OpenAM As OpenID Connect Provider in ASP.NET CORE 1.0 Web

[shurman.cai]

I am trying to use OpenAM as OpenIdConnect provider, just like google, or facebook as openIdConnect provider,

I have configured the Openam as http://openam.contoso.com/openam.
I can login to the Openam as amadmin through http://openam.contoso.com/openam/XUI/#login/
I have create a OAuth 2.0/OpenID Connect Client, the clientId: ASPNETClient client Password: Pa$$w0rd As the client secret.

The redirect_url is http://localhost:5000/signin-oidc
scope: openid profile email

I have used Visual Studio 2015 community version Update 3. to generate a web application with individual authentication. I have added “google”, “facebook” external login and as well “openam” as external login.
the “openam” will use the “app.UseOpenIdConnectAuthentication”, which is similar to google and facebook as external login.

I create a simple ASP.NET Core 1.0 Web application and using OpenAM as one of the external login provider,
I can simple get google, and facebook as external login using a few lines code, but I can’t successfully use OpenAm as the external login.

There is no problem when click the “facebook”, or “google” external login

In my program web page http://localhost:5000/, I can click the external login button “Openam”, which can successfully open the “http://openam.contoso.com/openam/XUI/#login/” login interface, then I can type the user name user.0 and password to login, and i can set “Allow” the application is request the following private information.

However, after that I got
“An unhandled exception occurred while processing the request.
HttpRequestException: Response status code does not indicate success: 400 (Bad Request).
MoveNext
AggregateException: Unhandled remote failure. (Response status code does not indicate success: 400 (Bad Request).)
MoveNext”

The program failed on the _signInManager.Configure…..
{code}
// POST: /Account/ExternalLogin
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public IActionResult ExternalLogin(string provider, string returnUrl = null)
{

// Request a redirect to the external login provider.
var redirectUrl = Url.Action(“ExternalLoginCallback”, “Account”, new { ReturnUrl = returnUrl });
var properties = _signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);

return Challenge(properties, provider);
}

{code}

Has anyone tried to used OpenAM as OpenIdConnect provider in ASP.NET web application.
How does the “Microsoft.AspNetCore.Authentication.OpenIdConnect” process redirect_uri “/signin-oidc”.

[Warren Strange]

I’d suggest
– Look at the browser payload (use chrome dev tools, etc.) to see what OpenAM is sending back
– Look at the OpenAM debug logs to see if any errors are logged.

[shurman.cai]

Chrome does not work when the “cors” is enabled in OpenAm 13, the login page is hung up on “loading….”.

• This reply was modified 5 years, 2 months ago by shurman.cai.

[shurman.cai]

I got it work now. the key point is the response type: options.ResponseType = “id_token”; I have used “code” before.
In “public void ConfigureServices(IServiceCollection services)” I add the following code

services.AddAuthentication(
options => options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme);

// Configure OIDC Options
services.Configure<OpenIdConnectOptions>(options =>
{
options.AutomaticChallenge = true;
options.AuthenticationScheme = “Openam”;
options.MetadataAddress = “http://openam.contoso.com/openam/oauth2/.well-known/openid-configuration&#8221;;
options.ClientId = Configuration[“openam:clientId”];
options.ClientSecret = Configuration[“openam:clientSecret”];

options.Scope.Add(“openid”);
options.Scope.Add(“email”);
options.Scope.Add(“profile”);
options.RequireHttpsMetadata = false;
// Set response type to code
options.ResponseType = “id_token”;
options.GetClaimsFromUserInfoEndpoint = true;

options.Events = new OpenIdConnectEvents
{
OnRemoteFailure = context =>
{
context.Response.Redirect(“/AccessDenied>error=” + context.Failure.Message);
return Task.FromResult(0);
},
OnTicketReceived = context =>
{
var identity = context.Principal.Identity as ClaimsIdentity;
if (identity != null)
{
if (!context.Principal.HasClaim(c => c.Type == ClaimTypes.Name) &&
identity.HasClaim(c => c.Type == “name”))
identity.AddClaim(new Claim(ClaimTypes.Name, identity.FindFirst(“name”).Value));
}
return Task.FromResult(0);
}
};
});

In ” public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)”
I added the following code

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AutomaticAuthenticate = true,
AutomaticChallenge = true,
LoginPath = new PathString(“/Account/Login”),
LogoutPath = new PathString(“/Account/Logout”)
});
var options = app.ApplicationServices.GetRequiredService<IOptions<OpenIdConnectOptions>>();
app.UseOpenIdConnectAuthentication(options.Value);

• This reply was modified 5 years, 2 months ago by shurman.cai.

[Author]

Posts