brockallen / BrockAllen.MembershipReboot

MembershipReboot is a user identity management and authentication library.

Register and Change Email flows when using OwinAuthenticationService with IdentityServer. #671

Closed apuchkov closed 8 years ago

apuchkov commented 8 years ago

I'm not sure if the Register and Change Email flows work well when using OwinAuthenticationService with IdentityServer.

My app is based on the SingleTenant sample, except it uses OwinAuthenticationService and authenticates via IdentityServer, which is connected to MembershipReboot.

1. Registration Flow

When the user confirms his email after registration he goes through the authSvc.SignIn(account); line in ChangeEmailController.cs, which redirects him to IdentityServer before redirecting to the success page. This is not ideal, as the user just entered his password to confirm his email and has to enter his password again at IdentityServer.

Is there a way to authenticate the user somehow in the background at this point, without having him enter his username and password at IdentityServer? We already know who this user is anyway.

2. Change Email Flow

When the user changes his email address and then confirms it, the code steps through the same authSvc.SignIn(account); line in ChangeEmailController.cs, but in this case the user is not redirected to IdentityServer, so he still has his old email address in a claim.

Did I misconfigure something or is it a bug?

brockallen commented 8 years ago

IdentityServer manages its own cookie. You'd not be using the OwinAuthenticationService if you were using MR with IdentityServer. You'd just use the APIs to validate credentials. See here: https://github.com/IdentityServer/IdentityServer3.MembershipReboot/blob/master/source/IdentityServer3.MembershipReboot/IdentityServer3.MembershipReboot.cs
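A sketch of what "use the APIs to validate credentials" looks like inside IdentityServer3, as an added example (not code from MembershipReboot or from the linked IdentityServer3.MembershipReboot project): a user service built on IdentityServer3's UserServiceBase that calls MembershipReboot's UserAccountService.Authenticate and hands the result back to IdentityServer, which then issues its own cookie. The class name and the claim set are assumptions made for this example, and it assumes a single-tenant UserAccountService.

```csharp
// Added example, not code from MembershipReboot or IdentityServer3.MembershipReboot.
// IdentityServer3 user service that validates credentials against MembershipReboot.
// IdentityServer, not this class, writes the authentication cookie on success.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using BrockAllen.MembershipReboot;
using IdentityServer3.Core;
using IdentityServer3.Core.Extensions;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.Default;

public class MembershipRebootUserService : UserServiceBase   // assumed name
{
    private readonly UserAccountService _userAccountService;   // single-tenant MR service

    public MembershipRebootUserService(UserAccountService userAccountService)
    {
        _userAccountService = userAccountService;
    }

    // Called from IdentityServer's login page. We only answer "are these credentials
    // valid, and who is this"; IdentityServer issues its own cookie from the result.
    public override Task AuthenticateLocalAsync(LocalAuthenticationContext context)
    {
        UserAccount account;
        if (_userAccountService.Authenticate(context.UserName, context.Password, out account))
        {
            context.AuthenticateResult = new AuthenticateResult(
                account.ID.ToString(),   // subject: stable account id, not the (changeable) email
                account.Username,        // display name
                GetClaims(account));     // email etc., read fresh at every login
        }
        else
        {
            // One generic message: don't reveal whether the username or the password was wrong.
            context.AuthenticateResult = new AuthenticateResult("Invalid username or password.");
        }
        return Task.FromResult(0);
    }

    // Claims for id_token / userinfo; re-read from MembershipReboot so a changed email shows up.
    public override Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var account = _userAccountService.GetByID(new Guid(context.Subject.GetSubjectId()));
        if (account != null)
        {
            var claims = GetClaims(account);
            context.IssuedClaims = context.RequestedClaimTypes == null
                ? claims
                : claims.Where(c => context.RequestedClaimTypes.Contains(c.Type));
        }
        return Task.FromResult(0);
    }

    // Lets IdentityServer refuse tokens for closed or unverified accounts that still hold a cookie.
    public override Task IsActiveAsync(IsActiveContext context)
    {
        var account = _userAccountService.GetByID(new Guid(context.Subject.GetSubjectId()));
        context.IsActive = account != null && account.IsAccountVerified && !account.IsAccountClosed;
        return Task.FromResult(0);
    }

    private static IEnumerable<Claim> GetClaims(UserAccount account)
    {
        var claims = new List<Claim>
        {
            new Claim(Constants.ClaimTypes.Subject, account.ID.ToString()),
            new Claim(Constants.ClaimTypes.PreferredUserName, account.Username),
        };
        if (!String.IsNullOrWhiteSpace(account.Email))
        {
            claims.Add(new Claim(Constants.ClaimTypes.Email, account.Email));
            claims.Add(new Claim(Constants.ClaimTypes.EmailVerified, account.IsAccountVerified ? "true" : "false"));
        }
        return claims;
    }
}
```

Registering this as IdentityServer's IUserService (Factory.UserService in the IdentityServerServiceFactory) replaces OwinAuthenticationService entirely: the account app never signs anyone in itself, it only manages accounts, and every sign-in happens through IdentityServer's login page.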

apuchkov commented 8 years ago

Is this how you are suggesting to use the API to validate credentials: userAccountService.Authenticate(account.Username, model.Password, out account);?

It will only tell if the credentials are valid or not, but won't sign the user in, correct?

Is there some way to seamlessly sign the user in (get a token from IdServ) without having him enter credentials at IdServ?

brockallen commented 8 years ago

It will only tell if the credentials are valid or not, but won't sign the user in, correct?

Correct -- IdSvr signs them in.

Is there some way to seamlessly sign the user in (get a token from IdServ) without having him enter credentials at IdServ?

To get tokens from IdSvr you need to authenticate.

apuchkov commented 8 years ago

Then I guess we have to sign the user out after he has changed his email and confirmed it, so he will have to re-sign in via IdSvr and get the updated email claim.

Thanks!

brockallen commented 8 years ago

You can always re-issue the cookie at IdSvr with the IssueLoginCookie OWIN extension: https://identityserver.github.io/Documentation/docsv2/advanced/owin.html

apuchkov commented 8 years ago

Thanks a lot for pointing to IssueLoginCookie(). It seems to be exactly what I need to get the user authenticated at IdSvr without having him re-enter his password.

I will just need to somehow expose this method in the IdSvr app, so I can call it from my user account app. A custom MVC endpoint will probably do the job.
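One way to build the custom endpoint suggested above, as an added example that is not part of the thread, of MembershipReboot, or of IdentityServer3: an MVC controller hosted inside the IdentityServer3 application that calls the IssueLoginCookie OWIN extension from the linked docs. Because IssueLoginCookie has to run in a request to the IdentityServer host (the cookie belongs to that domain) while the password and email-confirmation key are checked in the account app, the account app hands the browser a short-lived HMAC-signed assertion and redirects it here; the endpoint verifies the assertion, reloads the account so the confirmed new email lands in the cookie, and sends the browser back. The controller name, the assertion format, the shared-key and return-URL config keys, and the claim set are all assumptions made for this example.

```csharp
// Added example, not code from MembershipReboot, IdentityServer3 or their samples.
// MVC endpoint in the IdentityServer3 host that re-issues IdentityServer's login cookie
// for a user the account app has just re-verified (password + email confirmation key).
// Names, assertion format and config keys are assumptions made for this example.
using System;
using System.Configuration;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;
using BrockAllen.MembershipReboot;
using IdentityServer3.Core;
using IdentityServer3.Core.Extensions;
using IdentityServer3.Core.Models;

public class ReissueLoginController : Controller
{
    // Secret shared by the account app and the IdentityServer host (assumed config key).
    private static readonly byte[] SharedKey =
        Convert.FromBase64String(ConfigurationManager.AppSettings["ReissueLogin:Key"]);
    // Fixed, configured destination in the account app. Never a caller-supplied returnUrl:
    // an open redirect that hands out a fresh session cookie is a bad combination.
    private static readonly string ReturnUrl = ConfigurationManager.AppSettings["ReissueLogin:ReturnUrl"];
    private static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(2);

    private readonly UserAccountService _userAccountService;

    public ReissueLoginController(UserAccountService userAccountService)
    {
        _userAccountService = userAccountService;
    }

    // Account-app side: build this right after the user has proven password + confirmation key,
    // then redirect the browser to /reissuelogin?assertion=<UrlEncode(value)>.
    public static string CreateAssertion(Guid accountId, byte[] key, DateTime utcNow)
    {
        long expires = ToUnixSeconds(utcNow.Add(MaxAge));
        string payload = accountId.ToString("N") + "|" + expires;
        using (var hmac = new HMACSHA256(key))
            return payload + "|" + Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    [HttpGet]
    public ActionResult Index(string assertion)
    {
        Guid accountId;
        if (!TryValidateAssertion(assertion, SharedKey, DateTime.UtcNow, out accountId))
            return new HttpStatusCodeResult(400);

        var account = _userAccountService.GetByID(accountId);
        if (account == null || account.IsAccountClosed || !account.IsAccountVerified)
            return new HttpStatusCodeResult(403);

        // IdentityServer3 OWIN extension from the linked docs: writes IdentityServer's own cookie.
        // Claims are read fresh from MembershipReboot, so the confirmed new email goes into it.
        Request.GetOwinContext().Environment.IssueLoginCookie(new AuthenticatedLogin
        {
            Subject = account.ID.ToString(),
            Name = account.Username,
            Claims = new[]
            {
                new Claim(Constants.ClaimTypes.Email, account.Email),
                new Claim(Constants.ClaimTypes.EmailVerified, "true"),
            },
            IdentityProvider = Constants.BuiltInIdentityProvider,
            AuthenticationMethod = Constants.AuthenticationMethods.Password,
        });

        return Redirect(ReturnUrl);
    }

    // Assertion format (constructed for this example): "<guid N>|<unix expiry seconds>|<base64 HMAC-SHA256>".
    public static bool TryValidateAssertion(string assertion, byte[] key, DateTime utcNow, out Guid accountId)
    {
        accountId = Guid.Empty;
        if (String.IsNullOrEmpty(assertion)) return false;
        var parts = assertion.Split('|');
        if (parts.Length != 3) return false;

        long expires;
        if (!Guid.TryParseExact(parts[0], "N", out accountId) || !long.TryParse(parts[1], out expires)) return false;
        long now = ToUnixSeconds(utcNow);
        if (expires < now || expires > now + (long)MaxAge.TotalSeconds) return false; // expired, or lifetime too long

        byte[] actual;
        try { actual = Convert.FromBase64String(parts[2]); } catch (FormatException) { return false; }
        byte[] expected;
        using (var hmac = new HMACSHA256(key))
            expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(parts[0] + "|" + parts[1]));
        return FixedTimeEquals(expected, actual);
    }

    private static long ToUnixSeconds(DateTime utc)
    {
        return (long)(utc - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
    }

    // Constant-time comparison so the HMAC check does not leak through timing.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Two caveats a practitioner would want before shipping this. The assertion is only time-bound, so within the two-minute window it can be replayed; if that matters, record consumed assertions (or add a nonce and store it) so each one works once. And because the endpoint is a GET that sets a login cookie, an attacker holding a valid assertion for his own account could force a victim's browser onto it and log the victim in as the attacker (login CSRF); binding the assertion to a short-lived cookie the account app sets just before the redirect, and checking for it here, closes that. After the redirect back, the account app simply triggers its normal OpenID Connect challenge: IdentityServer now finds its own fresh cookie and issues the new token, with the new email claim, without prompting for a password.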