mmacneil / angularaspnetcoreoauth

Sample project demonstrating user authentication and identity with Angular, Asp.Net Core and IdentityServer4

Home Page: https://fullstackmark.com/post/21/user-authentication-and-identity-with-angular-aspnet-core-and-identityserver

License: MIT License

C# 54.41% HTML 12.76% CSS 0.86% JavaScript 1.48% TypeScript 30.24% SCSS 0.25%
angular aspnetcore identityserver4 oauth2 openid-connect

angularaspnetcoreoauth's Issues

The purpose of ResourceAPI

Hello!

I didn't know how else I would reach you, but I have been trying to wrap my head around the "ResourceAPI" purpose,
and it's still not clear to me.

  1. When the Angular app is trying to communicate with the backend, why not just do so directly with the AuthServer?
  2. And in case I wanted my Angular app to communicate with the backend, then the URI should include the "API/controller" in the "ValuesController" class, then add, say, the "register" URI? It's still confusing, especially how it (the resource API) redirects to "AuthServer".
  3. Is it playing like some sort of a gateway? If so, should I configure it if I had to add some logic? To be more specific, in what situation(s) will the ResourceAPI serve me?

AccountController cannot resolve action 'Challenge'

When I loaded the AuthServer solution, I saw an error in my IDE (Rider) that says 'Cannot resolve action 'Challenge'' on line 48 of the AccountController:

return RedirectToAction("Challenge", "External", new { provider = vm.ExternalLoginScheme, returnUrl });

There appears to be a missing External Controller?

I'm also seeing a similar error on lines 79 and 120, 'Cannot resolve view Redirect':

return View("Redirect", new RedirectViewModel { RedirectUrl = model.ReturnUrl });

There is no 'Redirect' view inside the folder 'Views/Account'

Can't get logged in

I keep getting redirected, it's not clear what the exact problem is.

  • First, it seemed PersistedGrants wasn't working. I had to install dotnet-ef 2.1
    (I'm mentioning this for other people). My ef database is now successfully migrated.

The port of the project is not 5000, but another one (but all endpoints work and it doesn't seem to be redirecting to another URL somewhere when I check Fiddler).

The only "weird" thing is that the srv.session cookie is a year old. But I guess it's to remove the cookie every time:

Tried updating to the latest IdentityServer4 in the major version (e.g. 2.5.3). --> No dice

Whatever I try, I keep hitting the login page with the same "not authenticated user" in my logs.
When I try an invalid password, I receive the appropriate message.

---------------------Log ------------------------------

2019-11-15 02:56:12.455 +01:00 [INF] Starting IdentityServer4 version 2.4.0.0
2019-11-15 02:56:12.808 +01:00 [INF] Using the default authentication scheme Identity.Application for IdentityServer
2019-11-15 02:56:12.810 +01:00 [DBG] Using Identity.Application as default ASP.NET Core scheme for authentication
2019-11-15 02:56:12.813 +01:00 [DBG] Using Identity.External as default ASP.NET Core scheme for sign-in
2019-11-15 02:56:12.817 +01:00 [DBG] Using Identity.External as default ASP.NET Core scheme for sign-out
2019-11-15 02:56:12.819 +01:00 [DBG] Using Identity.Application as default ASP.NET Core scheme for challenge
2019-11-15 02:56:12.822 +01:00 [DBG] Using Identity.Application as default ASP.NET Core scheme for forbid
2019-11-15 02:56:13.168 +01:00 [DBG] Starting grant removal
2019-11-15 02:56:13.310 +01:00 [DBG] Login Url: /Account/Login
2019-11-15 02:56:13.314 +01:00 [DBG] Login Return Url Parameter: ReturnUrl
2019-11-15 02:56:13.317 +01:00 [DBG] Logout Url: /Account/Logout
2019-11-15 02:56:13.319 +01:00 [DBG] ConsentUrl Url: /consent
2019-11-15 02:56:13.321 +01:00 [DBG] Consent Return Url Parameter: returnUrl
2019-11-15 02:56:13.324 +01:00 [DBG] Error Url: /home/error
2019-11-15 02:56:13.328 +01:00 [DBG] Error Id Parameter: errorId
2019-11-15 02:56:35.099 +01:00 [DBG] CORS request made for path: /.well-known/openid-configuration from origin: http://localhost:4200
2019-11-15 02:56:35.103 +01:00 [DBG] Client list checked and origin: http://localhost:4200 is allowed
2019-11-15 02:56:35.104 +01:00 [DBG] CorsPolicyService allowed origin: http://localhost:4200
2019-11-15 02:56:35.123 +01:00 [DBG] Request path /.well-known/openid-configuration matched to endpoint type Discovery
2019-11-15 02:56:35.150 +01:00 [DBG] Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryEndpoint
2019-11-15 02:56:35.153 +01:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryEndpoint for /.well-known/openid-configuration
2019-11-15 02:56:35.159 +01:00 [DBG] Start discovery request
2019-11-15 02:56:35.249 +01:00 [DBG] Request path /connect/authorize matched to endpoint type Authorize
2019-11-15 02:56:35.260 +01:00 [DBG] Endpoint enabled: Authorize, successfully created handler: IdentityServer4.Endpoints.AuthorizeEndpoint
2019-11-15 02:56:35.263 +01:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
2019-11-15 02:56:35.271 +01:00 [DBG] Start authorize request
2019-11-15 02:56:35.289 +01:00 [DBG] No user present in authorize request
2019-11-15 02:56:35.298 +01:00 [DBG] Start authorize request protocol validation
2019-11-15 02:56:35.325 +01:00 [DBG] client configuration validation for client angular_spa succeeded.
2019-11-15 02:56:35.374 +01:00 [DBG] Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
2019-11-15 02:56:35.397 +01:00 [INF] ValidatedAuthorizeRequest
{"ClientId":"angular_spa","ClientName":"Angular SPA","RedirectUri":"http://localhost:4200/auth-callback","AllowedRedirectUris":["http://localhost:4200/auth-callback"],"SubjectId":"anonymous","ResponseType":"id_token token","ResponseMode":"fragment","GrantType":"implicit","RequestedScopes":"openid profile email api.read","State":"2acc6812a2de4645b57f1a8a5357a427","UiLocales":null,"Nonce":"535752b0b9184c2fa72b00387f53a0a2","AuthenticationContextReferenceClasses":null,"DisplayMode":null,"PromptMode":null,"MaxAge":null,"LoginHint":null,"SessionId":null,"Raw":{"client_id":"angular_spa","redirect_uri":"http://localhost:4200/auth-callback","response_type":"id_token token","scope":"openid profile email api.read","state":"2acc6812a2de4645b57f1a8a5357a427","nonce":"535752b0b9184c2fa72b00387f53a0a2"},"$type":"AuthorizeRequestValidationLog"}
2019-11-15 02:56:35.411 +01:00 [INF] Showing login: User is not authenticated
2019-11-15 02:56:35.482 +01:00 [DBG] Start authorize request protocol validation
2019-11-15 02:56:35.484 +01:00 [DBG] client configuration validation for client angular_spa succeeded.
2019-11-15 02:56:35.485 +01:00 [DBG] Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
2019-11-15 02:56:35.489 +01:00 [DBG] client configuration validation for client angular_spa succeeded.
2019-11-15 02:56:37.141 +01:00 [DBG] Start authorize request protocol validation
2019-11-15 02:56:37.143 +01:00 [DBG] client configuration validation for client angular_spa succeeded.
2019-11-15 02:56:37.145 +01:00 [DBG] Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
2019-11-15 02:56:37.858 +01:00 [DBG] Augmenting SignInContext
2019-11-15 02:56:37.864 +01:00 [DBG] Adding idp claim with value: local
2019-11-15 02:56:37.866 +01:00 [DBG] Adding amr claim with value: pwd
2019-11-15 02:56:37.888 +01:00 [DBG] client configuration validation for client angular_spa succeeded.
2019-11-15 02:56:37.946 +01:00 [DBG] Request path /connect/authorize/callback matched to endpoint type Authorize
2019-11-15 02:56:37.949 +01:00 [DBG] Endpoint enabled: Authorize, successfully created handler: IdentityServer4.Endpoints.AuthorizeCallbackEndpoint
2019-11-15 02:56:37.951 +01:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeCallbackEndpoint for /connect/authorize/callback
2019-11-15 02:56:37.961 +01:00 [DBG] Start authorize callback request
2019-11-15 02:56:37.969 +01:00 [DBG] No user present in authorize request
2019-11-15 02:56:37.972 +01:00 [DBG] Start authorize request protocol validation
2019-11-15 02:56:37.975 +01:00 [DBG] client configuration validation for client angular_spa succeeded.
2019-11-15 02:56:37.978 +01:00 [DBG] Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
2019-11-15 02:56:37.980 +01:00 [INF] ValidatedAuthorizeRequest
{"ClientId":"angular_spa","ClientName":"Angular SPA","RedirectUri":"http://localhost:4200/auth-callback","AllowedRedirectUris":["http://localhost:4200/auth-callback"],"SubjectId":"anonymous","ResponseType":"id_token token","ResponseMode":"fragment","GrantType":"implicit","RequestedScopes":"openid profile email api.read","State":"2acc6812a2de4645b57f1a8a5357a427","UiLocales":null,"Nonce":"535752b0b9184c2fa72b00387f53a0a2","AuthenticationContextReferenceClasses":null,"DisplayMode":null,"PromptMode":null,"MaxAge":null,"LoginHint":null,"SessionId":null,"Raw":{"client_id":"angular_spa","redirect_uri":"http://localhost:4200/auth-callback","response_type":"id_token token","scope":"openid profile email api.read","state":"2acc6812a2de4645b57f1a8a5357a427","nonce":"535752b0b9184c2fa72b00387f53a0a2"},"$type":"AuthorizeRequestValidationLog"}
2019-11-15 02:56:37.982 +01:00 [INF] Showing login: User is not authenticated
2019-11-15 02:56:38.002 +01:00 [DBG] Start authorize request protocol validation
2019-11-15 02:56:38.004 +01:00 [DBG] client configuration validation for client angular_spa succeeded.
2019-11-15 02:56:38.007 +01:00 [DBG] Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
2019-11-15 02:56:38.010 +01:00 [DBG] client configuration validation for client angular_spa succeeded.
2019-11-15 02:56:43.234 +01:00 [INF] Removing 0 grants


2019-11-15 03:03:44.453 +01:00 [INF] Removing 0 grants
2019-11-15 03:04:14.479 +01:00 [INF] Removing 0 grants
2019-11-15 03:04:44.492 +01:00 [INF] Removing 0 grants
2019-11-15 03:05:14.510 +01:00 [INF] Removing 0 grants
2019-11-15 03:05:44.522 +01:00 [INF] Removing 0 grants
2019-11-15 03:06:14.540 +01:00 [INF] Removing 0 grants
2019-11-15 03:06:44.554 +01:00 [INF] Removing 0 grants
2019-11-15 03:07:14.568 +01:00 [INF] Removing 0 grants


Any thoughts on what could be wrong? My current thought is that I'm not receiving any grants right now. But I don't know why.

Get Data From API Securely without user login

Hi Mark,
Thanks for your article, it was quite helpful. I have a lot of questions about this approach; I hope you can help me, if you wish to help a newbie :)

First of all, how can I get data from the API in Angular securely without user login? For example, when you want to show articles on the website without needing the user to log in to get data from the API.

Following on from that, how could I log in with no need to go to the Identity Server app to log in, like sending a POST request with login information in its body securely to Identity Server? I think it's quite a drawback with all those different links and the call-back component; it should be a simple login inside Angular, like registration!

I'll be very grateful if you could help me with any sort of articles, code, examples, etc. :)

angular 8

Hi,
How can I replace all IdentityServer4 MVC view templates (like login and register) with Angular templates?

Thanks in advance for any ideas.

Missing extraTokenParams

Hello, can you add the extraTokenParams attribute to the OidcClientSettings interface?
The JS library has this attribute and I need it :(
Thanks!

sign out does not properly work

Hi,
After I have logged in, once I click on sign out it redirects me to the home page, but
then when I press log in it instantly authenticates me.

I believe it is because the log out functionality isn't implemented on the server side (auth server).
Can you take a look?

TopSecret redirects to login on browser page refresh (F5)

Hello Mark,
Thank you for sharing this wonderful repository with everyone, it has been a great learning experience.

I was playing around with the repository and noticed that after successful login when I browse to the Top Secret page/component using the link in the header it works fine as expected, after that if I do a page reload using the browser refresh button or F5 then I am redirected to the login page.

For some strange reason the canActivate method in the auth.guard.ts file returns false when the page is reloaded.

Any suggestions to resolve this?

Thank you :)

PersistedGrantDbContext issue

The following command doesn't create the respective entities in the database. Also, I don't see the consent page after login.

AuthServer.Infrastructure> dotnet ef database update --context PersistedGrantDbContext

Please suggest

Login does not work

After login, it stays there and does not go back to the SPA site, and I can see this in the log.
Any idea?

2019-09-29 11:27:40.482 -07:00 [DBG] Augmenting SignInContext
2019-09-29 11:27:40.486 -07:00 [DBG] Adding idp claim with value: local
2019-09-29 11:27:40.487 -07:00 [DBG] Adding amr claim with value: pwd
2019-09-29 11:27:56.194 -07:00 [DBG] client configuration validation for client angular_spa succeeded.
2019-09-29 11:29:19.608 -07:00 [INF] Removing 0 grants
2019-09-29 11:29:19.641 -07:00 [DBG] Request path /connect/authorize/callback matched to endpoint type Authorize
2019-09-29 11:29:19.643 -07:00 [DBG] Endpoint enabled: Authorize, successfully created handler: IdentityServer4.Endpoints.AuthorizeCallbackEndpoint
2019-09-29 11:29:19.644 -07:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeCallbackEndpoint for /connect/authorize/callback
2019-09-29 11:29:19.649 -07:00 [DBG] Start authorize callback request
2019-09-29 11:29:19.654 -07:00 [DBG] No user present in authorize request
2019-09-29 11:29:19.655 -07:00 [DBG] Start authorize request protocol validation
2019-09-29 11:29:19.657 -07:00 [DBG] client configuration validation for client angular_spa succeeded.
2019-09-29 11:29:19.658 -07:00 [DBG] Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
2019-09-29 11:29:19.659 -07:00 [INF] ValidatedAuthorizeRequest
{"ClientId":"angular_spa","ClientName":"Angular SPA","RedirectUri":"http://localhost:4200/auth-callback","AllowedRedirectUris":["http://localhost:4200/auth-callback"],"SubjectId":"anonymous","ResponseType":"id_token token","ResponseMode":"fragment","GrantType":"implicit","RequestedScopes":"openid profile email api.read","State":"1437dc56e6d44f7a83633019bddc2ba5","UiLocales":null,"Nonce":"0e0f9ccf5aca4280852d12b6bb6ec2a2","AuthenticationContextReferenceClasses":null,"DisplayMode":null,"PromptMode":null,"MaxAge":null,"LoginHint":null,"SessionId":null,"Raw":{"client_id":"angular_spa","redirect_uri":"http://localhost:4200/auth-callback","response_type":"id_token token","scope":"openid profile email api.read","state":"1437dc56e6d44f7a83633019bddc2ba5","nonce":"0e0f9ccf5aca4280852d12b6bb6ec2a2"},"$type":"AuthorizeRequestValidationLog"}
2019-09-29 11:29:19.661 -07:00 [INF] Showing login: User is not authenticated
2019-09-29 11:29:19.673 -07:00 [DBG] Start authorize request protocol validation
2019-09-29 11:29:19.675 -07:00 [DBG] client configuration validation for client angular_spa succeeded.
2019-09-29 11:29:19.676 -07:00 [DBG] Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
2019-09-29 11:29:19.677 -07:00 [DBG] client configuration validation for client angular_spa succeeded.

Security Concerns

I'm seeing that you're inserting the Connection String of the database as string and not going with the configuration way (in the PersistedGrantDbContextFactory). Don't you think that that's a security concern?
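
One way to address the concern raised in this issue, shown as an added example that is not the project's own code: a design-time factory that takes the connection string from configuration rather than from a literal in source. The connection-string name `Default`, the SQL Server provider and the settings file names are assumptions.

```csharp
using System;
using System.IO;
using IdentityServer4.EntityFramework.DbContexts;
using IdentityServer4.EntityFramework.Options;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Design;
using Microsoft.Extensions.Configuration;

// Used by "dotnet ef" at design time only; the running host should resolve
// its connection string through the same configuration sources.
public class PersistedGrantDbContextFactory
    : IDesignTimeDbContextFactory<PersistedGrantDbContext>
{
    // Hypothetical name; use whatever key the host's appsettings.json uses.
    private const string ConnectionName = "Default";

    public PersistedGrantDbContext CreateDbContext(string[] args)
    {
        var environment =
            Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") ?? "Production";

        // Later sources override earlier ones, so a deployment can supply
        // ConnectionStrings__Default as an environment variable and keep the
        // credential out of the repository entirely.
        IConfigurationRoot configuration = new ConfigurationBuilder()
            .SetBasePath(Directory.GetCurrentDirectory())
            .AddJsonFile("appsettings.json", optional: true)
            .AddJsonFile($"appsettings.{environment}.json", optional: true)
            .AddEnvironmentVariables()
            .Build();

        string connectionString = configuration.GetConnectionString(ConnectionName);
        if (string.IsNullOrWhiteSpace(connectionString))
        {
            // Fail closed: no silent fallback to a literal in source.
            throw new InvalidOperationException(
                $"Connection string '{ConnectionName}' is not configured.");
        }

        var builder = new DbContextOptionsBuilder<PersistedGrantDbContext>();
        builder.UseSqlServer(connectionString, sql =>
            // The context type lives in the IdentityServer4 package, so EF must be
            // told that the migrations are in this project's assembly.
            sql.MigrationsAssembly(
                typeof(PersistedGrantDbContextFactory).Assembly.GetName().Name));

        return new PersistedGrantDbContext(builder.Options, new OperationalStoreOptions());
    }
}
```

A literal connection string in a factory class is committed with the code and shared by every environment that builds it; reading it from configuration lets each environment supply its own value and lets the credential be rotated without a code change.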

Fail to delete the corrupted, empty database in AWS RDS

Hi Mr. Mark,

Thank you for your valuable work!
I can make this project work fine with the local DB. So, I want to create the same database in my AWS RDS DB instance. But both of them are created with errors. And the most confusing thing is that I fail to delete these two databases in my DB instance.

The warning message from SSMS:
"Msg 3701, Level 11, State 2, Line 3
Cannot drop the database 'AuthServer', because it does not exist or you do not have permission."

Any help is highly appreciated. Thank you in advance!

Upgrade API to Core 3

I tried to convert the Resource.API project to Core 3 but had no success.
User.Claims does not contain any entries.
