auroris/OpenIddict-WindowsAuth

WindowsAuth and other flows?

Closed this issue · 6 comments

Is it possible to use Windows auth and other flows in the same auth server? Also, what if the auth server is separate from the resource server? How would the authorization work?

I don't know? I had a specific requirement for doing single sign-on with a domain-joined computer, so Internet Explorer and Chrome users (also on domain-joined computers) can click through a link to both be authenticated and signed in with their roles (groups). Authentication is just DotNet Core's built-in Windows Authentication scheme, and the results are stuffed into an authentication ticket.

You could build other authorization flows, but you'd be doing it manually in "degraded mode".

I implemented your code in the resource server. The auth server is a separate project. If I enter wrong credentials the first time, I do get 401. Then I enter the correct credentials and I get 200. I re-enter wrong credentials for the third request and I get 200 again. So something is not working as it should. Should Integrated Windows Authentication be set in the project? Or maybe I need to implement a policy with multiple schemes?

Integrated Windows Authentication is required to be set in IIS, per my documentation. Trying to use Windows Authentication without Windows Authentication being enabled has unpredictable results, as you are apparently observing. You can use https://oidcdebugger.com to test the responses and see what values are being returned. OidcDebugger does not require the server to be internet accessible, but it does require your browser to be able to access its pages and the OpenIddict server.

I will try that. It might have been an issue with Postman. I tried with Edge and Chrome, and also with and without your implementation. It always seems to work. I noticed that OpenIddict tries to validate the request and sends back a challenge for the OpenIddict scheme and not Windows. Is this correct?

@auroris FYI, OpenIddict 3.0 RTM was released last month (in case you'd like to update your sample 😃): https://kevinchalet.com/2020/12/23/openiddict-3-0-general-availability/

@kevinchalet OpenIddict is a great package! A couple of questions:

  1. I used OpenIddict.Validation.AspNetCore to do the validation on the resource server. Can I instead use the default AddOpenIdConnect?

  2. Also... if I want to add ExternalLogins, should I add them in the resource server, or would it be possible to add them in the auth server? (The auth server would need those client IDs/secrets.)