I believe you are getting the Unable to unprotect the message.State error because one of your OIDC providers is trying to decrypt/unprotect the message state of the other one. (The message state is just a random string to help with security.) I suggest that you name the AuthenticationSchemes for each OIDC provider like oidc-demo and … Read more
IdentityServer is for authenticating existing users, not really creating new users. In our use-case, we have 3 projects playing a part: The identity server A protected API An identity provider (aspnet core identity) project Users are created by a call to the API, which creates the appropriate structures in the identity provider. Our identity server … Read more
[HttpPost(“loginas/{id}”)] [Authorize(Roles = “admin”)] public async Task<IActionResult> LoginAs(int id, [FromServices] ITokenService TS, [FromServices] IUserClaimsPrincipalFactory<ApplicationUser> principalFactory, [FromServices] IdentityServerOptions options) { var Request = new TokenCreationRequest(); var User = await userManager.FindByIdAsync(id.ToString()); var IdentityPricipal = await principalFactory.CreateAsync(User); var IdServerPrincipal = IdentityServerPrincipal.Create(User.Id.ToString(), User.UserName, IdentityPricipal.Claims.ToArray()); Request.Subject = IdServerPrincipal; Request.IncludeAllIdentityClaims = true; Request.ValidatedRequest = new ValidatedRequest(); Request.ValidatedRequest.Subject = Request.Subject; Request.ValidatedRequest.SetClient(Config.GetClients().First()); Request.Resources … Read more
There are two types of authentication, cookie and bearer. Where the cookie keeps you logged in, the bearer token can’t. Because the bearer token is set to expire at some point, without allowing you to change the lifetime. The only way to access the resource (api) after the access token expires is to either let … Read more
Scopes listed under IdentityResources are the scopes that will be included in the ID-token. ApiScopes is what you ask for as a client and as a user you give consent to. Optionally, one or more ApiResources can associated with an ApiScope. The ApiScope and ApiResources controls what is included in the access token. ApiResources points … Read more
Update – IdentityServer 4 has changed and replaced IUserService with IResourceOwnerPasswordValidator and IProfileService I used my UserRepository to get all the user data from the database. This is injected (DI) into the constructors, and defined in Startup.cs. I also created the following classes for identity server (which is also injected): First define ResourceOwnerPasswordValidator.cs: public class … Read more
The problem is that the claims are not added to the access token. There are two tokens, the access token and the identity token. When you want to add claims to the identity token, then you’ll have to configure the IdentityResource. If you want to add claims to the access token, then you’ll have to … Read more