[keycloak-user] .NET Core OIDC auth

Nalyvayko, Peter pnalyvayko at agi.com
Tue Jul 26 02:51:00 EDT 2016


Hi Rafael,

Yes, KEYCLOAK-3286 has something to do with the issue you've run into. According to the spec, when the client uses one of Hybrid flows, i.e. 'code id_token', 'code id_token token', the server is required to include c_hash claim into the id token.
Regards
Peter
 ________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Rafael Soares [rsoares at redhat.com]
Sent: Tuesday, July 26, 2016 1:00 AM
To: keycloak-user
Subject: [keycloak-user] .NET Core OIDC auth

I'm trying to integrate an ASP .NET Core client web app with Keycloak using the .NET Core native OIDC Support.

For this I'm using a sample project available in the IdentityServer Github repo [1]. IdentityServer is an OIDC Auth Server/Framework implementation for .NET platform.

I forked that sample repo and changed the configuration to use the Keycloak OIDC endpoints.
The code snippet changed to use keycloak endpoint is this one<https://github.com/rafaeltuelho/IdentityServer4.Samples/blob/dev/MVC%20and%20API/src/AspNetCoreAuthentication/Startup.cs#L37>.

I was able to run this code on my RHEL 7 box using .NET Core for Linux [2]. In the KC side I just created a new realm and a client (see the dotnetcore.json realm config attached). The web app starts and the secured pages/resources redirects the user to the Keycloak endpoint, but after the user authenticates and KC responds the request the following error occurs on .NET client side:

"OpenIdConnectProtocolInvalidCHashException: IDX10307: The 'c_hash' claim was not found in the id_token, but a 'code' was in the OpenIdConnectMessage, id_token: '{"alg":"RS256","typ":"JWT"}.{"jti":"cae47265-327e-4961-aeb2-6615713cc6f8","exp":1469508079,"nbf":0,"iat":1469507779,"iss":"http://localhost:8080/auth/realms/dotnetdemo","aud":"dotnetcore","sub":"b8a10870-3abd-487b-802e-e57307eafc14","typ":"ID","azp":"dotnetcore","nonce":"636051045638599850.NTdmY2FhNWQtYzNmYi00Zjg1LWFlZjItYmViYzBmZTgwMjYzZDMwMDdlYzYtMGJiMS00OWY1LTlhZTQtY2VjNWYyMzM2Yzhl","session_state":"b3010cce-24ac-426b-969a-cccefe41711f","name":"dot NET","preferred_username":"dotnetuser","given_name":"dot","family_name":"NET","email":"donetuser at localhost.com<mailto:donetuser at localhost.com>"}'"

Searching for this message "The 'c_hash' claim was not found in the id_token" I found the issue KEYCLOAK-3286 [3]. Does this error have something to do with the KEYCLOAK-3286?

Does some one tried to integrate a .NET app with Keycloak using OIDC protocol?

[1] https://github.com/IdentityServer/IdentityServer4.Samples
[2] https://www.microsoft.com/net/core#redhat
[3] https://issues.jboss.org/browse/KEYCLOAK-3286

--

___
Rafael T. C. Soares




More information about the keycloak-user mailing list