simpleidserver / SimpleIdServer

OpenID, OAuth 2.0, SCIM2.0, UMA2.0, FAPI, CIBA & OPENBANKING Framework for ASP.NET Core
https://simpleidserver.com/
Apache License 2.0

Ask for advice #664

Open lsleishu opened 6 months ago

lsleishu commented 6 months ago

1. What is the specific introduction of these two functions, and how should I use them? Which process needs to use these two functions? [screenshot]
2. Can a user be limited to logging in to the specified client, not all clients? What actions can be used to achieve it?

simpleidserver commented 6 months ago

Hello,

The authentication context window lists the possible authentication workflows. It enables a client to increase the level of assurance that the identity of the user is correct. For example, the ACR pwd+sms has a higher level of assurance than pwd. An Authentication Context contains one or more Authentication Methods. You can find the list of supported Authentication Methods here: https://simpleidserver.com/docs/iam/authmethods

The Manual Identity Provisioning workflow in SimpleIdServer enables visitors to your web application to create a local account with the identity provider. For more information, please refer to the documentation: https://simpleidserver.com/docs/iam/manualidentityprovisioning

Kind regards,

SID

qq1176914912 commented 6 months ago

About ACRs: after verifying with ACRs in your program, this page will be displayed: [screenshot]. My question is, how do I use this feature, and what is the effect after using it? (Is it necessary to enter a verification code in addition to the password when logging in, but that is not considered double verification?) Could you please explain in detail.

simpleidserver commented 6 months ago

You can utilize the Authentication Context Class Reference (ACR) by including its name in the acr_values parameter of the OPENID authorization request (https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest). In the BackChannelClient project, navigate to the Startup.cs file and insert the following line within the AddOpenIdConnect method:

```csharp
// Runs before every redirect to the identity provider; asks for the "pwd-email" ACR.
options.Events.OnRedirectToIdentityProvider = context =>
{
    context.ProtocolMessage.AcrValues = "pwd-email";
    return Task.CompletedTask;
};
```

When employing password (pwd) and email authentication, it is classified as Two-Factor Authentication (2FA). This classification arises from the fact that the password represents something you know, and the One-Time Password (OTP) is transmitted to something you possess, such as your email or phone. The definition is sourced from this website: https://csrc.nist.gov/glossary/term/2fa
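Added example (not code from the SimpleIdServer project or from this thread): a fuller version of the AddOpenIdConnect wiring above, in which the ACR to request travels in the challenge's AuthenticationProperties instead of being hard-coded, and OnTokenValidated checks the `acr` claim the identity provider actually returned. That check matters because acr_values is only a voluntary request under OIDC Core 1.0 §3.1.2.1, so an OP may answer with a weaker context than the one asked for. The authority URL, the property key `requested_acr` and the class name are assumptions of this example; the client id, secret and ACR names come from the thread.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical helper class; the names are this example's, not the project's.
public static class AcrAwareOpenIdConnect
{
    // Key under which a challenge stores the ACR it wants (AuthenticationProperties.Items); assumed.
    public const string RequestedAcrKey = "requested_acr";
    public const string DefaultAcr = "pwd";

    // ACR requested by the challenge that caused this redirect, or the default one.
    public static string RequestedAcr(AuthenticationProperties? props) =>
        props != null && props.Items.TryGetValue(RequestedAcrKey, out var acr) && !string.IsNullOrEmpty(acr)
            ? acr
            : DefaultAcr;

    // Exact-match rule: the OP must report precisely the context that was requested.
    public static bool AcrSatisfied(string? returnedAcr, string requestedAcr) =>
        string.Equals(returnedAcr, requestedAcr, StringComparison.Ordinal);

    public static IServiceCollection AddAcrAwareOpenIdConnect(this IServiceCollection services)
    {
        services.AddAuthentication(o =>
        {
            o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.Authority = "https://localhost:5001"; // assumed: a local SimpleIdServer instance
            options.ClientId = "protectedServersideApp";   // client registered in the thread
            options.ClientSecret = "password";
            options.ResponseType = "code";
            options.MapInboundClaims = false; // keep "sub" and "acr" under their JWT names

            options.Events.OnRedirectToIdentityProvider = context =>
            {
                // Send the ACR the calling challenge asked for (or the default) as acr_values.
                context.ProtocolMessage.AcrValues = RequestedAcr(context.Properties);
                return Task.CompletedTask;
            };

            options.Events.OnTokenValidated = context =>
            {
                var requested = RequestedAcr(context.Properties);
                var returned = context.Principal?.FindFirst("acr")?.Value;
                if (!AcrSatisfied(returned, requested))
                {
                    // Refuse the sign-in rather than silently accepting a weaker context.
                    context.Fail($"requested acr '{requested}' but the ID token carries '{returned ?? "(none)"}'");
                }
                return Task.CompletedTask;
            };
        });

        return services;
    }
}
```

A call to `context.Fail(...)` surfaces through `OnRemoteFailure`, where the application can redirect to an error page instead of throwing. Setting `MapInboundClaims = false` is what makes `FindFirst("acr")` work: with the default mapping the JWT handler renames `acr` to `http://schemas.microsoft.com/claims/authnclassreference` and `sub` to `ClaimTypes.NameIdentifier`.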

qq1176914912 commented 6 months ago

Yes, I tried what you said; it can be used as 2FA. Besides being used during login, does it have any other usage? For example, when I execute certain important and sensitive interfaces or operations, I need to authenticate before I can continue. Can I implement this operation? If so, how can I call it?

simpleidserver commented 5 months ago

I have created a sample project to demonstrate the usage of the Authentication Context Reference (ACR) parameter. The source code can be found here: https://github.com/simpleidserver/SimpleIdServer/tree/master/samples/ProtectWebsiteServersideACR

Before running the project, follow these steps:

1. Create a Web application client with the following parameters:

   | Parameter | Value |
   | --- | --- |
   | Identifier | protectedServersideApp |
   | Secret | password |
   | Name | protectedServersideApp |
   | Redirection URLs | http://localhost:7000/signin-oidc |

2. Add an Authentication Context with two authentication methods: pwd and console.

   | Parameter | Value |
   | --- | --- |
   | Name | pwd-console |
   | Display name | pwd-console |
   | Authentication methods | pwd and console |

3. Run the web application and browse the website http://localhost:7000.

Click on the Profile button and authenticate with your credentials; you will see your profile information. Click on the Edit the profile button; you will be redirected to the Identity Server because the operation doesn't trust your identity and requires 2FA such as pwd and console. The code will be displayed in the console application of the Identity Server.

qq1176914912 commented 1 month ago

Excuse me, I think there may be some logical errors in this case. Suppose I use the password method to log in to this system with the account 'admin', and when I click "Edit the profile" for 2FA, suppose I specify the mailbox for secondary verification. Generally speaking, this mailbox must be admin's mailbox, that is, I can authenticate admin twice; but now the situation is that I can use anyone's mailbox, as long as the authentication passes. In the example, "pwd-email" is used for 2FA. Suppose I log in as admin for the first time, then use "test1" as the pwd of the 2FA for authentication, and it passes normally. After the successful login, the account information will be changed into "test1" account information. Isn't that logically problematic?

simpleidserver commented 1 month ago

Hello,

I made some modifications to the master branch to prevent the administration website from assigning the same email to two different users. I tried to reproduce the scenario you described, but I was unsuccessful. Could you please describe all the steps to reproduce this problem?

qq1176914912 commented 1 month ago

I recorded a video. Roughly, the content is like this: I ran your sample "ProtectWebsiteServersideACR"; for the first login I used the "administrator" account, and when it came to 2FA I logged in with another account, "user", and the login finally succeeded. The problem is here: generally speaking, shouldn't 2FA be verified again on the basis of the account already logged in? This means that when I perform 2FA, assuming that it is an email address, the 2FA should obtain the email address of the account I have logged in to for verification, instead of randomly verifying the email address of another account, where as long as the verification passes, the login succeeds. If 2FA is "pwd", it should also be required to verify the account that has been logged in ("administrator"), that is, to verify the password of the "administrator" account again, rather than just entering an account to log in successfully. video.zip

simpleidserver commented 1 month ago

Thank you for the description. The issue is fixed in release 5.0.0.

Kind regards,

SID
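Added example, not code from the sample project or from release 5.0.0: the relying-party side of the check this thread converges on, as defense in depth next to the server-side fix. A sensitive action re-challenges the OP for the stronger `pwd-console` context, and an OnTokenValidated hook refuses the step-up result if its `sub` is not the `sub` of the session that is already signed in, so a second account cannot be substituted during the second factor. It assumes `MapInboundClaims = false` on the OpenID Connect options (so claims keep their JWT names), that the redirect event copies the assumed property key `requested_acr` into `ProtocolMessage.AcrValues`, and that the controller and class names are this example's own.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Decision rule kept free of ASP.NET types so it can be unit-tested directly.
public static class StepUpRules
{
    // A step-up result is valid only for the subject that already holds the session.
    // With no session yet (first login) any authenticated subject may proceed.
    public static bool SubjectBound(string? sessionSub, string? stepUpSub)
    {
        if (string.IsNullOrEmpty(stepUpSub)) return false;
        if (string.IsNullOrEmpty(sessionSub)) return true;
        return string.Equals(sessionSub, stepUpSub, StringComparison.Ordinal);
    }
}

public static class StepUpEvents
{
    public const string RequestedAcrKey = "requested_acr"; // assumed key, see lead-in
    public const string StepUpAcr = "pwd-console";          // ACR created in the sample's setup steps

    // Assign to options.Events.OnTokenValidated inside AddOpenIdConnect.
    public static async Task BindToSessionSubject(TokenValidatedContext context)
    {
        // The application cookie still belongs to the user who signed in first;
        // it is replaced only after this event succeeds.
        var session = await context.HttpContext.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        var sessionSub = session.Principal?.FindFirst("sub")?.Value;
        var stepUpSub = context.Principal?.FindFirst("sub")?.Value;

        if (!StepUpRules.SubjectBound(sessionSub, stepUpSub))
        {
            // Reject the substitution instead of letting the new identity overwrite the session.
            context.Fail($"step-up completed as '{stepUpSub}' but the session belongs to '{sessionSub}'");
        }
    }
}

public class ProfileController : Controller
{
    [Authorize]
    public IActionResult Index() => View();

    // Sensitive operation: demand the stronger context, re-challenging the OP when it is absent.
    [Authorize]
    public IActionResult Edit()
    {
        if (User.FindFirst("acr")?.Value != StepUpEvents.StepUpAcr)
        {
            var props = new AuthenticationProperties { RedirectUri = Url.Action(nameof(Edit)) };
            props.Items[StepUpEvents.RequestedAcrKey] = StepUpEvents.StepUpAcr;
            return Challenge(props, OpenIdConnectDefaults.AuthenticationScheme);
        }
        return View();
    }
}
```

Wire it with `options.Events.OnTokenValidated = StepUpEvents.BindToSessionSubject;`. The `acr` comparison in `Edit` is what turns the Profile/Edit-the-profile flow from the sample into step-up authentication; the subject binding is the part the OP must also enforce, since a relying party can only detect the substitution after the fact, not prevent the OP from issuing the token.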

qq1176914912 commented 1 month ago

Thank you. Does the code in the sample need to be changed?

simpleidserver commented 1 month ago

This line must be commented out, otherwise the user will always be logged in: https://github.com/simpleidserver/SimpleIdServer/blob/master/samples/ProtectWebsiteServersideACR/src/Website/Program.cs#L19.

qq1176914912 commented 1 month ago

Thank you for reminding me. I tried your case, but there was a problem when I used pwd-email. The location of the email is the user name, which is locked and cannot be modified. I see that your source code uses pwd-console, did you not take into account the situation of SMS and mailbox?

https://github.com/simpleidserver/SimpleIdServer/assets/79817742/ddf76e2d-4ebd-4cb1-a528-c9164b3ffc7c

simpleidserver commented 4 weeks ago

The issue is fixed in the master branch