Using Discovery and Katana Middleware to write an OpenID Connect Web Client

In the last post I showed how to write an OIDC web client from scratch – this requires to have knowledge of certain configuration parameters of the OIDC provider, e.g.:

  • the URL of the authorize endpoint (and logout endoint)
  • the issuer URI
  • the key material used to sign the identity token (as well as the signing algorithm)

To make all that information ‘discoverable’, the OIDC provider can publish metadata (see WS-Federation/SAML2p metadata). This is specified here.

OIDC discovery documents live on a well known URL relative to the base URL of the OIDC provider, e.g. https://www.myoidcprovider/.well-known/openid-configuration.

image

So IOW – an OIDC client library could read that information and automatically configure itself so you don’t have to provide all the configuration values. This also makes scenarios like signing key roll overs less ‘painful’.

The Microsoft OIDC middleware for Katana is such an client library – its setup boils down to providing the base URL of the provider, the client id, redirect URI, the scopes and response type.

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions

    {

        Client_Id = “implicitclient”,

        Authority = Constants.BaseAddress,

        Redirect_Uri = https://localhost:2671/,

        Response_Type = “id_token”,

        Scope = “openid email”,

 

        SignInAsAuthenticationType = “Cookies”,

    });

 

Since this integrates with the MVC/Katana security model you simply need to return a 401 to trigger the authentication handshake (manually or via an [Authorize] attribute).

The middleware will be part of Katana 3.0 (currently in beta) and you can find a sample using IdentityServer as the provider here.

This entry was posted in IdentityServer, Katana, OpenID Connect, OWIN. Bookmark the permalink.

7 Responses to Using Discovery and Katana Middleware to write an OpenID Connect Web Client

  1. Fabien Ruffin says:

    Hi Dominick,

    I tried your sample MVC Owin Client and it works great… except when running it under IIS (I’m using IIS 7.5). For some reason in that case I get a 401 instead of being redirected to the login page on identity server. Any idea why?

    Thanks

    • Make sure all authentication methods are disabled in IIS – and anonymous access is enabled.

      • Fabien Ruffin says:

        Hi Dominick,

        Thanks for your reply.

        Are you saying it works for you?
        I checked my IIS config and all authentication methods were already disabled and anonymous was enabled. I tried a few things but still couldn’t get it to work with IIS. So just to be sure it was not due to something on my machine I tried with a brand new Windows Server 2012 VM on AWS, installed IIS and tried the sample again using the default website. The exact same problem is occurring.

        Just to be sure IIS was not getting in the way, I tried setting the “LoginPath” for the CookieAuthenticationOptions in my Startup class and in this instance it did try to redirect me to the login page I had set there. Obviously this is not the behaviour we want for oidc, but I was just trying to see if all auth redirections would have the same issue.

        I must be missing something really simple here, but I can’t figure it out.

        Any idea?

        Thanks

  2. fallafab says:

    Ok I figured it out and it was something simple and stupid.

    I downloaded the KatanaProject source code so I could debug through the OIDC middleware.
    What I found out is that when using IIS, the Authorization_Enpoint option was null in the ApplyResponseChallengeAsync method of the OpenIdConnectAuthenticationHandler and it was ok when using IIS Express.

    Looking further in that method, I’ve found this:
    if (!Uri.IsWellFormedUriString(redirect, UriKind.Absolute))
    {
    _logger.WriteError(string.Format(CultureInfo.InvariantCulture, “The OpenIdConnectRequest sign-in redirect uri is not well formed: ‘{0}'”, redirect));
    return;
    }

    Thanks Microsoft! Next time throw an exception please instead of passing the request on to the next module!

    The reason why the Authorization_Enpoint was null was that the OIDC middleware couldn’t reach the discovery endpoint (.well-known/openid-configuration) and populate all the required endpoint urls.
    It turns out at work we’re using a proxy. For experimenting with Identity Server v3 I’ve set up some exceptions in my local proxy exclusion list to run IDSV3 on local. Apparently IIS and IIS Express have different configurations for using the default system proxy…

    Mystery solved!

    Thanks

  3. Anup Marwadi says:

    Hello, This is a great article!

    I had a question related to Multi-Tenant Scenarios. We have many customers that have their own OIDC setups. Can we add multiple UseOpenIdConnectAuthentication options in the same Web API? I am trying to figure out how I would reference a specific Client’s metadata at runtime. In this setup, the application is bootstrapped with OIDC Client_id and Metadata URL thus making it work only for one OIDC provider.

    Is that interpretation correct? And if so, is there a workaround? Thank you!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s