AdminUI configuration with UseOpenIdConnectAuthentication

[ryandanthony]

If I use the configuration in this repo with UseOpenIdConnectAuthentication in a federated pattern, I am unable to get the redirects back to the return url to work properly. It lands on this and doesnt do another redirect:

http://ids:5003/account/login?returnUrl=%2Fconnect%2Fauthorize%2Flogin%3Fclient_id%3Djs%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A5004%252Fpopup.html%26response_type%3Dtoken%26scope%3Dapi1%26state%3D83007e9527034efb83efb1e2d755d03c%26display%3Dpopup

The database I am using is built by the "identityserverregistry.azurecr.io/idxapi" docker image.

If i remove the following configuration items:

     services
                .AddIdentityExpressAdminUiConfiguration(builder)
                .AddIdentityServerUserClaimsPrincipalFactory()
                ;


            services.AddScoped<IUserStore<IdentityExpressUser>>(x =>
            {
                return new IdentityExpressUserStore(x.GetService<IdentityExpressDbContext>())
                {
                    AutoSaveChanges = true
                };
            });

And:

                .AddAspNetIdentity<IdentityExpressUser>()

And:

app.UseIdentity();

It works perfectly fine...

Here is what my UseOpenIdConnectAuthentication configuration looks like:

 app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme,
                AutomaticAuthenticate = false,
                AutomaticChallenge = false
            });

            var openIdList = new[]
            {
                new
                {
                    DisplayName = "ptgadspike.onmicrosoft.com",
                    ClientId = "17d673f4-c719-48a8-98ff-714556d5e13a",
                    TenantId = "edb8aeb7-8177-4665-91e8-b528abdcdf33",
                    SchemaName = "spike1",
                },
                new
                {
                    DisplayName = "ptgadspike2.onmicrosoft.com",
                    ClientId = "61a59626-a872-4de0-bd8a-7c507e015d78",
                    TenantId = "24a9b864-f468-4f88-bf94-3e60941ce1f5",
                    SchemaName = "spike2",
                },
            };

            openIdList.ToList().ForEach(item =>
            {
                app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
                {
                    AuthenticationScheme = item.SchemaName,
                    DisplayName = item.DisplayName,
                    SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme,
                    ClientId = item.ClientId,
                    Authority = $"https://login.microsoftonline.com/{item.TenantId}",
                    ResponseType = OpenIdConnectResponseType.IdToken,
                    SignedOutCallbackPath = $"/signedout-oidc/{item.SchemaName}",
                    CallbackPath = $"/signin-oidc/{item.SchemaName}"
                });
            });

Any ideas?

Thanks,
Ryan

[scottbrady91]

Hi Ryan,

Just to clarify, you are trying to log into IdentityServer using an external OpenID provider?

If so, when IdentityServer uses ASP.NET Identity, it needs to use the ASP.NET Identity external cookie scheme, not the IdentityServer version. You also do not need to register a cookie using the cookie middleware.

So your code would something like the following:

var openIdList = new[]
{
    new
    {
        DisplayName = "ptgadspike.onmicrosoft.com",
        ClientId = "17d673f4-c719-48a8-98ff-714556d5e13a",
        TenantId = "edb8aeb7-8177-4665-91e8-b528abdcdf33",
        SchemaName = "spike1",
    },
    new
    {
        DisplayName = "ptgadspike2.onmicrosoft.com",
        ClientId = "61a59626-a872-4de0-bd8a-7c507e015d78",
        TenantId = "24a9b864-f468-4f88-bf94-3e60941ce1f5",
        SchemaName = "spike2",
     },
};

openIdList.ToList().ForEach(item =>
{
    app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
    {
        AuthenticationScheme = item.SchemaName,
        DisplayName = item.DisplayName,
        SignInScheme = "Identity.External",
        ClientId = item.ClientId,
        Authority = $"https://login.microsoftonline.com/{item.TenantId}",
        ResponseType = OpenIdConnectResponseType.IdToken,
        SignedOutCallbackPath = $"/signedout-oidc/{item.SchemaName}",
        CallbackPath = $"/signin-oidc/{item.SchemaName}"
    });
});

Let me know how it goes.

[ryandanthony]

I am trying to use it as a federation gateway:
http://docs.identityserver.io/en/release/topics/federation_gateway.html

This is the user flow:

*see notes on the screen shots.

[ryandanthony]

Oh, forgot to mention, I did try changing the SignInScheme to "Identity.External".
But it didn't work. Same result (see screen shots above).

[scottbrady91]

If you have app.UseIdentity() and your external providers have SignInScheme = "Identity.External", then this should be working. Maybe check the ordering of you IApplicationBuilder registrations.

It should look something like this:

app.UseIdentity();
app.UseIdentityServer();

app.UseOpenIdConnectAuthentication(...);

app.UseStaticFiles();
app.UseMvcWithDefaultRoute();