Identity Server 4 and Single Sign On

Question
-
User-1780421697 posted
I have two web applications
1: App-A
2: App-B
I have Identity Server 4 for authentication; App-A has its own ClientId and App-B has its own.
What I want is that once a user has logged in to App-A, he will not be re-authenticated for App-B. This works in the case of a Web API, as we have API resources, but how will it work for web applications?
Regards
Khurram Shahzad
Tuesday, March 13, 2018 10:20 AM
All replies
-
User475983607 posted
I have two web applications
1: App-A
2: App-B
I have Identity Server 4 for authentication; App-A has its own ClientId and App-B has its own.
What I want is that once a user has logged in to App-A, he will not be re-authenticated for App-B. This works in the case of a Web API, as we have API resources, but how will it work for web applications?
This should just work out of the box. The code below shows two client configurations on Identity Server.

```csharp
public static IEnumerable<Client> GetClients()
{
    return new List<Client>
    {
        // other clients omitted...

        // OpenID Connect implicit flow client (MVC)
        new Client
        {
            ClientId = "mvc",
            ClientName = "MVC Client",
            AllowedGrantTypes = GrantTypes.Implicit,

            // where to redirect to after login
            RedirectUris = { "https://localhost:44379/signin-oidc" },

            // where to redirect to after logout
            PostLogoutRedirectUris = { "https://localhost:44379/signout-callback-oidc" },

            AllowedScopes = new List<string>
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile
            }
        },

        // second MVC application, registered with its own ClientId and redirect URIs
        new Client
        {
            ClientId = "mvc2",
            ClientName = "MVC Client2",
            AllowedGrantTypes = GrantTypes.Implicit,

            // where to redirect to after login
            RedirectUris = { "https://localhost:44395/signin-oidc" },

            // where to redirect to after logout
            PostLogoutRedirectUris = { "https://localhost:44395/signout-callback-oidc" },

            AllowedScopes = new List<string>
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile
            }
        }
    };
}
```

The login process results in the user (browser) getting two authentication cookies: one for the MVC app (mvc) and one for the Identity Server. When the same browser opens the second app and goes to a secured resource, the browser is redirected to the Identity Server. Since the browser is already logged in to Identity Server, the consent screen is displayed, unless you disabled the consent screen, in which case the user is redirected to the secured resource.

```csharp
// the same second client, with the consent screen disabled
new Client
{
    ClientId = "mvc2",
    ClientName = "MVC Client2",
    AllowedGrantTypes = GrantTypes.Implicit,

    // where to redirect to after login
    RedirectUris = { "https://localhost:44395/signin-oidc" },

    // where to redirect to after logout
    PostLogoutRedirectUris = { "https://localhost:44395/signout-callback-oidc" },

    AllowedScopes = new List<string>
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile
    },
    RequireConsent = false
}
```
Wednesday, March 14, 2018 3:32 PM -
User-1780421697 posted
Thanks for your support. I have tried it with the same flow ("hybrid, hybrid, implicit") and it worked within a browser; my clients were:

```csharp
// entries of the client list registered on Identity Server

// JavaScript Client
new Client
{
    ClientId = "js",
    ClientName = "JavaScript Client",
    AllowedGrantTypes = GrantTypes.Implicit,
    AllowAccessTokensViaBrowser = true,

    RedirectUris = { "http://localhost:5004/callback.html" },
    PostLogoutRedirectUris = { "http://localhost:5004/index.html" },
    AllowedCorsOrigins = { "http://localhost:5004" },

    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        "api1"
    }
},

// first MVC client, hybrid flow with a client secret
new Client
{
    ClientId = "mvc",
    ClientName = "MVC Client",
    AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
    ClientSecrets = { new Secret("secret".Sha256()) },

    RedirectUris = { "http://localhost:5001/signin-oidc" },
    PostLogoutRedirectUris = { "http://localhost:5001/signout-callback-oidc" },

    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        "api1"
    },
    AllowOfflineAccess = true
},

// second MVC client, same flow, different ClientId and port
new Client
{
    ClientId = "mvc2",
    ClientName = "MVC Client",
    AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
    ClientSecrets = { new Secret("secret".Sha256()) },

    RedirectUris = { "http://localhost:5002/signin-oidc" },
    PostLogoutRedirectUris = { "http://localhost:5002/signout-callback-oidc" },

    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        "api1"
    },
    AllowOfflineAccess = true
}
```

Now there is another issue: when I get logged out by using the JS app

```javascript
// `config` (the oidc-client settings) and `log` (a page helper) are defined elsewhere in the app
var mgr = new Oidc.UserManager(config);

mgr.getUser().then(function (user) {
    if (user) {
        log("User logged in", user.profile);
    } else {
        log("User not logged in");
    }
});

function login() {
    mgr.signinRedirect();
}

function api() {
    mgr.getUser().then(function (user) {
        var url = "http://localhost:5001/identity";

        var xhr = new XMLHttpRequest();
        xhr.open("GET", url);
        xhr.onload = function () {
            log(xhr.status, JSON.parse(xhr.responseText));
        };
        // send the user's access token as a bearer token
        xhr.setRequestHeader("Authorization", "Bearer " + user.access_token);
        xhr.send();
    });
}

function logout() {
    mgr.signoutRedirect();
}
```

it stays logged in in the MVC apps, no matter how many times I refresh the page.
Thursday, March 15, 2018 5:55 AM -
User475983607 posted
Is the first issue solved? If so, mark the post that solved the issue. Please create a new thread for new questions.
Khuram.Shahzad
It stays logged in in the MVC apps, no matter how many times I refresh the page.
Correct, you are using a self-contained token. The clients validate the token. The client apps do not contact Identity Server when using a self-contained token unless the token has expired.
See Reference Tokens in the Identity Server docs. Reference tokens are stored in a database which allows you to revoke the token and affect all applications.
http://docs.identityserver.io/en/release/topics/reference_tokens.html
You can also decrease the token expiration if an immediate logout is not needed.
Also see the Identity Server signout docs.
http://docs.identityserver.io/en/release/topics/signout.html
Thursday, March 15, 2018 10:43 AM -
User-345719443 posted
Hi mgebhard!
I have two Clients defined in my identityserver4 like the two that you put in your comment, but in my case the AllowedGrantTypes is GrantTypes.Hybrid ("AllowedGrantTypes = GrantTypes.Hybrid,") in both Clients. When I sign in to one of the Clients I have a link to jump to the other one, but I still get the login page from identityserver again, even though the user is logged in. I know the user is logged in because I can see it at the top of the login page in identityserver after I click the link to jump a second time, and I even see the cookies generated by the identityserver. I mean, I open one Client and log in there; after that, I hit the link to jump to the other one.
Do you have some idea of what happened in my case?
Friday, April 12, 2019 8:36 PM -
User475983607 posted
This is not really an IdentityServer4 issue. Browser-based applications use a cookie to store the authentication token. You'll need to configure IIS and the applications to share the cookie.
Friday, April 12, 2019 9:01 PM