dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

Consider adding OIDC event to handle identity token validation for hybrid flow #9154

Open scottbrady91 opened 5 years ago

scottbrady91 commented 5 years ago

I am trying to handle JWE identity tokens returned from an OpenID Provider. Since OpenIdConnectProtocolValidator is meant for JWS, I must ensure that the token sent for validation is the inner token of the decrypted JWE.

A JWE identity token returned from the authorization endpoint (implicit flow) or token endpoint (authorization code flow) can be handled using the token validated event.

However, when using the hybrid flow and receiving a JWE identity token from both the authorization endpoint and token endpoint (e.g. response type of code id_token), I am not given the opportunity to handle the identity token: https://github.com/aspnet/AspNetCore/blob/v2.2.3/src/Security/Authentication/OpenIdConnect/src/OpenIdConnectHandler.cs#L614.

My current workaround is to override the protocol validator to handle JWS extraction, however according to this issue, the protocol validator is not the place to do this.

Please consider adding an event that would allow the identity token to be modified in this scenario.
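As an added illustration of what the post describes for the implicit and authorization-code flows (not the issue author's workaround and not code from the aspnetcore project): the handler is given a decryption key so the `JwtSecurityTokenHandler` can unwrap the JWE, and the `TokenValidated` event swaps in the decrypted inner JWS so that the protocol validator only ever sees a JWS. It assumes 2.2-era APIs, that the handler reads `SecurityToken` back from the event context (as the 2.2 handler does), and uses placeholder authority, client id and certificate values.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Added example; assumes the relying party already holds the certificate whose
// private key the OpenID Provider encrypts id_tokens to.
public static class JweIdTokenSetup
{
    public static void Configure(IServiceCollection services, X509Certificate2 decryptionCert)
    {
        services.AddAuthentication()
            .AddOpenIdConnect("oidc", options =>
            {
                options.Authority = "https://op.example.com"; // placeholder
                options.ClientId = "relying-party-client-id"; // placeholder
                options.ResponseType = OpenIdConnectResponseType.Code; // not the hybrid flow

                // With a decryption key present, JwtSecurityTokenHandler decrypts the JWE
                // and exposes the signed inner token through JwtSecurityToken.InnerToken.
                options.TokenValidationParameters.TokenDecryptionKey =
                    new X509SecurityKey(decryptionCert);

                options.Events.OnTokenValidated = ctx =>
                {
                    if (ctx.SecurityToken is JwtSecurityToken jwt && jwt.InnerToken != null)
                    {
                        // Hand the decrypted JWS to the rest of the pipeline so
                        // OpenIdConnectProtocolValidator checks the inner token's
                        // header and claims rather than the JWE wrapper's.
                        ctx.SecurityToken = jwt.InnerToken;
                    }
                    else
                    {
                        // The provider is expected to encrypt id_tokens; an unencrypted
                        // token here is a configuration error or a downgrade and is rejected.
                        ctx.Fail("id_token was not a JWE; an encrypted identity token is required.");
                    }
                    return Task.CompletedTask;
                };
            });
    }
}
```

This covers only the single-id_token flows; the hybrid flow's second id_token from the token endpoint bypasses this event, which is the gap the issue asks to close.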

blowdart commented 5 years ago

Also https://github.com/aspnet/AspNetCore/issues/9092

Eilon commented 5 years ago

We've moved this issue to the Backlog milestone. This means that it is not going to happen for the coming release. We will re-assess the backlog following the current release and consider this item at that time. However, keep in mind that there are many other high priority features with which it will be competing for resources.

thesuavehog commented 4 years ago

I've been looking for an (ideally simple) way to access the id_token after a successful OIDC login in my Blazor WebAssembly project. My use case is that I am trying to leverage the AWS Cognito Identity Pool to provide a scoped AWS Role for my users to use to access AWS resources once they have logged in. This is done via the AWS CognitoAWSCredentials class in their .NET SDK (which you pass to the various IAmazonServiceClients), however in order to initialize a CognitoAWSCredentials instance with a JWT token after an OpenID Connect login, I need to pass it the id_token.

On a .NET Core 3.1 WebApi (running as a Lambda function) OpenID Connect can be used to authenticate the user if I directly access the API in my browser (it redirects to the Cognito hosted login page, and back once I successfully log in). Within my HttpContext I can then access the id_token as it is automatically added there (Microsoft.AspNetCore.Authentication.AuthenticationHttpContextExtensions.GetTokenAsync).

In a Blazor WebAssembly project, the access_token is available via Microsoft.AspNetCore.Components.WebAssembly.Authentication.Internal.IAccessTokenProviderAccessor.TokenProvider.RequestAccessToken however there is no equivalent IIdTokenProviderAccessor ... why? The ID, Access and Refresh tokens should all be available to be used by the application - in this case so I can leverage the AWS client libraries to access AWS resources directly in the Blazor WebAssembly - but I'm sure there are other use cases for people as well.