How to restrict OpenID connect authentication on a client application
As mentioned in the documentation, OpenID Connect allows a client application to let users authenticate via the Thinkwise Platform (https://docs.thinkwisesoftware.com/docs/iam/client_apps#openid-connect-authentication).
How can you give specific IAM users the right to authenticate on the client application?
I don't want all IAM users to be able to authenticate on the 3rd party client application.
Hello @Pierius Lycklama A Nijeholt,
OpenID authentication will only succeed for users whose authentication type in IAM is set to External, with the matching OpenID provider:
Hello @Vincent Doppenberg,
I'm using the Thinkwise Platform as OpenID provider. Therefore I don't have an OpenID identity provider registered in IAM. With a client application that I have created in IAM, I can log in with any user (with authentication type 'IAM') and then receive an authorization_code. I can then use this authorization_code to get an access_code token.
As I see it, all users can now authenticate on the client application, but I'm missing the part about how you can authorize users for this application.
Hello @Pierius Lycklama A Nijeholt
Apologies for the confusion. The only way to communicate any kind of custom information from IAM to your client application is by defining Custom Resources on your Client Application in IAM. Here you can define claims per user or per user group and these claims can be used by the client application to distinguish between authorized and unauthorized users.
So for example, you could make a user group in IAM called “<client application> users” and then add all of the authorized users to it. After this you can create a Custom Resource called Authorization and add a user group specific claim called Authorized with the value true or 1. The Client Application should then request the scope Authorization and, once a user has successfully authenticated, the client application can retrieve the claim value of that scope for that user and choose to accept or reject the user.
I hope this helps.
Hello @Vincent Doppenberg,
Thank you for the clarification.
I created a custom resource and added a user group specific claim. After an Indicium restart, both are now visible in the discovery document under the supported scopes and claims (<url>/indicium/.well-known/openid-configuration).
However, I now run into the problem that when I use the received authorization_code to get an access_token I get an Internal Server Error.
Indicium shows the following error in the log: (we are running IAM 2023.3 with hotfixes installed up to and including 20231108)
[ERR] An unhandled exception occurred while processing the request. (ffba027a)
Microsoft.Data.SqlClient.SqlException (0x80131904): Invalid object name 'i_api_openid_custom_resource_claim_values'.
   at Microsoft.Data.SqlClient.SqlCommand.<>c.<ExecuteDbDataReaderAsync>b__208_0(Task`1 result)
   at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
--- End of stack trace from previous location ---
   at Indicium.Data.Shared.Connection.TSFDbCommand`1.ExecuteReaderWithoutMessages(CommandBehavior commandBehavior) in C:\azp\agent\_work\1\s\src\Data\Indicium.Data.Shared\Connection\TSFDbCommand.cs:line 65
   at Indicium.Shared.Meta.Readers.Global.OpenID.OIDCustomResourceClaimValuesReader.ReadCustomUserClaimValues(IRootApplicationLoader rootApplicationLoader, String resourceID, String userID) in C:\azp\agent\_work\1\s\src\Indicium.Shared\Meta\Readers\Global\OpenID\OIDCustomResourceClaimValuesReader.cs:line 42
   at Indicium.Identity.TSFProfileService.GetProfileDataAsync(ProfileDataRequestContext context) in C:\azp\agent\_work\1\s\src\Indicium.Identity\TSFProfileService.cs:line 87
   at Duende.IdentityServer.Services.DefaultClaimsService.GetAccessTokenClaimsAsync(ClaimsPrincipal subject, ResourceValidationResult resourceResult, ValidatedRequest request) in /_/src/IdentityServer/Services/Default/DefaultClaimsService.cs:line 211
   at Duende.IdentityServer.Services.DefaultTokenService.CreateAccessTokenAsync(TokenCreationRequest request) in /_/src/IdentityServer/Services/Default/DefaultTokenService.cs:line 190
   at Duende.IdentityServer.ResponseHandling.TokenResponseGenerator.CreateAccessTokenAsync(ValidatedTokenRequest request) in /_/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs:line 493
   at Duende.IdentityServer.ResponseHandling.TokenResponseGenerator.ProcessAuthorizationCodeRequestAsync(TokenRequestValidationResult request) in /_/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs:line 149
   at Duende.IdentityServer.ResponseHandling.TokenResponseGenerator.ProcessAsync(TokenRequestValidationResult request) in /_/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs:line 100
   at Duende.IdentityServer.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context) in /_/src/IdentityServer/Endpoints/TokenEndpoint.cs:line 108
   at Duende.IdentityServer.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context) in /_/src/IdentityServer/Endpoints/TokenEndpoint.cs:line 75
   at Duende.IdentityServer.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IdentityServerOptions options, IEndpointRouter router, IUserSession userSession, IEventService events, IIssuerNameService issuerNameService, ISessionCoordinationService sessionCoordinationService) in /_/src/IdentityServer/Hosting/IdentityServerMiddleware.cs:line 101
   at Duende.IdentityServer.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IdentityServerOptions options, IEndpointRouter router, IUserSession userSession, IEventService events, IIssuerNameService issuerNameService, ISessionCoordinationService sessionCoordinationService) in /_/src/IdentityServer/Hosting/IdentityServerMiddleware.cs:line 117
   at Duende.IdentityServer.Hosting.MutualTlsEndpointMiddleware.Invoke(HttpContext context, IAuthenticationSchemeProvider schemes) in /_/src/IdentityServer/Hosting/MutualTlsEndpointMiddleware.cs:line 94
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Duende.IdentityServer.Hosting.DynamicProviders.DynamicSchemeAuthenticationMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/DynamicProviders/DynamicSchemes/DynamicSchemeAuthenticationMiddleware.cs:line 47
   at Duende.IdentityServer.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/BaseUrlMiddleware.cs:line 27
   at Indicium.Extensions.ApplicationBuilderExtensions.<>c.<<SameSiteOpenIDConnectInterceptor>b__0_0>d.MoveNext() in C:\azp\agent\_work\1\s\src\Indicium\Extensions\ApplicationBuilderExtensions.cs:line 57
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context)
   at Indicium.Middleware.Security.AuthenticationHeadersMiddleware.InvokeAsync(HttpContext context) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\Authentication\AuthenticationHeadersMiddleware.cs:line 47
   at Indicium.Middleware.Security.SecurityHeadersMiddleware.InvokeAsync(HttpContext context, ContentSecurityPolicyBuilder cspBuilder) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\Security\SecurityHeadersMiddleware.cs:line 54
   at Indicium.Middleware.Messages.TSFMessagesMiddleware.Invoke(HttpContext context, IRootApplicationLoader rootApplicationLoader, TSFRequestContext requestContext) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\Messages\TSFMessageMiddleware.cs:line 44
   at Indicium.Middleware.Telemetry.ServerTimings.ServerTimingsMiddleware.InvokeAsync(HttpContext context, ServerTimingsBuilder serverTimingsBuilder) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\Telemetry\ServerTimings\ServerTimingsMiddleware.cs:line 45
   at Indicium.Middleware.ExceptionHandlingMiddleware.Invoke(HttpContext context, TSFRequestContext requestContext) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\ExceptionHandlingMiddleware.cs:line 34
Hello @Pierius Lycklama A Nijeholt,
This issue will be resolved in the upcoming version of Indicium, which will be released later this week. After that, my previous suggestion should work for you.
Hello @Pierius Lycklama A Nijeholt
This issue has been resolved in version 2023.3.13.0 of Indicium, which is available now. The claims of custom resources for a user can be retrieved by calling the userinfo endpoint and providing the access token of that user as a bearer authentication token.
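Putting the two answers together (the Authorization custom resource with its Authorized claim from the earlier reply, and the userinfo endpoint from this one), here is an added client-side check. This is example code, not Thinkwise's or Indicium's own; it assumes the claim arrives in the userinfo JSON as a top-level key named "Authorized", and it fails closed on anything other than an explicit true/1.

```python
import json
import urllib.request
from typing import Optional

# Names from the thread: scope "Authorization", claim "Authorized" = true or 1,
# granted per user group. That it shows up as a top-level userinfo key named
# "Authorized" is an assumption of this example.
AUTHORIZED_CLAIM = "Authorized"
TRUE_VALUES = {"true", "1"}


def discover_userinfo_endpoint(issuer_base_url: str) -> str:
    """Read userinfo_endpoint from <issuer>/.well-known/openid-configuration."""
    url = issuer_base_url.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)["userinfo_endpoint"]


def fetch_userinfo(userinfo_endpoint: str, access_token: str) -> dict:
    """Call userinfo with the user's access token as a bearer token."""
    req = urllib.request.Request(
        userinfo_endpoint, headers={"Authorization": "Bearer " + access_token}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def is_authorized(userinfo: dict, expected_sub: Optional[str] = None,
                  claim: str = AUTHORIZED_CLAIM) -> bool:
    """Fail closed: only an explicit true/1 value for the claim grants access.
    A missing claim (user not in the group, or scope not granted) and any other
    value ("false", "0", "", None, odd types) is a rejection. If expected_sub
    (the "sub" from the ID token) is given, the userinfo "sub" must match it."""
    if expected_sub is not None and userinfo.get("sub") != expected_sub:
        return False
    value = userinfo.get(claim)
    if isinstance(value, bool):        # check bool before int: True is an int
        return value
    if isinstance(value, (int, str)):  # IAM may send "true", "1" or 1
        return str(value).strip().lower() in TRUE_VALUES
    return False


def check_user(issuer_base_url: str, access_token: str,
               expected_sub: Optional[str] = None) -> bool:
    """End to end: discover the endpoint, fetch the claims, decide."""
    endpoint = discover_userinfo_endpoint(issuer_base_url)
    return is_authorized(fetch_userinfo(endpoint, access_token), expected_sub)
```

In the client application this would be called as check_user("<url>/indicium", access_token, id_token_sub) right after the token exchange, before any session is established for the user.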