Are there C# integration examples anywhere?

This topic has 8 replies, 3 voices, and was last updated 1 week, 2 days ago by KMORGAN.

  • #28267
     KMORGAN
    Participant

    Hi Everyone, are there any examples that use C# (ideally OWIN) to authenticate? I am trying to set up SSO integration between ForgeRock and my application. I have downloaded and configured AM-eval-6.5.1, which appears to be working, as I am able to log in, configure and create an application. I created a new Realm with a single application. I have set the ClientName and Secret to be the same, and the scope(s) and default scope(s) are set to openid.

    The problem I am encountering is invalid_client Client authentication failed on redirection to ForgeRock.

    I have seen this link changing Token Endpoint Authentication Method to client_secret_post but this made no difference. https://backstage.forgerock.com/knowledge/kb/article/a27814899.

    I can see a 400 error in Fiddler.

    Clearly I have missed something but I am at a loss as to what. Any suggestions would be gratefully received.

    #28268
     KMORGAN
    Participant

    This is the message being sent:

    GET http://<machinednsname fqdn>:9090/AM-eval-6.5.1/oauth2/authorize?client_id=OpenIdcTest&response_type=id_token&scope=openid&state=OpenIdConnect.AuthenticationProperties%3Dio3AMu9_U6PHKqNcGcIl1D717ut6bliZSrlrRL-5ivCwomLCu-OclPyaIBd4aun0hP-g2-hUyBAhMYqAaj6-hYeaEg3ofUAVqnW9lVDhoexKDaM1RgSAKtFGz_xrk1ow0l55q0N4zmK1UcaD6cxXh2U7PRoyjksUOVTW6GakZvk&response_mode=form_post&nonce=637356495226468586.NDZmYjBkMjItMzk2NC00ZTg5LWE3NDAtMDMzNTdkMmI5ZmIzNDA0MmYzYWItMTMxMS00MjZiLWFjZWEtMmUxMjQxMzI4ZDNm&redirect_uri=http%3A%2F%2Flocalhost%2F
    Host: <machine name not fqdn>:9090
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Accept-Encoding: gzip, deflate
    Accept-Language: en-NZ,en;q=0.9
    
    • This reply was modified 1 week, 3 days ago by KMORGAN.
    #28270
     KMORGAN
    Participant

    Response is invalid_client Client authentication failed

    Sorry, I can’t paste the whole message here as it’s blocked by the forum:

    description: “Client authentication failed”,
    message: “invalid_client”

    #28271
     KMORGAN
    Participant

    I am assuming that it can’t access the Realm, as if I create the application on the Top Level Realm I get a different error (server_error server_error (400) – The authorization server encountered an unexpected condition which prevented it from fulfilling the request.)

    #28272
     Andrew Potter
    Participant

    I see you say you created a realm. From your API call it looks like you are not specifying the realm in the URL.
    See the note on composing the URL with a realm name here: https://backstage.forgerock.com/docs/am/7/oauth2-guide/oauth2-authorize-endpoint.html. (It’s the same for v6.5)
    i.e. you’ll need something like ‘oauth2/realms/root/realms/<your-realm>/authorize’

    #28273

    In addition to what Andrew has already mentioned: to determine which OAuth2 endpoints (e.g. /authorize, /access_token, /introspect) are being published by the Authorization server, you can query the endpoint below:

    http://<machinednsname fqdn>:9090/AM-eval-6.5.1/oauth2/realms/root/realms/YOUR_REALM/.well-known/openid-configuration

    #28274
     KMORGAN
    Participant

    Excellent, thanks for the tip on the URL needing to contain the realm. That has moved me along, but now I am getting another error and am no longer seeing the ForgeRock landing.

    Fiddler is showing the redirection once ForgeRock is contacted. From the URL it appears that there is a setting issue.

    The error on the URL is ‘unsupported_response_type’.
    OpenIdConnectCallback#error_description=Response%20type%20is%20not%20supported.&state=OpenIdConnect.AuthenticationProperties%3DQeYa-veDRoZhHN4W2JbV37RygNtu03Z0sVhx72NGiH5giQb7eqxRL-thtGybFroU7CKU58Nck04tqFf-FlqdkiLTJQyHL-rdjBtTMeIsNwpbxODK_x8bKknDTdZ725-S97KVHIxa-UbAr6qt6T_nA4fTEPkJg1bZAfpl8OHf8UM&error=unsupported_response_type

    This is the request that was sent.
    GET http://ap-chc-lt179:9090/AM-eval-6.5.1/oauth2/realms/root/realms/OpenIdcTest/authorize?client_id=OpenIdcTest&response_type=token&scope=openid&state=OpenIdConnect.AuthenticationProperties%3D9ohXPw50SIqiU8G5MESHYFOwVhkUfX498bNIKOKHrWjBxDTpnh9cJbN3a2V_yfT7Lmt7t6Oadl03GHIEty5nCDbBghTSpMampv940L7KiSDAgyisNocBFhgqysl__PGyXPoSPVOeqaMheL7MuHF9tfBER0HDUPve8ZQOsDhx3mo&response_mode=form_post&nonce=637357231049035335.ZWE4NmM2YzAtMTI3Mi00NTBlLWE0MGEtZjdhZTVhNGFmZGVjZGNiOTE2NGQtNTg1Zi00OTgxLTljYjctZjRlYThjODdkMDBj&redirect_uri=http%3A%2F%2Flocalhost%2FAxWebOrigination%2FOpenIdConnectCallback&x-client-SKU=ID_NET461&x-client-ver=5.3.0.0 HTTP/1.1

    In my client configuration I have the following:
    Grant Types, All selected
    Response Types I have ‘code’,’id_token’,’token’,’code token’,’token id_token’,’code id_token’,’code token id_token’,’none’ .
    Token Endpoint Authentication Method, client_secret_post

    I am grateful for any further suggestions.

    #28275
     KMORGAN
    Participant

    I have also tried with response type of id_token too with the same response…

    http://ap-chc-lt179:9090/AM-eval-6.5.1/oauth2/realms/root/realms/OpenIdcTest/authorize?client_id=OpenIdcTest&response_type=id_token&scope=openid%20profile&state=OpenIdConnect.AuthenticationProperties%3Dv99ygdGhfUxGeg_WVQyRUk2ZJyzjPe2_16Kxfd0pTqLIQ9zUwe5NntZS3nC7SpEkriyGeALqPg6b_qOhmbiBpRcAe0EP685J-Uj-y6MXVEjkDbB40shr0LcagHOrnqKr-GoEyZo_VzjV9ZNe9otSZtKCCdUb8jaE3YcjzqOMhVw&response_mode=form_post&nonce=637357300946805779.M2JkNTMzNGMtOGUxZS00MWFlLWI2ZmEtNThiOWMwNTg5N2FkMmM4NjFhNDMtMjQ4Zi00ZGYzLWI4MDItNDRjMTc5MTg1MGI1&redirect_uri=http%3A%2F%2Flocalhost%2FAxWebOrigination%2FOpenIdConnectCallback&x-client-SKU=ID_NET461&x-client-ver=5.3.0.0 HTTP/1.1

    #28276
     KMORGAN
    Participant

    Thanks everyone for your help. I just got it working. My problem was that the scope was mismatched between ForgeRock and the OWIN configuration in C#. Once corrected, I am able to redirect, log in and then receive a JWT token that I need for further processing.

    Once again thanks for your help.

    • This reply was modified 1 week, 2 days ago by KMORGAN.
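
A preflight check for the mismatches worked through in this thread (realm missing from the authorize path, response type, scope), as an added example that is not part of the original posts and is not ForgeRock or OWIN code. It is written in Python so it runs without the C# project; the discovery document, the host name `am.example.com` and the `registered_scopes` parameter are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed discovery document (not real AM output); host and realm are placeholders.
DISCOVERY = {
    "authorization_endpoint":
        "http://am.example.com:9090/AM-eval-6.5.1/oauth2/realms/root/realms/OpenIdcTest/authorize",
    "response_types_supported": ["code", "id_token", "token", "token id_token", "code id_token"],
    "response_modes_supported": ["query", "fragment", "form_post"],
}

def preflight(authorize_url, discovery, registered_scopes):
    """Compare an authorization request with the provider metadata and the
    scopes registered on the client. Returns a list of mismatches (empty = none)."""
    findings = []
    url = urlsplit(authorize_url)
    params = {k: v[0] for k, v in parse_qs(url.query).items()}

    # 1. Endpoint: the request must hit the realm-qualified URL that discovery publishes.
    requested = f"{url.scheme}://{url.netloc}{url.path}"
    if requested != discovery["authorization_endpoint"]:
        findings.append(f"endpoint: {url.path} is not the published authorization_endpoint")

    # 2. response_type: order of the space-separated values is not significant.
    wanted = frozenset(params.get("response_type", "").split())
    supported = {frozenset(rt.split()) for rt in discovery["response_types_supported"]}
    if wanted not in supported:
        findings.append(f"response_type: {' '.join(sorted(wanted))!r} not supported")

    # 3. response_mode, when sent, must be one the provider lists.
    mode = params.get("response_mode")
    if mode and mode not in discovery.get("response_modes_supported", [mode]):
        findings.append(f"response_mode: {mode!r} not supported")

    # 4. Scopes the client library sends vs. scopes registered on the client (assumed input).
    extra = set(params.get("scope", "").split()) - set(registered_scopes)
    if extra:
        findings.append(f"scope: {sorted(extra)} not registered for this client")

    # 5. OpenID Connect requires a nonce when an ID token is returned from /authorize.
    if "id_token" in wanted and "nonce" not in params:
        findings.append("nonce: required when response_type includes id_token")
    return findings
```

In practice the discovery document would come from the realm's `.well-known/openid-configuration` URL mentioned above, and `registered_scopes` from the client profile in AM.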