OWIN middleware for OpenID Connect - Code flow ( Flow type - AuthorizationCode) documentation?

Solution 1

Edit: good news, code flow and response_mode=query support was finally added to Katana, as part of the 4.1 release (that shipped in November 2019): https://github.com/aspnet/AspNetKatana/wiki/Roadmap#410-release-november-2019.


The OpenID Connect middleware doesn't support the code flow: http://katanaproject.codeplex.com/workitem/247 (it's already fixed in the ASP.NET 5 version, though).

Actually, only the implicit flow (id_token) is officially supported, and you have to use the response_mode=form_post extension. Trying to use the authorization code flow will simply result in an exception being thrown during the callback, because it won't be able to extract the (missing) id_token from the authentication response.

Though not directly supported, you can also use the hybrid flow (code + id_token (+ token)), but it's up to you to implement the token request part. You can see https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/blob/dev/samples/Nancy/Nancy.Client/Startup.cs#L82-L115 for an example.

Solution 2

The answer and comment replies by Pinpoint are spot on. Thanks!

But if you are willing to step away from the NuGet package and instead run modified source code for Microsoft.Owin.Security.OpenIdConnect you can get code (code) flow with form_post.

Of course this can be said for all open source project problems, but this was a quick solution for a big thing in my case, so I thought I'd share that it could be an option.

I downloaded code from https://github.com/aspnet/AspNetKatana, added the csproj to my solution and removed lines from https://github.com/aspnet/AspNetKatana/blob/dev/src/Microsoft.Owin.Security.OpenIdConnect/OpenidConnectAuthenticationHandler.cs in AuthenticateCoreAsync().

You must then combine it with backchannel calls and then create your own new ClaimsIdentity() to set as the notification.AuthenticationTicket.

// Install-Package IdentityModel to handle the backchannel calls in a nicer fashion
AuthorizationCodeReceived = async notification =>
{
    // Resolve the token and userinfo endpoints from the provider's discovery document
    var configuration = await notification.Options.ConfigurationManager
             .GetConfigurationAsync(notification.Request.CallCancelled);

    // Back-channel call: redeem the one-time code for tokens, sending the client
    // secret in the POST body (client_secret_post)
    var tokenClient = new TokenClient(configuration.TokenEndpoint,
             notification.Options.ClientId, notification.Options.ClientSecret,
                  AuthenticationStyle.PostValues);
    // redirect_uri must be exactly the value sent in the authorization request
    var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(
        notification.ProtocolMessage.Code,
        "http://localhost:53004/signin-oidc",
        cancellationToken: notification.Request.CallCancelled);

    // Refuse to sign the user in if the exchange failed or the expected tokens are missing
    if (tokenResponse.IsError
            || string.IsNullOrWhiteSpace(tokenResponse.AccessToken)
            || string.IsNullOrWhiteSpace(tokenResponse.RefreshToken))
    {
        notification.HandleResponse();
        notification.Response.Write("Error retrieving tokens.");
        return;
    }

    // Second back-channel call: fetch the user's claims with the access token
    var userInfoClient = new UserInfoClient(configuration.UserInfoEndpoint);
    var userInfoResponse = await userInfoClient.GetAsync(tokenResponse.AccessToken);

    if (userInfoResponse.IsError)
    {
        notification.HandleResponse();
        notification.Response.Write("Error retrieving user info.");
        return;
    }
    .. // rest of the handler: build the new ClaimsIdentity and set notification.AuthenticationTicket
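Both answers leave the actual token-endpoint traffic to the application: Solution 1 says the token request is "up to you" for the hybrid flow, and Solution 2 delegates it to IdentityModel's TokenClient. The question also asks what the refresh-token request looks like. The class below is an added example, not code from either answer, from Katana or from IdentityModel: it makes the two back-channel calls a code-flow relying party has to make (redeem the code, later refresh) directly against the token endpoint with HttpClient, so it does not depend on a specific IdentityModel version, and it performs the checks the answers' snippet omits (error body, token_type, id_token signature/issuer/audience via the JWT handler, and the nonce). Assumptions: the Newtonsoft.Json and System.IdentityModel.Tokens.Jwt packages are referenced; the caller passes the token endpoint URL (for example configuration.TokenEndpoint from the discovery document) and a TokenValidationParameters already populated with the issuer, the client_id as audience and the provider's signing keys; the nonce passed in is the one the RP generated for the authorization request.

```csharp
// Added example: back-channel code redemption and refresh for an OWIN code-flow RP.
// Not from the answers above or from Katana/IdentityModel; see the assumptions in the text.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Tokens;   // TokenValidationParameters, SecurityToken (5.x API assumed)
using Newtonsoft.Json.Linq;             // assumption: Newtonsoft.Json is referenced

public sealed class TokenEndpointResult
{
    public string AccessToken { get; set; }
    public string RefreshToken { get; set; }
    public string IdToken { get; set; }
    public string TokenType { get; set; }
    public int ExpiresIn { get; set; }
    public string Error { get; set; }
    public ClaimsPrincipal IdTokenPrincipal { get; set; }   // claims of the validated id_token
    public bool IsError { get { return Error != null; } }
}

public sealed class BackchannelTokenClient
{
    private static readonly HttpClient Http = new HttpClient();
    private readonly string _tokenEndpoint;
    private readonly string _clientId;
    private readonly string _clientSecret;

    public BackchannelTokenClient(string tokenEndpoint, string clientId, string clientSecret)
    {
        _tokenEndpoint = tokenEndpoint;
        _clientId = clientId;
        _clientSecret = clientSecret;
    }

    // Redeem the one-time code. redirectUri must be byte-for-byte the value sent in the
    // authorization request (the server compares them). The id_token in the response must carry
    // the nonce the RP generated, which ties this token response to that login attempt.
    public async Task<TokenEndpointResult> RedeemCodeAsync(
        string code, string redirectUri, string expectedNonce,
        TokenValidationParameters validationParameters, CancellationToken ct)
    {
        var result = await PostAsync(new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code",
            ["code"] = code,
            ["redirect_uri"] = redirectUri,
            ["client_id"] = _clientId,
            ["client_secret"] = _clientSecret,   // client_secret_post, like AuthenticationStyle.PostValues
        }, ct);
        if (result.IsError) return result;
        if (string.IsNullOrEmpty(result.IdToken))
            return new TokenEndpointResult { Error = "id_token missing from token response" };

        // Signature, issuer, audience and lifetime are checked by the JWT handler; the nonce is ours to check.
        ClaimsPrincipal principal;
        try
        {
            SecurityToken validated;
            principal = new JwtSecurityTokenHandler().ValidateToken(result.IdToken, validationParameters, out validated);
        }
        catch (SecurityTokenException ex)
        {
            return new TokenEndpointResult { Error = "id_token validation failed: " + ex.Message };
        }
        var nonce = principal.FindFirst("nonce");
        if (nonce == null || nonce.Value != expectedNonce)
            return new TokenEndpointResult { Error = "id_token nonce mismatch" };

        result.IdTokenPrincipal = principal;
        return result;
    }

    // Refresh once the access token expires. Servers commonly rotate refresh tokens, so persist the
    // RefreshToken from this response; an error here means the user has to sign in again.
    public Task<TokenEndpointResult> RefreshAsync(string refreshToken, CancellationToken ct)
    {
        return PostAsync(new Dictionary<string, string>
        {
            ["grant_type"] = "refresh_token",
            ["refresh_token"] = refreshToken,
            ["client_id"] = _clientId,
            ["client_secret"] = _clientSecret,
        }, ct);
    }

    private async Task<TokenEndpointResult> PostAsync(Dictionary<string, string> form, CancellationToken ct)
    {
        using (var response = await Http.PostAsync(_tokenEndpoint, new FormUrlEncodedContent(form), ct))
        {
            var body = await response.Content.ReadAsStringAsync();
            JObject json;
            try { json = JObject.Parse(body); }
            catch (Newtonsoft.Json.JsonException)
            {
                return new TokenEndpointResult { Error = "non-JSON response, HTTP " + (int)response.StatusCode };
            }
            // RFC 6749 section 5.2: failures come back as HTTP 400 with an "error" member
            if (!response.IsSuccessStatusCode || json["error"] != null)
                return new TokenEndpointResult { Error = (string)json["error"] ?? ("HTTP " + (int)response.StatusCode) };

            var tokenType = (string)json["token_type"];
            if (!string.Equals(tokenType, "Bearer", StringComparison.OrdinalIgnoreCase))
                return new TokenEndpointResult { Error = "unexpected token_type: " + tokenType };

            return new TokenEndpointResult
            {
                AccessToken = (string)json["access_token"],
                RefreshToken = (string)json["refresh_token"],
                IdToken = (string)json["id_token"],
                TokenType = tokenType,
                ExpiresIn = (int?)json["expires_in"] ?? 0,
            };
        }
    }
}
```

In the AuthorizationCodeReceived handler from Solution 2 this replaces the TokenClient call: construct the client from configuration.TokenEndpoint, notification.Options.ClientId and notification.Options.ClientSecret, call RedeemCodeAsync with notification.ProtocolMessage.Code, the same redirect URI used for the challenge, the nonce issued for that challenge and notification.Request.CallCancelled, and build the ClaimsIdentity from IdTokenPrincipal (plus the userinfo response). Keep the refresh token server-side or in the encrypted authentication ticket, never in a client-readable cookie, and call RefreshAsync only when the stored expiry has passed.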
Author: Karthik

Updated on June 06, 2022

Comments

  • Karthik, almost 2 years

    In my implementation I am using OpenID-Connect Server (Identity Server v3+) to authenticate Asp.net MVC 5 app (with AngularJS front-end)

    I am planning to use OID Code flow (with Scope Open_ID) to authenticate the client (RP). For the OpenID connect middle-ware, I am using OWIN (Katana Project) components.

    Before the implementation, I want to understand the back-channel token request, the refresh token request process, etc. using OWIN. But I am unable to find any documentation for this type of implementation (most of the available examples use the Implicit flow).

    I could find samples for generic Code flow implementation for ID Server v3 here https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source

    I am looking for a similar one using OWIN middleware? Does anyone have any pointers?

  • Crescent Fresh, over 8 years
    So much knowledge packed into this answer. It must have taken you time to discover all these pain points. Expanding on exception being thrown during the callback for the OP: the exception is due to an id token not being returned in the call to idsvr if you only ask for code flow (which of course is by design).
  • Kévin Chalet, over 8 years
    @CrescentFresh thanks the kind word! Actually, I've contributed a few times to the OIDC middleware (for instance, I introduced the response_mode=query support) and I develop the server counterpart for OWIN/Katana and ASP.NET 5 (github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server), which explains why I feel comfortable with the questions related to OIDC ;) I updated my answer to incorporate your precision, thanks!
  • Learning-Overthinker-Confused, over 6 years
    Can you please help me with this question :stackoverflow.com/questions/47096113/…
  • Johan Kronberg, over 6 years
    Will we see updates for non Core apps wanting to run Microsoft.Owin.Security.OpenIdConnect code flow? Or are there some alternate packages out there when Core migration is still far future for the specific project?
  • Kévin Chalet, over 6 years
    @JohanKronberg Katana 4.0 is about to ship but nothing has changed concerning code flow support. Feel free to open a new ticket on GitHub (github.com/aspnet/AspNetKatana), but I'm not sure it will be supported in the near future.
  • Herb Stahl, over 5 years
    Johan, do you have a GitHub repo that shows a working modification of this library?
  • Johan Kronberg, over 5 years
    Afraid not. In the end we used an even more custom approach.
  • Tratcher, over 4 years
    Code flow support has been added for 4.1 github.com/aspnet/AspNetKatana/pull/297
  • bmode, about 3 years
    Can anyone point me to a sample for configuring Owin 4.1 to use Authentication Code Flow? All the samples I find seem to use implicit flow.