Identityserver4: Multiple External Identity Provider Support

Dynamically registering external identity providers (via a management ui)
I do not want to have to reboot the app in order to achieve this.

That's more of a question for Microsoft. Let us know what their solution is :)

You seem to be mixing the functions of client and IdP.
OpenID Connect dynamic registration is from a client to an IdP based on a (for example) email address from the user.
Microsoft asp.net does not support dynamic registration of clients with services. I built one on core 1.1. That was a major challenge.
I don't see any evidence that asp.net will support dynamic registration.
ADFS is a federation service, so creating another federation service that calls a federation service sounds a bit weird to me, but certainly possible. If you add dynamic registration into that mix, the idea of any sort of trust relationship is a bit wobbly.

You seem to be mixing the functions of client and IdP.
OpenID Connect dynamic registration is from a client to an IdP based on a (for example) email address from the user.

I don't think he's talking about dynamic registration at all. He simply wants to dynamically add external IdPs to his gateway.

not sure what the difference might be? Is there some other method?

not sure what the difference might be?

Well, mainly control of who adds those IdPs. And those upstream IdPs are IdPs, not clients.

so, in Microsoft speak, dynamically adding a DI service? Yeah, that sounds unlikely.

Microsoft provides a service called the IAuthenticationSchemeProvider - and that has a AddScheme method.

That's where you would start - I don't a sample though.

I will close this since this is really an ASP.NET Core question - but if you have it working, please post a sample so we can link to it from the docs. Thanks!

OK, thanks for the pointer of direction.

I did start to go down this road, but thought i would get the experts advice 😄

I am not too far from a solution now then, i will get some samples together over the next few days and post them on this issue.

The ASPNET team have the following samle: https://github.com/aspnet/AuthSamples/tree/dev/samples/DynamicSchemes

I am going to make a richer sample that you can select and configure various scheme types (google/facebook/oidc/wsfed/adfs/etc).

You were correct in that its all around the IAuthenticationSchemeProvider

Hi @martinfletcher
I believe I am looking for something similar to what you are doing:

• One instance of identityserver4 acting as "federation gateway"
• Multiple clients where each client can be connected to zero to many external identityproviders (google, azure ad, etc)

In other words:
When client A is redirecting to the identityserver4 the user who signing in with client A should be presented all the external identityproviders configured for client A. Same for client B, but in identityserver4 client A and client B will typically be configured to use different client configuration when redirecting to google, azure ad etc. (because client A and client B is typically belonging to different of our customers)

For this to work I guess I have to add multiple external IDP's using multiple uses of
C# .AddOpenIdConnect("oidc", "OpenID Connect", options =>
One for each combination of _external client_ and _internal client_. In addition each client using identityserver4 has to somehow be _filtered_ to only present the external IDP's configured for this client when a user is authenticating

Looking forward to have a look at what you come up with

Yeah that is possible out of the box i believe by using the quick start UI.

The solution i will be posting will not show a list of external IDP's, but select which IDP to use at runtime based on the domain of the email address, and redirect to that external IDP, or allow the user to enter a password if not configured with an external IDP.

@martinfletcher If what I described is possible out of the box I must have overlooked something.
As far as I know each external identityprovider has to be configured at startup. On the client configuration there is an option to use
c# /// <summary> /// Specifies which external IdPs can be used with this client (if list is empty all IdPs are allowed). Defaults to empty. /// </summary> public ICollection<string> IdentityProviderRestrictions { get; set; } = new HashSet<string>();
but given a scenario where there exists 100 different clients where each client should be configured to use its own _azure AD client configuration_ I currently cannot see how to:

• Avoid registrering 100 .AddOpenIdConnect(" in my pipeline
• Changing configuration runtime (new client with its own azure ad clientconfig)

But after a bit more googling I found:

https://github.com/aspnet/Security/issues/1132
which leads to
https://github.com/aspnet/Security/issues/1179
which leads to
https://github.com/aspnet/Docs/issues/4055
which leads to
https://github.com/aspnet/AuthSamples/tree/dev/samples/DynamicSchemes
Which is what @brockallen recommended looking at. The ring is closed :)

dev branch does not currently work, current link:

https://github.com/aspnet/AuthSamples/tree/master/samples/DynamicSchemes

@martinfletcher I have same requirements what you are trying, did you achieved any implementation on this. we have couple of client applications (angular js, angular 6, Asp.Net MVC ) and support multiple IDP's. Use openid connect on client side with ID4

@bkb503 yeah got a partial solution, but the project requirements changed and we moved to use azure b2c once they had the generic third party oidc in preview.

I still want to get the partial prototype up on github as reference when I have the time.

@martinfletcher thanks for your reply, I have been looked at Azure B2C but openid provider is still in preview and i'm looking other alternative like wise I also looked AWS Cognito but no support for refresh token and angular js..

@martinfletcher, I am also interested in your dynamic schemes sample. Please share it, when you have time (even if is raw)

@martinfletcher Same comment as @VasylSenko - Would appreciate sharing where you left off. Doesn't need to work 100%. Just curious the path you were on. I'm just starting the same project.

If you're interested, I developed a package to dynamically manage Asp.Net core authentication providers. And I'm looking for tester before publishing a release. The repository is here

It's a first preview and I'm really interested by your feedback. Is that ready for production ?

@martinfletcher I am trying to achieve the same what you were trying to achieve previously that is support for multiple authentication provider (ADFS with multiple clients and Azure AD) with identity Server 4. Can you please guide for that ?

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.