Login using OpenID

Good morning,

I wish to extend Squidex a bit by adding my own Identity Server. I am able to reach my server and log in, but cannot seem to get the redirection right. Can you assist, please?

This is how I am setting up Squidex (rudimentary code for testing purposes):

.AddOpenIdConnect("demoidsrv", "IdentityServer", options =>
{
    options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
    options.SignOutScheme = IdentityServerConstants.SignoutScheme;

    options.Authority = "http://localhost:5000";
    options.ClientId = "implicit";
    options.ResponseType = "id_token";
    options.SaveTokens = true;
    options.Events.OnRedirectToIdentityProvider = async n =>
    {
        n.ProtocolMessage.RedirectUri = urlsOptions.BuildUrl("client-callback-popup", false);
        await Task.FromResult(0);
    };

    options.RequireHttpsMetadata = identityOptions.RequiresHttps;

    options.TokenValidationParameters = new TokenValidationParameters
    {
        NameClaimType = "name",
        RoleClaimType = "role"
    };
})

This is how I set up my client:

new Client
{
    ClientId = "implicit",
    ClientName = "MVC Client",
    AccessTokenLifetime = (int)TimeSpan.FromDays(30).TotalSeconds,
    AllowedGrantTypes = GrantTypes.ImplicitAndClientCredentials,

    RequireConsent = false,
    RedirectUris = { "http://localhost:50006/client-callback-popup" },

    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        IdentityServerConstants.StandardScopes.Email,
        "squidex-api",
        "squidex-profile",
        "role"
    },
    AllowOfflineAccess = true
},

Can you assist me please? Thanks in advance!

Can you post the errors you get?

Some errors I see:

  • I think the authority is definitely wrong. It should be your identity server.

I am hosting Squidex on port 50006 and my own Identity Server on port 5000, since I am working on localhost.

What should the callback URI be please?

I will upload 3 screenshots:

Can you just try to remove the event handler? Because the redirect url is controlled by the frontend client (angular app).

I am getting this error on my Identity Server app:

fail: IdentityServer4.Validation.AuthorizeRequestValidator[0]
Invalid redirect_uri: http://localhost:50006/identity-server/signin-oidc
{
"ClientId": "implicit",
"ClientName": "MVC Client",
"AllowedRedirectUris": [],
"SubjectId": "0e6bdfb8-3ba6-4fc6-a0ce-2454ec19b390",
"RequestedScopes": "",
"Raw": {
"client_id": "implicit",
"redirect_uri": "http://localhost:50006/identity-server/signin-oidc",
"response_type": "id_token",
"scope": "openid profile",
"response_mode": "form_post",
"nonce": "636701959884073227.N2M3MWZjNzYtYWZiYy00MDkzLWIwMjAtOWMxNzA1MGQzMTQ3NGNkNzliYWUtY2YwNC00Yjg2LTkwMmMtZDQwMjk4ZTMzOTZk",
"state": "CfDJ8BDr4y_HXsNDics_XNKQZiyzB-k0ei7WMYWynaYdWc_vQip29_88rXiyvycYqhFZk00VwGWEDg8ZdwV0tZuAdibCM9-aNfzmwoI17ixqpsOKfwQhIU5ECgzXeFFzvZOGDly5xoKOWMMDHdRrls-Gw8CCxHlrBPMRhVtrqBcv2N5yfaTedAzLskXyeiRDuZKubTLdOdPAM8AUQVvSjscwYllwBiY7D5isdEe9evtwn8Pjx1sxzW3uhxUV4pb3x1GogRva0ebkhzcgv-WP8Lt6-P7TLrra7qZ0iJU5CiWL3Ympw4UqVsXk7gBMmb0PrN0_ne-1YpV7G6RAVUSoRY4GvjG9MuibGmOJS1EF6XB_agQsy4INZWKqDa2f4C0Qq6Lq9CBkhw92vdCKlexgB1Vpo5Xflh3KBVxxXMLPXqJDCJuI1olznT66aFCgwqDwhmlEaQYgfZwBL3XCJf72OXW063mt4uNy59oSLgru5MqGD4oFkD7A0PqiLDIZJ58p1kLHkUixtY0_v1ACZFRVh1hZ2-mAzqtm-fKbUkKWMAblwLpB_NiLv5QoOGzNn7J2XMkvUhPtY3SV6grZ70xhDHtzC0q6iqzjr6MQYGTKycJuUtIJPhQwDvjZwdNUWSc0znYRbGnSk-SSR-X8jv1–IRbMTolCls2QcKQu1BI18Rjf6IHuisdFH-HPYbS2KxqmM7Bqr-et_5NdN-CDnp9xXpQY1aE4ErzdKATvR-YoVkBakO8IHWq2TtYUxTWYamlDrudRE-ZPZfDkzCX-uq3TBwvuvhNSV55B9SZ33DmWRy16KkbccWJkVBWB_zE022mP-sW7V2cZzi9gKNwGMd4tKfNhEwv5nTFStw68hyWJO1QaIXlLF6kF0eBtY-lrbaTCsVRMvt-kSgq-ZywF4USbD8R09C6k_Qoxb522a9yoTQr3NKe",
"x-client-SKU": "ID_NET",
"x-client-ver": "2.1.4.0"
}
}
fail: IdentityServer4.Endpoints.AuthorizeEndpoint[0]
Request validation failed
info: IdentityServer4.Endpoints.AuthorizeEndpoint[0]
{
"ClientId": "implicit",
"ClientName": "MVC Client",
"AllowedRedirectUris": [],
"SubjectId": "0e6bdfb8-3ba6-4fc6-a0ce-2454ec19b390",
"RequestedScopes": "",
"Raw": {
"client_id": "implicit",
"redirect_uri": "http://localhost:50006/identity-server/signin-oidc",
"response_type": "id_token",
"scope": "openid profile",
"response_mode": "form_post",
"nonce": "636701959884073227.N2M3MWZjNzYtYWZiYy00MDkzLWIwMjAtOWMxNzA1MGQzMTQ3NGNkNzliYWUtY2YwNC00Yjg2LTkwMmMtZDQwMjk4ZTMzOTZk",
"state": "CfDJ8BDr4y_HXsNDics_XNKQZiyzB-k0ei7WMYWynaYdWc_vQip29_88rXiyvycYqhFZk00VwGWEDg8ZdwV0tZuAdibCM9-aNfzmwoI17ixqpsOKfwQhIU5ECgzXeFFzvZOGDly5xoKOWMMDHdRrls-Gw8CCxHlrBPMRhVtrqBcv2N5yfaTedAzLskXyeiRDuZKubTLdOdPAM8AUQVvSjscwYllwBiY7D5isdEe9evtwn8Pjx1sxzW3uhxUV4pb3x1GogRva0ebkhzcgv-WP8Lt6-P7TLrra7qZ0iJU5CiWL3Ympw4UqVsXk7gBMmb0PrN0_ne-1YpV7G6RAVUSoRY4GvjG9MuibGmOJS1EF6XB_agQsy4INZWKqDa2f4C0Qq6Lq9CBkhw92vdCKlexgB1Vpo5Xflh3KBVxxXMLPXqJDCJuI1olznT66aFCgwqDwhmlEaQYgfZwBL3XCJf72OXW063mt4uNy59oSLgru5MqGD4oFkD7A0PqiLDIZJ58p1kLHkUixtY0_v1ACZFRVh1hZ2-mAzqtm-fKbUkKWMAblwLpB_NiLv5QoOGzNn7J2XMkvUhPtY3SV6grZ70xhDHtzC0q6iqzjr6MQYGTKycJuUtIJPhQwDvjZwdNUWSc0znYRbGnSk-SSR-X8jv1–IRbMTolCls2QcKQu1BI18Rjf6IHuisdFH-HPYbS2KxqmM7Bqr-et_5NdN-CDnp9xXpQY1aE4ErzdKATvR-YoVkBakO8IHWq2TtYUxTWYamlDrudRE-ZPZfDkzCX-uq3TBwvuvhNSV55B9SZ33DmWRy16KkbccWJkVBWB_zE022mP-sW7V2cZzi9gKNwGMd4tKfNhEwv5nTFStw68hyWJO1QaIXlLF6kF0eBtY-lrbaTCsVRMvt-kSgq-ZywF4USbD8R09C6k_Qoxb522a9yoTQr3NKe",
"x-client-SKU": "ID_NET",
"x-client-ver": "2.1.4.0"
}
}

If I set http://localhost:50006/identity-server/signin-oidc as an allowed URI in my Identity Server app and try again I get the following exception on Squidex:

"exception": {
"type": "System.Exception",
"message": "An error was encountered while handling the remote login.",
"stackTrace": " at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()\r\n at IdentityServer4.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.HandleRequestAsync() in C:\\local\\identity\\server4\\IdentityServer4\\src\\IdentityServer4\\Hosting\\FederatedSignOut\\AuthenticationRequestHandlerWrapper.cs:line 38\r\n at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)\r\n at Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.Invoke(HttpContext context)\r\n at IdentityServer4.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in C:\\local\\identity\\server4\\IdentityServer4\\src\\IdentityServer4\\Hosting\\BaseUrlMiddleware.cs:line 36\r\n at Microsoft.AspNetCore.Builder.Extensions.MapMiddleware.Invoke(HttpContext context)\r\n at Microsoft.AspNetCore.Builder.Extensions.MapMiddleware.Invoke(HttpContext context)\r\n at Microsoft.AspNetCore.Builder.Extensions.MapMiddleware.Invoke(HttpContext context)\r\n at Microsoft.AspNetCore.Builder.Extensions.MapMiddleware.Invoke(HttpContext context)\r\n at Squidex.Pipeline.RequestLogPerformanceMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in C:\\Git Repositories\\cmsdemofork\\src\\Squidex\\Pipeline\\RequestLogPerformanceMiddleware.cs:line 33\r\n at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass5_1.<<UseMiddlewareInterface>b__1>d.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at Squidex.Pipeline.EnforceHttpsMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in C:\\Git Repositories\\cmsdemofork\\src\\Squidex\\Pipeline\\EnforceHttpsMiddleware.cs:line 29\r\n at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass5_1.<<UseMiddlewareInterface>b__1>d.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.Invoke(HttpContext context)\r\n at Squidex.Pipeline.LocalCacheMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in C:\\Git Repositories\\cmsdemofork\\src\\Squidex\\Pipeline\\LocalCacheMiddleware.cs:line 30\r\n at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass5_1.<<UseMiddlewareInterface>b__1>d.MoveNext()\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)"
},
"app": {
"name": "Squidex",
"version": "1.0.0.0",
"sessionId": "a7e3f098-eb31-420d-a462-7adb048018b6"
},
"web": {
"requestId": "be0028e4-1938-48e9-9919-2c6cfbd36f5c",
"requestPath": "/identity-server/signin-oidc",
"requestMethod": "POST"
},
"timestamp": "2018-08-18T14:20:09.7493435Z",
"category": "Microsoft.AspNetCore.Server.Kestrel"
}
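The "Invalid redirect_uri" failure in the log above comes down to one rule: the authorization server compares the redirect_uri it receives against the client's registered list by exact string equality. The request carried `http://localhost:50006/identity-server/signin-oidc`, while the posted Client registered only `http://localhost:50006/client-callback-popup`, so no match is possible. The following is an added example, not code from the thread, Squidex or IdentityServer4: a small Python re-creation of the validation steps IdentityServer4's AuthorizeRequestValidator applies (client, redirect URI, response type, nonce, scopes), run over the parameters quoted in the log. The `CLIENT_AS_POSTED` and `RAW_REQUEST` dictionaries are transcribed from the thread; the nonce is a constructed placeholder.

```python
from urllib.parse import urlsplit

# Registered client, as in the poster's IdentityServer configuration (scopes and
# redirect URI copied from the Client block above; response types of the implicit grant).
CLIENT_AS_POSTED = {
    "client_id": "implicit",
    "redirect_uris": ["http://localhost:50006/client-callback-popup"],
    "allowed_response_types": ["id_token", "id_token token"],
    "allowed_scopes": ["openid", "profile", "email",
                       "squidex-api", "squidex-profile", "role"],
}

# The "Raw" authorize request from the IdentityServer log above;
# the nonce is a constructed placeholder, not the logged value.
RAW_REQUEST = {
    "client_id": "implicit",
    "redirect_uri": "http://localhost:50006/identity-server/signin-oidc",
    "response_type": "id_token",
    "scope": "openid profile",
    "response_mode": "form_post",
    "nonce": "constructed-nonce",
}

def validate_authorize_request(raw, client):
    """Return None when the request is valid, else the first error string."""
    if raw.get("client_id") != client["client_id"]:
        return "Unknown client_id"
    uri = raw.get("redirect_uri", "")
    parts = urlsplit(uri)
    if not parts.scheme or parts.fragment:
        return "Malformed redirect_uri"
    # OAuth 2.0 / OIDC require exact string comparison: no prefix, wildcard
    # or host-only matching, so a path difference alone is enough to reject.
    if uri not in client["redirect_uris"]:
        return "Invalid redirect_uri: " + uri
    if raw.get("response_type") not in client["allowed_response_types"]:
        return "Invalid response_type"
    if "id_token" in raw["response_type"] and not raw.get("nonce"):
        return "nonce is required for id_token"   # replay protection for implicit
    scopes = raw.get("scope", "").split()
    if "openid" not in scopes:
        return "openid scope is required"
    bad = [s for s in scopes if s not in client["allowed_scopes"]]
    return "Invalid scope: " + " ".join(bad) if bad else None

def with_redirect_uri(client, uri):
    """Copy of the registration with one more exact redirect URI allowed."""
    return dict(client, redirect_uris=client["redirect_uris"] + [uri])
```

Running `validate_authorize_request(RAW_REQUEST, CLIENT_AS_POSTED)` reproduces the logged error, and registering the exact URI the handler actually sends (via `with_redirect_uri`) makes the same request validate.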

I think we are getting somewhere. I rearranged the order of wiring up the middleware and now I have this exception.

It is thrown from this method because externalLogin is null. Can you give me any pointers, please?

Your identity server has to return the email address as claim.

externalLogin is always null because expectedXsrf is always null, hence the exception. Any ideas please?

OK, apparently it has nothing to do with expectedXsrf; signInManager.GetExternalLoginInfoAsync is always returning null.

The identity stuff is a lot of trial and error for me as well. I would check your cookies or the settings of your OpenID auth provider in Squidex.

Some progress has been made: I was able to register a user with my OpenID Connect implementation. Yet, for some reason, when I try to log in with said user, even though I can see it is successful (I can even log in as an admin and see the users), I am being redirected to the login page again.

Any ideas?

Have you checked the claims and/or roles?

From where? Are there any particular claims which are expected?

No, you are right. You should talk with @pushrbx, he has already solved it.

Is there a ticket here I can refer to?

@nicholas I haven't read the thread through yet, but I will dig into it this evening.
If you want to authenticate through an external server, you need to take identity server out of Squidex, and it should only have JWT authentication.
Example: https://github.com/pushrbx/squidex/blob/keycloak/src/Squidex.Domain.Users.Keycloak/KeycloakUserResolver.cs

Overall, my branch of Squidex is acting as a "resource" in OAuth2 terminology, instead of providing identity.
So basically your authentication and HTTP request flow should look like this:
Client software -> authenticates with external identity server -> gets token -> sends request with token to Squidex -> Squidex validates token -> gets role information from external identity server -> authorizes the request -> sends response

Somehow I am able to log in, but the behavior is very haphazard. For example, in order to log in with my external login I logged in, got redirected to the login page, restarted npm and the application, debugged the solution again and it worked! I suspect it might have something to do with caching in the Angular app. If that is the case, is there a way to disable caching completely (from the app, not Chrome) to try it out?

@pushrbx Thank you, but I do not feel the need to unplug the current implementation of identity server from the Squidex solution. If you do not agree, I am open to your suggestions. What I want is another method to authenticate, like Google. I did manage to achieve this and was able to register a user :) But sometimes the login works haphazardly: I log in and get redirected to the login screen again. This happened with Google authentication too, and my colleague reported that even with the admin login.

This is a similar scenario reported: [SOLVED] Squidex Locally Hosted - Login Doesn’t Work

Maybe I can try to carefully log every step and open another thread under the Bugs section?