Hi Rafael,
Yes, KEYCLOAK-3286 has something to do with the issue you've run into. According to
the spec, when the client uses one of the Hybrid flows, i.e. 'code id_token' or
'code id_token token', the server is required to include the c_hash claim in the ID
token.
Regards
Peter
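The c_hash rule Peter refers to is OpenID Connect Core 3.3.2.11: c_hash is the base64url encoding of the left-most half of the hash of the ASCII octets of the authorization code, where the hash function is the one named by the ID token's JWS alg header (RS256 uses SHA-256, RS384 SHA-384, RS512 SHA-512). The Python below is an added example, written for this thread; it is not Keycloak's code nor the .NET OpenIdConnect middleware's. It computes c_hash and performs the client-side check that produces an error like IDX10307 when a code came back without a matching c_hash. The authorization code, the placeholder signature and the sample claims are constructed test data; the helper only decodes the token and does not verify the JWS signature, which a real client must do against the issuer's JWKS before trusting any claim.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# OIDC Core 3.3.2.11: the hash for c_hash/at_hash is the one named by the JWS alg
# header, so RS256/ES256/HS256/PS256 -> SHA-256, *384 -> SHA-384, *512 -> SHA-512.
_HASH_FOR_ALG = {
    "HS256": hashlib.sha256, "RS256": hashlib.sha256, "ES256": hashlib.sha256, "PS256": hashlib.sha256,
    "HS384": hashlib.sha384, "RS384": hashlib.sha384, "ES384": hashlib.sha384, "PS384": hashlib.sha384,
    "HS512": hashlib.sha512, "RS512": hashlib.sha512, "ES512": hashlib.sha512, "PS512": hashlib.sha512,
}


def _b64url_encode(data: bytes) -> str:
    # JWS uses unpadded base64url
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compute_c_hash(code: str, alg: str) -> str:
    """c_hash = base64url(left-most half of HASH(ASCII(code))), HASH chosen by alg."""
    digest = _HASH_FOR_ALG[alg](code.encode("ascii")).digest()
    return _b64url_encode(digest[: len(digest) // 2])


def split_jwt(token: str) -> tuple:
    """Decode the header and claims of a compact JWS (header.payload.signature).
    The signature is NOT checked here; do that against the issuer's JWKS first."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def validate_c_hash(id_token: str, code: Optional[str]) -> str:
    """Return "ok" when the ID token binds the returned code, raise ValueError otherwise.

    This is the check behind the IDX10307 failure quoted in the thread: if the
    authorization response carried a code next to the id_token (hybrid flow), the
    id_token must contain a c_hash that matches that code. With no code (implicit
    'id_token' / 'id_token token') there is nothing to bind and c_hash is optional.
    """
    header, claims = split_jwt(id_token)
    alg = header.get("alg")
    if alg not in _HASH_FOR_ALG:
        raise ValueError(f"unsupported or missing alg in id_token header: {alg!r}")
    if code is None:
        return "ok"
    c_hash = claims.get("c_hash")
    if c_hash is None:
        raise ValueError("'c_hash' claim was not found in the id_token, but a 'code' was returned")
    # constant-time compare: c_hash is not secret, but the habit costs nothing
    if not hmac.compare_digest(c_hash, compute_c_hash(code, alg)):
        raise ValueError("c_hash in id_token does not match the returned code")
    return "ok"


def make_unsigned_sample_token(claims: dict, alg: str = "RS256") -> str:
    """Constructed test helper: compact JWS with a placeholder signature so the
    example runs offline. Real ID tokens are signed by the realm key."""
    header = {"alg": alg, "typ": "JWT"}
    parts = [
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode("ascii")),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode("ascii")),
        _b64url_encode(b"placeholder-signature"),
    ]
    return ".".join(parts)


if __name__ == "__main__":
    # Constructed data: the code is not a real Keycloak code; the claims mirror the
    # shape of the token quoted in the thread.
    sample_code = "constructed-authorization-code"
    base_claims = {
        "iss": "http://localhost:8080/auth/realms/dotnetdemo",
        "aud": "dotnetcore",
        "sub": "b8a10870-3abd-487b-802e-e57307eafc14",
        "nonce": "constructed-nonce",
    }
    without_c_hash = make_unsigned_sample_token(base_claims)
    with_c_hash = make_unsigned_sample_token(
        {**base_claims, "c_hash": compute_c_hash(sample_code, "RS256")}
    )
    print("token with c_hash:", validate_c_hash(with_c_hash, sample_code))
    try:
        validate_c_hash(without_c_hash, sample_code)
    except ValueError as exc:
        print("token without c_hash:", exc)
```

The server side is the mirror image: when the response_type contains both `code` and `id_token`, compute `compute_c_hash(code, alg)` with the alg the ID token will be signed with and put it in the claims before signing. Note that the hash length follows the alg, so a client that hard-codes SHA-256 will reject a correctly formed c_hash from an RS512-signed token.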
________________________________________
From: keycloak-user-bounces@lists.jboss.org [keycloak-user-bounces@lists.jboss.org] on
behalf of Rafael Soares [rsoares@redhat.com]
Sent: Tuesday, July 26, 2016 1:00 AM
To: keycloak-user
Subject: [keycloak-user] .NET Core OIDC auth
I'm trying to integrate an ASP.NET Core client web app with Keycloak using the .NET
Core native OIDC support.
For this I'm using a sample project available in the IdentityServer Github repo [1].
IdentityServer is an OIDC Auth Server/Framework implementation for .NET platform.
I forked that sample repo and changed the configuration to use the Keycloak OIDC
endpoints.
The code snippet changed to use the Keycloak endpoint is this one:
<https://github.com/rafaeltuelho/IdentityServer4.Samples/blob/dev/M...>
I was able to run this code on my RHEL 7 box using .NET Core for Linux [2]. On the KC side
I just created a new realm and a client (see the dotnetcore.json realm config attached).
The web app starts and the secured pages/resources redirect the user to the Keycloak
endpoint, but after the user authenticates and KC responds to the request the following error
occurs on the .NET client side:
"OpenIdConnectProtocolInvalidCHashException: IDX10307: The 'c_hash' claim was
not found in the id_token, but a 'code' was in the OpenIdConnectMessage, id_token:
'{"alg":"RS256","typ":"JWT"}.{"jti":"cae47265-327e-4961-aeb2-6615713cc6f8","exp":1469508079,"nbf":0,"iat":1469507779,"iss":"http://localhost:8080/auth/realms/dotnetdemo","aud":"dotnetcore","sub":"b8a10870-3abd-487b-802e-e57307eafc14","typ":"ID","azp":"dotnetcore","nonce":"636051045638599850.NTdmY2FhNWQtYzNmYi00Zjg1LWFlZjItYmViYzBmZTgwMjYzZDMwMDdlYzYtMGJiMS00OWY1LTlhZTQtY2VjNWYyMzM2Yzhl","session_state":"b3010cce-24ac-426b-969a-cccefe41711f","name":"dot NET","preferred_username":"dotnetuser","given_name":"dot","family_name":"NET","email":"donetuser@localhost.com"}'"
Searching for the message "The 'c_hash' claim was not found in the
id_token" I found the issue KEYCLOAK-3286 [3]. Does this error have something to do
with KEYCLOAK-3286?
Has someone tried to integrate a .NET app with Keycloak using the OIDC protocol?
[1] https://github.com/IdentityServer/IdentityServer4.Samples
[2] https://www.microsoft.com/net/core#redhat
[3] https://issues.jboss.org/browse/KEYCLOAK-3286
--
___
Rafael T. C. Soares