TTCG

Identity Server 4 Passing acr_values but not redirecting to external provider

We've got IdSrv 4 and another external authentication provider. The integration between those two systems is fine and login / redirection all works.

But it involves user action: they still need to click a button to choose which external provider they want to use. We would like to skip this step for a particular group of users and redirect them to log in at the external provider automatically.

I learnt that this automatic redirection can be achieved by using the acr_values passed together with the authorize request from the client. I tried to use it, but it still does not redirect to the external provider.

Identity Server setup: we registered the authentication scheme demoidsrv as our external provider:

services.AddAuthentication()
                        // "demoidsrv" is the scheme name; it is the value that acr_values=idp:<scheme> must match.
                        // "IdentityServer" is the display name shown on the login page's provider button.
                        .AddOpenIdConnect("demoidsrv", "IdentityServer", options =>
                        {
                            // external sign-in lands in IdentityServer's temporary external cookie
                            options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
                            options.SignOutScheme = IdentityServerConstants.SignoutScheme;

                            options.Authority = "https://demo.identityserver.io/";
                            options.ClientId = "login";
                            options.ResponseType = "id_token";
                            options.SaveTokens = true;

                            options.Scope.Add(IdentityServerConstants.StandardScopes.OpenId);
                            options.Scope.Add(IdentityServerConstants.StandardScopes.Profile);
                            options.Scope.Add(IdentityServerConstants.StandardScopes.Email);

                            options.CallbackPath = "/signin-idsrv";
                            options.SignedOutCallbackPath = "/signout-callback-idsrv";
                            options.RemoteSignOutPath = "/signout-idsrv";
                        });

We pass acr_values = idp:demoidsrv in the OnRedirectToIdentityProvider event. Client MVC app Startup.cs:

services.AddAuthentication(options =>
                {
                    options.DefaultScheme = "Cookies";
                    options.DefaultChallengeScheme = "oidc";
                })
                .AddCookie("Cookies", options =>
                {
                    options.AccessDeniedPath = "/AccessDenied";
                })
                .AddOpenIdConnect("oidc", options =>
                {
                    options.SignInScheme = "Cookies";
                    options.ClientId = "test.web.app1.hybrid";
                    options.ResponseType = "code id_token";
                    options.RequireHttpsMetadata = false; // to host it without Https
                    options.SaveTokens = true;
                    options.ClientSecret = "secret";

                    options.GetClaimsFromUserInfoEndpoint = true;
                    options.Scope.Add("openid");

                    //T1 Identity Server
                    options.Authority = Configuration.GetSection("MySettings").GetSection("IdentityServerUrl").Value;


                    options.Events = new OpenIdConnectEvents()
                    {
                        // runs on every challenge, so every user of this client gets idp:demoidsrv
                        OnRedirectToIdentityProvider = ctx =>
                        {
                            ctx.ProtocolMessage.UiLocales = Thread.CurrentThread.CurrentUICulture.Name;
                            ctx.ProtocolMessage.AcrValues = "idp:demoidsrv";
                            return Task.CompletedTask;
                        }
                    };
                });

I checked the redirect and acr_values is correctly appended to the authorize request:

http://localhost:5847/identityserver/connect/authorize?client_id=test.web.app1.hybrid&redirect_uri=http%3A%2F%2Flocalhost%3A64177%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20offline_access&response_mode=form_post&nonce=637315373849113603&ui_locales=en-US&state=testStatewH&acr_values=idp%3Ademoidsrv&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=5.3.0.0

I would like to know whether I need to implement the redirection manually by checking this value, or whether I am missing some setting that makes the redirection happen automatically.

Upvotes: 2

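The question wants the automatic redirect only for a particular group of users, but the client registration above sets acr_values for every challenge. The following is an added example, not code from the question: the client decides per request which IdP (if any) to ask for, stores it in AuthenticationProperties.Items when it issues the challenge, and the OIDC handler copies it into acr_values only when present. The scheme names "oidc", "Cookies" and "demoidsrv", the client id and the authority are taken from the question; AcrKeys, AutoIdpController and its e-mail-domain rule are hypothetical.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Added example, not code from the original post.
public static class AcrKeys
{
    // Key under which the controller hands the wanted IdP to the OIDC handler (hypothetical name).
    public const string Idp = "acr_idp";
}

public static class OidcAcrSetup
{
    // Mirrors the client's AddOpenIdConnect("oidc", ...) registration from the post,
    // but only sets acr_values when the challenge asked for a specific IdP.
    public static AuthenticationBuilder AddOidcWithPerRequestIdp(this AuthenticationBuilder builder)
    {
        return builder.AddOpenIdConnect("oidc", options =>
        {
            options.SignInScheme = "Cookies";
            options.Authority = "http://localhost:5847/identityserver"; // host from the post's authorize URL
            options.ClientId = "test.web.app1.hybrid";
            options.ClientSecret = "secret";
            options.ResponseType = "code id_token";
            options.RequireHttpsMetadata = false;   // development only; keep the default (true) in production
            options.SaveTokens = true;
            options.Scope.Add("openid");

            options.Events = new OpenIdConnectEvents
            {
                OnRedirectToIdentityProvider = ctx =>
                {
                    // ctx.Properties are the AuthenticationProperties passed to Challenge().
                    // IdentityServer4 parses the "idp:" entry of acr_values into AuthorizationRequest.IdP.
                    if (ctx.Properties.Items.TryGetValue(AcrKeys.Idp, out var idp)
                        && !string.IsNullOrWhiteSpace(idp))
                    {
                        ctx.ProtocolMessage.AcrValues = "idp:" + idp;
                    }
                    return Task.CompletedTask;
                }
            };
        });
    }
}

public class AutoIdpController : Controller
{
    // Hypothetical rule: users from the partner domain are sent straight to demoidsrv,
    // everyone else gets IdentityServer's normal login page with the provider buttons.
    [HttpGet("/login")]
    public IActionResult Login(string returnUrl = "/", string email = null)
    {
        var props = new AuthenticationProperties { RedirectUri = returnUrl };

        if (!string.IsNullOrEmpty(email)
            && email.EndsWith("@partner.example", StringComparison.OrdinalIgnoreCase))
        {
            props.Items[AcrKeys.Idp] = "demoidsrv";
        }

        // The handler registered above reads props.Items and sets acr_values accordingly.
        return Challenge(props, "oidc");
    }
}
```

Items placed in AuthenticationProperties are round-tripped in the protected OIDC state parameter, so nothing has to be kept server-side between the challenge and the callback. Note that acr_values is only a hint: IdentityServer still has to accept the scheme on its side (it must be registered and, if the client has IdentityProviderRestrictions, be on that list), so a user tampering with the value cannot reach a provider the client is not allowed to use.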

Answers (1)

TTCG

As far as I know it doesn't redirect automatically. We have to detect the passed value and redirect to the external provider manually.

If you provide acr_values, the idp can be retrieved from the IdP property of the authorization context. Then redirect to the Challenge action of the ExternalController to trigger the redirection.

// returnUrl must be the authorize request IdentityServer redirected to the login page with;
// GetAuthorizationContextAsync returns null for anything else, so guard before reading IdP.
var context = await _interaction.GetAuthorizationContextAsync(returnUrl);

// redirect to the external identity provider automatically, if requested via acr_values=idp:<scheme>
if (!string.IsNullOrWhiteSpace(context?.IdP))
{
    var idp = context.IdP;
    return RedirectToAction("Challenge", "ExternalAuthentication",
        new
        {
            provider = idp,
            returnUrl
        });
}

Upvotes: 2
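The answer's snippet redirects as soon as IdP is non-empty. Because acr_values is supplied by the client (and ultimately by whoever crafts the authorize URL), the login action should also check that the value names a real external scheme and one this client may use before handing off. The following is an added example, not the answer's own code: a complete Login GET action on the IdentityServer host that follows the answer's approach with those guards. It assumes IdentityServer4 4.x, where AuthorizationRequest exposes the Client, and an ExternalAuthentication controller with a Challenge(provider, returnUrl) action as named in the answer; AccountController, LoginViewModel and LocalLogin are hypothetical names.

```csharp
using System.Linq;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

// Added example, not the answer's own code. Hypothetical view model for the local login page.
public class LoginViewModel
{
    public string ReturnUrl { get; set; }
    public string Username { get; set; }
}

public class AccountController : Controller
{
    private readonly IIdentityServerInteractionService _interaction;
    private readonly IAuthenticationSchemeProvider _schemeProvider;

    public AccountController(IIdentityServerInteractionService interaction,
                             IAuthenticationSchemeProvider schemeProvider)
    {
        _interaction = interaction;
        _schemeProvider = schemeProvider;
    }

    [HttpGet]
    public async Task<IActionResult> Login(string returnUrl)
    {
        // Null unless returnUrl is an authorize request that IdentityServer itself redirected here
        // with (e.g. someone browsed to /Account/Login directly). Reading context.IdP without
        // this check throws a NullReferenceException.
        var context = await _interaction.GetAuthorizationContextAsync(returnUrl);
        if (context == null)
        {
            return LocalLogin(returnUrl, loginHint: null);
        }

        // IdentityServer fills IdP from the "idp:<scheme>" entry of acr_values.
        var idp = context.IdP;

        // No idp requested, or "idp:local": show the normal login page.
        if (string.IsNullOrWhiteSpace(idp) || idp == IdentityServerConstants.LocalIdentityProvider)
        {
            return LocalLogin(returnUrl, context.LoginHint);
        }

        // acr_values is client-supplied: only honour schemes that are registered and are
        // real external providers. Cookie schemes have no display name; the question's
        // demoidsrv was registered with the display name "IdentityServer".
        var scheme = await _schemeProvider.GetSchemeAsync(idp);
        if (scheme == null || scheme.DisplayName == null)
        {
            return LocalLogin(returnUrl, context.LoginHint);
        }

        // Respect the client's IdentityProviderRestrictions (empty list = all providers allowed).
        var restrictions = context.Client?.IdentityProviderRestrictions;
        if (restrictions != null && restrictions.Any() && !restrictions.Contains(idp))
        {
            return LocalLogin(returnUrl, context.LoginHint);
        }

        // Same hand-off as in the answer: the external Challenge action starts the remote sign-in.
        return RedirectToAction("Challenge", "ExternalAuthentication", new { provider = idp, returnUrl });
    }

    private IActionResult LocalLogin(string returnUrl, string loginHint)
    {
        return View("Login", new LoginViewModel { ReturnUrl = returnUrl, Username = loginHint });
    }
}
```

Falling back to the local page rather than returning an error keeps a malformed or disallowed idp value from turning into a denial of service for that user, and the Challenge action it redirects to should still validate returnUrl with IIdentityServerInteractionService.IsValidReturnUrl before it stores it for the callback, as the quickstart UI does.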
