SimpleIdentityServer.Core (DEPRECATED - no longer actively maintained. Please visit the project https://github.com/simpleidserver/SimpleIdServer)
Nuget V3 feed URL (Visual Studio 2015+) : https://www.myget.org/F/advance-ict/api/v3/index.json
OpenId + Uma + Oauth 2.0 providers + SCIM2.0 + RFID reader (DEPRECATED)
Home Page: https://github.com/simpleidserver/SimpleIdServer
License: Apache License 2.0
Don't forget to add the address claims as described in the following link : http://openid.net/specs/openid-connect-core-1_0.html#AddressClaim
==> use Base64Url from Microsoft.Owin.Security.dll : https://msdn.microsoft.com/en-us/library/microsoft.owin.security.datahandler.encoder.textencodings.base64url(v=vs.113).aspx
==> Clean the classes
==> Split big classes into several sub-classes (single responsibility)
==> Rename certain classes with more meaningful names : ResourceOwnerGrantTypeParameter
==> Fix all the UTs
Tasks:
==> Reuse the same authentication & consent processes of the authorization code workflow
Documentation url : http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowSteps
To deserialize the object, execute the following code snippet (as an extension method, it must live in a static class):
using System.IO;
using System.Runtime.Serialization.Json;
using System.Text;
public static class JsonExtensions
{
    public static T Deserialize<T>(this string serialized)
    {
        var serializer = new DataContractJsonSerializer(typeof(T));
        // The serializer detects UTF-8 or UTF-16 from the stream; dispose the stream when done.
        using (var ms = new MemoryStream(Encoding.Unicode.GetBytes(serialized)))
            return (T)serializer.ReadObject(ms);
    }
}
For more information read this documentation : https://tools.ietf.org/html/rfc6749#section-4.1.3
http://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps
Process the request parameter as described in the RFC : http://openid.net/specs/openid-connect-core-1_0.html#JWTRequests
For more information read the documentation at this URL : http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
The Claims requested by the profile, email, address, and phone scope values are returned from the UserInfo Endpoint, as described in Section 5.3.2, when a response_type value is used that results in an Access Token being issued. However, when no Access Token is issued (which is the case for the response_type value id_token), the resulting Claims are returned in the ID Token.
For more information read the documentation at this URL : http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
For more information read this document : http://openid.net/specs/openid-connect-core-1_0.html#UserInfo
This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
Check these sections :
==> https://tools.ietf.org/html/rfc6749#section-4.1.2
==> https://tools.ietf.org/html/rfc6749#section-10.12
Fix this test
Read this document: http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.
If an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id is the Claim Value.
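As an added example (not code from the SimpleIdentityServer project), a Relying-Party-side check applying the two audience rules above; the class and method names are hypothetical, and the two SHOULDs are treated as hard failures:

```csharp
// Added example, not SimpleIdentityServer code. Validates the "aud" and "azp"
// claims of an ID Token on the Relying Party side. Names are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;

public static class IdTokenAudienceValidator
{
    // "aud" may be a single string or an array in the JWT payload;
    // the caller passes it already parsed into a list.
    public static bool ValidateAudience(IList<string> audiences, string azp, string clientId)
    {
        if (audiences == null || audiences.Count == 0 || string.IsNullOrEmpty(clientId))
        {
            return false;
        }

        // The ID Token must be intended for this client.
        if (!audiences.Contains(clientId, StringComparer.Ordinal))
        {
            return false;
        }

        // Multiple audiences: an azp Claim must be present (SHOULD in the spec,
        // enforced here as a hard requirement).
        if (audiences.Count > 1 && string.IsNullOrEmpty(azp))
        {
            return false;
        }

        // If azp is present, its value must be our client_id.
        if (!string.IsNullOrEmpty(azp) && !string.Equals(azp, clientId, StringComparison.Ordinal))
        {
            return false;
        }

        return true;
    }

    public static void Main()
    {
        // Constructed sample values exercising each rule.
        Console.WriteLine(ValidateAudience(new[] { "rp-client" }, null, "rp-client"));                   // single audience, no azp
        Console.WriteLine(ValidateAudience(new[] { "rp-client", "other-rp" }, null, "rp-client"));       // several audiences, azp missing
        Console.WriteLine(ValidateAudience(new[] { "rp-client", "other-rp" }, "rp-client", "rp-client")); // several audiences, azp matches
        Console.WriteLine(ValidateAudience(new[] { "rp-client" }, "other-rp", "rp-client"));             // azp does not match client_id
    }
}
```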
The client_id can be passed in the Basic Authorization header or in the HTTP request body
==> Use this solution http://getseq.net/ ?
==> Use ETW ?
For more information check this link : https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41
More information about the JWK (JSON Web Key) : https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41
Read the documentation at this URL : http://openid.net/specs/openid-connect-session-1_0.html
none
The Authorization Server MUST NOT display any authentication or consent user interface pages. An error is returned if an End-User is not already authenticated or the Client does not have pre-configured consent for the requested Claims or does not fulfill other conditions for processing the request. The error code will typically be login_required, interaction_required, or another code defined in Section 3.1.2.6. This can be used as a method to check for existing authentication and/or consent.
login
The Authorization Server SHOULD prompt the End-User for reauthentication. If it cannot reauthenticate the End-User, it MUST return an error, typically login_required.
consent
The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client. If it cannot obtain consent, it MUST return an error, typically consent_required.
select_account
The Authorization Server SHOULD prompt the End-User to select a user account. This enables an End-User who has multiple accounts at the Authorization Server to select amongst the multiple accounts that they might have current sessions for. If it cannot obtain an account selection choice made by the End-User, it MUST return an error, typically account_selection_required.
OPTIONAL. Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. (The max_age request parameter corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] max_auth_age request parameter.) When max_age is used, the ID Token returned MUST include an auth_time Claim Value.
page
The Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view. If the display parameter is not specified, this is the default display mode.
popup
The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window. The popup User Agent window should be of an appropriate size for a login-focused dialog and should not obscure the entire window that it is popping up over.
touch
The Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface.
wap
The Authorization Server SHOULD display the authentication and consent UI consistent with a "feature phone" type display.
When issuing the "granted_token", check whether the existing one is still valid. If it is not, re-generate a valid "granted_token".
Authenticate a user with his local account
If the user is not authenticated then set the "prompt" parameter to "login"
If the user is authenticated but there's no consent then set the "prompt" parameter to "consent"
If the user is authenticated & there's a consent then set the "prompt" parameter to "none"
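Combining the prompt and max_age rules quoted above with the three decision rules just listed, as an added example that is not the project's own code (all type and member names are hypothetical):

```csharp
// Added example, not SimpleIdentityServer code. Decides what the authorization
// endpoint must do for a request from its "prompt" and "max_age" parameters and
// the current session state. Names are hypothetical.
using System;
using System.Collections.Generic;

public enum AuthorizationAction { Authenticate, Consent, SelectAccount, IssueResponse, Error }

public sealed class AuthorizationDecision
{
    public AuthorizationAction Action;
    public string ErrorCode;   // set only when Action == Error
}

public static class PromptEvaluator
{
    // prompt: raw space-separated "prompt" parameter (may be null).
    // maxAgeSeconds: the "max_age" parameter (may be null).
    // authTime: when the End-User last actively authenticated (null if unknown).
    public static AuthorizationDecision Evaluate(string prompt, bool isAuthenticated, bool hasConsent,
        long? maxAgeSeconds, DateTimeOffset? authTime, DateTimeOffset now)
    {
        var prompts = new HashSet<string>(
            (prompt ?? string.Empty).Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries));

        // max_age exceeded (or auth_time unknown): the OP MUST actively re-authenticate.
        bool authTooOld = maxAgeSeconds.HasValue &&
            (!authTime.HasValue || (now - authTime.Value).TotalSeconds > maxAgeSeconds.Value);

        bool needLogin = !isAuthenticated || authTooOld || prompts.Contains("login");
        bool needConsent = !hasConsent || prompts.Contains("consent");

        if (prompts.Contains("none"))
        {
            // No UI may be shown: report which interaction would have been needed.
            if (needLogin) return Fail("login_required");
            if (needConsent) return Fail("consent_required");
            return Do(AuthorizationAction.IssueResponse);
        }
        if (needLogin) return Do(AuthorizationAction.Authenticate);
        if (prompts.Contains("select_account")) return Do(AuthorizationAction.SelectAccount);
        if (needConsent) return Do(AuthorizationAction.Consent);
        return Do(AuthorizationAction.IssueResponse);
    }

    private static AuthorizationDecision Do(AuthorizationAction a) => new AuthorizationDecision { Action = a };
    private static AuthorizationDecision Fail(string code) =>
        new AuthorizationDecision { Action = AuthorizationAction.Error, ErrorCode = code };
}
```

When the End-User is offered account selection but makes no choice, the endpoint returns account_selection_required, which is a UI outcome and so is not modelled here.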