Custom values to external provider #1318
Comments
|
You can always handle the notifications on the IdPs you've registered. Is that not sufficient? |
|
But how do I get these values in the notification handler? |
|
You can pass them via the OWIN environment -- this is injectable via IOwinEnvironmentService in anything in IdSvr. |
|
At what stage should I add them to the OWIN environment? I have looked at |
|
Well, you could perhaps do something from the user service in PreAuthN to capture those values from the SignInMessage, put them into the OWIN environment, and then in the notifications events on the idP middleware extract them from the OWIN environment. |
|
I'm maybe missing something, but I can't see how this is possible. The OWIN environment lifetime is for each http request. The authentication challenge that triggers the provider is in a later request than PreAuthenticateAsync. Or am I wrong? How can I then use environmen to pass values? |
|
In the request to the authentication controller if there's an IdP in the SignInMessage then we skip the login page and redirect to the selected Idp. That's all in one request. PreAuthN gets called in there, so that hook (I'm 99% sure) will work. Try it, and if you can't get it working let me know. |
|
It does not look like that to me. PreAuthenticateAsync is fired by a request to /login and handeled by AuthenticationController.Login(string signin = null). This method does a redirect: if (signInMessage.IdP.IsPresent())
{
Logger.InfoFormat("identity provider requested, redirecting to: {0}", signInMessage.IdP);
return Redirect(context.GetExternalProviderLoginUrl(signInMessage.IdP, signin));
}The redirect sends a http 302 to the browser, and a new http request is made to /external?provider=myprovider&signin=7ca7957618ae3ea893b8017bd9ce65b7 and handeled by AuthenticationController.LoginExternal(string signin, string provider). LoginExternal issues the authentication challenge that thrigger the selected IdP. The environment from AuthenticationController.Login() is gone when the second request hits AuthenticationController.LoginExternal(). One solution can be to change LoginExternal to add data from the SignInMessage (LoginExternal got it from a cookie) to the AuthenticationProperties it sends to Authentication.Challenge when issuing the challenge. |
|
Ah, darn it - you're right. Sorry. What you could do then is use the GetSignInMessage extension method to get the SignInMessage in your IdP middleware. We just added that in 1.5 a couple of weeks ago. |
|
Thanks. I think that may work. It would be great if you can make SignInMessage properties available in the dictionary of AuthenticationProperties in the future. |
|
GetSignInMessage extension method requires signin identifier as argument: public static SignInMessage GetSignInMessage(this IDictionary<string, object> env, string id)What is the prefered way to get this identifier? |
|
For now, you'll have to use that Query param. Perhaps the extension method should do that for you -- feel free to send a PR :) |
|
I found that this value is in the AuthenticationProperties, and the key has been defined in a constant. My current soltuion is this extension to AuthenticationProperties: |
I want to pass custom values to some identity providers. They support this by use of AuthenticationProperties.Dictionary.
In my scenario, I want to select a specific provider (using acr_values idp:name_of_idp) and also pass the user id to the provider. This could be possible if IdentityServer transfered acr_values and maybe login_hint to the provider in AuthenticationProperties.Dictionary.
Do IdenityServer has any way of assigning custom AuthenticationProperties.Dictionary vaues?
The text was updated successfully, but these errors were encountered: