
OAuth2 in Thinktecture IdentityServer : OAuth2 identity providers

November 4, 2012

One of the new features in Thinktecture IdentityServer v2 is the support for federation with other identity providers. This means that IdentityServer can act as a federation gateway (sometimes called a R-STS or resource-STS) and Dominick shows off the feature here. In his video Dominick mentions that only other WS-Federation identity providers are supported, but this is no longer correct! OAuth2 identity providers are now supported. This means that IdentityServer can act as a federation gateway for Facebook, Live and/or Google (and potentially other OAuth2 providers in the future).

To get this working it’s not too much different than a normal R-STS setup that Dominick covers in his video. The only difference is that when you configure an identity provider by choosing “new”:

You get the standard screen to create a new identity provider (WS-* or OAuth2):

You then have the option of indicating that the identity provider is an OAuth2 style provider:

You’d then choose which of the supported OAuth2 providers from the list:

And then enter the typical OAuth2 client ID and client secret values:

And once all the information is filled in, a normal WS-Federation client can connect to IdentityServer.

And then you get claims back to the client:

So we now have federation with OAuth2 identity providers. Yay!
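Comment 4 below asks what ties a Facebook or Google login to a local user, and the reply points at a custom claims transformation hook. The C# below is an added illustration of what such a step does at the gateway, not IdentityServer's own interface or code: it allow-lists the inbound claims, stamps the issuing provider, and attaches locally stored roles. The identityprovider claim type is assumed (borrowed from ACS) and the local role table is a constructed sample.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// Added illustration, not IdentityServer's code: a claims transformation a
// federation gateway could run before issuing the WS-Federation token.
public static class GatewayClaimsTransformer
{
    // Assumed claim type for "which IdP authenticated this user" (ACS convention).
    const string IdpClaim = "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider";

    // Hypothetical local account table keyed by provider + external subject:
    // this is the association a plain pass-through setup does not have.
    static readonly Dictionary<string, string[]> LocalRoles = new Dictionary<string, string[]>
    {
        { "Google:1234567890", new[] { "Admin" } }   // constructed sample entry
    };

    public static ClaimsIdentity Transform(ClaimsIdentity inbound, string providerName)
    {
        // Require a stable subject; never issue a token on a display name alone.
        var subject = inbound.FindFirst(ClaimTypes.NameIdentifier);
        if (subject == null || string.IsNullOrWhiteSpace(subject.Value))
            throw new InvalidOperationException("External identity has no stable subject claim.");

        var outbound = new ClaimsIdentity("Federation");
        // Forward only an allow-list of claim types; provider extras such as
        // access tokens or raw profile blobs are dropped, not passed through.
        var allowed = new[] { ClaimTypes.NameIdentifier, ClaimTypes.Email, ClaimTypes.Name };
        foreach (var c in inbound.Claims.Where(c => allowed.Contains(c.Type)))
            outbound.AddClaim(new Claim(c.Type, c.Value, c.ValueType, providerName));

        // Tell the relying party which provider vouched for this identity.
        outbound.AddClaim(new Claim(IdpClaim, providerName));

        string[] roles;
        if (LocalRoles.TryGetValue(providerName + ":" + subject.Value, out roles))
            foreach (var r in roles) outbound.AddClaim(new Claim(ClaimTypes.Role, r));

        return outbound;
    }

    public static void Main()
    {
        var google = new ClaimsIdentity(new[] {
            new Claim(ClaimTypes.NameIdentifier, "1234567890"),   // constructed sample
            new Claim(ClaimTypes.Email, "alice@example.com"),
            new Claim("urn:google:access_token", "must-not-leak") });
        foreach (var c in Transform(google, "Google").Claims)
            Console.WriteLine(c.Type + " = " + c.Value + " (issuer " + c.Issuer + ")");
    }
}
```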

23 Comments
  1. December 15, 2012 7:19 pm

    This is great stuff. I tried to get this going but I am receiving a 404 when it attempts to perform the ‘hrd’. Any ideas?

    • December 17, 2012 3:50 pm

      HRD is a separate configurable option — perhaps you have it disabled?

      • January 8, 2013 8:43 am

        I’m having the same issue. How could I enable it, or check whether it is enabled?

        • January 8, 2013 11:24 am

          Configuration -> Protocols -> Ws-Fed -> Enable Federation

          and

          Configuration -> Protocols -> Ws-Fed -> Enable HRD

          • bartek4c
            February 24, 2014 7:30 am

            I have enabled both settings that you mention, and I have also enabled Identity Providers -> Google -> Include in HRD, and changed the issuer parameter in web.config from wsfed to hrd, but I still get a 404 when I run the RP. Are there any more settings that could cause that? If I change hrd back to wsfed in web.config I get a login screen again, so the server works fine.

          • February 24, 2014 8:09 am

            Please open an issue on the github issue tracker for the project. Thx.

  2. December 27, 2012 2:55 pm

    So I love the idea, but not the implementation. In short, it’s doing too much of what ACS does, and thus does not fit in with the ecosystem.

    I went the other way, doing in an FP (augmenting ACS) only that which goes beyond ACS or does what ACS does not do (e.g. talk to Twitter, or a WordPress OAuth provider). Most of my apparent IdPs are wrappers delegating to ACS, or ACS wrapping Azure AD (which in turn may wrap your ADFS or other WS-Fed asserting party).

  3. February 15, 2013 5:22 pm

    Is there an end-to-end example available as a source code download? I’m not seeing how to actually integrate this into a web app.

    • February 18, 2013 8:03 am

      From the app’s perspective, IdentityServer is just an STS. This post just shows how to configure it to act as a federation gateway.

  4. February 18, 2013 9:34 am

    Brock,

    I got everything working, but I am curious – this is basically just “pass-through” authentication? There is no association between the user store on IdentityServer and the identity provider user. For example, when I authenticate with Facebook and get redirected back to the relying party, there is no association between my Facebook account and a user that I have created on IdentityServer?

    • February 18, 2013 12:21 pm

      Correct, but you can always implement a custom IClaimsTransformationRulesRepository to process the claims before they’re passed out of IdentityServer.

      • February 18, 2013 12:35 pm

        If one uses the “evil” membership/formsauth/profile world, it’s trivially easy to store a profile of the inbound assertion (from Facebook). The FP can then attach an additional authentication statement – full of profiled claims – including its local names. The FP’s own claims are passed through in the authorization statement.

      • February 18, 2013 12:46 pm

        So assuming I implemented my own IClaimsTransformationRulesRepository and then added this to the repositories.config, then I would need to do the following (just brainstorming):

        1. Create an identity server user programmatically (without a password)
        2. Assign the roles necessary, and any other necessary information
        3. Get the claims for this new user from IdentityServer and merge them somehow with the claims of the 3rd-party identity provider. Or is this not necessary?

        The desired effect is “Registration with your Facebook, Linkedin, Google, or whatever” account.

  5. prasad
    July 9, 2013 2:14 am

    Hi Allen,
    I am using one copy of Thinktecture IdentityServer as IP-STS and another as RP-STS.

    In Identity Providers I created a new provider and gave the details as:
    Enabled
    WS-Federation endpoint: https:///idsrv/issue/wsfed
    Issuer thumbprint: thumbprint of IP-STS certificate

    And at the IP-STS I created a new relying party and gave details as:
    Enabled
    Realm/Scope name: https:///website_idsrv2/

    When I am running my relying party I am getting an error like this:

    “Invalid realm identityserver.v2.thinktecture.com/trust/changethis”

    and the error is occurring at the IP-STS. I tried to change the realm in the IP-STS web.config but I was not able to resolve the issue. Could you please suggest me anything?

    • July 26, 2013 5:11 pm

      For any questions or issues related to IdentityServer, please open an issue on github.

  6. walidward
    September 18, 2013 7:37 am

    Thanks Brock Allen for that great post. I have tried many times to register a Gmail account in Thinktecture using OAuth2, but after logging in to Gmail and redirecting to my app I got this error message: “Invalid parameter value for redirect_uri: Non-public domains not allowed: https://idsrv/issue/hrd/oauth2callback”

    Please help me, how do I fix that?

    • September 22, 2013 7:32 am

      If you have issues then open them on the github issue tracker, please.

  7. saffi
    December 1, 2013 9:19 am

    I cannot see the Identity Providers page on my Thinktecture server admin page.

  8. February 12, 2014 4:24 pm

    You could certainly see your expertise in
    the work you write. The world hopes for even more
    passionate writers like you who aren’t afraid
    to say how they believe. At all times go after your
    heart.

  9. August 26, 2014 2:34 pm

    Do you mind if I quote a couple of your posts as long as I provide credit and sources back to
    your website? My blog site is in the very same niche as yours and
    my visitors would definitely benefit from a lot of the information you provide here.
    Please let me know if this alright with you.
    Cheers!

Trackbacks

  1. Thinktecture IdentityServer v2: Federation with Web Identities | www.leastprivilege.com
