7
votes

Trying to use Thinktecture IdentityServer v3 as a simple STS for multiple MVC applications.
I'm able to walk through the sample applications provided and they run fine, but they all use embedded IdentityServer. I need IdentityServer to be a separate application so that I can use it as the STS for several apps. When I try to run IdentityServer and connect the sample MVC application to it, I seem to be missing something.

The sample MVC app uses Katana:

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions...

but I'm just not understanding how to configure it correctly for an external app service. My guess is I'm not using the right endpoint.

Here is my relying party configuration in MVC. I then have the latest IS v3 running untouched here: :44333

In the mvc app whenever I try to navigate to a view that requires authorization I get the exception.

Stack Trace:

[HttpRequestException: Response status code does not indicate success: 404 (Not Found).]
   System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode() +87960
   Microsoft.IdentityModel.Protocols.<GetDocumentAsync>d__0.MoveNext() +496

[IOException: Unable to get document from: https://localhost:44333/.well-known/openid-configuration]
   Microsoft.IdentityModel.Protocols.<GetDocumentAsync>d__0.MoveNext() +830
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
   System.Runtime.CompilerServices.TaskAwaiter`1.GetResult() +24
   Microsoft.IdentityModel.Protocols.<GetAsync>d__0.MoveNext() +512
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
   System.Runtime.CompilerServices.TaskAwaiter`1.GetResult() +24
   Microsoft.IdentityModel.Protocols.<GetConfigurationAsync>d__3.MoveNext() +1332

Here is the full auth config in the MVC app.

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    //Authority = "https://localhost:44319/identity",
    Authority = "https://localhost:44333",
    ClientId = "mvc",
    Scope = "openid profile roles",
    RedirectUri = "https://localhost:44319/",

    SignInAsAuthenticationType = "Cookies",
    UseTokenLifetime = false,

    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        SecurityTokenValidated = async n =>
            {
                var id = n.AuthenticationTicket.Identity;

                // we want to keep first name, last name, subject and roles
                var givenName = id.FindFirst(Constants.ClaimTypes.GivenName);
                var familyName = id.FindFirst(Constants.ClaimTypes.FamilyName);
                var sub = id.FindFirst(Constants.ClaimTypes.Subject);
                var roles = id.FindAll(Constants.ClaimTypes.Role);

                // create new identity and set name and role claim type
                var nid = new ClaimsIdentity(
                    id.AuthenticationType,
                    Constants.ClaimTypes.GivenName,
                    Constants.ClaimTypes.Role);

                nid.AddClaim(givenName);
                nid.AddClaim(familyName);
                nid.AddClaim(sub);
                nid.AddClaims(roles);

                // keep the id_token for logout
                nid.AddClaim(new Claim("id_token", n.ProtocolMessage.IdToken));

                // add some other app specific claim
                nid.AddClaim(new Claim("app_specific", "some data"));

                n.AuthenticationTicket = new AuthenticationTicket(
                    nid,
                    n.AuthenticationTicket.Properties);
            },
        RedirectToIdentityProvider = async n =>
            {
                if (n.ProtocolMessage.RequestType == OpenIdConnectRequestType.LogoutRequest)
                {
                    var idTokenHint = n.OwinContext.Authentication.User.FindFirst("id_token");

                    if (idTokenHint != null)
                    {
                        n.ProtocolMessage.IdTokenHint = idTokenHint.Value;
                    }
                }
            }
    }
});
Well I got a little further, but still would appreciate guidance to my stupidity if anyone is willing to offer. By changing Authority and adding the MetadataAddress to the MVC configuration I was able to get it to work. Authority = "idsrv3.com", MetadataAddress = "localhost:44333/core/.well-known/openid-configuration" – Aaron792000

Could you add the content of the Startup.cs file you used to configure IdentityServer v3? I also created a tutorial to configure IdSrv3; there you have the configuration of IdSrv and also an MVC app that requests some public resource after the user gave consent: link to tutorial – Cedric Dumont

I encountered this issue; refreshing the page solved it. It seems the STS site doesn't respond some of the time. – Mike Anderson

1 Answer

0
votes

Your endpoint is missing the /identity at the end
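The 404 in the question's stack trace and the fix in the answer both come down to how the relying party builds its discovery URL: when MetadataAddress is not set, the middleware appends /.well-known/openid-configuration to Authority, so an Authority that stops at the host asks for a document that IdentityServer only serves under its base path. The Python script below is an added example, not code from the question, the answer or the IdentityServer project. It reproduces that derivation offline against a constructed stand-in for the server (the /core path of the hosted document and its issuer value "https://idsrv3.com" are assumptions, chosen to match the Authority/MetadataAddress split the asker reports working) and then applies the checks a relying party should make on the document before trusting it: https only, a 200 response, well-formed JSON carrying the endpoints it needs, and an issuer identical to the configured authority, which is the rule in OpenID Connect Discovery 1.0 section 4.3.

```python
"""Offline model of OpenID Connect discovery for a relying party.

Added example, not from the question, the answer or IdentityServer itself.
Shows how the metadata URL is derived from Authority and what to validate
in the discovery document before trusting it.
"""
import json
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

WELL_KNOWN = ".well-known/openid-configuration"

# Constructed stand-in for the IdentityServer host: metadata URL -> (status, body).
# ASSUMPTIONS: the document is served under /core and its issuer is
# "https://idsrv3.com", matching the configuration the asker reports working.
# Any URL not listed here returns 404, as in the question's stack trace.
HOSTED: Dict[str, Tuple[int, str]] = {
    "https://localhost:44333/core/" + WELL_KNOWN: (200, json.dumps({
        "issuer": "https://idsrv3.com",
        "jwks_uri": "https://localhost:44333/core/.well-known/jwks",
        "authorization_endpoint": "https://localhost:44333/core/connect/authorize",
        "token_endpoint": "https://localhost:44333/core/connect/token",
        "end_session_endpoint": "https://localhost:44333/core/connect/endsession",
    })),
}

# Keys the relying party cannot function without.
REQUIRED_KEYS = ("issuer", "jwks_uri", "authorization_endpoint", "token_endpoint")


def metadata_url(authority: str) -> str:
    """Authority with a single trailing slash plus the well-known suffix.

    https://host:44333 yields https://host:44333/.well-known/..., which a server
    that only serves discovery under its base path (e.g. /core) answers with 404.
    """
    return authority.rstrip("/") + "/" + WELL_KNOWN


def fetch(url: str) -> Tuple[int, str]:
    """Constructed transport over HOSTED; a real client would issue an HTTPS GET."""
    return HOSTED.get(url, (404, ""))


def normalize_issuer(url: str) -> str:
    """Issuer comparison is a string comparison; only a trailing slash is tolerated."""
    return url.rstrip("/")


def check_discovery(authority: str, metadata_address: Optional[str] = None) -> dict:
    """Resolve and validate the discovery document for one relying-party config.

    Returns {"metadata_url", "ok", "problems", ["issuer"]}; stops at the first
    problem, because the relying party must fail closed.
    """
    url = metadata_address or metadata_url(authority)
    result: dict = {"metadata_url": url, "ok": False, "problems": []}

    # 1. Metadata must arrive over TLS; otherwise an on-path party could hand the
    #    relying party its own jwks_uri and endpoints.
    scheme = urlsplit(url).scheme
    if scheme != "https":
        result["problems"].append(f"refusing to fetch metadata over {scheme!r}; https required")
        return result

    # 2. The request must succeed; this is the page's "Unable to get document" case.
    status, body = fetch(url)
    if status != 200:
        result["problems"].append(f"Unable to get document from: {url} (HTTP {status})")
        return result

    # 3. The body must be JSON and carry the endpoints the relying party needs.
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        result["problems"].append("discovery document is not valid JSON")
        return result
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        result["problems"].append("discovery document lacks: " + ", ".join(missing))
        return result

    # 4. Discovery 1.0 section 4.3: the issuer in the document must be identical to
    #    the issuer the client configured, or it would trust a provider it never chose.
    if normalize_issuer(doc["issuer"]) != normalize_issuer(authority):
        result["problems"].append(
            f"issuer {doc['issuer']!r} does not match configured authority {authority!r}")
        return result

    result["ok"] = True
    result["issuer"] = doc["issuer"]
    return result


if __name__ == "__main__":
    scenarios = [
        ("Authority stops at the host (question)", "https://localhost:44333", None),
        ("Authority + MetadataAddress split (comment)", "https://idsrv3.com",
         "https://localhost:44333/core/" + WELL_KNOWN),
        ("Authority has base path, issuer differs", "https://localhost:44333/core", None),
        ("Plain http authority", "http://localhost:44333/core", None),
    ]
    for label, authority, metadata in scenarios:
        r = check_discovery(authority, metadata)
        print(f"{label}: {'OK' if r['ok'] else 'FAIL'} -> {r['problems'] or r['issuer']}")
```

The first scenario reproduces the question's failure: the derived URL has no /core segment and the stand-in returns 404. The second passes only because Authority was set to the value the document's issuer carries, which is why the asker's Authority/MetadataAddress split worked; the third shows that an Authority naming the right base path still fails the section 4.3 issuer comparison when the provider is configured with a different IssuerUri, so Authority and the provider's issuer have to agree rather than merely both pointing at the same host.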