I'm trying to create a master-slave type configuration for authentication with IdentityServer4, as below:
```text
MyMasterIdentityServer0 (Master) - receives id_token and gives access_token
  |---> MySlaveIdentityServer1 (Basic Auth)
  |---> MySlaveIdentityServer2 (Windows Auth)
  |---> MySlaveIdentityServer3 (SmartCard Certificate Auth)
  |---> MySlaveIdentityServer4 (SAML SSO Auth)
  |---> Cloud Demo IdentityServer
  |---> Google Auth
  |---> Facebook Auth
  |---> Microsoft Auth
  |---> Twitter Auth
```
All my applications and APIs will point to and authenticate with MyMasterIdentityServer0.

Users can have a choice of authenticating using any of the above providers. They can choose username/password, in which case they should be redirected to MySlaveIdentityServer1 (Basic Auth), or they can choose Windows Auth using their AD account, in which case they will be redirected to MySlaveIdentityServer2 (Windows Auth), or choose any other provider.

Once the user has been authenticated, he receives an id_token from the provider server and gets redirected back to MyMasterIdentityServer0, where the external user is looked up using the Provider and ProviderUserId and then given an access_token to access the applications/APIs based on his permissions.

The problem I'm facing is that the IdentityServer master-slave configuration is not working for me and is giving me the error `Unable to unprotect the message.State` when the user is redirected back to the master server after authentication. I tried looking up the issue, and Auth0 also faced this same bug, which they recently fixed.
Error received:

```text
Exception: Unable to unprotect the message.State
```
IdentityServer master configuration:

```csharp
// Inside Configure(IApplicationBuilder app, ...) on the master server (ASP.NET Core 1.x style).
// Needs: using IdentityServer4; using Microsoft.AspNetCore.Authentication.OpenIdConnect;
//        using Microsoft.IdentityModel.Tokens;

// WORKING: external login against the public demo IdentityServer
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
    AuthenticationScheme = "ID4DemoCloud",
    DisplayName = "Login with ID4DemoCloud",
    // Hand the external identity to IdentityServer's temporary external cookie
    SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme,
    SignOutScheme = IdentityServerConstants.SignoutScheme,
    Authority = "https://demo.identityserver.io/",
    ClientId = "implicit",
    TokenValidationParameters = new TokenValidationParameters
    {
        NameClaimType = "name",
        RoleClaimType = "role"
    },
    //Events = new OpenIdConnectEvents() { }
});

// NOT WORKING: external login against the internally deployed slave (Basic Auth) server
app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
    AuthenticationScheme = "MySlaveIdentityServer1BasicAuth",
    DisplayName = "Login with MySlaveIdentityServer1 Basic Auth",
    SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme,
    SignOutScheme = IdentityServerConstants.SignoutScheme,
    Authority = "http://localhost:5100/",
    ClientId = "MyMasterIdentityServer0",
    ClientSecret = "secret",
    // Slave is served over plain HTTP in development, so HTTPS is not required for discovery
    RequireHttpsMetadata = false,
    //TokenValidationParameters = new TokenValidationParameters
    //{
    //    NameClaimType = "name",
    //    RoleClaimType = "role"
    //},
});
```
Basic Auth server client configuration:

```csharp
// Registered on MySlaveIdentityServer1 (Basic Auth) so the master can act as its OIDC client.
using System.Collections.Generic;
using IdentityServer4.Models;
using static IdentityServer4.IdentityServerConstants; // brings StandardScopes into scope

public static class Clients
{
    public static IEnumerable<Client> GetClients()
    {
        return new[]
        {
            new Client
            {
                ClientId = "MyMasterIdentityServer0",
                ClientName = "My Master IdentityServer 0",
                ClientSecrets = new List<Secret> { new Secret("secret".Sha256()) },
                AllowedGrantTypes = GrantTypes.Implicit,
                AllowedScopes = new List<string>
                {
                    StandardScopes.OpenId,
                    StandardScopes.Profile
                },
                RequireConsent = false,
                AllowOfflineAccess = false,
                // Must match the master's OIDC callback (the master runs on port 5000)
                RedirectUris = new [] { "http://localhost:5000/signin-oidc" }
            }
        };
    }
}
```
All the auth providers are working fine except the internally deployed MySlaveIdentityServers 1, 2, 3 and 4 ... even the Cloud Demo IdentityServer is working fine. Can anyone give me any advice or suggestions?
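The round trip described above (challenge the chosen slave scheme, then on return look the external user up by Provider and ProviderUserId on the master and sign them in locally), as an added example in the IdentityServer4 1.x quickstart style; this is not code from the question. `IExternalUserStore`, `FindByExternalProvider`, `AutoProvisionUser` and the user's `SubjectId`/`Username` are assumed names for the master's user store.

```csharp
// Added example (not from the question): external-login round trip on MyMasterIdentityServer0,
// written against ASP.NET Core 1.x / IdentityServer4 1.x to match UseOpenIdConnectAuthentication above.
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4;
using Microsoft.AspNetCore.Http.Authentication;
using Microsoft.AspNetCore.Mvc;
public class AccountController : Controller
{
    // Hypothetical user store: maps (provider, providerUserId) to a local user on the master.
    private readonly IExternalUserStore _users;
    public AccountController(IExternalUserStore users) { _users = users; }
    // Step 1: challenge the chosen slave/provider scheme, e.g. "MySlaveIdentityServer1BasicAuth".
    [HttpGet]
    public IActionResult ExternalLogin(string provider, string returnUrl)
    {
        var props = new AuthenticationProperties
        {
            RedirectUri = Url.Action("ExternalLoginCallback", new { returnUrl }),
            Items = { { "scheme", provider } } // carried in the protected state, read back in step 2
        };
        return new ChallengeResult(provider, props);
    }
    // Step 2: the provider has redirected back; the OIDC handler has validated the id_token and
    // written the external identity to the temporary external cookie (SignInScheme above).
    [HttpGet]
    public async Task<IActionResult> ExternalLoginCallback(string returnUrl)
    {
        var info = await HttpContext.Authentication.GetAuthenticateInfoAsync(
            IdentityServerConstants.ExternalCookieAuthenticationScheme);
        if (info?.Principal == null) throw new Exception("External authentication error");
        // Provider comes from the protected properties, never from user-controlled input.
        var provider = info.Properties.Items["scheme"];
        var userId = info.Principal.FindFirst(JwtClaimTypes.Subject)
                     ?? info.Principal.FindFirst(ClaimTypes.NameIdentifier);
        if (userId == null) throw new Exception("Unknown user id");
        // Lookup by Provider + ProviderUserId; provision on first sight.
        var user = _users.FindByExternalProvider(provider, userId.Value)
                   ?? _users.AutoProvisionUser(provider, userId.Value, info.Principal.Claims.ToList());
        // Issue the master's own session (IdentityServer4 extension; "idp" claim records the provider),
        // then delete the temporary external cookie so it cannot be reused.
        await HttpContext.Authentication.SignInAsync(user.SubjectId, user.Username, provider);
        await HttpContext.Authentication.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
        return Url.IsLocalUrl(returnUrl) ? Redirect(returnUrl) : Redirect("~/");
    }
}
```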