How to implement Windows Authentication with IdentityServer 4

How to correctly implement Windows Authentication with Identity Server 4? Are there any samples to do that?

I looked at the source code of IdentityServer 4, and in the Host project in the AccountController, I noticed that there is Windows Authentication checks and they are implemented as an External Provider, but I can't seem to work out the configuration.

Has anybody successfully implemented windows authentication with idsrv4 and how?

The Tech Geek asked Dec 20 '16 12:12



1 Answer

For anyone coming across this in search results that is having trouble meshing the quickstart with the ASPNET Identity quickstart, here are the missing pieces.

For the most part you want to use the ASPNET Identity code, utilizing the SignInManager to do the heavy lifting. Once you get there and add the Windows auth code from the quick start, you should get to the point where everything looks like it is working, but you get null at this line in the callback:

ExternalLoginInfo info = await _signInManager.GetExternalLoginInfoAsync();

To get Windows treated as a real External provider, instead of adding "scheme" to the auth properties around line 163, you want to change the key to "LoginProvider":

properties.Items.Add("LoginProvider", AccountOptions.WindowsAuthenticationSchemeName);

I use a domain query to pull extra info on my users, looks something like this:

// Fragment from the quickstart's Windows login handler: wp is the WindowsPrincipal returned by
// HttpContext.AuthenticateAsync, id is the ClaimsIdentity being built, domain is the AD domain name.
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, domain))
using (UserPrincipal up = UserPrincipal.FindByIdentity(pc, wp.Identity.Name))
{
    if (up == null)
    {
        throw new NullReferenceException($"Unable to find user: {wp.Identity.Name}");
    }

    // NameIdentifier is what SignInManager uses as the ProviderKey; the SID is stable across renames.
    id.AddClaim(new Claim(ClaimTypes.NameIdentifier, up.Sid.Value));
    id.AddClaim(new Claim(JwtClaimTypes.Subject, wp.Identity.Name));
    id.AddClaim(new Claim(JwtClaimTypes.Name, wp.Identity.Name));
    id.AddClaim(new Claim(JwtClaimTypes.Email, up.EmailAddress));
    id.AddClaim(new Claim(Constants.ClaimTypes.Upn, up.UserPrincipalName));
    id.AddClaim(new Claim(JwtClaimTypes.GivenName, up.GivenName));
    id.AddClaim(new Claim(JwtClaimTypes.FamilyName, up.Surname));
}

What claims you add is up to you, but you NEED one of type ClaimTypes.NameIdentifier for the SignInManager to find. SID seems like the best use to me. Last thing to change is the SignInAsync call to use the correct scheme around line 178-181:

await HttpContext.SignInAsync(IdentityConstants.ExternalScheme, new ClaimsPrincipal(id), properties);

Unless you are overriding the default Schemes that IdentityServer4 is using in .net core 2, this is the correct default scheme. And now your call to GetExternalLoginInfoAsync in the callback will work and you can continue on!

Dan answered Sep 28 '22 00:09
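The full round trip the answer describes (Windows challenge, external cookie, callback), as an added example that is not the answer's code or the IdentityServer4 quickstart's. It assumes the quickstart's AccountOptions class, a SignInManager<ApplicationUser> injected as _signInManager, a Login action on the same controller, and a Windows host where the System.DirectoryServices.AccountManagement package is available.

```csharp
// Added example (not the quickstart's or the answer's own code); see the lead-in for assumptions.
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Claims;
using System.Security.Principal;
using System.Threading.Tasks;
using IdentityModel;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
public partial class AccountController : Controller
{
    [HttpGet]
    public async Task<IActionResult> ExternalLogin(string returnUrl)
    {
        // Ask the IIS/HTTP.sys Windows handler for the negotiated principal; challenge if there is none.
        var result = await HttpContext.AuthenticateAsync(AccountOptions.WindowsAuthenticationSchemeName);
        if (!(result?.Principal is WindowsPrincipal wp) || !wp.Identity.IsAuthenticated)
            return Challenge(AccountOptions.WindowsAuthenticationSchemeName);
        var props = new AuthenticationProperties { RedirectUri = Url.Action(nameof(ExternalLoginCallback)) };
        props.Items.Add("returnUrl", returnUrl);
        // Fix 1: SignInManager reads the provider name from the "LoginProvider" item, not from "scheme".
        props.Items.Add("LoginProvider", AccountOptions.WindowsAuthenticationSchemeName);
        var id = new ClaimsIdentity(AccountOptions.WindowsAuthenticationSchemeName);
        using (var pc = new PrincipalContext(ContextType.Domain))  // current domain; the answer passes a name
        using (var up = UserPrincipal.FindByIdentity(pc, wp.Identity.Name))
        {
            if (up == null) throw new InvalidOperationException($"Unable to find user: {wp.Identity.Name}");
            // Fix 2: NameIdentifier becomes ExternalLoginInfo.ProviderKey; the SID survives account
            // renames, so the link to the local ApplicationUser does not break when DOMAIN\user changes.
            id.AddClaim(new Claim(ClaimTypes.NameIdentifier, up.Sid.Value));
            id.AddClaim(new Claim(JwtClaimTypes.Subject, wp.Identity.Name));
            id.AddClaim(new Claim(JwtClaimTypes.Name, wp.Identity.Name));
        }
        // Fix 3: sign in to ASP.NET Identity's external cookie, which GetExternalLoginInfoAsync reads.
        await HttpContext.SignInAsync(IdentityConstants.ExternalScheme, new ClaimsPrincipal(id), props);
        return Redirect(props.RedirectUri);
    }
    [HttpGet]
    public async Task<IActionResult> ExternalLoginCallback()
    {
        var info = await _signInManager.GetExternalLoginInfoAsync();
        if (info == null) return RedirectToAction("Login");  // external cookie missing or expired
        // ProviderKey is the SID claim set above; only a user already linked to that SID gets signed in.
        var signIn = await _signInManager.ExternalLoginSignInAsync(info.LoginProvider, info.ProviderKey, false, true);
        if (!signIn.Succeeded) return RedirectToAction("Login");  // not provisioned: link the login first
        info.AuthenticationProperties.Items.TryGetValue("returnUrl", out var returnUrl);
        return LocalRedirect(returnUrl ?? "~/");  // rejects absolute URLs; the quickstart's returnUrl is local
    }
}
```

The callback only signs in users whose ApplicationUser already has a login linked to that SID; the first visit of a new domain user still needs a provisioning step such as AddLoginAsync after creating the user.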