 5 years ago

Hello, I want to use ASP.NET Identity for storing user accounts locally in my app, and I also want them to log in to and log out of my app. I also want to use an OpenID provider so that I don't store user accounts locally; I only want those users to log in to and log out of my app.

So I set up my app like below:

services
    .AddDbContext<ApplicationDbContext>(options =>
        options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));

services
    .AddDefaultIdentity<IdentityUser>()
    .AddEntityFrameworkStores<ApplicationDbContext>();

services
    // Makes the external cookie the default scheme, overriding the
    // application-cookie default that AddDefaultIdentity registered.
    .AddAuthentication(IdentityConstants.ExternalScheme)
    .AddOpenIdConnect("oidc", options =>
    {
        options.SignInScheme = IdentityConstants.ExternalScheme;
        options.Authority = "https://demo.identityserver.io/";
        options.RequireHttpsMetadata = false; // only acceptable for local testing
        options.ClientId = "implicit";
    });

With that configuration I can log in to the app with the OpenID provider, but local users can't log in to the app.

According to my investigation:

What is the problem in this case? Why can't local users authenticate themselves?

Tratcher commented 5 years ago

The more common pattern is to connect OIDC to a local identity (no local password required). To do that, remove .AddAuthentication(IdentityConstants.ExternalScheme) and options.SignInScheme = IdentityConstants.ExternalScheme;. Is there a reason you want them to be completely separate?

How do you have users choose which login approach to use?

yucelakpinar commented 5 years ago

I see on the internet (blogs, MSDN) that OIDC is implemented like below (but without ASP.NET Identity; in the examples OIDC is always used alone), so I wrote it like above. On my login page I have inputs for username and password with a login button, and also a link in case the client wants to use the OIDC login type. So you want me to store a local identity for this user; is there any example? Also, I don't want to store anything about OIDC users in my local identity; is there any way to do that? Thanks.

Tratcher commented 5 years ago

OIDC can be used with Identity just like any other remote provider. See these examples for Facebook.
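The pattern Tratcher describes, written out as an added example (not code from this thread, from the Facebook samples linked above, or from the aspnet/Security repository). It keeps the poster's ApplicationDbContext, IdentityUser, authority and client id, and assumes ASP.NET Core 2.1 with the Microsoft.AspNetCore.Authentication.OpenIdConnect package. The ExternalLoginController, its action names and the LoginPath/LockoutPath constants are hypothetical; the paths are the ones the default Identity UI scaffolds. The reason the poster's original configuration broke local login is that AddAuthentication(IdentityConstants.ExternalScheme) runs after AddDefaultIdentity and replaces the default scheme with the external cookie, so the application cookie issued by PasswordSignInAsync is never consulted; the corrected Startup below leaves the default alone.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class ApplicationDbContext : IdentityDbContext<IdentityUser>
{
    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> o) : base(o) { }
}

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDbContext<ApplicationDbContext>(options =>
            options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));

        // Registers the application cookie as the default scheme and the external
        // cookie as the default sign-in scheme that remote handlers write to.
        services.AddDefaultIdentity<IdentityUser>()
            .AddEntityFrameworkStores<ApplicationDbContext>();

        // No scheme argument here: passing IdentityConstants.ExternalScheme would make
        // the external cookie the default and hide local (password) logins from [Authorize].
        services.AddAuthentication()
            .AddOpenIdConnect("oidc", "IdentityServer demo", options =>
            {
                // SignInScheme is left unset; Identity already defaults it to the external cookie.
                options.Authority = "https://demo.identityserver.io/";
                options.RequireHttpsMetadata = true; // do not disable outside local testing
                options.ClientId = "implicit";
            });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication(); // must precede MVC so both cookies are evaluated
        app.UseMvc();
    }
}

// Hypothetical controller: links the OIDC subject to a password-less local account.
public class ExternalLoginController : Controller
{
    private const string LoginPath = "/Identity/Account/Login";   // default Identity UI path (assumed)
    private const string LockoutPath = "/Identity/Account/Lockout";
    private readonly SignInManager<IdentityUser> _signInManager;
    private readonly UserManager<IdentityUser> _userManager;

    public ExternalLoginController(SignInManager<IdentityUser> s, UserManager<IdentityUser> u)
    {
        _signInManager = s;
        _userManager = u;
    }

    // The "use OIDC" link on the login page posts here. POST plus antiforgery stops a
    // third-party page from starting the flow with a returnUrl of its choosing.
    [HttpPost, ValidateAntiForgeryToken]
    public IActionResult Start(string returnUrl = null)
    {
        var redirectUrl = Url.Action(nameof(Callback), "ExternalLogin", new { returnUrl });
        var props = _signInManager.ConfigureExternalAuthenticationProperties("oidc", redirectUrl);
        return Challenge(props, "oidc");
    }

    [HttpGet]
    public async Task<IActionResult> Callback(string returnUrl = null, string remoteError = null)
    {
        returnUrl = Url.IsLocalUrl(returnUrl) ? returnUrl : "/"; // open-redirect guard
        if (remoteError != null) return Redirect(LoginPath);

        var info = await _signInManager.GetExternalLoginInfoAsync(); // reads the external cookie
        if (info == null) return Redirect(LoginPath);

        // Returning user: matched strictly on (provider, subject), never on e-mail alone,
        // so an IdP account cannot take over an existing local account with the same address.
        var result = await _signInManager.ExternalLoginSignInAsync(
            info.LoginProvider, info.ProviderKey, isPersistent: false, bypassTwoFactor: true);
        if (result.Succeeded) return LocalRedirect(returnUrl);
        if (result.IsLockedOut) return Redirect(LockoutPath);

        // First visit: create a local account with no password and attach the external login.
        // The username falls back to a random value because the demo IdP only sends an e-mail
        // if the "email" scope is requested and the default UserManager rejects ':' in names.
        var email = info.Principal.FindFirstValue(ClaimTypes.Email);
        var user = new IdentityUser { UserName = email ?? Guid.NewGuid().ToString("N"), Email = email };

        var created = await _userManager.CreateAsync(user);
        if (created.Succeeded) created = await _userManager.AddLoginAsync(user, info);
        if (!created.Succeeded) return Redirect(LoginPath); // e.g. DuplicateUserName: do not auto-link

        await _signInManager.SignInAsync(user, isPersistent: false); // issues the application cookie
        return LocalRedirect(returnUrl);
    }
}
```

Local users keep using PasswordSignInAsync on the same application cookie, so one [Authorize] works for both populations; the only thing stored for an OIDC user is the AspNetUsers row plus its AspNetUserLogins entry (provider name and subject), with PasswordHash left null. If an e-mail collides with an existing local username, CreateAsync fails and the user is sent back to the login page rather than silently linked, which is the safe default when the provider's e-mail verification is unknown.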

yucelakpinar commented 5 years ago

I updated my code to create a local account for external users, then sign them in with the local user account. This way my problem looks solved.