This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

Using a "hidden" secondary authentication with IdentityServer.v3? #489

Closed
henrikniemann opened this issue Oct 29, 2014 · 3 comments
@henrikniemann

Hi guys,

Rocking good work on beta3. Thank you!

I am using ID Server for authenticating users against a custom user store (from IUserService). Users can login to several apps, some end-user apps and one of them a user admin app (MVC 5, OWIN with UseOpenIdConnectAuthentication).

The user admin app allows select users to create other users for their own little part of the world (based on accountId from claim). If a user has claim "Role:Admin" the user can create non-admins under his/her own accountId.

I am trying to allow some employees (based on criteria TBD) within our organization access to the user administration app for creating new admins. Employees are not in the user store, and thus cannot sign in with ID Server. Employees are however in our Azure AD.

I can easily switch my OWIN StartUp to use Azure AD instead of IdServer, but I would like to authenticate/authorize employees against Azure AD, and the users in the custom user store against ID Server. Custom user store should be default. Azure AD could be something like https:///adlogin/ or the like. Important thing is that it should be hidden from the (non-employee) end-user as they are easily confused.

Any thoughts on how to do this?

Best regards,

Henrik

@kking-envelope

How do users usually get to the login page? You could use the login_hint for the authorization endpoint if they generally come to the site by clicking through different locations:

https://github.com/thinktecture/Thinktecture.IdentityServer.v3/wiki/Authorization-Endpoint

If you have some way to detect who is a user without their explicit interaction, you could set it up at the beginning of your OWIN pipeline and bifurcate the login experience automatically.

Edit: I a word originally ....

@leastprivilege
Member

You can set the Caption property of the authentication middleware you want to hide to an empty string. This way it won't show up on the login page, but can still be selected by the login hint.
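Added example (not code from the thread or from the IdentityServer project) of the hidden-provider suggestion above, with the IdSrv side and the user admin client side in one file: the Azure AD middleware is registered as an external provider with an empty Caption so it is never listed, and the client asks for it by name only on its /adlogin entry point. It assumes the IdentityServer3 external-provider delegate (`IAppBuilder app, string signInAsType`) and the `acr_values=idp:<name>` selection parameter from the IdentityServer3 documentation; the Azure AD client id, tenant and redirect URI are placeholders.

```csharp
using System.Threading.Tasks;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
using Thinktecture.IdentityServer.Core.Configuration;

// IdSrv side: Azure AD as an external provider kept off the login page. Wire it up in the IdSrv
// Startup with: options.AuthenticationOptions.IdentityProviders = HiddenProviderSetup.ConfigureIdentityProviders;
public static class HiddenProviderSetup
{
    // signInAsType is the authentication type IdSrv expects external logins to sign in as.
    public static void ConfigureIdentityProviders(IAppBuilder app, string signInAsType)
    {
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            AuthenticationType = "aad",  // the name a client selects with acr_values=idp:aad
            Caption = "",                // empty caption: left off the IdSrv login page
            SignInAsAuthenticationType = signInAsType,
            ClientId = "<azure-ad-application-id>",               // placeholder
            Authority = "https://login.windows.net/<tenant-id>",  // placeholder tenant
            RedirectUri = "https://myids/core/"                   // placeholder; must match the AAD app registration
        });
    }
}

// Client (user admin app) side: request the hidden provider only from /adlogin; everyone else sees IdSrv's normal login page.
public static class ClientOidcSetup
{
    public static OpenIdConnectAuthenticationOptions EmployeeAwareOptions()
    {
        return new OpenIdConnectAuthenticationOptions
        {
            ClientId = "implicitclient",
            Authority = "https://myids/core",
            RedirectUri = "https://localhost:44303/",
            ResponseType = "id_token",
            Scope = "openid profile email",
            SignInAsAuthenticationType = "Cookies",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                RedirectToIdentityProvider = n =>
                {
                    if (n.OwinContext.Request.Path.Value.StartsWith("/adlogin"))
                        n.ProtocolMessage.AcrValues = "idp:aad";
                    return Task.FromResult(0);
                }
            }
        };
    }
}
```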

@henrikniemann
Author

Thanks guys,

A few minutes after posting, I had an idea. Of course.

I tried adding a map to my startup class:

```csharp
// Employee login: Azure AD, reachable only through the /adlogin branch of the pipeline
app.Map("/adlogin", app2 => app2.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        ClientId = "xxxxx",
        Authority = "https://login.windows.net/<xxxxx>",
        RedirectUri = "https://localhost:44303/AdLogin",
        SignInAsAuthenticationType = "Cookies"
    }));

// Default login for end-users: IdentityServer
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    ClientId = "implicitclient",
    Authority = "https://myids/core",
    RedirectUri = "https://localhost:44303/",
    ResponseType = "id_token",
    Scope = "openid profile email",
    SignInAsAuthenticationType = "Cookies"
});
```

AdLoginController/Index has the [Authorize] attribute and simply returns RedirectToAction("index", "Usermanager");

I now have a login page in IdServer for my (non-employee) end-users and my employee AD users can login with https://useradminapp/adlogin.

This works, but is it "nice"?
