Many people seem to overlook the samples directory in IdentityModel. So I thought I'd quickly summarize what you can find there:
Samples and tests that show the usage of the CORS support in Web API, MVC and plain IIS.
Sample showing the various authentication methods for Web API (basic authentication, SWT, JWT, access keys, session tokens etc). Also includes JS samples.
Web API (InAppWindows)
Sample that shows in-app authentication and AJAX-style Web API as well as custom claims principals.
MVC and WCF
WS-Federation with MVC and WS-Trust with WCF sample.
I’m trying to integrate IdentityModel 4.0 with my WebApi project, but I ran into a problem. I’ve based my code on the sample project, however as soon as the code enters the configuration and “new AuthenticationConfiguration”, the MissingMethodException is thrown with the message:
Method not found: ‘System.Security.Cryptography.X509Certificates.X509Certificate2 System.Net.Http.HttpRequestMessageExtensions.GetClientCertificate(System.Net.Http.HttpRequestMessage)’.
Full Stack Trace can be found here: http://pastebin.com/10fWJ979
Could you give me a hint what could go wrong, or advise what I missed?
@sainti — You need to have the latest version of NuGet and make sure you open and build the ~/Thinktecture.IdentityModel.40/IdentityModel/Thinktecture.IdentityModel40.sln first so that all the necessary dependencies are loaded via NuGet. Then once that’s done, you should not have any problems with the ~/Samples solutions. Let me know if you have any other problems.
Thanks for the feedback. It turns out that one of the NuGet packages was causing the problem. After updating all of them it’s working fine.
Unfortunately I can never get any of your samples to load in any version of Visual Studio. I feel like this should be easy to integrate into my very simple WebApi service, but I cannot find a straightforward guide anywhere.
Well – what does “load” mean? I can try to help you, but I need more information.
Sorry for being so vague. For example, I just tried to load the sample “ClaimsBasedAuthorization”. When I do, the project fails to load in both 2010 (Pro) and 2012 (Express), and is marked as (unavailable) in the Solution Explorer. I can then try to reload via the context menu, to which it errors:
“The project file ‘C:\Users\Josh\Desktop\thinktecture-Thinktecture.IdentityModel.40-7b997d7\Samples\ClaimsBasedAuthorization\ClaimsBasedAuthorization\ClaimsBasedAuthorization.csproj’ cannot be opened.
The project type is not supported by this installation.”
The model loads… but won’t build.
Error 1 Package restore is disabled by default. To give consent, open the Visual Studio Options dialog, click on Package Manager node and check ‘Allow NuGet to download missing packages during build.’ You can also give consent by setting the environment variable ‘EnableNuGetPackageRestore’ to ‘true’. Thinktecture.IdentityModel
Error 2 The command “”C:\Users\Josh\Desktop\thinktecture-Thinktecture.IdentityModel.40-7b997d7\Samples\ClaimsBasedAuthorization\.nuget\nuget.exe” install “C:\Users\Josh\Desktop\thinktecture-Thinktecture.IdentityModel.40-7b997d7\IdentityModel\Thinktecture.IdentityModel\packages.config” -source “” -RequireConsent -solutionDir “C:\Users\Josh\Desktop\thinktecture-Thinktecture.IdentityModel.40-7b997d7\Samples\ClaimsBasedAuthorization\ “” exited with code 1. Thinktecture.IdentityModel
Thank you for your help
– Installed MVC4
– Enabled Nuget Package Restore?
I have restored packages, but I never installed MVC 4 on 2010. I figured it would work in 2012, it being built in? Installing now. Will update ;)
That did it. I guess 2012 Express just does not support enough or something. Thanks Dominick. I have been pulling my hair out over adding authorization for at least 2 weeks, hopefully this will help.
var tokenEndpoint = 'https://roadie/webapisecurity/api/token',
    serviceEndpoint = 'https://roadie/webapisecurity/api/identity';
* What are these and where are they pointing?
Both endpoints are part of the sample (see the web host & resources project). You don’t need to install IdentityServer.
I was able to deploy this to my web server. However I am having some problems and not understanding a few things:
Currently my Constants values look as follows:
public const string WebHost = "192.168.1.202:444"; // my root website
In IIS I added an application to my above website in order to get the /webapisecurity/ root to form the below url:
public const string WebHostBaseAddress = "https://" + WebHost + "/webapisecurity/api/";
My identity server is deployed to the address below:
public const string IdSrv = "https://192.168.1.202/";
I changed the endpoints as follows:
var tokenEndpoint = 'https://192.168.1.202:444/webapisecurity/api/token',
serviceEndpoint = 'https://192.168.1.202:444/webapisecurity/api/identity',
However I am getting an error when I click the "GetToken" Button. I then looked at the request in fiddler and it says request failed:
HTTP Tunnel to roadie:443
I am wondering why it is still saying roadie when I changed the endpoints the AJAX requests are using?
That sounds like a caching issue. Try clearing your browser cache.
The steps I have taken:
1. Loaded the Thinktecture.IdentityModel.45 solution, and built it.
2. Loaded the WebApiSecurity solution and built it.
3. Tried to start debugging for the WebHost project, which failed. Checking the properties, I saw it was set to use a Custom Web Server, pointing to https://roadie/webapisecurity. I changed this to use Local IIS Web server, with Project Url of http://localhost:1281/, and used “http://localhost:1281/webapisecurity” in the Override application root URL.
4. Edited sessionTokenClient.js and set “tokenEndpoint = ‘http://localhost:1281/webapisecurity/api/token'” and “serviceEndpoint = ‘http://localhost:1281/webapisecurity/api/identity'”. However, I noticed that going to /webapisecurity/api/identity in a web browser gave me an ASP.NET yellow exception screen, complaining “The configSource file ‘tracing.config’ is also used in a parent, this is not allowed.” So, not knowing what else to do, I modified sessionTokenClient.js to omit webapisecurity from both urls, which do seem to be valid urls (hitting the serviceEndpoint url in Chrome popped up an authentication dialog, and then output an xml file when submitted with Alice/Alice credentials).
5. Visited SessionTokenClient.html (which is running on http://localhost:41367/), and clicked “Get token (with UN/PW)” button; I get “Error calling service: “.
6. Launched Fiddler2; when I look at the captured sessions, I see two triggered for each press of the “Get token (with UN/PW)” button. What’s odd is the second session does include a JSON formatted response:
I’m not sure why I continue to get an error when clicking on the “Get token (with UN/PW)” button.
Christian wrote the sample. Could you please use the issue tracker on github – so he can see it as well.
Dominick: Thank you for your reply. I realized after posting the comment above that this was a cross site scripting issue; since the ports were different, it’s considered to be a cross site request and is denied by the browser (hence the error message popping up). If both projects were deployed to a test server rather than running on different ports under IIS Express, this problem would not have occurred.
In basic authentication there are no (complex) tokens – and thus no expiration.
Are you talking about session tokens?
The token validation will fail on the server side when the token has expired.
How is the token validated? Is it by calling the ValidateToken method on the BasicAuthenticationSecurityTokenHandler? If so, where is the best place to do it (as an action filter)?
Does this help:
I think you are confused :)
Token validation is done by thinktecture.identitymodel. That’s the whole point of it.
Actually I was hoping you would say that, as I am expecting it’s the job of the IdentityModel. However, during my test earlier I skipped the token validation on the client and issued an API request with an expired token. On the server I was still able to make a request.
Thanks for the link you gave me, but what Ben did there is already in the samples on GitHub. Of which I am having trouble again about a CORS issue. Remember I posted this on your other blog. I was able to make it work (GET, POST) but the login part is not working now. I always get an error in the “requestSessionToken” method (sessionTokenAuthentication.js), whereas in Fiddler I get a 200 OK.
Are you on .NET 4.5 ?
I only have one blog.
Yes I am on .NET 4.5 and I meant your other post here: http://brockallen.com/2012/06/28/cors-support-in-webapi-mvc-and-iis-with-thinktecture-identitymodel/. Sorry for the confusion.
Also, it seems like the thinktecture.identitymodel that is in NuGet is different from the one on GitHub. When I used the one in NuGet everything breaks on my end. All my GET and POST requests failed in addition to the login.
Yes – but this is not my blog ;)
I guess you have too many moving parts right now – this works for many others. Maybe you need to debug your way through to understand what’s going on.
That is so embarrassing… I AM SO SORRY :/
I was working the whole day and was trying it out way past midnight and I got confused about who’s talking what. But what I’m sure of, even when I was tired, is that the code in the IdentityModel is not throwing an error. Anyway, forget my question on CORS, I’ll ask help from Brock as I’ve started it there. And if it’s okay, forget my issue on the NuGet version. I think the GitHub version is the latest and stable, right? If so, and I am using that and basing my question on that version, how does the token validation work on the server? How do I check on the server if a token has expired?
Put a breakpoint into AuthenticationHandler.SendAsync to see what’s going on.
Yeah I did that before I posted here and that’s what got me thinking. The “principal.Identity.IsAuthenticated” is true, which I expect to be false since the token is expired. So I started looking where the token is validated and I found a few places, but put a breakpoint at “BasicAuthenticationSecurityTokenHandler.ValidateToken” since I am using basic auth. But then I found out that ValidateToken is only called when doing the login. So on subsequent API calls the token is not validated anymore. But I did a more detailed debugging and I think I found a possible bug. I reported it on GitHub (https://github.com/thinktecture/Thinktecture.IdentityModel.45/issues/37).
Thanks for your patience!
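The exchange above comes down to one rule: a token's signature and expiry have to be checked on every request, not only at login, otherwise an expired token still produces a principal with IsAuthenticated == true. The following Web API message handler is an added illustration of that rule, written for this post; it is not Thinktecture.IdentityModel code and not part of the samples. The token format (a signed "user|expiresUtcTicks" payload), the "Session" scheme name, the class name and the signing key are all constructed for the example; the library's own token formats and handler names differ.

```csharp
using System;
using System.Globalization;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical handler (not Thinktecture.IdentityModel). Token format, constructed for this example:
//   base64url("user|expiresUtcTicks") + "." + base64url(HMAC-SHA256(key, "user|expiresUtcTicks"))
public class ExpiringSessionTokenHandler : DelegatingHandler
{
    private const string Scheme = "Session";   // assumed scheme name
    private readonly byte[] _signingKey;

    public ExpiringSessionTokenHandler(byte[] signingKey)
    {
        if (signingKey == null || signingKey.Length < 32)
            throw new ArgumentException("use a key of at least 256 bits", "signingKey");
        _signingKey = signingKey;
    }

    // Runs for every request, so signature and expiry are enforced on each call, not only at login.
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        if (auth != null && auth.Scheme == Scheme)
        {
            ClaimsPrincipal principal;
            string error;
            if (!TryValidate(auth.Parameter, DateTime.UtcNow, out principal, out error))
            {
                var unauthorized = new HttpResponseMessage(HttpStatusCode.Unauthorized)
                {
                    RequestMessage = request,
                    ReasonPhrase = error
                };
                unauthorized.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue(Scheme));
                return Task.FromResult(unauthorized);
            }
            Thread.CurrentPrincipal = principal;   // what [Authorize] and the controllers will see
        }
        return base.SendAsync(request, cancellationToken);
    }

    // Issued at login; the expiry travels inside the signed payload so the client cannot extend it.
    public string Issue(string user, DateTime nowUtc, TimeSpan lifetime)
    {
        if (user.Contains("|")) throw new ArgumentException("user name must not contain '|'", "user");
        byte[] payload = Encoding.UTF8.GetBytes(user + "|" + (nowUtc + lifetime).Ticks.ToString(CultureInfo.InvariantCulture));
        return ToBase64Url(payload) + "." + ToBase64Url(Sign(payload));
    }

    public bool TryValidate(string token, DateTime nowUtc, out ClaimsPrincipal principal, out string error)
    {
        principal = null;
        error = "malformed token";
        if (string.IsNullOrEmpty(token)) return false;
        string[] parts = token.Split('.');
        if (parts.Length != 2) return false;
        byte[] payload, signature;
        try { payload = FromBase64Url(parts[0]); signature = FromBase64Url(parts[1]); }
        catch (FormatException) { return false; }

        // Verify the signature before trusting anything in the payload.
        if (!ConstantTimeEquals(Sign(payload), signature)) { error = "invalid signature"; return false; }

        string[] fields = Encoding.UTF8.GetString(payload).Split('|');
        long expiresTicks;
        if (fields.Length != 2 || !long.TryParse(fields[1], NumberStyles.None, CultureInfo.InvariantCulture, out expiresTicks)) return false;

        // The expiry check happens here, on every request that presents the token.
        if (nowUtc >= new DateTime(expiresTicks, DateTimeKind.Utc)) { error = "token expired"; return false; }

        var identity = new ClaimsIdentity(Scheme);   // authenticationType set => IsAuthenticated == true
        identity.AddClaim(new Claim(ClaimTypes.Name, fields[0]));
        principal = new ClaimsPrincipal(identity);
        error = null;
        return true;
    }

    private byte[] Sign(byte[] payload)
    {
        using (var hmac = new HMACSHA256(_signingKey)) return hmac.ComputeHash(payload);
    }

    private static string ToBase64Url(byte[] bytes)
    {
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    private static byte[] FromBase64Url(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4) { case 2: b64 += "=="; break; case 3: b64 += "="; break; }
        return Convert.FromBase64String(b64);
    }

    private static bool ConstantTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Register it with config.MessageHandlers.Add(new ExpiringSessionTokenHandler(key)) so it sits in front of every controller. Calling TryValidate with a token issued for one minute and a nowUtc two minutes later returns false with error "token expired" and a null principal, which is the behaviour the thread expected from the sample and did not see; the same call one second after issue returns a principal whose Identity.IsAuthenticated is true.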
1) Sorry for reviving this old posting with a new comment.
2) I really appreciate your efforts on the whole security topics and also enjoyed your Pluralsight (and other) videos.
3) Maybe I’m just too stupid, but currently I’m going insane with these samples. I guess I’m just “spoilt” with samples which usually work without setup or a detailed guideline/walkthrough…
The “MVC and WCF” (SAML) example will not run.
– I had to download and attach the “Thinktecture.IdentityModel.45” (wasn’t a problem, still an inconvenience)
– I had to open the “Thinktecture.IdentityModel.45” separately and do the NuGet restore (somehow it didn’t work directly within the sample project) and build it (VS2012 Ultimate)
– Gone through the .config and remapped to an IIS-hosted idsrv (server) and tried to guess (didn’t see where they are configured in the code/properties) what I need to put for audienceUris, realm and reply.
– Had to search through the application because it sets the URL to your domains at several points
– Started Web project
– Clicking on any links -> nothing happens. Set breakpoints in the controllers and it seems nothing is going into them. So I guess there is a mistake but haven’t yet gone through it.
– The sample client throws an exception “System.ServiceModel.EndpointNotFoundException”.
If I check the endpoint URL directly in the browser it’s reachable but throws another exception (Could not find a base address that matches scheme http for the endpoint with binding CertificateWSTrustBinding. Registered base address schemes are [https]) -> and there I’m now stuck.
I just want to have a look at the workflow and get a grasp on the concepts (needed for a PoC of a desktop client – IdSrv link for authentication), but I’ve been fiddling for 4 hours for a working sample.
So any guidance would be appreciated. I would even bribe/pay with some Swiss stuff (could deliver maybe around end of March when I plan to drive to Wuppertal.. ;) )
PS: I wrote it in the comment, because I guess it’s not a real issue for Github.. or is it?
I am sorry that this does not work for you out of the box. But these kinds of samples have so many moving parts that it is impossible to give you a “perfect F5 experience” – you need to put in a bit of work yourself ;)
Not sure how a Desktop PoC relates to that specific sample…
Feel free to use the github issue tracker when you have questions about IdSrv or how to connect an application to it.