IdentityServer

IdentityServer copied to clipboard

Raise an error if the idp doesn't match the requested idp

2

If the client sends a bad/misconfigured/changed idp value, we should give some kind of error rather than redirecting to the login page forever. Perhaps we should add a virtual method...

josephdecock

This would better support users who want a distributed lock around automatic key creation. We can hopefully accomplish this via a default implementation on the interface.

josephdecock

Research automatic key management and removing duplicates keys created at same time

4

Brainstorming: When new keys created if we notice that a few are created all within close time to one another, then delete all those newer than the oldest. All nodes...

brockallen

Adding a JSON claim to the JWT/Userinfo endpoint is a bit unintuitive because of different valueType constants

8

When searching on how to add a JSON claim to a JWT, you'll come across answers like [this one](https://stackoverflow.com/questions/56548003/passing-json-object-as-a-claim-of-jwt-token-in-asp-net-core-2-0), which use System.IdentityModel.Tokens.Jwt.JsonClaimValueTypes.Json to specify the valueType, and that works with...

raff-run

The `__Host` prefix enforces security rules on the cookie. Consider renaming both the main Identityserver session cookie `idsrv` and the temp external cookie to add the `__Host` prefix. The `__Host`...

AndersAbel

`ISessionCoordinationService.ValidateSessionAsync` always extends the server-side session. We call this method when validating refresh and reference tokens. The implication is that in order to use refresh (or reference tokens) with server-side...

josephdecock

Updating signing in build pipeline

2

At some point we should switch to the "official" version of the sign tool we use today https://github.com/dotnet/sign

leastprivilege

EntityFramework.Tests and EntityFramework.Storage.IntegrationTests have duplicate code for setting up the DB. Can we unify?

josephdecock

Consider adding additional detail code to events

4

Consider adding an additional code or sub-id to the events, so that events can be distinguished with better granularity by the id. ``` { "EventType": "Failure", "Id": 1011, "Message": "Unknown...

josephdecock

Prevent misuse of IdentityProviders

2

Sometimes when users have tried to implement dynamic providers with custom stores, there's a confusion about the intended usage of IdentityProvider vs its derived types. > @josephdecock maybe we could...

josephdecock