Third-party OpenID 2.0 authentication not working #1385

Closed
saefren opened this issue Oct 29, 2020 · 12 comments

@saefren

saefren commented Oct 29, 2020

Hi,

I am trying to integrate an OpenID 2.0 authentication provider using this library:
https://github.com/aspnet-contrib/AspNet.Security.OpenId.Providers

It works effortlessly on a plain .NET Web Application project. I log in the third-party, get redirected back to my site and see that I am authenticated with 1 claim (type http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier).

However, when I tried the same on a new Piranha project (using the Razor variant) with a simple page that initiates the challenge, I am not authenticated after the redirect. I suppose the Piranha authentication middleware is somehow interfering / intercepting the request? Or perhaps it's a routing issue?

I would like this to work alongside the regular Manager login. It's fine if visitors can't be both logged in the Manager and the third-party simultaneously. And I understand we currently can't replace the IdentityUser class anyway:
#1114
(which seems like a bit of a shame since this is an out-of-the-box feature of Identity)

Thanks again and regards!

@tidyui
Member

tidyui commented Oct 29, 2020

Hi there! Piranha only cares about the claims of the current user for access in the manager ui, it doesn't care about how they got added. Piranha has a single security oriented middleware which is added in Startup.cs by calling:

```csharp
services.AddPiranha(options =>
{
    options.UseSecurity(o =>
    {
        ...
    });
});
```

The only thing this middleware does is pass through the request to the other middleware components in the pipeline, and when the response comes back it checks the status code. If the status code is Unauthorized it redirects the request to the configured client application login path:

```csharp
public async Task InvokeAsync(HttpContext ctx, IApplicationService service)
{
    // Execute the rest of the pipeline first
    await _next(ctx);

    // Check if we got back an unauthorized result
    // from the application (a 401 from the authentication handler)
    if (ctx.Response.StatusCode == 401)
    {
        // Redirect to the configured login url, passing the
        // originally requested url back as returnUrl
        ctx.Response.Redirect($"{ _config.LoginUrl }?returnUrl={ service.Request.Url }");
    }
}
```

The reason for this second redirect is that the login path of the standard Identity setup is configured to point to the manager login page at ~/manager/login. Apart from this there are no security related components within Piranha except the extension methods that add Identity. Have you adjusted the different identity settings to suit your application startup? Take a look here in the docs:

https://piranhacms.org/docs/architecture/authentication/identity

Best regards

@tidyui
Member

tidyui commented Oct 29, 2020

As a second clarification, the package Piranha.AspNetCore.Identity doesn't have to be used at all. The only thing needed by Piranha is a service implementing Piranha.ISecurity as this is the service that the manager login page calls when the user logs in. However, by setting up your own Identity implementation you can set a completely different login url for the entire application (including the manager) and then the Security service won't be called at all unless you do it explicitly in your custom login page.

Regards
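The two comments above describe the mechanism: Piranha's middleware only reacts to a 401 coming back from the pipeline, and the Identity package's cookie is what points the login path at ~/manager/login. One way to keep a visitor login out of that path is to give visitors their own cookie scheme and have the OpenID 2.0 handler sign into that scheme. The following is an added example written for this thread, not code from Piranha or from AspNet.Security.OpenId.Providers; the scheme name "Visitor", the paths /account/login and /signin-openid, the cookie name, the provider URL and the page class names are all assumptions for illustration.

```csharp
// Added example (not Piranha's own code). Registers a cookie scheme for site
// visitors that is separate from the manager's Identity cookie, and routes the
// OpenID 2.0 sign-in from AspNet.Security.OpenId into that visitor scheme.
using System;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.DependencyInjection;

public static class VisitorAuthenticationExtensions
{
    // Assumed scheme names; nothing in Piranha depends on them.
    public const string VisitorScheme = "Visitor";
    public const string OpenIdScheme = "OpenIdProvider";

    // Call from Startup.ConfigureServices after services.AddPiranha(...).
    public static IServiceCollection AddVisitorOpenId(this IServiceCollection services)
    {
        services.AddAuthentication()
            .AddCookie(VisitorScheme, o =>
            {
                // A challenge against this scheme is a 302 to LoginPath, not a 401,
                // so Piranha's middleware never sees an unauthorized status here.
                o.LoginPath = "/account/login";        // assumed path
                o.Cookie.Name = "visitor.auth";        // assumed name, distinct from the manager cookie
                o.Cookie.HttpOnly = true;
                o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
                o.Cookie.SameSite = SameSiteMode.Lax;  // the provider returns via a top-level GET
            })
            .AddOpenId(OpenIdScheme, "Example OpenID", o =>
            {
                o.Authority = new Uri("https://openid.example.org/"); // assumed provider endpoint
                o.CallbackPath = "/signin-openid";                   // assumed callback path
                // The remote handler never stores a session itself; it hands the
                // resulting principal to this scheme, which issues the cookie.
                o.SignInScheme = VisitorScheme;
            });

        return services;
    }
}

// /account/login: starts the OpenID challenge. Only local return URLs are
// honoured so the page cannot be used as an open redirect.
public class LoginModel : PageModel
{
    public IActionResult OnGet(string returnUrl = "/")
    {
        var target = Url.IsLocalUrl(returnUrl) ? returnUrl : "/";
        return Challenge(
            new AuthenticationProperties { RedirectUri = target },
            VisitorAuthenticationExtensions.OpenIdScheme);
    }
}

// A visitor-only page: authorize against the visitor scheme explicitly, so the
// default (manager) scheme and its login path are not involved at all.
[Authorize(AuthenticationSchemes = VisitorAuthenticationExtensions.VisitorScheme)]
public class ProfileModel : PageModel
{
    // The provider's identifier for the user, the single nameidentifier claim
    // the reporter observed in the plain Razor project.
    public string ExternalId { get; private set; }

    public void OnGet()
    {
        ExternalId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
    }

    // Signing out of the visitor scheme leaves any manager session untouched.
    public IActionResult OnPostLogout()
        => SignOut(VisitorAuthenticationExtensions.VisitorScheme);
}
```

The point of the separate scheme is that the default scheme (whatever the manager uses) and the visitor scheme do not share a cookie or a login path, so a visitor who is not signed in gets redirected to the visitor login page rather than to ~/manager/login, and a manager session is never mistaken for a visitor session or vice versa. When checking this, confirm in the browser that two distinct cookies are issued and that a request to the visitor-only page without the visitor cookie produces a 302 to /account/login rather than a 401.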

@saefren
Author

saefren commented Oct 29, 2020

Thank you for super fast response (as usual) 👍

I was not entirely clear so let me try to elucidate; I do not want to use the third-party authentication as a replacement. I do not want to use it with the Manager. I am fine with using Identity for the Manager (although it would be nice if I could bind the third-party identification to the IdentityUser and then perhaps a visitor could log in using either system). I just want visitors to log in using a third-party (via the AspNet.Security.OpenId.Providers lib) on the web application itself. This works in a plain Razor project and in the User.Claims I can find the ID of the third-party user (which I want to use for other functionality).

I had seen the documentation however I don't understand how it further helps me with my goal. I had also found the ISecurity interface but did not get to play around with it yet. I did notice it requires a username/password to sign-in. However, from what I understand, this is not applicable with third-party authentication. So that makes me think the ISecurity interface is not relevant in this scenario.

If you're willing (and have time) I can create a repository with a new Piranha project with the AspNet.Security.OpenId.Providers library and you can look in to it (and perhaps modify it so it works).

Or I can just clone the Piranha source-code and use that (instead of the nuget packages) to try to find the issue by stepping through the code. Because currently I don't have any insight in what is going on.

Kind regards

@tidyui
Member

tidyui commented Oct 30, 2020

Problem here is that I haven't actually set this up myself but have started to look at it for our public site PiranhaCMS.org. Like in your case the main idea here is to have the manager users in Identity (the current solution) and add the possibility for users to log in using their GitHub account to gain access to other parts of the site (add/edit information about plugins/modules they develop).

As always I'm kind of busy but I'd be more than happy to collaborate on something if you create a repository as I'm looking at implementing the exact same feature myself :)

@jensbrak
Contributor

I would love to jump on the train too somehow. I'd like to enable visitors of a Piranha site to add comments by using external login provider (like - for instance - Disqus as used at PiranhaCMS.org blog section).
However, to me it's way too much overhead to do considering I would do it just for fun and comments work fine as it is.

@tidyui
Member

tidyui commented Oct 30, 2020

Since Piranha.AspNetCore.Identity just uses the standard features of AspNetCore.Identity I think it's a fair assumption that we should get this going without too much hassle. I think the main problem here is that the convenience methods for adding the module performs too many actions and configurations which makes it hard to add other authentication methods to the applications. The goal here should be to make our Identity module more flexible so it's easier to configure alternative login methods.

@biapar

biapar commented Jan 24, 2021

Maybe it needs better documentation about this important point.

@tidyui
Member

tidyui commented Jan 24, 2021

Unfortunately I can’t provide this as I SUCK at security stuff. This is why we’ve done everything in our power to minimize dependencies on the current security / authentication / authorization provider in Piranha, to make sure that everyone should be able to handle it the way they see fit.

I think the main problem is that many see our default Identity package as something mandatory that they need to base their authorization on. This was never our intention to begin with, our identity package is just identity in its simplest form, perfect for anyone that’s looking to spin up a blog/website fast. For users with specific needs I at least recommend to remove our default package and just implement your own custom solution.

Best regards

Håkan

@jensbrak
Contributor

Cards on the table, as far as I'm concerned:

As said before, I'd love to do something but I am not in the position to put effort into this - no matter how much I want. Not now anyway. I have some experience from federative login at work and will most likely need to dig into it quite soon - so if no one beats me to it I will have a go at some point in the near future (depending on what near is).

I find this both interesting and likely to be part of things I need so to me it's just a matter of time. But since I can devote so little time to hobby projects I need to be realistic too.

@biapar

biapar commented Jan 25, 2021

.NET Core Identity out of the box can log in with some social networks and with Azure AD, which can itself log in with social providers.

@tedvanderveen
Contributor

#1623

@tidyui
Member

tidyui commented Dec 28, 2021

Closing as #1623 has been released.

@tidyui tidyui closed this as completed Dec 28, 2021