simpleidserver / SimpleIdServer

OpenID, OAuth 2.0, SCIM2.0, UMA2.0, FAPI, CIBA & OPENBANKING Framework for ASP.NET Core
https://simpleidserver.com/
Apache License 2.0

Multiple redirects when logging into simpleidserver manager (or website) deployed with Docker #519

Closed lechediaz closed 1 year ago

lechediaz commented 1 year ago

Hi friend, I'm going to implement SimpleIdServer in a demo of an app I'm working on.

I have deployed both the SimpleIdServer server and the website that allows managing it, but I have a problem.

I can authenticate correctly on the SimpleIdServer server, but not from the website :(

Multiple redirects occur:


Looking at the logs of the website it is as if it did not find a Cookie (I guess the authentication cookie created by SimpleIdServer).

warn: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[15]
      '.AspNetCore.Correlation.7J9evnEhRsB3qClDRDASEgMLHDi_K8JyQLGq8RTYyMQ' cookie not found.
fail: Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware[1]
      An unhandled exception has occurred while executing the request.
      System.Exception: An error was encountered while handling the remote login.
       ---> System.Exception: Correlation failed.
         --- End of inner exception stack trace ---
         at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
         at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
         at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.<Invoke>g__Awaited|8_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)

To deploy the containers I made some small modifications to the docker-compose file, to the psake instructions and in the StartUp project schedules. I have versioned the changes in this branch of my fork: https://github.com/lechediaz/SimpleIdServer/tree/release/v3.0.4-demo

I consider that my changes were not so drastic.

I ran .\psake dockerBuild, then exported the Docker images and uploaded them to my server, finally I ran another docker-compose file which is a copy of the one versioned in my branch but with the secret values in the environment variables.

Could you tell me if this error has happened to you, or how to set the SimpleIdServer cookie, which I suspect is the problem? Maybe set SameSite to the Lax value, but I don't know where to set it.

Thank you in advance

simpleidserver commented 1 year ago

Hello,

In the Program.cs file of the SimpleIdServer.IdServer.Website.Startup project, can you please add the following line before app.UseStaticFiles and try again?

app.UseCookiePolicy(new CookiePolicyOptions
{
    Secure = CookieSecurePolicy.Always
});
lechediaz commented 1 year ago

Unfortunately, the error persists.

Both servers redirect to each other:


In the logs I see the same errors.

simpleidserver commented 1 year ago

Hello,

I think the authentication is not working in the administration website because it is not hosted on HTTPS. A cookie with the "Secure" attribute can be created only by a secured website; otherwise you'll receive the following error:

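
The failure mode described above, as an added example that is not part of the SimpleIdServer project or of this thread. It uses only the Python standard library's cookie jar to model what a browser does with the OpenID Connect correlation cookie: the cookie is set by the challenge response with the Secure attribute and scoped to the callback path, and a Secure cookie is never sent back over plain http://, which is exactly what the handler reports as "cookie not found" / "Correlation failed". The host, callback path and the use of a fixed cookie name are assumptions; the real cookie name carries a per-login random suffix.

```python
"""Added example (not SimpleIdServer code): why an OIDC correlation cookie
goes missing when the relying party is served over http:// instead of https://.
Only the standard library is used; host, paths and the cookie name are constructed."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

# Constructed values. The real handler appends a random suffix to the cookie name.
COOKIE_NAME = ".AspNetCore.Correlation.EXAMPLE"
CALLBACK_PATH = "/signin-oidc"
HOST = "manager.example"


class _FakeResponse:
    """Minimal stand-in for an HTTP response; CookieJar only needs .info()."""

    def __init__(self, set_cookie: str) -> None:
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self) -> Message:
        return self._headers


def challenge_set_cookie(secure: bool) -> str:
    """Shape of the Set-Cookie header the OIDC handler emits when it starts a
    login: scoped to the callback path, SameSite=None, HttpOnly, and Secure
    when the cookie policy requires it (CookieSecurePolicy.Always forces it)."""
    attrs = [f"{COOKIE_NAME}=N", f"path={CALLBACK_PATH}", "samesite=none", "httponly"]
    if secure:
        attrs.append("secure")
    return "; ".join(attrs)


def correlation_cookie_seen(challenge_scheme: str, callback_scheme: str, secure: bool) -> bool:
    """Simulate one login round trip and report whether the correlation cookie
    reaches the callback request. False means the handler would log
    "'.AspNetCore.Correlation...' cookie not found" and fail with
    "Correlation failed"."""
    jar = CookieJar()

    # 1. The user hits a protected page; the handler redirects to the IdP and
    #    drops the correlation cookie on the way out.
    challenge = Request(f"{challenge_scheme}://{HOST}/admin")
    jar.extract_cookies(_FakeResponse(challenge_set_cookie(secure)), challenge)

    # 2. The IdP sends the browser back to the callback with code and state.
    callback = Request(f"{callback_scheme}://{HOST}{CALLBACK_PATH}?code=abc&state=xyz")
    jar.add_cookie_header(callback)
    return COOKIE_NAME in callback.get_header("Cookie", "")


if __name__ == "__main__":
    # Site on HTTPS: the Secure cookie comes back and correlation succeeds.
    print("https, Secure cookie :", correlation_cookie_seen("https", "https", secure=True))
    # Site on HTTP with Secure forced (the UseCookiePolicy suggestion): the
    # browser stores it but never returns it over http, so the error persists.
    print("http,  Secure cookie :", correlation_cookie_seen("http", "http", secure=True))
```

Note that `http.cookiejar` does not apply the browser rule that a cookie with SameSite=None must also carry Secure (Chrome enforces this since version 80), so a SameSite=None correlation cookie without Secure is rejected outright by a modern browser on an http:// site even though the jar above would accept it. Either way the fix is the one reached in this thread: serve the relying party over HTTPS, and if it sits behind a TLS-terminating proxy, make sure forwarded-proto headers are honoured so the app still sees the request as HTTPS.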

lechediaz commented 1 year ago

Hello,

I did not see the need to deploy the administration site under the HTTPS protocol, but I did deploy the SimpleIdServer server that way.

I will take advantage of the fact that I have an SSL certificate and try to deploy the administration site with HTTPS then.

I'll try and let you know.

Thanks.

lechediaz commented 1 year ago

It worked, deploying the administration site with HTTPS was no problem.

There was no need for this:

app.UseCookiePolicy(new CookiePolicyOptions
{
    Secure = CookieSecurePolicy.Always
});


Greetings

lechediaz commented 1 year ago

Now I have another problem logging out :(

It tells me the following:


Message: "subject contained in id_token_hint is invalid"

To log out correctly, I had to delete the cookies manually... do you think I should create another issue to deal with this?

lechediaz commented 1 year ago

Hello,

I think I have found the problem, the "aud" key in the JWT is not assigned:


Why can this happen? In this case I authenticated using a realm other than "master" using Postman. Can that affect it?

simpleidserver commented 1 year ago

For some reason, the id_token_hint passed in the HTTP request has been issued by https://apps.lechediaz.com:5001/condominiums. However, the client executes a request against the wrong realm (master: https://apps.lechediaz.com:5001/master) to end the end-user session. Can you please give more details about the client's implementation and configuration?

For your information, I created a Bug ticket #522 to host the administration website in HTTPS

Thanks in advance :)

lechediaz commented 1 year ago

I think we mixed two issues.

The error subject contained in id_token_hint is invalid appeared to me on the administration site when I tried to logout. I use the "master" realm for this client.

The token I showed you last I generated it from Postman for a client I called "condominiums", initially I had created it under a realm called the same way, the client uses the grant type Authorization Code + PKCE. I also configured the redirection URLs after login. And that was the token it generated.

Then I deleted the client and created it again but in the "master" realm, I get the same problem in the token.


Checking in the DB, I noticed that also the tokens that I had generated before for the site administrator have the "aud" key empty, so I don't understand how it works.


These are my clients:


simpleidserver commented 1 year ago

I created a bug ticket #523 to fix the audience in the access_token. When the resource parameter is missing from the HTTP request, the audience must be equal to the client_id. The resource parameter enables a client to indicate the protected resources where the requested access token will be used :)

The client SIDS-manager is working because the id_token is passed in the parameter id_token_hint. I think the access_token is passed and not the id_token; can you please check?

lechediaz commented 1 year ago

Yes, I use access_token to secure my API:


simpleidserver commented 1 year ago

If I correctly understood. There is an exception in the SPA Application (condominiums) when you're clicking on the logout button, right ?


The issue #523 is already fixed in the master branch. Now, by default, the audience of an access token will be equal to the client identifier.

lechediaz commented 1 year ago

Nope,

that error you're showing happened in the administration website when signing out, but I notice that every access_token created has no "aud" key, and maybe that is the reason why the administration website fails to log out and my application's web API fails to validate authentication.

Do you use Discord? I could show you and we could try to resolve it together.

lechediaz commented 1 year ago

Hello,

I want to confirm that now the administration site lets you log out correctly after:

The issue https://github.com/simpleidserver/SimpleIdServer/issues/523 is already fixed in the master branch. Now, by default, the audience of an access token will be equal to the client identifier.


lechediaz commented 1 year ago

And I also want to tell you that happily my authorization is working!

I added an option to not validate the audience.


This is the generated token:


Thank you very much for your support.
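
The audience discussion in this thread (an access_token whose "aud" is missing, the fix in #523 that makes "aud" default to the client_id, and the workaround of switching audience validation off in the API), as an added example that is not part of the SimpleIdServer project or of this thread. It mints constructed HS256 tokens with the standard library and runs them through the kind of check a resource server applies, so the effect of `validate_audience=False` is visible: a token with no "aud", and a token issued to a different client, are both accepted. The issuer URL, the shared secret and the client ids are constructed; "condominiums" and "SIDS-manager" are just the names used in the thread.

```python
"""Added example (not SimpleIdServer code): what an API's audience check does
with tokens whose "aud" is missing, correct, or belongs to another client, and
what switching the check off actually accepts. Standard library only."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-shared-secret-do-not-reuse"   # constructed; real IdPs sign with RS256/ES256 keys
ISSUER = "https://idp.example/master"                 # constructed issuer URL
API_CLIENT_ID = "condominiums"                        # the audience this API expects


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Constructed HS256 JWT, standing in for the access_token the IdP issues."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate(token: str, expected_audience: str, validate_audience: bool = True) -> dict:
    """Verify signature, issuer, expiry and (optionally) audience.
    Raises ValueError on any failure; returns the claims on success."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError as exc:            # covers binascii, JSON and unicode errors
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        raise ValueError("bad signature")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    if validate_audience:
        # RFC 7519 allows "aud" to be a string or an array of strings; a missing
        # "aud" (the bug fixed by #523) must be treated as a mismatch.
        aud = claims.get("aud")
        audiences = [aud] if isinstance(aud, str) else (aud or [])
        if expected_audience not in audiences:
            raise ValueError(f"audience mismatch: aud={aud!r}")
    return claims


def is_accepted(token: str, expected_audience: str, validate_audience: bool = True) -> bool:
    try:
        validate(token, expected_audience, validate_audience)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Run constructed tokens through both validator settings."""
    now = int(time.time())
    base = {"iss": ISSUER, "sub": "user-1", "iat": now, "exp": now + 300}
    tokens = {
        "no_aud": mint_token(base),                                    # what the thread observed before #523
        "aud_condominiums": mint_token({**base, "aud": API_CLIENT_ID}),  # what #523 produces by default
        "aud_sids_manager": mint_token({**base, "aud": "SIDS-manager"}),  # issued to the admin site's client
    }
    results = {}
    for name, tok in tokens.items():
        for strict in (True, False):
            results[f"{name}/validate_audience={strict}"] = is_accepted(tok, API_CLIENT_ID, strict)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:45s} -> {'accepted' if accepted else 'rejected'}")
```

With `validate_audience=True` only the token whose "aud" names this API is accepted; with it off, the "no_aud" token passes, but so does a perfectly valid token the same issuer minted for SIDS-manager. In ASP.NET Core's JwtBearer handler the equivalent switch is `TokenValidationParameters.ValidateAudience = false`, so once a build containing the #523 fix is deployed the better setting is to keep validation on and set the expected audience to the API's client_id.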