- ABP Framework version: v3.3.2
- UI type: Angular
- DB provider: EF Core
- Tiered (MVC) or Identity Server Separated (Angular): yes
Hi, I have a requirement to log in with an external authentication provider named "Singpass", the spec & flow are described at the link below:
https://stg-id.singpass.gov.sg/docs/authorization/api#_introduction
Instead of redirect to authentication provider login page, it's using an embedded JS to generate the QR code in our page and require user to use mobile app to scan it for authentication, it requires to provide the state & nonce parameters as the input for embedded JS:
4.2. Input Parameters https://stg-id.singpass.gov.sg/docs/embedded-auth/js#_login_ui_dimensions
I have created an endpoint to manually generate the state & nonce parameters as below:
private readonly IOptionsMonitor<OpenIdConnectOptions> _openIdOptions;
...
private string GenerateNonce()
{
return Convert.ToBase64String(Encoding.UTF8.GetBytes(Guid.NewGuid().ToString()));
}
public string GetState()
{
var state = GenerateNonce();
AuthenticationProperties authProperties = new AuthenticationProperties
(
new Dictionary<string, string>
{
{ OpenIdConnectDefaults.UserstatePropertiesKey, state },
}
);
//This StateDataFormat does not use the correct DataProtectionProvider
return _openIdOptions.Get("singpass").CurrentValue.StateDataFormat.Protect(authProperties);
}
However, when the user scanned the QR code and completed the authentication, it redirected back to signin-oidc with the authentication code, I got this error
2021-03-01 11:31:29.918 +08:00 [WRN] .AspNetCore.Correlation. state property not found. 2021-03-01 11:31:29.918 +08:00 [INF] Error from RemoteAuthentication: Correlation failed..
I checked the OpenIdConnectionHandler, the CorrelationId is generated in HandleChallengeAsync() during redirection which does not happen in my case. I don't know how to do the proper configuration without redirection to external authentication login page, is there any advise? Any help would be much appreciated.
Below is my openid configuration:
.AddOpenIdConnect(authenticationScheme: "singpass", "Singpass Authentication", configureOptions =>
{
configureOptions.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
configureOptions.SignOutScheme = IdentityServerConstants.SignoutScheme;
configureOptions.Authority = configuration["Singpass:Authority"];
configureOptions.ClientId = configuration["Singpass:ClientId"];
configureOptions.ResponseType = OpenIdConnectResponseType.Code;
configureOptions.RequireHttpsMetadata = true;
configureOptions.ProtocolValidator = new OpenIdConnectProtocolValidator()
{
RequireState = false,
RequireStateValidation = false,
};
configureOptions.Events.OnAuthorizationCodeReceived = context =>
{
context.TokenEndpointRequest.ClientAssertionType = OidcConstants.ClientAssertionTypes.JwtBearer;
context.TokenEndpointRequest.ClientAssertion = NDIAuthenticationHandler.CreateClientAssertionJwt(
configuration["Singpass:ClientId"],
configuration["Singpass:TokenEndpoint"],
configuration["Key:ThumbPrint"]);
return Task.CompletedTask;
};
})
3 Answer(s)
-
0
hi
We don't have much experience with singpass, Does it have any sample for ASP NET Core?
-
0
Hi @maliming, unfortunately, there is no sample for .net core. they just provide us the spec:
https://stg-id.singpass.gov.sg/docs/authorization/api#_introduction
I just want to clarified, is there a way to configure the external authentication provider without redirection to their log-in page. In my case, the end-user will scan the QR code and do the log-in in their mobile phone.
-
0
According to the current external authentication process, redirection must be used.
The web page should also be redirected after the user scans the QR to log in.
