I'm not 100% sure right now if this is an issue with the quickstart account controller, my code extending it, IdentityServer4 or something in ASP.Net Core, but I'm out of ideas to look at to figure out what's going on...
First and foremost, there's no documentation about how the RememberLogin checkbox is working in the Quickstart... it sets a flag in AuthenticationProperties, which appears to be going to the AspNetCore cookie middleware, but I didn't configure that, so I'm assuming IdentityServer4 did?
Of note, there's an inconsistency in the demo code related to the amr claim -- the "hidden" code is creating it as "pwd" -- which it should be -- but the sample IResourceOwnerPasswordValidator is setting it as "password". I can't find the "pwd" setting in the IdentityServer4 code, so I'm guessing that's coming from the ASP.Net Core code?
The issue I've got is that, when the user is re-authenticated via the cookie mechanism, the amr value is still being set to "pwd", which isn't correct -- the current session was not authenticated with a password. It's essentially a zero-factor authentication at that point, because there's no proof of identity. (The proposed OAuth definitions for AMR values from https://tools.ietf.org/html/draft-ietf-oauth-amr-values-00 critically miss this as well, as they don't touch on remembered authentication at all.)
From a security standpoint, that's bad, because you haven't actually proven identity -- you've pushed the trust boundary back to the system storing the cookie, and there's no chain-of-trust established there, obviously. That's why most systems will force a re-authentication before sensitive actions are taken. The problem is, with the amr set to pwd, the system doesn't actually know the user wasn't really authenticated.
So I need to change that value -- if that is coming from the cookie middleware, I need a way to control how it gets registered and configured so I can get in the middle of it, and it's not clear how to do that, or I need to find a point in the pipeline where I can a) see that there wasn't a real authentication and b) change that claim.
Any ideas how this would best be done? The behavior is wrong, I just suspect it's not wrong in IdentityServer4 ...
So, in further research, this is an ASP.Net Core issue with the cookie middleware. There are hooks to tweak it, but it's still not ideal.
What I think is missing in IS4 is documentation on how to override the default configured cookie middleware (register a new one on your own, and then set its name into the IdentityServerOptions via AuthenticationOptions.AuthenticationScheme)
So I think this should just be closed -- it's a Microsoft issue, unless you want to track it as a documentation issue.
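The approach outlined above (register your own cookie handler, then hand its scheme name to IdentityServer) can be paired with the cookie middleware's `OnValidatePrincipal` hook to do exactly the two things asked for: detect that the session was restored from a persistent "remember me" cookie rather than freshly proven, and rewrite the `amr` claim accordingly. The following is an added example, not code from the IdentityServer4 project or its quickstart. The scheme name, the `remembered` amr value and the five-minute freshness window are assumptions chosen for illustration; the detection heuristic (a persistent cookie whose `IssuedUtc` is older than the window) is also an assumption, since ASP.NET Core itself does not record whether a principal was re-hydrated from disk or established moments ago.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.DependencyInjection;

// Added example: relabel amr on sessions that were restored from a persistent cookie.
public static class RememberedLoginAmr
{
    // Hypothetical names/values for this example (not from IdentityServer4 or any spec).
    public const string Scheme = "idsrv.cookie.custom";
    public const string AmrClaim = "amr";
    public const string PasswordAmr = "pwd";
    public const string RememberedAmr = "remembered";
    public static readonly TimeSpan FreshWindow = TimeSpan.FromMinutes(5);

    // Pure decision logic, kept out of the event handler so it can be unit tested.
    // A session is treated as "remembered" when the cookie was issued as persistent
    // and it is older than FreshWindow; a just-completed password login fails the
    // second test, so the amr it set survives for those first few minutes.
    public static bool IsRememberedSession(AuthenticationProperties props, DateTimeOffset now)
    {
        if (props == null || !props.IsPersistent || props.IssuedUtc == null)
            return false;
        return now - props.IssuedUtc.Value > FreshWindow;
    }

    // Builds a copy of the principal with every existing amr claim replaced by RememberedAmr.
    public static ClaimsPrincipal RelabelAmr(ClaimsPrincipal principal)
    {
        var identity = (ClaimsIdentity)principal.Identity;
        var relabelled = new ClaimsIdentity(
            identity.Claims.Where(c => c.Type != AmrClaim),
            identity.AuthenticationType,
            identity.NameClaimType,
            identity.RoleClaimType);
        relabelled.AddClaim(new Claim(AmrClaim, RememberedAmr));
        return new ClaimsPrincipal(relabelled);
    }

    // Registers the custom cookie scheme. After this, point IdentityServer at Scheme
    // (the thread names AuthenticationOptions.AuthenticationScheme; in later IS4
    // versions the property is options.Authentication.CookieAuthenticationScheme).
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthentication()
            .AddCookie(Scheme, options =>
            {
                options.Events = new CookieAuthenticationEvents
                {
                    // Runs on every request that presents the cookie. Replacing the
                    // principal here does not rewrite the stored cookie, so the check
                    // is re-evaluated deterministically on each request; downstream
                    // code (and IdentityServer's token issuance) sees the relabelled amr.
                    OnValidatePrincipal = ctx =>
                    {
                        if (IsRememberedSession(ctx.Properties, DateTimeOffset.UtcNow)
                            && ctx.Principal.HasClaim(AmrClaim, PasswordAmr))
                        {
                            ctx.ReplacePrincipal(RelabelAmr(ctx.Principal));
                        }
                        return Task.CompletedTask;
                    }
                };
            });
    }
}
```

With the amr claim no longer reading `pwd` for a remembered session, a relying party that gates sensitive actions on the authentication method can distinguish a freshly proven login from one the cookie merely carried over, and can prompt for re-authentication where it matters.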
I'll close, since the entire UI and login process (which includes the use of a "remember me" checkbox) is outside the responsibility of IdentityServer. Our quickstarts are just sample code for how you might implement those UI pieces.
One caveat on that, though -- IdentityServer is configuring the middleware, which is actually what is doing the "remember me"... so that specifically is not part of the quickstart or the UI. The sole thing the quickstart is doing is setting the flag to persist the cookie. The details of that cookie, how it's configured, how it expires, how it's validated, etc., are all things the core server is setting up, and in an opaque way.
That detail is not obvious without digging through the code, because it's hidden inside of UseIdentityServer(). It may be obvious if you're looking for that specifically (like I was) once you go into the code, but in passing someone may not understand what UseIdentityServer is doing relative to that middleware or, most concerningly, the security implications of that default config (because a remembered login is never re-validated, etc...)
Yep, understood -- we do still have more work to do to document those relationships.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.