OWIN middleware for OpenID Connect - Code flow ( Flow type - AuthorizationCode) documentation?
In my implementation I am using OpenID-Connect Server (Identity Server v3+) to authenticate an Asp.net MVC 5 app (with AngularJS front-end).

I am planning to use OID Code flow (with Scope Open_ID) to authenticate the client (RP). For the OpenID Connect middleware, I am using OWIN (Katana Project) components.

Before the implementation, I want to understand the back-channel token request, refresh token request process, etc. using OWIN. But I am unable to find any documentation for this type of implementation (most of the available examples use Implicit flow).

I could find samples for a generic Code flow implementation for ID Server v3 here: https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source

I am looking for a similar one using OWIN middleware. Does anyone have any pointers?

Bridgers answered 11/11, 2015 at 23:40 Comment(0)
Edit: good news, code flow and response_mode=query support was finally added to Katana, as part of the 4.1 release (that shipped in November 2019): https://github.com/aspnet/AspNetKatana/wiki/Roadmap#410-release-november-2019.

Be sure to set the RedeemCode property to true if you want it to handle the communication with the token endpoint.

The OpenID Connect middleware doesn't support the code flow: http://katanaproject.codeplex.com/workitem/247 (it's already fixed in the ASP.NET 5 version, though).

Actually, only the implicit flow (id_token) is officially supported, and you have to use the response_mode=form_post extension. Trying to use the authorization code flow will simply result in an exception being thrown during the callback, because it won't be able to extract the (missing) id_token from the authentication response.

Though not directly supported, you can also use the hybrid flow (code + id_token (+ token)), but it's up to you to implement the token request part. You can see https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/blob/dev/samples/Nancy/Nancy.Client/Startup.cs#L82-L115 for an example.

Protohistory answered 12/11, 2015 at 1:2 Comment(7)
So much knowledge packed into this answer. It must have taken you time to discover all these pain points. Expanding on the exception being thrown during the callback for the OP: the exception is due to an id token not being returned in the call to idsvr if you only ask for code flow (which of course is by design). Seagirt
@CrescentFresh thanks for the kind word! Actually, I've contributed a few times to the OIDC middleware (for instance, I introduced the response_mode=query support) and I develop the server counterpart for OWIN/Katana and ASP.NET 5 (github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server), which explains why I feel comfortable with the questions related to OIDC ;) I updated my answer to incorporate your precision, thanks! Gabel
Can you please help me with this question: #47096613 Mildredmildrid
Will we see updates for non-Core apps wanting to run Microsoft.Owin.Security.OpenIdConnect code flow? Or are there some alternate packages out there when Core migration is still far future for the specific project? Labelle
@JohanKronberg Katana 4.0 is about to ship but nothing has changed concerning code flow support. Feel free to open a new ticket on GitHub (github.com/aspnet/AspNetKatana), but I'm not sure it will be supported in the near future. Gabel
Code flow support has been added for 4.1: github.com/aspnet/AspNetKatana/pull/297 Terylene
Can anyone point me to a sample for configuring Owin 4.1 to use Authentication Code Flow? All the samples I find seem to use implicit flow. Ester
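An added configuration example for the Katana 4.1+ code flow that the edited answer and the last comment above ask about. This is not code from the question, the answers, or the Katana project. It assumes: placeholder authority, client id and secret values (replace them with your own IdentityServer registration); that `ResponseMode` is a string property and `RedeemCode` a boolean on `OpenIdConnectAuthenticationOptions` as in Katana 4.1; and that, with `RedeemCode = true`, the redeemed token response is exposed on the `AuthorizationCodeReceived` notification as `TokenEndpointResponse` (property name and notification ordering taken from the 4.1 source as I remember it; check them against the version you install). The second class shows the refresh-token request the question asks about, which the middleware does not do for you; it uses only the standard OAuth 2.0 `refresh_token` grant parameters.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    // Placeholder values (not from this page); replace with your IdentityServer authority and client registration.
    private const string Authority    = "https://idsvr.example.com";
    private const string ClientId     = "mvc-client";
    private const string ClientSecret = "replace-with-a-real-secret";
    // Redirect URI as used in the answer below; it must match the client registration exactly.
    private const string RedirectUri  = "http://localhost:53004/signin-oidc";

    public void Configuration(IAppBuilder app)
    {
        // The OIDC middleware signs the resulting identity in through the cookie middleware.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        app.UseCookieAuthentication(new CookieAuthenticationOptions());

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority    = Authority,
            ClientId     = ClientId,
            ClientSecret = ClientSecret,                      // needed for the back-channel code redemption
            RedirectUri  = RedirectUri,
            ResponseType = OpenIdConnectResponseType.Code,   // "code": no tokens in the front-channel response
            ResponseMode = OpenIdConnectResponseMode.Query,  // "query": supported since Katana 4.1
            Scope        = "openid profile offline_access",  // offline_access asks IdentityServer for a refresh token
            RedeemCode   = true,                             // Katana 4.1: middleware POSTs the code to the token endpoint
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                AuthorizationCodeReceived = notification =>
                {
                    // Assumed Katana 4.1 behaviour: with RedeemCode = true the code has already been
                    // exchanged and the token endpoint response is exposed as TokenEndpointResponse.
                    OpenIdConnectMessage tokens = notification.TokenEndpointResponse;
                    ClaimsIdentity identity = notification.AuthenticationTicket.Identity;

                    // Keep the tokens in the data-protected authentication cookie so the app can call
                    // APIs and refresh later. The claim type names are this example's choice.
                    identity.AddClaim(new Claim("access_token", tokens.AccessToken));
                    if (!string.IsNullOrEmpty(tokens.RefreshToken))
                    {
                        identity.AddClaim(new Claim("refresh_token", tokens.RefreshToken));
                    }
                    return Task.FromResult(0);
                }
            }
        });
    }
}

// Refresh-token request (OAuth 2.0 refresh_token grant, RFC 6749 section 6) issued by the app itself;
// Katana only handles the initial sign-in, not token renewal.
public static class RefreshTokenClient
{
    private static readonly HttpClient Http = new HttpClient();

    public static async Task<OpenIdConnectMessage> RefreshAsync(
        string tokenEndpoint, string clientId, string clientSecret, string refreshToken)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"]    = "refresh_token",
            ["refresh_token"] = refreshToken,
            ["client_id"]     = clientId,
            ["client_secret"] = clientSecret,
        });

        HttpResponseMessage response = await Http.PostAsync(tokenEndpoint, form);
        string json = await response.Content.ReadAsStringAsync();

        // OpenIdConnectMessage parses the JSON token response; check Error before using the tokens.
        var message = new OpenIdConnectMessage(json);
        if (!response.IsSuccessStatusCode || !string.IsNullOrEmpty(message.Error))
        {
            throw new InvalidOperationException(
                "Token refresh failed: " + (message.Error ?? response.StatusCode.ToString()));
        }
        return message;
    }
}
```

The token endpoint URL for `RefreshAsync` comes from the provider's discovery document (`configuration.TokenEndpoint` via the options' `ConfigurationManager`, as the second answer shows). Because the refresh token ends up inside the authentication cookie here, the cookie's data protection is what guards it; a server-side token store keyed by session is the stricter option if the cookie size or exposure is a concern.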
The answer and comment replies by Pinpoint are spot on. Thanks!

But if you are willing to step away from the NuGet package and instead run modified source code for Microsoft.Owin.Security.OpenIdConnect you can get code (code) flow with form_post.

Of course this can be said for all open source project problems but this was a quick solution for a big thing in my case so I thought I'd share that it could be an option.

I downloaded code from https://github.com/aspnet/AspNetKatana, added the csproj to my solution and removed lines from https://github.com/aspnet/AspNetKatana/blob/dev/src/Microsoft.Owin.Security.OpenIdConnect/OpenidConnectAuthenticationHandler.cs in AuthenticateCoreAsync().

You must then combine it with backchannel calls and then create your own new ClaimsIdentity() to set as the notification.AuthenticationTicket.

// Install-Package IdentityModel to handle the backchannel calls in a nicer fashion
// (IdentityModel 2.x TokenClient/UserInfoClient API). This goes in
// OpenIdConnectAuthenticationOptions.Notifications and needs System.Security.Claims,
// Microsoft.Owin.Security and IdentityModel.Client.
AuthorizationCodeReceived = async notification =>
{
    // Discover the token and userinfo endpoints from the provider metadata.
    var configuration = await notification.Options.ConfigurationManager
             .GetConfigurationAsync(notification.Request.CallCancelled);

    // Back-channel: exchange the authorization code for tokens at the token endpoint.
    var tokenClient = new TokenClient(configuration.TokenEndpoint,
             notification.Options.ClientId, notification.Options.ClientSecret,
                  AuthenticationStyle.PostValues);
    var tokenResponse = await tokenClient.RequestAuthorizationCodeAsync(
        notification.ProtocolMessage.Code,
        "http://localhost:53004/signin-oidc", // must equal the redirect_uri of the authorization request
        cancellationToken: notification.Request.CallCancelled);

    if (tokenResponse.IsError
            || string.IsNullOrWhiteSpace(tokenResponse.AccessToken)
            || string.IsNullOrWhiteSpace(tokenResponse.RefreshToken))
    {
        notification.HandleResponse();
        notification.Response.Write("Error retrieving tokens.");
        return;
    }

    // Back-channel: fetch the user's claims with the access token.
    var userInfoClient = new UserInfoClient(configuration.UserInfoEndpoint);
    var userInfoResponse = await userInfoClient.GetAsync(tokenResponse.AccessToken);

    if (userInfoResponse.IsError)
    {
        notification.HandleResponse();
        notification.Response.Write("Error retrieving user info.");
        return;
    }

    // Build the identity from the userinfo claims and set it as the ticket
    // (the claim type names used for the tokens are this edit's choice).
    var identity = new ClaimsIdentity(
        userInfoResponse.Claims,
        notification.Options.SignInAsAuthenticationType);
    identity.AddClaim(new Claim("access_token", tokenResponse.AccessToken));
    identity.AddClaim(new Claim("refresh_token", tokenResponse.RefreshToken));

    notification.AuthenticationTicket = new AuthenticationTicket(
        identity,
        notification.AuthenticationTicket?.Properties ?? new AuthenticationProperties());
};
Labelle answered 31/1, 2018 at 7:32 Comment(4)
Johan, do you have a github repo that shows a working modification of this library? Yearning
Afraid not. In the end we used an even more custom approach. Labelle
Just saw that someone is working on it: github.com/adefalque/AspNetKatana/commits/feature/oidauthcode Labelle
Code flow support has been added for 4.1: github.com/aspnet/AspNetKatana/pull/297 Terylene