OAuth2 in Thinktecture IdentityServer : OAuth2 identity providers
One of the new features in Thinktecture IdentityServer v2 is support for federation with other identity providers. This means that IdentityServer can act as a federation gateway (sometimes called an R-STS or resource-STS), and Dominick shows off the feature here. In his video Dominick mentions that only other WS-Federation identity providers are supported, but this is no longer correct: OAuth2 identity providers are now supported too. This means that IdentityServer can act as a federation gateway for Facebook, Live and/or Google (and potentially other OAuth2 providers in the future).
Getting this working is not much different from the normal R-STS setup that Dominick covers in his video. The only difference is in how you configure the identity provider. When you choose "new":
1. You get the standard screen to create a new identity provider (WS-* or OAuth2).
2. You then have the option of indicating that the identity provider is an OAuth2-style provider.
3. You then choose one of the supported OAuth2 providers from the list.
4. You then enter the typical OAuth2 client ID and client secret values.
Once all the information is filled in, a normal WS-Federation client can connect to IdentityServer, and the client gets claims back:
So we now have federation with OAuth2 identity providers. Yay!
This is great stuff. I tried to get this going but I am receiving a 404 when it attempts to perform the ‘hrd’. Any ideas?
HRD is a separate configurable option — perhaps you have it disabled?
I'm having the same issue. How could I enable it, or check whether it is enabled?
Configuration -> Protocols -> Ws-Fed -> Enable Federation
and
Configuration -> Protocols -> Ws-Fed -> Enable HRD
I have enabled both settings that you mention, I have also enabled Identity Providers -> Google -> Include in HRD, and I have changed the issuer parameter in web.config from wsfed to hrd, but I still get a 404 when I run the RP. Are there any more settings that could cause that? If I change hrd back to wsfed in web.config I get a login screen again, so the server works fine.
Please open an issue on the github issue tracker for the project. Thx.
So I love the idea, but not the implementation. In short it's doing too much of what ACS does, and thus does not fit in with the ecosystem.
I went the other way, doing in an FP (augmenting ACS) only that which goes beyond ACS or does what ACS does not do (e.g. talk to Twitter, or a WordPress OAuth provider). Most of my apparent IdPs are wrappers delegating to ACS, or ACS wrapping Azure AD (which in turn may wrap your ADFS or other WS-FedP asserting party).
Is there an end-to-end example available as a source code download? I'm not seeing how to actually integrate this into a web app.
From the app’s perspective, IdentityServer is just an STS. This post just shows how to configure it to act as a federation gateway.
Brock,
I got everything working, but I am curious: this is basically just "pass-through" authentication? There is no association between the user store on IdentityServer and the identity provider user. For example, when I authenticate with Facebook and get redirected back to the relying party, there is no association between my Facebook account and a user that I have created on IdentityServer?
Correct, but you can always implement a custom IClaimsTransformationRulesRepository to process the claims before they’re passed out of IdentityServer.
If one uses the "evil" membership/formsauth/profile world, it's trivially easy to store a profile of the inbound assertion (from Facebook). The FP can then attach an additional authentication statement – full of profiled claims – including its local names. The FP's own claims are passed through in the authorization statement.
So assuming I implemented my own IClaimsTransformationRulesRepository and then added this to repositories.config, I would need to do the following (just brainstorming):
1. Create an IdentityServer user programmatically (without a password)
2. Assign the roles necessary, and any other necessary information
3. Get the claims for this new user from IdentityServer and merge them somehow with the claims of the 3rd-party identity provider. Or is this not necessary?
The desired effect is “Registration with your Facebook, Linkedin, Google, or whatever” account.
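The linking step discussed in the last two comments (a custom IClaimsTransformationRulesRepository that associates the inbound external identity with a local account and its roles), written out as an added example. This is not code from the post or from the IdentityServer project: the `ILocalAccountStore`, `LocalAccount` and `InMemoryAccountStore` types are hypothetical stand-ins for whatever user store you have, the inbound claim list is constructed, and the assumption that IdentityServer populates `Claim.Issuer` with the external provider's name should be checked against the v2 source before relying on it. The `Transform` method is meant to be called from your own repository implementation, whose exact method signature you take from the IdentityServer v2 interface rather than from here.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Hypothetical store of links between an external (provider, subject) pair and a local account.
public interface ILocalAccountStore
{
    LocalAccount FindByExternalId(string issuer, string subject);
    LocalAccount Create(string issuer, string subject, string displayName);
}

public class LocalAccount
{
    public string UserName { get; set; }
    public IList<string> Roles { get; set; }
}

// Minimal in-memory implementation so the example runs on its own (hypothetical, not IdentityServer's).
public class InMemoryAccountStore : ILocalAccountStore
{
    private readonly Dictionary<string, LocalAccount> links = new Dictionary<string, LocalAccount>();

    public LocalAccount FindByExternalId(string issuer, string subject)
    {
        LocalAccount account;
        return links.TryGetValue(issuer + "|" + subject, out account) ? account : null;
    }

    public LocalAccount Create(string issuer, string subject, string displayName)
    {
        // Auto-provisioned accounts start with no roles; an administrator grants them later.
        var account = new LocalAccount { UserName = displayName, Roles = new List<string>() };
        links[issuer + "|" + subject] = account;
        return account;
    }
}

public class ExternalAccountLinkingTransformer
{
    private readonly ILocalAccountStore store;

    // Only these inbound claim types are forwarded from the external provider; everything else,
    // including any role claims the provider happens to send, is dropped so that roles in this
    // realm come from the local store alone.
    private static readonly HashSet<string> PassThrough =
        new HashSet<string> { ClaimTypes.Email, ClaimTypes.GivenName, ClaimTypes.Surname };

    public ExternalAccountLinkingTransformer(ILocalAccountStore store) { this.store = store; }

    public IEnumerable<Claim> Transform(IEnumerable<Claim> inbound)
    {
        var claims = inbound.ToList();
        var subject = claims.FirstOrDefault(c => c.Type == ClaimTypes.NameIdentifier);
        if (subject == null)
            throw new InvalidOperationException("External provider did not assert a subject identifier.");

        // Link on (issuer, subject): a subject id is only unique within the provider that issued it,
        // and an email address is neither a stable nor a verified key across providers.
        var account = store.FindByExternalId(subject.Issuer, subject.Value)
                      ?? store.Create(subject.Issuer, subject.Value, DisplayName(claims));

        var output = new List<Claim>();
        // Local identity: the local user name and the roles we assigned locally.
        output.Add(new Claim(ClaimTypes.Name, account.UserName));
        output.AddRange(account.Roles.Select(r => new Claim(ClaimTypes.Role, r)));
        // Keep the provider-qualified identifier so relying parties can tell external users apart.
        output.Add(new Claim(ClaimTypes.NameIdentifier, subject.Value, ClaimValueTypes.String, subject.Issuer));
        // Forward the allow-listed external claims, preserving their original issuer.
        output.AddRange(claims.Where(c => PassThrough.Contains(c.Type))
                              .Select(c => new Claim(c.Type, c.Value, c.ValueType, c.Issuer)));
        return output;
    }

    private static string DisplayName(IList<Claim> claims)
    {
        var name = claims.FirstOrDefault(c => c.Type == ClaimTypes.Name);
        return name != null ? name.Value : "external-user";
    }

    // Runs the transformer over a constructed set of inbound claims, as a Facebook login might produce.
    public static IEnumerable<Claim> Example()
    {
        const string provider = "Facebook"; // constructed issuer value
        var inbound = new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "1234567890", ClaimValueTypes.String, provider),
            new Claim(ClaimTypes.Name, "Alice Example", ClaimValueTypes.String, provider),
            new Claim(ClaimTypes.Email, "alice@example.com", ClaimValueTypes.String, provider),
            new Claim(ClaimTypes.Role, "Administrator", ClaimValueTypes.String, provider) // must not survive
        };
        return new ExternalAccountLinkingTransformer(new InMemoryAccountStore()).Transform(inbound);
    }
}
```

On the first login the store has no link, so the account is created with an empty role list and the relying party sees a local name, the provider-qualified subject and the email; the inbound Administrator role claim never reaches it. A second login with the same Facebook subject finds the existing link, so any roles an administrator has granted in the meantime are emitted.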
Hi Allen,
I am using one copy of Thinktecture IdentityServer as IP-STS and another as RP-STS.
In Identity Providers I created a new provider and gave the details as:
Enabled
WS-Federation Endpoint: https:///idsrv/issue/wsfed
Issuer thumbprint: thumbprint of IP-STS certificate
And at the IP-STS I created a new relying party and gave the details as:
Enabled
Realm/Scope Name: https:///website_idsrv2/
When I run my relying party I get an error like this:
"Invalid realm identityserver.v2.thinktecture.com/trust/changethis"
and the error occurs at the IP-STS. I tried to change the realm in the IP-STS web.config but I was not able to resolve the issue. Could you please suggest anything?
For any questions or issues related to IdentityServer, please open an issue on github.
Thanks Brock Allen for that great post. I have tried many times to register a Gmail account in Thinktecture using OAuth2, but after logging in to Gmail and redirecting to my app I got this error message: "Invalid parameter value for redirect_uri: Non-public domains not allowed: https://idsrv/issue/hrd/oauth2callback"
Please help me, how do I fix that?
If you have issues then open them on the github issue tracker, please.
I cannot see the identity providers page on my Thinktecture server admin page.
Under protocols -> Ws-Fed you need to enable federation.
You could certainly see your expertise in the work you write. The world hopes for even more passionate writers like you who aren't afraid to say how they believe. At all times go after your heart.
Do you mind if I quote a couple of your posts as long as I provide credit and sources back to your website? My blog site is in the very same niche as yours and my visitors would definitely benefit from a lot of the information you provide here. Please let me know if this is alright with you. Cheers!
Yep, that’s fine.