
Getting a 403 on reauthorization attempts running 2 client applications concurrently with SSO #1457

Open
MSDev52 opened this issue Oct 24, 2024 · 2 comments


MSDev52 commented Oct 24, 2024

Version 6.3.10

.NET6

I am receiving a '403 access denied' when attempting reauthorization SSO between the 2 client applications.

I have 2 client applications and 1 IDS6 instance that I have inherited. I'm using ComponentSpace to handle the SAML protocol with my IDP. Initial login to either application is functional, SAML token is received from IDP, my ID Token and Access Tokens are both populated correctly.

I have a 15-minute timeout constraint on the client apps, so the user must click a button to reauthenticate every 15 minutes. Testing the applications by myself (1 user), I find that if I open App1, authentication is successful. If I then open app2, login is also successful.

Now I am logged into both applications (app1 and app2 running simultaneously)

Following this all attempts to re-auth for app1 and app2 receive a 403 error (Request Blocked) and this occurs on my Callback https:***/SAML/External/Callback.

For this I have the following configuration (timeouts shortened to 1 minute for testing purposes):
IdentityServer Config.cs:
new List<Client>
{
    // The Client class models an OpenID Connect or OAuth 2.0 client.
    new Client
    {
        ClientId = "app1",
        ClientName = "app1 Production",
        ClientSecrets =
        {
            new Secret("SuperSecret1".Sha256())
        },

        AllowedGrantTypes = GrantTypes.Implicit,
        RequireConsent = false,
        AllowOfflineAccess = true,

        #region Token Lifetime
        UserSsoLifetime = 60,         // 1m
        AccessTokenLifetime = 60,     // 1m
        IdentityTokenLifetime = 60,   // 1m
        #endregion
        AllowAccessTokensViaBrowser = true,
        AlwaysIncludeUserClaimsInIdToken = true,
        AlwaysSendClientClaims = true,
        RedirectUris = { "app1/signin-oidc" },
        PostLogoutRedirectUris = { "https://app1" },
        BackChannelLogoutUri = "https://*****/***/SAML/SAML/SingleLogout",
        FrontChannelLogoutUri = "https://*****/***/SAML/SAML/SingleLogout",

        AllowedScopes = {
            Duende.IdentityServer.IdentityServerConstants.StandardScopes.OpenId,
            Duende.IdentityServer.IdentityServerConstants.StandardScopes.Profile,
            "offline_access", "api2", "user.domain", "api1", "app1"
        }
    },
    new Client
    {
        ClientId = "app2",
        ClientName = "app2 Production",
        ClientSecrets =
        {
            new Secret("superSecret2".Sha256())
        },

        AllowedGrantTypes = GrantTypes.Implicit,
        RequireConsent = false,
        AllowOfflineAccess = true,

        #region Token Lifetime
        UserSsoLifetime = 60,         // 1m
        AccessTokenLifetime = 60,     // 1m
        IdentityTokenLifetime = 60,   // 1m
        #endregion

        AllowAccessTokensViaBrowser = true,
        AlwaysIncludeUserClaimsInIdToken = true,
        AlwaysSendClientClaims = true,
        RedirectUris = { "https://****/***/***/signin-oidc" },
        PostLogoutRedirectUris = { "https://app2" },
        BackChannelLogoutUri = "https://*****/***/SAML/SAML/SingleLogout",
        FrontChannelLogoutUri = "https://*****/***/SAML/SAML/SingleLogout",

        AllowedScopes = {
            Duende.IdentityServer.IdentityServerConstants.StandardScopes.OpenId,
            Duende.IdentityServer.IdentityServerConstants.StandardScopes.Profile,
            "offline_access", "api1", "api2", "app2", "user.domain"
        }
    }
};

To Reproduce

Open 2 IDS6 client applications hosted behind a reverse proxy, attempt reauthorization, get 403.

Expected behavior

Expectation is both client applications will re-auth with the correct user.

I am happy to share code and paths via email for clarity.

Additional context
I am hosted behind a reverse proxy.
Depending on how I have my token/cookie timeouts set when testing with 2 users one of the users will receive the wrong ID Token which makes me jump out of my skin every time.
Alternate cookie/token timeout settings will also get me a 'the sequence contains no elements' when going from app1 to app2.
I consistently find my IDSV cookies blocked, and I have no idea if this is causing or contributing to the issues.
Image

I believe this is going to be a multi-part question but first I need to determine why I'm getting a 403 when trying to re-authenticate with 2 apps running concurrently.

Thanks.


MSDev52 commented Oct 25, 2024

I find that if I remove the SSO and Token timeouts from my clients and just allow the defaults, I get the wrong user's ID Token on reauthentication if another user is logged in. Please help me understand how and why I could possibly end up with another user's ID Token. There are only 2 of us testing and this happens consistently.

This is the workflow from dev tools when this occurs.
Image

So, it appears that any time I don't make a round trip to the IDP, I get the other user's ID Token and they get mine.
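The symptom described in this comment, a re-authentication response that carries a different user's ID token, is what the nonce and subject checks of an OIDC client exist to catch: the `nonce` claim must equal the nonce the client stored when it sent the authentication request, and on re-authentication the `sub` claim must still name the user the session already holds. The following is an added example written for this thread; it is not code from the issue, from Duende IdentityServer, or from the ComponentSpace library. It constructs its own ID tokens (HS256 with a demo key, a made-up issuer `https://ids.example`, audience `app1` taken from the config above) purely so the checks can run offline; a real client would verify IdentityServer's RS256 signature against the keys published at its JWKS endpoint and would get the stored nonce from the authentication cookie/session.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for this example only. A real OIDC client verifies
# IdentityServer's RS256 signature with the key from the discovery/JWKS endpoint.
DEMO_KEY = b"demo-hs256-key-not-for-production"
CLIENT_ID = "app1"              # audience this client expects (from the issue's config)
ISSUER = "https://ids.example"  # constructed issuer value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_id_token(sub: str, nonce: str, aud: str = CLIENT_ID, ttl: int = 60, now=None) -> str:
    """Build a constructed HS256 ID token carrying the claims the checks below inspect."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": sub, "aud": aud, "nonce": nonce,
               "iat": now, "exp": now + ttl, "sid": "sess-" + sub}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenRejected(Exception):
    """Raised when an ID token must not be accepted for this client session."""


def validate_id_token(token: str, expected_nonce: str, expected_aud: str = CLIENT_ID, now=None) -> dict:
    """Verify signature, issuer, audience, expiry and nonce; return the claims on success."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    h, p, s = parts
    expected_sig = hmac.new(DEMO_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise TokenRejected(f"issuer {claims.get('iss')!r} is not {ISSUER!r}")
    if claims.get("aud") != expected_aud:
        raise TokenRejected(f"audience {claims.get('aud')!r} is not {expected_aud!r}")
    if claims.get("exp", 0) <= now:
        raise TokenRejected("token expired")
    # The nonce binds this response to the authentication request this client
    # sent; a token minted for another request (or another user's browser) fails here.
    if claims.get("nonce") != expected_nonce:
        raise TokenRejected("nonce mismatch: token does not belong to this request")
    return claims


def check_reauth(token: str, session: dict, now=None) -> dict:
    """Re-authentication check: the token must validate and must still name the
    subject the existing session holds. `session` is the client's stored state
    {"sub": ..., "nonce": ...} for the re-auth request it just sent."""
    claims = validate_id_token(token, session["nonce"], now=now)
    if claims["sub"] != session["sub"]:
        raise TokenRejected(f"subject changed: session has {session['sub']!r}, token has {claims['sub']!r}")
    return claims


def reauth_outcome(token: str, session: dict, now=None) -> str:
    """Convenience wrapper returning 'ok' or 'rejected: <reason>' instead of raising."""
    try:
        check_reauth(token, session, now=now)
        return "ok"
    except TokenRejected as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    t = 1_700_000_000
    alice = {"sub": "alice", "nonce": "n-alice-2"}
    print(reauth_outcome(make_id_token("alice", "n-alice-2", now=t), alice, now=t))
    # Bob's token (issued for his own request) arriving in Alice's session:
    print(reauth_outcome(make_id_token("bob", "n-bob-1", now=t), alice, now=t))
```

The `sub` comparison is the check that would have turned the wrong-user token in this report into a hard failure instead of a silent session swap; the nonce check catches it one step earlier whenever the token was minted for a different authentication request. Logging the rejection reason alongside the request ID and the `sid` claim gives the server-side trace needed to see which session IdentityServer actually served.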


MSDev52 commented Oct 25, 2024

I would also like to reference this issue from IDS4:
IdentityServer/IdentityServer4#4466

-Same issue I'm having with IDS6, no answer here as apparently it was resolved via email and then closed leaving others with the same unresolved issue.
