This repository has been archived by the owner on Dec 13, 2022. It is now read-only.

Login not possible when using IDS4 together with ASP.NET Identity following the quickstart example #2510

Closed
patrick-heuer opened this issue Aug 3, 2018 · 7 comments

patrick-heuer commented Aug 3, 2018

I want to build an Identity Server OIDC service, having an additional simple UI for registration/profile/email-notification of the users.

So I followed the official quickstart manual to achieve this: http://docs.identityserver.io/en/release/quickstarts/6_aspnet_identity.html

  1. first I built the ui with the Visual Studio 2017 default template for ASP.NET Core Identity (.NET Core 2.1.2), so I can perfectly register new users and can login/logout with it, incl. storage to database.
    I didn't change the hosting, so hosting is via IIS Express, using HTTPS: https://localhost:44348 - works great so far.

  2. Then I added IdentityServer4 2.1 (via NuGet) to that project additionally - and the steps described in that manual. After that I can start the service and can still register a new user with ASP.NET Identity - but when I try to log in in the login dialog and press OK, the home page (!) is shown again (with register/login upper right) - instead of the user being logged in as expected (-> I cannot see the logged-in email/username in the navigation and no logout button is shown - which worked nicely before in step 1). The same happens when registering a new user - the user credentials are stored correctly in the database, but the user is not logged in after registration!

I attached my project:

IDS4ASPI.zip

Issue / Steps to reproduce the problem

  1. build the attached project (it uses a local MSSQL-database and .NET Core 2.1.2!)
  2. prepare the database tables via console with: dotnet ef database update -c ApplicationDbContext
  3. start the project with visual studio -> service and browser should open
  4. press "register" to register a new user -> ERROR: user will not be logged in afterwards - even though he is in the database! Homepage is shown instead.
  5. try to login the new user -> ERROR: login not possible. Homepage is shown instead.

Relevant parts of the log file

```
2018-08-03 17:23:12.189 +02:00 [INF] You are using the in-memory version of the persisted grant store. This will store consent decisions, authorization codes, refresh and reference tokens in memory only. If you are using any of those features in production, you want to switch to a different store implementation.
2018-08-03 17:23:12.246 +02:00 [DBG] Using idsrv as default scheme for authentication
2018-08-03 17:23:12.249 +02:00 [DBG] Using Identity.External as default scheme for sign-in
2018-08-03 17:23:12.249 +02:00 [DBG] Using Identity.External as default scheme for sign-out
2018-08-03 17:23:12.250 +02:00 [DBG] Using idsrv as default scheme for challenge
2018-08-03 17:23:12.250 +02:00 [DBG] Using idsrv as default scheme for forbid
2018-08-03 17:25:53.726 +02:00 [INF] AuthenticationScheme: Identity.Application signed in.
2018-08-03 17:28:54.676 +02:00 [INF] You are using the in-memory version of the persisted grant store. This will store consent decisions, authorization codes, refresh and reference tokens in memory only. If you are using any of those features in production, you want to switch to a different store implementation.
2018-08-03 17:28:54.716 +02:00 [DBG] Using idsrv as default scheme for authentication
2018-08-03 17:28:54.719 +02:00 [DBG] Using Identity.External as default scheme for sign-in
2018-08-03 17:28:54.719 +02:00 [DBG] Using Identity.External as default scheme for sign-out
2018-08-03 17:28:54.719 +02:00 [DBG] Using idsrv as default scheme for challenge
2018-08-03 17:28:54.719 +02:00 [DBG] Using idsrv as default scheme for forbid
2018-08-03 17:28:57.880 +02:00 [INF] AuthenticationScheme: Identity.External signed out.
2018-08-03 17:29:06.275 +02:00 [INF] AuthenticationScheme: Identity.Application signed in.
```

I have tried this multiple times over two weeks and am getting more and more frustrated - can anybody help me to bring the official quickstart demo to run?

THANKS in advance!
Patrick

@alexdresko
Contributor

I'm in the same boat, though I feel like this is probably a duplicate issue... just worded differently somewhere else.

@alexdresko
Contributor

Ha. As luck would have it, I think I just got it working. This post was extremely helpful.

I did scaffold Identity as instructed. Also, here's my full startup.cs

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity.UI.Services;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using StarkId7.Data;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using StarkId7.Core;

namespace StarkId7
{
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {
            services.Configure<CookiePolicyOptions>(options =>
            {
                // This lambda determines whether user consent for non-essential cookies is needed for a given request.
                options.CheckConsentNeeded = context => true;
                options.MinimumSameSitePolicy = SameSiteMode.None;
            });

            services.AddDbContext<ApplicationDbContext>(options =>
                options.UseSqlServer(
                    Configuration.GetConnectionString("DefaultConnection")));

            services.AddIdentity<IdentityUser, IdentityRole>()
                .AddEntityFrameworkStores<ApplicationDbContext>()
                .AddDefaultTokenProviders();

            services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);

            // configure identity server with in-memory stores, keys, clients and scopes
            services.AddIdentityServer(options =>
                {
                    options.UserInteraction.LoginUrl = "/Identity/Account/Login";
                    options.UserInteraction.LogoutUrl = "/Identity/Account/Logout";
                })
                .AddDeveloperSigningCredential()
                .AddInMemoryPersistedGrants()
                .AddInMemoryIdentityResources(Config.GetIdentityResources())
                .AddInMemoryApiResources(Config.GetApiResources())
                .AddInMemoryClients(Config.GetClients())
                .AddAspNetIdentity<IdentityUser>();

            services.ConfigureApplicationCookie(options =>
            {
                options.LoginPath = $"/Identity/Account/Login";
                options.LogoutPath = $"/Identity/Account/Logout";
                options.AccessDeniedPath = $"/Identity/Account/AccessDenied";
            });

            // using Microsoft.AspNetCore.Identity.UI.Services;
            services.AddSingleton<IEmailSender, EmailSender>();
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
                app.UseDatabaseErrorPage();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
                app.UseHsts();
            }

            app.UseHttpsRedirection();
            app.UseStaticFiles();
            app.UseCookiePolicy();

            app.UseAuthentication(); // not needed, since UseIdentityServer adds the authentication middleware
            app.UseIdentityServer();

            app.UseMvc(routes =>
            {
                routes.MapRoute(
                    name: "default",
                    template: "{controller=Home}/{action=Index}/{id?}");
            });
        }
    }
}
```

@patrick-heuer
Author

@alexdresko thank you for your post - this solved my problem! Even though I needed to update your code with adjustments from the other thread you mentioned ... I am very happy now :)

Here is my complete running project (it's just the running quickstart example without any other functionality) - so everybody with the same problem can look into it to see how we solved it:

IDS4ASPI_v2.zip

I hope the IDS4 team will update the official documentation with the needed adjustments for .NET Core 2.1.

@brockallen
Member

brockallen commented Aug 9, 2018

I finally had a chance to look into this. The problem is that IdentityServer (build 2.3 and prior) requires the host to have configured a default authentication scheme. This is how we know who the user is. In ASP.NET Identity prior to their 2.1 changes, they set this in the call to AddIdentity. Well, in 2.1 for their self-contained UI they changed how they're doing it. Instead they only set a default scheme, and that's not sufficient. So if you were to simply have added this line:

```csharp
services.AddAuthentication(IdentityConstants.ApplicationScheme);
```

after you register IdentityServer, then all would be well. Oh, you would also need to set the paths for login/logout on the InteractionOptions on IdentityServer.

Sorry for so many problems on this issue. As I indicated elsewhere, I agree with many of you that the new ASP.NET Core UI is a real problem and not terribly realistic for production use. Unfortunately it requires this sort of lower level tinkering.

Given that we now know the issue, we're going to make the IdentityServer configuration (when you use our AddAspNetIdentity API) to be more defensive in how it sets things up.
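The symptom is already visible in the log quoted at the top of the issue: the sign-in is recorded under `Identity.Application` while the default scheme for authentication is `idsrv`. A small check for that pattern, as an added example that is not part of the original thread or of IdentityServer; the log text is a constructed sample in the format quoted above, and the function name and the "fixed" log are assumptions:

```python
import re

# Constructed sample, in the format of the log quoted in the issue.
SAMPLE_LOG = """\
2018-08-03 17:28:54.716 +02:00 [DBG] Using idsrv as default scheme for authentication
2018-08-03 17:28:54.719 +02:00 [DBG] Using Identity.External as default scheme for sign-in
2018-08-03 17:28:54.719 +02:00 [DBG] Using Identity.External as default scheme for sign-out
2018-08-03 17:28:54.719 +02:00 [DBG] Using idsrv as default scheme for challenge
2018-08-03 17:28:57.880 +02:00 [INF] AuthenticationScheme: Identity.External signed out.
2018-08-03 17:29:06.275 +02:00 [INF] AuthenticationScheme: Identity.Application signed in.
"""

# Constructed sample of what a correctly configured host is assumed to log.
FIXED_LOG = """\
2018-08-09 10:00:00.000 +02:00 [DBG] Using Identity.Application as default scheme for authentication
2018-08-09 10:00:05.000 +02:00 [INF] AuthenticationScheme: Identity.Application signed in.
"""

DEFAULT_RE = re.compile(r"Using (\S+) as default scheme for (\S+)")
SIGNIN_RE = re.compile(r"^(\S+ \S+) .*AuthenticationScheme: (\S+) signed in\.")


def find_scheme_mismatches(log_text):
    """Return (timestamp, signed_in_scheme, default_auth_scheme) for every
    sign-in whose scheme differs from the default authentication scheme."""
    defaults = {}  # purpose -> scheme; the latest startup banner wins
    findings = []
    for line in log_text.splitlines():
        m = DEFAULT_RE.search(line)
        if m:
            defaults[m.group(2)] = m.group(1)
            continue
        m = SIGNIN_RE.search(line)
        if m:
            timestamp, scheme = m.groups()
            auth_default = defaults.get("authentication")
            # A cookie issued under one scheme is not read back when
            # requests are authenticated under a different default scheme.
            if auth_default is not None and scheme != auth_default:
                findings.append((timestamp, scheme, auth_default))
    return findings


if __name__ == "__main__":
    for ts, signed_in, default in find_scheme_mismatches(SAMPLE_LOG):
        print(f"{ts}: signed in with {signed_in}, but requests authenticate with {default}")
```
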

@brockallen
Member

Part of this is already fixed here; IdentityServer/IdentityServer4.AspNetIdentity@58b8950

The other part depends on this PR which is yet to be merged: #2540

@brockallen
Member

I'm going to close this, as the other two issues will provide resolution. Thanks.

@lock

lock bot commented Jan 13, 2020

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@lock lock bot locked as resolved and limited conversation to collaborators Jan 13, 2020