OpenAM As OpenID Connect Provider in ASP.NET CORE 1.0 Web

This topic has 3 replies, 2 voices, and was last updated 5 years, 2 months ago by shurman.cai.

  • #12029
     shurman.cai
    Participant

    I am trying to use OpenAM as an OpenID Connect provider, just like Google or Facebook as an OpenID Connect provider.

    I have configured OpenAM at http://openam.contoso.com/openam.
    I can log in to OpenAM as amadmin through http://openam.contoso.com/openam/XUI/#login/
    I have created an OAuth 2.0/OpenID Connect client, the clientId: ASPNETClient, client password: Pa$$w0rd as the client secret.

    The redirect_url is http://localhost:5000/signin-oidc
    scope: openid profile email

    I have used Visual Studio 2015 Community version Update 3 to generate a web application with individual authentication. I have added "google" and "facebook" external logins and also "openam" as an external login.
    The "openam" login uses "app.UseOpenIdConnectAuthentication", which is similar to google and facebook as an external login.

    I created a simple ASP.NET Core 1.0 web application using OpenAM as one of the external login providers.
    I can simply get google and facebook as external logins using a few lines of code, but I can't successfully use OpenAM as the external login.

    There is no problem when clicking the "facebook" or "google" external login.

    In my program web page http://localhost:5000/, I can click the external login button "Openam", which successfully opens the "http://openam.contoso.com/openam/XUI/#login/" login interface; then I can type the user name user.0 and password to log in, and I can set "Allow" when the application requests the following private information.

    However, after that I got
    "An unhandled exception occurred while processing the request.
    HttpRequestException: Response status code does not indicate success: 400 (Bad Request).
    MoveNext
    AggregateException: Unhandled remote failure. (Response status code does not indicate success: 400 (Bad Request).)
    MoveNext"

    The program failed on the _signInManager.Configure…..
    {code}
    // POST: /Account/ExternalLogin
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public IActionResult ExternalLogin(string provider, string returnUrl = null)
    {
        // Request a redirect to the external login provider.
        var redirectUrl = Url.Action("ExternalLoginCallback", "Account", new { ReturnUrl = returnUrl });
        var properties = _signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);

        return Challenge(properties, provider);
    }
    {code}

    Has anyone tried to use OpenAM as an OpenID Connect provider in an ASP.NET web application?
    How does "Microsoft.AspNetCore.Authentication.OpenIdConnect" process the redirect_uri "/signin-oidc"?

    #12046
     Warren Strange
    Participant

    I’d suggest
    – Look at the browser payload (use chrome dev tools, etc.) to see what OpenAM is sending back
    – Look at the OpenAM debug logs to see if any errors are logged.

    #12056
     shurman.cai
    Participant

    Chrome does not work when "cors" is enabled in OpenAM 13; the login page hangs on "loading….".

    #12072
     shurman.cai
    Participant

    I got it to work now. The key point is the response type: options.ResponseType = "id_token"; I had used "code" before.
    In "public void ConfigureServices(IServiceCollection services)" I add the following code

    {code}
    // Sign users in with the cookie scheme once the OIDC handshake completes.
    services.AddAuthentication(
        options => options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme);

    // Configure OIDC Options
    services.Configure<OpenIdConnectOptions>(options =>
    {
        options.AutomaticChallenge = true;
        options.AuthenticationScheme = "Openam";
        options.MetadataAddress = "http://openam.contoso.com/openam/oauth2/.well-known/openid-configuration";
        options.ClientId = Configuration["openam:clientId"];
        options.ClientSecret = Configuration["openam:clientSecret"];

        options.Scope.Add("openid");
        options.Scope.Add("email");
        options.Scope.Add("profile");
        // Plain-HTTP discovery metadata is only acceptable in a local lab; outside it,
        // use an https MetadataAddress and leave RequireHttpsMetadata at its default (true).
        options.RequireHttpsMetadata = false;
        // Implicit flow: the id_token is returned directly from the authorize endpoint.
        // "code" (authorization code flow) led to the 400 (Bad Request) reported above.
        options.ResponseType = "id_token";
        options.GetClaimsFromUserInfoEndpoint = true;

        options.Events = new OpenIdConnectEvents
        {
            OnRemoteFailure = context =>
            {
                // Encode the message so it cannot break the query string, and mark the
                // response as handled; without HandleResponse() the handler still throws
                // "Unhandled remote failure" after the redirect is set.
                context.Response.Redirect("/AccessDenied?error=" + Uri.EscapeDataString(context.Failure.Message));
                context.HandleResponse();
                return Task.FromResult(0);
            },
            OnTicketReceived = context =>
            {
                // Map the OIDC "name" claim onto ClaimTypes.Name so User.Identity.Name is populated.
                var identity = context.Principal.Identity as ClaimsIdentity;
                if (identity != null)
                {
                    if (!context.Principal.HasClaim(c => c.Type == ClaimTypes.Name) &&
                        identity.HasClaim(c => c.Type == "name"))
                        identity.AddClaim(new Claim(ClaimTypes.Name, identity.FindFirst("name").Value));
                }
                return Task.FromResult(0);
            }
        };
    });
    {code}

    In "public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)"
    I added the following code

    {code}
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AutomaticAuthenticate = true,
        AutomaticChallenge = true,
        LoginPath = new PathString("/Account/Login"),
        LogoutPath = new PathString("/Account/Logout")
    });
    // Reuse the OpenIdConnectOptions registered in ConfigureServices.
    var options = app.ApplicationServices.GetRequiredService<IOptions<OpenIdConnectOptions>>();
    app.UseOpenIdConnectAuthentication(options.Value);
    {code}

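A pre-flight check of the relying-party options used in the post (ResponseType, Scope, MetadataAddress, RequireHttpsMetadata, GetClaimsFromUserInfoEndpoint) against a provider's discovery document, added here as an example; it is not code from the thread or from OpenAM, and the discovery JSON is a constructed sample rather than what OpenAM actually publishes.

```python
import json

# Constructed sample of what a provider publishes at
# <issuer>/.well-known/openid-configuration; values are illustrative, not OpenAM's.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "http://openam.contoso.com/openam/oauth2",
    "authorization_endpoint": "http://openam.contoso.com/openam/oauth2/authorize",
    "token_endpoint": "http://openam.contoso.com/openam/oauth2/access_token",
    "userinfo_endpoint": "http://openam.contoso.com/openam/oauth2/userinfo",
    "response_types_supported": ["id_token", "token id_token"],
    "scopes_supported": ["openid", "profile", "email"],
})


def check_client_config(discovery_json, response_type, scopes, metadata_address,
                        require_https_metadata, claims_from_userinfo):
    """Compare relying-party options with the provider's discovery document.

    Returns a list of findings; an empty list means the two are consistent.
    """
    meta = json.loads(discovery_json)
    findings = []

    # response_type is a space-separated set; order does not matter for matching.
    advertised = {frozenset(r.split()) for r in meta.get("response_types_supported", [])}
    if frozenset(response_type.split()) not in advertised:
        findings.append("response_type %r is not in response_types_supported %r"
                        % (response_type, meta.get("response_types_supported")))

    if "openid" not in scopes:
        findings.append("scope 'openid' is mandatory for an OpenID Connect request")
    missing = sorted(set(scopes) - set(meta.get("scopes_supported", [])))
    if missing:
        findings.append("scopes not advertised by the provider: %r" % missing)

    # response_type=id_token alone returns no access token, so the userinfo
    # endpoint cannot be called; claims then have to come from the id_token.
    requested = set(response_type.split())
    if claims_from_userinfo and not requested & {"code", "token"}:
        findings.append("GetClaimsFromUserInfoEndpoint set but no access token is "
                        "issued for response_type %r" % response_type)

    # Discovery metadata fetched over plain HTTP can be altered in transit,
    # pointing the client at attacker-controlled endpoints and signing keys.
    if metadata_address.startswith("http://") or not require_https_metadata:
        findings.append("metadata fetched over HTTP / RequireHttpsMetadata=false; "
                        "acceptable only in a local lab")
    return findings
```

Run it against a real discovery document by replacing SAMPLE_DISCOVERY with the JSON fetched from the provider's MetadataAddress.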