
How to restrict OpenID connect authentication on a client application



As mentioned in the documentation, OpenID Connect allows a client application to let users authenticate via the Thinkwise Platform (https://docs.thinkwisesoftware.com/docs/iam/client_apps#openid-connect-authentication)

How can you give specific IAM users the right to authenticate on the client application?

I don't want all IAM users to be able to authenticate on the 3rd party client application.

Best answer by Vincent Doppenberg

Hello @Pierius Lycklama A Nijeholt 

This issue has been resolved in version 2023.3.13.0 of Indicium, which is available now. The claims of custom resources for a user can be retrieved by calling the userinfo endpoint and providing the access token of that user as a bearer authentication token.

GET /connect/userinfo


6 replies


Hello @Pierius Lycklama A Nijeholt,

OpenID authentication will only succeed for users whose authentication type in IAM is set to External, with the matching OpenID provider:




Hello @Vincent Doppenberg,

I'm using the Thinkwise Platform as OpenID provider. Therefore I don't have an OpenID identity provider registered in IAM.
With a client application that I have created in IAM, I can log in with any user (with authentication type 'IAM') and then receive an authorization_code. I can then use this authorization_code to get an access_code token.

As I see it, all users can now authenticate on the client application, but I'm missing the part about how you can authorize users for this application.



Hello @Pierius Lycklama A Nijeholt 

Apologies for the confusion. The only way to communicate any kind of custom information from IAM to your client application is by defining Custom Resources on your Client Application in IAM. Here you can define claims per user or per user group and these claims can be used by the client application to distinguish between authorized and unauthorized users.

So for example, you could make a user group in IAM called “<client application> users” and then add all of the authorized users to it. After this you can create a Custom Resource called Authorization and add a user group specific claim called Authorized with the value true or 1. The Client Application should then request the scope Authorization and, once a user has successfully authenticated, the client application can retrieve the claim value of that scope for that user and choose to accept or reject the user.

I hope this helps.
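The check described in this answer and in the accepted answer (retrieve the custom-resource claim from the userinfo endpoint and accept or reject the user on it), as an added example that is not part of the original thread or of the Thinkwise platform. The resource/scope name `Authorization` and claim name `Authorized` are taken from the answer above; the endpoint URL, the sample responses and the function names are assumptions.

```python
import json
import urllib.request

# Only these normalised values count as authorized, matching the "true or 1"
# suggested in the thread; a missing claim or any other value is rejected.
TRUTHY = {"true", "1"}
AUTHORIZED_CLAIM = "Authorized"  # claim name from the thread, an assumption


def fetch_userinfo(userinfo_endpoint: str, access_token: str) -> dict:
    """GET /connect/userinfo with the user's access token as a bearer token."""
    req = urllib.request.Request(
        userinfo_endpoint,
        headers={"Authorization": f"Bearer {access_token}",
                 "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def is_authorized(userinfo: dict, expected_sub: str,
                  claim: str = AUTHORIZED_CLAIM) -> bool:
    """Decide whether the authenticated user may use the client application.

    Fails closed: the userinfo 'sub' must equal the 'sub' of the ID token the
    user logged in with (OIDC Core 5.3.2), and the claim must be present with
    a value that normalises to "true" or "1". The value may arrive as a bool,
    number, string or list (multi-valued claim); all forms are handled.
    """
    if not isinstance(userinfo, dict) or userinfo.get("sub") != expected_sub:
        return False
    value = userinfo.get(claim)
    if value is None:
        return False
    values = value if isinstance(value, list) else [value]
    return any(str(v).strip().lower() in TRUTHY for v in values)


# Constructed sample userinfo responses (not captured from a real Indicium).
SAMPLE_ALLOWED = {"sub": "alice", "name": "Alice", "Authorized": "1"}
SAMPLE_DENIED = {"sub": "bob", "name": "Bob"}  # not in the group: no claim
SAMPLE_OTHER_USER = {"sub": "alice", "Authorized": True}

if __name__ == "__main__":
    print(is_authorized(SAMPLE_ALLOWED, "alice"))     # True
    print(is_authorized(SAMPLE_DENIED, "bob"))        # False
    print(is_authorized(SAMPLE_OTHER_USER, "bob"))    # False: sub mismatch
```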



Hello @Vincent Doppenberg,

Thank you for the clarification.

I created a custom resource and added a user group specific claim. After an Indicium restart, both are now visible in the discovery document under the supported scopes and claims (<url>/indicium/.well-known/openid-configuration).

However, I now run into the problem that when I use the received authorization_code to get an access_token, I get an Internal Server Error.

Indicium shows the following error in the log:
(we are running IAM 2023.3 with hotfixes installed up to and including 20231108)

[ERR] An unhandled exception occurred while processing the request. (ffba027a)
Microsoft.Data.SqlClient.SqlException (0x80131904): Invalid object name 'i_api_openid_custom_resource_claim_values'.
   at Microsoft.Data.SqlClient.SqlCommand.<>c.<ExecuteDbDataReaderAsync>b__208_0(Task`1 result)
   at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
--- End of stack trace from previous location ---
   at Indicium.Data.Shared.Connection.TSFDbCommand`1.ExecuteReaderWithoutMessages(CommandBehavior commandBehavior) in C:\azp\agent\_work\1\s\src\Data\Indicium.Data.Shared\Connection\TSFDbCommand.cs:line 65
   at Indicium.Shared.Meta.Readers.Global.OpenID.OIDCustomResourceClaimValuesReader.ReadCustomUserClaimValues(IRootApplicationLoader rootApplicationLoader, String resourceID, String userID) in C:\azp\agent\_work\1\s\src\Indicium.Shared\Meta\Readers\Global\OpenID\OIDCustomResourceClaimValuesReader.cs:line 42
   at Indicium.Identity.TSFProfileService.GetProfileDataAsync(ProfileDataRequestContext context) in C:\azp\agent\_work\1\s\src\Indicium.Identity\TSFProfileService.cs:line 87
   at Duende.IdentityServer.Services.DefaultClaimsService.GetAccessTokenClaimsAsync(ClaimsPrincipal subject, ResourceValidationResult resourceResult, ValidatedRequest request) in /_/src/IdentityServer/Services/Default/DefaultClaimsService.cs:line 211
   at Duende.IdentityServer.Services.DefaultTokenService.CreateAccessTokenAsync(TokenCreationRequest request) in /_/src/IdentityServer/Services/Default/DefaultTokenService.cs:line 190
   at Duende.IdentityServer.ResponseHandling.TokenResponseGenerator.CreateAccessTokenAsync(ValidatedTokenRequest request) in /_/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs:line 493
   at Duende.IdentityServer.ResponseHandling.TokenResponseGenerator.ProcessAuthorizationCodeRequestAsync(TokenRequestValidationResult request) in /_/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs:line 149
   at Duende.IdentityServer.ResponseHandling.TokenResponseGenerator.ProcessAsync(TokenRequestValidationResult request) in /_/src/IdentityServer/ResponseHandling/Default/TokenResponseGenerator.cs:line 100
   at Duende.IdentityServer.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context) in /_/src/IdentityServer/Endpoints/TokenEndpoint.cs:line 108
   at Duende.IdentityServer.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context) in /_/src/IdentityServer/Endpoints/TokenEndpoint.cs:line 75
   at Duende.IdentityServer.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IdentityServerOptions options, IEndpointRouter router, IUserSession userSession, IEventService events, IIssuerNameService issuerNameService, ISessionCoordinationService sessionCoordinationService) in /_/src/IdentityServer/Hosting/IdentityServerMiddleware.cs:line 101
   at Duende.IdentityServer.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IdentityServerOptions options, IEndpointRouter router, IUserSession userSession, IEventService events, IIssuerNameService issuerNameService, ISessionCoordinationService sessionCoordinationService) in /_/src/IdentityServer/Hosting/IdentityServerMiddleware.cs:line 117
   at Duende.IdentityServer.Hosting.MutualTlsEndpointMiddleware.Invoke(HttpContext context, IAuthenticationSchemeProvider schemes) in /_/src/IdentityServer/Hosting/MutualTlsEndpointMiddleware.cs:line 94
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Duende.IdentityServer.Hosting.DynamicProviders.DynamicSchemeAuthenticationMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/DynamicProviders/DynamicSchemes/DynamicSchemeAuthenticationMiddleware.cs:line 47
   at Duende.IdentityServer.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/BaseUrlMiddleware.cs:line 27
   at Indicium.Extensions.ApplicationBuilderExtensions.<>c.<<SameSiteOpenIDConnectInterceptor>b__0_0>d.MoveNext() in C:\azp\agent\_work\1\s\src\Indicium\Extensions\ApplicationBuilderExtensions.cs:line 57
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.ResponseCompression.ResponseCompressionMiddleware.InvokeCore(HttpContext context)
   at Indicium.Middleware.Security.AuthenticationHeadersMiddleware.InvokeAsync(HttpContext context) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\Authentication\AuthenticationHeadersMiddleware.cs:line 47
   at Indicium.Middleware.Security.SecurityHeadersMiddleware.InvokeAsync(HttpContext context, ContentSecurityPolicyBuilder cspBuilder) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\Security\SecurityHeadersMiddleware.cs:line 54
   at Indicium.Middleware.Messages.TSFMessagesMiddleware.Invoke(HttpContext context, IRootApplicationLoader rootApplicationLoader, TSFRequestContext requestContext) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\Messages\TSFMessageMiddleware.cs:line 44
   at Indicium.Middleware.Telemetry.ServerTimings.ServerTimingsMiddleware.InvokeAsync(HttpContext context, ServerTimingsBuilder serverTimingsBuilder) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\Telemetry\ServerTimings\ServerTimingsMiddleware.cs:line 45
   at Indicium.Middleware.ExceptionHandlingMiddleware.Invoke(HttpContext context, TSFRequestContext requestContext) in C:\azp\agent\_work\1\s\src\Indicium\Middleware\ExceptionHandlingMiddleware.cs:line 34




Hello @Pierius Lycklama A Nijeholt,

This issue will be resolved in the upcoming version of Indicium, which will be released later this week. After that, my previous suggestion should work for you.


