
How to configure OpenID without redirection to the external authentication provider's login page? #971


nhontran created
  • ABP Framework version: v3.3.2
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes

Hi, I have a requirement to log in with an external authentication provider named "Singpass"; the spec and flow are described at the link below:

https://stg-id.singpass.gov.sg/docs/authorization/api#_introduction

Instead of redirecting to the authentication provider's login page, it uses embedded JS to generate a QR code in our page and requires the user to scan it with a mobile app for authentication. The embedded JS requires the state and nonce parameters as input:

4.2. Input Parameters https://stg-id.singpass.gov.sg/docs/embedded-auth/js#_login_ui_dimensions

I have created an endpoint to manually generate the state & nonce parameters as below:

            using System;
            using System.Collections.Generic;
            using System.Text;
            using Microsoft.AspNetCore.Authentication;
            using Microsoft.AspNetCore.Authentication.OpenIdConnect;
            using Microsoft.Extensions.Options;

            private readonly IOptionsMonitor<OpenIdConnectOptions> _openIdOptions;
            ...
            private string GenerateNonce()
            {
                // Opaque random value: a fresh GUID, Base64-encoded
                return Convert.ToBase64String(Encoding.UTF8.GetBytes(Guid.NewGuid().ToString()));
            }

            public string GetState()
            {
                var state = GenerateNonce();

                // Only the user state is stored; nothing else is added to the properties
                var authProperties = new AuthenticationProperties(
                    new Dictionary<string, string>
                    {
                        { OpenIdConnectDefaults.UserstatePropertiesKey, state },
                    });

                // IOptionsMonitor<T>.Get(name) already returns the named options instance
                // This StateDataFormat does not use the correct DataProtectionProvider
                return _openIdOptions.Get("singpass").StateDataFormat.Protect(authProperties);
            }

However, when the user scanned the QR code and completed the authentication, it redirected back to signin-oidc with the authentication code, and I got this error:

2021-03-01 11:31:29.918 +08:00 [WRN] .AspNetCore.Correlation. state property not found.
2021-03-01 11:31:29.918 +08:00 [INF] Error from RemoteAuthentication: Correlation failed..

I checked the OpenIdConnectionHandler: the CorrelationId is generated in HandleChallengeAsync() during the redirection, which does not happen in my case. I don't know how to do the proper configuration without redirection to the external authentication login page; is there any advice? Any help would be much appreciated.

Below is my openid configuration:

                .AddOpenIdConnect(authenticationScheme: "singpass", "Singpass Authentication", configureOptions =>
                {
                    // Hand the external identity to IdentityServer's external cookie
                    configureOptions.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
                    configureOptions.SignOutScheme = IdentityServerConstants.SignoutScheme;

                    configureOptions.Authority = configuration["Singpass:Authority"];
                    configureOptions.ClientId = configuration["Singpass:ClientId"];
                    configureOptions.ResponseType = OpenIdConnectResponseType.Code;
                    configureOptions.RequireHttpsMetadata = true;

                    // Turns off the protocol validator's state checks on the callback message;
                    // the handler's own correlation-cookie check runs before this validator
                    configureOptions.ProtocolValidator = new OpenIdConnectProtocolValidator()
                    {
                        RequireState = false,
                        RequireStateValidation = false,
                    };

                    // Redeem the code with a private_key_jwt client assertion instead of a client secret
                    configureOptions.Events.OnAuthorizationCodeReceived = context =>
                    {
                        context.TokenEndpointRequest.ClientAssertionType = OidcConstants.ClientAssertionTypes.JwtBearer;
                        context.TokenEndpointRequest.ClientAssertion = NDIAuthenticationHandler.CreateClientAssertionJwt(
                            configuration["Singpass:ClientId"],
                            configuration["Singpass:TokenEndpoint"],
                            configuration["Key:ThumbPrint"]);
                        return Task.CompletedTask;
                    };
                })

3 Answer(s)
  • maliming created
    Support Team Fullstack Developer

    hi

    We don't have much experience with Singpass. Does it have any sample for ASP.NET Core?

  • nhontran created

    Hi @maliming, unfortunately there is no sample for .NET Core; they just provide us the spec:

    https://stg-id.singpass.gov.sg/docs/authorization/api#_introduction

    I just want to clarify: is there a way to configure the external authentication provider without redirecting to their log-in page? In my case, the end-user will scan the QR code and log in on their mobile phone.

  • maliming created
    Support Team Fullstack Developer

    According to the current external authentication process, redirection must be used.

    The web page should also be redirected after the user scans the QR to log in.
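The log line in the question (".AspNetCore.Correlation. state property not found") and the answer that redirection is required come down to one mechanism: GenerateCorrelationId() runs inside HandleChallengeAsync(), so a state minted outside the challenge carries no correlation id and matches no cookie in the user's browser. The block below is an added example, not code from this thread, from ABP or from ASP.NET Core: a Python model of that state/correlation-cookie binding. It assumes an HMAC stand-in for the Data Protection-based StateDataFormat and a dict for the browser's cookie jar; the constant names and log text mirror the handler's, while the real cookie options and serialization differ.

```python
"""Model of the state / correlation-cookie binding used by ASP.NET Core's
RemoteAuthenticationHandler, the base class of OpenIdConnectHandler.

Constructed example: HMAC stands in for the Data Protection-based
StateDataFormat and a dict stands in for the browser cookie jar.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

CORRELATION_PREFIX = ".AspNetCore.Correlation."   # RemoteAuthenticationHandler.CorrelationPrefix
CORRELATION_PROPERTY = ".xsrf"                     # key of the correlation id inside the protected state
CORRELATION_MARKER = "N"                           # value the handler stores in the correlation cookie
USERSTATE_KEY = "OpenIdConnect.Userstate"          # OpenIdConnectDefaults.UserstatePropertiesKey

# Stand-in for the Data Protection key behind StateDataFormat (constructed, per process).
_STATE_KEY = secrets.token_bytes(32)


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def protect_state(items: dict) -> str:
    """StateDataFormat.Protect stand-in: authenticate the serialized properties."""
    payload = json.dumps(items, sort_keys=True).encode()
    tag = hmac.new(_STATE_KEY, payload, hashlib.sha256).digest()
    return _b64url(tag + payload)


def unprotect_state(state: str) -> Optional[dict]:
    """StateDataFormat.Unprotect stand-in: None for a tampered or foreign state."""
    try:
        raw = base64.urlsafe_b64decode(state + "=" * (-len(state) % 4))
    except (ValueError, TypeError):
        return None
    tag, payload = raw[:32], raw[32:]
    if not hmac.compare_digest(tag, hmac.new(_STATE_KEY, payload, hashlib.sha256).digest()):
        return None
    return json.loads(payload)


def challenge(scheme: str, cookies: dict, user_state: str) -> str:
    """Model of HandleChallengeAsync: GenerateCorrelationId() mints a random id,
    sets it as a cookie on the user's browser and embeds the same id in the
    protected state that travels to the identity provider and back."""
    correlation_id = _b64url(secrets.token_bytes(32))
    cookies[CORRELATION_PREFIX + scheme + "." + correlation_id] = CORRELATION_MARKER
    return protect_state({CORRELATION_PROPERTY: correlation_id, USERSTATE_KEY: user_state})


def state_without_challenge(user_state: str) -> str:
    """The poster's GetState(): a protected state carrying only the user state.
    No challenge ran, so there is no correlation id and no correlation cookie."""
    return protect_state({USERSTATE_KEY: user_state})


def validate_callback(scheme: str, state: str, cookies: dict, log: list) -> bool:
    """Model of the callback path: unprotect the state, then ValidateCorrelationId().
    This runs before OpenIdConnectProtocolValidator is consulted, so RequireState /
    RequireStateValidation on the validator do not switch it off."""
    items = unprotect_state(state)
    if items is None:
        log.append("Unable to unprotect the message.State.")
        return False
    correlation_id = items.get(CORRELATION_PROPERTY)
    if correlation_id is None:
        log.append(f"{CORRELATION_PREFIX} state property not found.")
        return False
    cookie_name = CORRELATION_PREFIX + scheme + "." + correlation_id
    if cookies.get(cookie_name) != CORRELATION_MARKER:
        log.append(f"'{cookie_name}' cookie not found.")
        return False
    del cookies[cookie_name]   # one-time use: the handler deletes the cookie after the check
    return True


def demo() -> dict:
    """Three callbacks: one that went through the challenge, the poster's state minted
    outside the challenge, and a challenge state presented from a browser that never
    received the cookie (another device, or a replayed callback)."""
    results = {}

    jar, log = {}, []
    good = challenge("singpass", jar, "return-url")
    results["after_challenge"] = (validate_callback("singpass", good, jar, log), log)

    jar, log = {}, []
    minted = state_without_challenge("return-url")
    results["without_challenge"] = (validate_callback("singpass", minted, jar, log), log)

    jar, log = {}, []
    foreign = challenge("singpass", {}, "return-url")   # cookie landed in some other jar
    results["wrong_browser"] = (validate_callback("singpass", foreign, jar, log), log)
    return results


if __name__ == "__main__":
    for name, (ok, log) in demo().items():
        print(f"{name}: {'ok' if ok else 'Correlation failed.'} {log}")
```

The second case reproduces the question's log text: the poster's state unprotects fine, but it has no ".xsrf" item, so the handler never gets as far as looking for a cookie. The third case is the one that would bite even with a correctly minted state, since the correlation cookie lives in the browser that ran the challenge, which is why the answer above says the page itself has to be redirected. The nonce cookie is written by HandleChallengeAsync in the same step and checked later by the protocol validator.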

Made with ❤️ on ABP v9.1.0-preview. Updated on December 12, 2024, 07:15