Problems encountered during testing #710

Closed
qq1176914912 opened this issue Mar 11, 2024 · 42 comments
Labels: bug (Something isn't working)

Comments

@qq1176914912

When I click on a user's "Sessions", say his list has 10 entries, and once the data has loaded I click "User" at the top to go back to the user list:
[screenshot]
This time I click on a user who has never logged in and then go to his "Sessions", and I find that his list is still the same as the previous user's list (the same 10 entries); it did not refresh. The list only refreshes when I refresh the browser.

@qq1176914912 (Author)

About the client type: are the "Name" fields of the two clients "SAML" and "Device" required? I found that, apart from these two clients, the "Name" field of the remaining clients is not required.
[screenshot]

qq1176914912 changed the title from "Sessions list loading problem" to "Problems encountered during testing" on Mar 11, 2024
@qq1176914912 (Author) commented Mar 11, 2024

In the "API Resources" tab of a "Scope", when I have some entries and have checked them, and I then want to delete some of them individually by clicking Delete next to the entry I want to delete, it deletes all the entries I had checked before. There may be a conflict between your functions here. For "API Resources", an entry counts as applied only when it is selected and updated; if it is not selected, it is not applied.
[screenshot]
[screenshot]

@qq1176914912 (Author) commented Mar 11, 2024

The Value entered in the "Add API resource" dialog is not displayed in the "API Resources" list, and if you use aud to restrict the API, it only uses "Audience".
[screenshot]
If you want to restrict the API via aud, you only need to write the "Audience" in the following position (without using Value):
[screenshot]
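An added example, not SimpleIdServer's code, of what the "Audience" value discussed above is for: the API that receives an access token must check that its own identifier appears in the token's aud claim (RFC 7519 allows aud to be a single string or an array, and both forms must be accepted). The token below is constructed inline and signed with a hard-coded HS256 key so the example runs offline; the key, the issuer URL and the audience names are assumptions.

```python
# Added example (not SimpleIdServer code): enforcing the aud claim at the API.
# The signing key, issuer and audience names are assumptions; the token is
# constructed here so the example runs offline.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SIGNING_KEY = b"example-shared-secret-not-for-production"  # assumption
EXPECTED_ISSUER = "https://localhost:5001/master"           # assumption (realm URL style used in the thread)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Constructed HS256 JWT standing in for the identity server's access token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token: str, required_audience: str, now: Optional[float] = None) -> dict:
    """Verify alg, signature, exp and iss, then require this API in aud.

    RFC 7519 lets aud be a single string or an array; both forms are handled.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # allow-list; never trust 'alg' taken from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if required_audience not in audiences:   # the API resource's "Audience" must be listed here
        raise ValueError(f"token not intended for {required_audience}")
    return claims


def is_token_accepted(token: str, required_audience: str, now: Optional[float] = None) -> bool:
    """Boolean wrapper: what an authorization filter would return."""
    try:
        validate_token(token, required_audience, now)
        return True
    except ValueError:
        return False


def demo_token(aud) -> str:
    """Sample token for the given aud (string or list); exp fixed far in the future."""
    return mint_token({"iss": EXPECTED_ISSUER, "sub": "administrator", "aud": aud, "exp": 2_000_000_000})
```

A token whose aud lists several APIs is accepted by each of them and rejected by any API not listed; a token with a valid signature but the wrong audience is still rejected, which is the whole point of the field.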

@simpleidserver simpleidserver self-assigned this Mar 11, 2024
@simpleidserver simpleidserver added the bug Something isn't working label Mar 11, 2024
thabart added a commit that referenced this issue Mar 11, 2024
@simpleidserver (Owner)

User Session

The user session refresh has been addressed and fixed in the master branch.

Name is Required

The name is no longer required for the client Device and Saml in the master branch.

Removal

In the master branch, only the selected elements (client, scopes, API resources, etc.) can now be removed.

API Resource - Value

The value corresponds to the description of the API Resource. The translation has been fixed, and the description is displayed in the table.

@qq1176914912 (Author)

Removal
"API Resources" is special, because the logic here is that a resource is applied only when it is checked and "Update" is clicked, and every time the page is entered the applied resources are automatically checked, while the list shows all resources, no matter under which "Scope" they were created. If delete-by-check is also used here, then the deletion logic contradicts the resource-application logic. If so, when I want to delete a resource, I first have to uncheck the resources I have applied before I can delete the one I want to delete. If I do not uncheck them, it will delete the resources that I have already applied (the checked ones).

@qq1176914912 (Author)

User
In the user's groups, when I assign a group to a user, suppose I first click "Assign groups" to assign a group to the account, and then click the "Assign groups" button again: the pop-up window closes, and the group I added before disappears. The group I first added only reappears when I click another button and switch back again.

@qq1176914912 (Author)

Auditing
"Display Only Errors" in the audit does not work.
[screenshot]

@qq1176914912 (Author)

Remember me
The "Remember me" function on the 5001 login page does not seem to work. I operate like this: I want to access 5001/master, I enter the default account and password (administrator) and tick "Remember me"; after a successful login, I click "Disconnect" on 5001/master to log out, and then click "Authenticate" again to jump to the login page, but it did not remember my previous login account and password. The same is true when logging out from 5002 to the 5001 login page. I am using the Microsoft Edge browser and do not have traceless mode turned on.
Is this "Remember me" function meant to remember the account and password?

@qq1176914912 (Author)

Forget my password
I noticed that the "Forget my password" function is shown or hidden based on the "CanResetPassword" property. Where is this property set? Is it in 5002?
[screenshot]
I also found that when I type a wrong password once, the "Forget my password" button disappears:
[screenshot]

@qq1176914912 (Author)

As shown below:
[screenshot]
Why are some clients empty while others have values? Which value of the client is displayed here: the client's Identifier or its Name? If you are getting the Name value, which may be empty because of translation problems, could you get the Identifier value instead?

thabart added a commit that referenced this issue Mar 12, 2024
@simpleidserver (Owner)

API Resource

The UI has been reworked, and the modifications are available in the master branch.

Group is not Displayed

I cannot reproduce the problem on my local machine. Can you describe all the steps?

Display Only Errors

The issue is fixed in the master branch.

Remember Me

The "Remember Me" function is not used to remember the account number and password, but to persist the user's session cookie. Even if the browser is closed, the user's session remains active and is stored in the cookie.

Forget My Password

Indeed, the property CanResetPassword is used to display or hide the action. I made some changes in the master branch to fix the problem.

Client is not Displayed

By default, the client name is displayed. If the translation doesn't exist, then nothing is displayed. I made some modifications in the master branch to display the ClientId when there is no translation.

@qq1176914912 (Author)

API Resource
Thank you for your change; I have seen your modification. Do you feel that the page layout is a little awkward? Because the list of all resources and the list of used resources are displayed on one page, it seems a little crowded. I have a suggestion you could consider: separate them into two pages, one page for creating new resources and the other for allocating the use of resources. I think that might be easier to understand, don't you?
[screenshot]
This is just one of my thoughts, and if you have a better way to make it easier for people to understand, you can ignore it.
Display Only Errors
The first step is to find a user that doesn't have any groups.
I recorded a video for you:
https://github.com/simpleidserver/SimpleIdServer/assets/79817742/1d650593-7cf5-42f9-9f7d-284e2bd6f745

@qq1176914912 (Author)

External login
I have configured a new third-party login (WeChat). I can click the third-party login on the 5001 login page and it jumps to the login normally:
[screenshot]
But when I go to the 5001 page and click login at this location, there is a problem:
[screenshot]
[screenshot]
So what's going on here? I tried other logins; there is a problem with the WeChat login but not with the others. Why is that? If parameters are missing, why can it jump normally from the login page?

@qq1176914912 (Author)

Credentials
1. I tried "Enroll credentials" on the 5001 page and clicked on SMS:
[screenshot]
I successfully passed SMS authentication and can see it on page 5002:
[screenshot]
On the 5001 page, why is the SMS button still under "Enroll credentials" and not under "Update your credentials"?
I did not find this to be the case with Email, which automatically moves to "Update your credentials" when I verify it.
[screenshot]

2. I also found that none of the "Authentication methods" has a return button after authentication succeeds; you can only go back to the previous page from the browser.
[screenshot]

@qq1176914912 (Author) commented Mar 13, 2024

Register user
When I use email to register a user, I randomly enter 123 as the email address, and after clicking Send an error is reported, which requires a format check; and whether the current email already exists is only indicated after I receive the verification code and click confirm. Should this check be applied before clicking the Send button (for registration only)?
[screenshot]
[screenshot]
Do you have settings in place to ensure that such pages are not displayed in the 'Release' environment?

@qq1176914912 (Author) commented Mar 13, 2024

Email and SMS registration page
Why did you set this to 3 input fields?
[screenshot]
Could you consider changing it to 2 input boxes, like this:
[screenshot]

@qq1176914912 (Author)

Registration Workflows
Click the "webauthn" button at the 5001 address to add credentials:
[screenshot]
When I successfully obtain the password through fingerprint verification, the page does not respond and gets stuck here.
[screenshot]
But the credential has already been added to the account.
I also found that if I repeat the above, it keeps adding credentials to the account:
[screenshot]
Moreover, these duplicate credentials cannot be deleted. After clicking delete in the user and refreshing the page again, the deleted credentials are still there and can only be deleted in the database.
[screenshot]

@simpleidserver (Owner)

API Resource

I agree that the previous implementation was a bit awkward and didn't follow the same logic used in the rest of the application.
However, in the new implementation, I'm using a standard logic that is used in other applications.
You can find this component in Material UI for Angular: Material Angular Drag and Drop - Disabled Sorting (https://material.angular.io/cdk/drag-drop/overview#disabled-sorting).
I think it is better to have the available and assigned resources in one view to decrease the number of clicks needed to assign/unassign resources and to offer better visibility.

Group Disappearance

The issue has been fixed in the master branch. Now, the groups do not disappear when the window popup is closed.

Exception: WexinAuthenticationHandler

The exception is probably thrown because the redirect URL is not passed in the AuthenticationProperties.
I made some modifications in the master branch to pass this information. Can you try again?

Sms is still displayed under enroll credentials

The algorithm used to check if the user has the claim was not correct and has been fixed in the master branch.

When Credential is Updated, Add a Link to Redirect to the Previous Page

The returnUrl was not passed in the HTTP request.
This issue has been fixed in the master branch.

Ignore unhandled exception

I have added logic in the Startup.cs to ignore the Developer Exception Middleware when the development mode is set to false.
When an exception is thrown, you will be redirected to the /Error page.

Email validation

I have added email validation logic in the backend.

Keep 2 fields (SMS & Email)

The UI (SMS & email) has been updated to keep only two fields.

Webauthn problem

It is now possible to update the webauthn credential on the Identity Server website. The remove feature is also fixed.

@qq1176914912 (Author)

Thanks for your hard work. I have tested it again, and the following problems still exist:
API Resource
When I do not tick the resource I want in the "Available resources" list and instead click the "Assign" button, the contents of the "Available resources" list disappear.
Email validation
Are you sure you changed the logic? I tested it and it behaves the same as before. The check should happen after clicking "Send confirmation code": if the same email exists, stop sending the verification code and prompt that the email already exists, instead of prompting when clicking Register (or Modify). SMS should be the same, checked after clicking "Send confirmation code".
Webauthn problem
Unfortunately, the problem still exists. When I add webauthn to the user on page 5001 and repeat the operation to add another one, two webauthn entries are displayed under the account's credentials, and only one can be deleted, while the other can never be deleted. Moreover, I find that webauthn also has a "Reset" button; when you click on it, there is a blank page, which is also shown at the end of the video:
video.zip

@qq1176914912 (Author)

Forgot password
1. The Forgot Password feature also lacks a return button after sending and after reconnecting.
[screenshot]
2. At present, the password is recovered through email. Does it support other ways? How do I change what is supported? If not, there must be an email in the registration process, otherwise the password cannot be recovered; is that the right understanding?

@qq1176914912 (Author) commented Mar 14, 2024

ACR
1. Every page in ACR has a "Remember my login" when you click on it; what does that do? Is it the same as "Remember me" on the login page?
[screenshot]
2. In the SMS ACR, when you do not enter the phone number and directly click the two buttons on the page, there is no error message.
[screenshot]
It seems that all methods in ACR are like this, because I found that console behaves the same way: when the input is empty, there is no error message.

@qq1176914912 (Author)

Validity time of the verification code
Where is the validity time of the verification code set? Using the console example, isn't the validity time of the verification code set here?
[screenshot]
If so, why, when I use console in ACR to send the verification code, does it display 30 seconds?
[screenshot]

@qq1176914912 (Author)

Translations
Where is the disconnection message on the home page? I tried to translate it but I couldn't find it.
[screenshot]

@qq1176914912 (Author)

Add Identity Provider
1. When adding a third-party login, in the "Details" step you can click Next even if the fields are empty:
[screenshot]
2. In the "Details" step, if you fill in only the Name, after the addition succeeds the list is blank:
[screenshot]
[screenshot]
3. There is no non-null check in the third "Properties" step, and I could add it successfully even if my appid and appsecret were empty.
[screenshot]

@qq1176914912 (Author)

API Resources
No non-empty check is made on "Audience".
[screenshot]

@qq1176914912 (Author) commented Mar 14, 2024

Certificate Authorities
1. The number of days can be filled with a negative number and the certificate is still generated successfully.
[screenshot]
2. In addition, if I do not click the Save button after generating the certificate, close the pop-up window, and then click "Add Certificate Authority" again, the previously generated certificate still exists:
[screenshot]
3. When I first select the "Generate" type to generate the certificate and, instead of saving it, go back to the previous step and select the "Certificate store" type, then after entering, "Subject Name", "Valid from" and "Valid to" fields appear, which did not exist before I generated the certificate. In addition, I can save the certificate generated with the "Generate" type under the "Certificate store" type.
Like in the video:
录屏.zip (screen recording)

@qq1176914912 (Author)

The popup error persists
In the "Generate new key" pop-up window of the client, once there is an error, the error remains even after the pop-up window is closed.
[screenshot]
Add user
When you click "Add user" to add an existing user, there is no prompt.
Remove realm
At present, realms can only be added, not removed.

@qq1176914912 (Author)

Login method
At present, the default login method of your system is the password. If I want to use email, webauthn or SMS login, where should I configure that? How do I do it?

@qq1176914912 (Author) commented Mar 15, 2024

Realm

1. I created a "realm" called gmzta and switched to that "realm", where I created a "Registration Workflow":
[screenshot]
Then I click on the "Registration Workflow" I created, and there's a problem; I also see that its address is still /master instead of /gmzta:
[screenshot]
2. I tried changing the authentication address of your project 5002 to https://localhost:5001/gmzta; it can jump to the login page normally, but after a successful login it jumps back to 5002 and 5002 errors:
[screenshot]
[screenshot]
Are all your features currently only supported in the master environment and not tested in other environments?

@qq1176914912 (Author)

DistributedCacheConfiguration
In the previous implementation for SQLite, the cache configuration for SQLite is written in the code:
[screenshot]
I found that the "conf.ConnectionString" in it can get the connection address, so I tried to change it: instead of writing it in the code, write it in appsettings, as shown below:
[screenshot]
[screenshot]
But I found that if I did this, when I visited the 5002 address, 5001 would get an error, whereas accessing the 5001 address does not present this problem:
[screenshot]
This only changes the connection address to appsettings. Why does this problem occur? Is there a logic problem here?

@simpleidserver (Owner)

API Resource

The problem has been resolved in the master branch.

Check Email

The logic has been updated. Before sending the confirmation code, we now check if the user already exists.

WebAuthn

I removed the reset button from the UI. The WebAuthn credential is now added only once.

Forgot Password

We made some changes to display the back button in the UI and also on the confirmation screen. The reset password link is now sent only via email. To enroll the email, you can create a manual identity provisioning workflow consisting of two steps: password and email.

Remember My Login

I made some changes to display the "Remember Me" option only in the first authentication window.

Validity of the Verification Code

Indeed, the validity of the verification code is specified by the TOTP step field. The console authentication method is used only for development purposes.

Translation

This message originates from the Blazor framework.

Add Identity Provider

The name, display name, app ID, and app secret are now required parameters.

API Resource

The audience is now a required property.

Certificate Authorities

We are now checking if the number of days is greater than 1, and the previously generated certificate is no longer displayed.

Popup Error Persistence

This issue has been resolved.

Remove Realm

It is not a bug but a new feature. I have created ticket #716 to support it.

Login Method

The default login method can be specified in the DefaultAcrValue property. For example:

services.AddSIDIdentityServer(callback: cb =>
{
    // Authentication method used when the client does not request a specific acr_values
    cb.DefaultAcrValue = "pwd-email";
    if (!string.IsNullOrWhiteSpace(identityServerConfiguration.SessionCookieNamePrefix))
        cb.SessionCookieName = identityServerConfiguration.SessionCookieNamePrefix;
    cb.Authority = identityServerConfiguration.Authority;
}, cookie: c =>
{
    // Optional override of the authentication cookie name
    if (!string.IsNullOrWhiteSpace(identityServerConfiguration.AuthCookieNamePrefix))
        c.Cookie.Name = identityServerConfiguration.AuthCookieNamePrefix;
}, dataProtectionBuilderCallback: ConfigureDataProtection);

Registration Workflow

The demo link has been fixed and now redirects to the correct realm.

Distributed Cache Configuration

There was a small issue in the Startup.cs class where the distributed cache was using the wrong connection string. This issue has also been resolved in the master branch.

@qq1176914912 (Author)

External identity providers
Hello.
I am currently using the PostgreSQL database, and when I delete all the entries of the "External identity providers" list in "Authentications":
[screenshot]
and then restart project 5001, I find that the project tries to insert the data into the database again, resulting in an error:
[screenshot]
I also tested SQLite, and it does the same.

@qq1176914912 (Author)

Do you remember changing DateTime.UtcNow to DateTime.Now? When I was using PostgreSQL, I found that when I performed "Add Certificate Authority" I would get an error saying that PostgreSQL only supports UTC time. So I made the following changes in "SimpleIdServer.IdServer/Api/CertificateAuthorities/CertificateAuthoritiesController.cs":
[screenshot]
Will this affect other database types?

@simpleidserver (Owner)

Exception

The exception has been resolved in the master branch. When the identity server is restarted, the authentication scheme providers are properly restored.

Datetime
As I explained in our previous conversation, DateTime.UtcNow should not be altered to DateTime.Now.
Therefore, the backend code must remain unchanged. I have already implemented modifications in the administration website to convert all UTC datetimes to local datetimes: 0466613
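The UTC-only rule stated above, as an added Python example that is not the project's code: timestamps are accepted and compared only when they carry an explicit offset, which is the same discipline the PostgreSQL driver enforces by rejecting non-UTC values, and they are converted to a local zone solely for display. The UTC+8 display zone, the ISO-8601 string interface and the certificate-validity helper are assumptions chosen to match the thread.

```python
# Added example (not SimpleIdServer code): persist and compare in UTC, convert
# only at the presentation layer. DISPLAY_TZ is an assumed admin-UI zone.
from datetime import datetime, timedelta, timezone

DISPLAY_TZ = timezone(timedelta(hours=8))  # assumption: UTC+8, the reporter's apparent locale


def parse_utc(iso_text: str) -> datetime:
    """Parse an API timestamp; refuse anything without an explicit offset.

    This mirrors the driver's behaviour: a naive datetime is ambiguous
    (which machine's local time?) and must not reach storage.
    """
    value = datetime.fromisoformat(iso_text)
    if value.tzinfo is None:
        raise ValueError(f"{iso_text!r} has no zone; refusing to guess")
    return value.astimezone(timezone.utc)


def accepts_for_storage(iso_text: str) -> bool:
    """True only for offset-qualified timestamps."""
    try:
        parse_utc(iso_text)
        return True
    except ValueError:
        return False


def certificate_window(days: int, start_iso: str) -> tuple:
    """Validity window for a generated CA, as (valid_from, valid_to) UTC strings.

    Also applies the 'number of days must be positive' check from the thread.
    """
    if days < 1:
        raise ValueError("validity must be at least one day")
    start = parse_utc(start_iso)
    return start.isoformat(), (start + timedelta(days=days)).isoformat()


def is_valid_at(from_iso: str, to_iso: str, at_iso: str) -> bool:
    """Compare in UTC regardless of the offsets the inputs were written with."""
    valid_from, valid_to, at = (parse_utc(x) for x in (from_iso, to_iso, at_iso))
    return valid_from <= at < valid_to


def for_display(iso_text: str, tz=DISPLAY_TZ) -> str:
    """UI direction: UTC -> local, done at render time only."""
    return parse_utc(iso_text).astimezone(tz).strftime("%Y-%m-%d %H:%M %Z")


def from_display(local_text: str, tz=DISPLAY_TZ) -> str:
    """Form direction: a local time typed in the UI goes back to UTC before the API call."""
    local = datetime.strptime(local_text, "%Y-%m-%d %H:%M").replace(tzinfo=tz)
    return local.astimezone(timezone.utc).isoformat()
```

The two conversion helpers are the only place the display zone appears; everything stored or compared is UTC, so moving the server or the admin to another zone changes what is shown, not what is valid.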

@qq1176914912 (Author) commented Mar 21, 2024

Exception
I noticed your change, and when I clear it, it re-adds the default login method. If I want a setup that does not need "External identity providers" and just logs in with the default account and password, I can currently do this by creating a new "Realm", because if master clears the "External identity providers", it re-adds the default ones.
Datetime
Yes, the previous modification was to display the local time at the 5002 address; I did not see the problem when I used SQLite before, but I found it when I used the PostgreSQL database. When I tried to add a "Certificate Authority", there was a problem in 5001 when I clicked the save button:
[screenshot]
[screenshot]
So I just changed the "Add" method in "CertificateAuthoritiesController".

@qq1176914912 (Author)

Add user
Hello.
When adding a user, if an existing user is added, there is no prompt or response after clicking the Add button.
[screenshot]

@qq1176914912 (Author)

webauthn
1. When I select "webauthn" in ACRs on page 5002:
[screenshot]
and then enter an account that has not been bound to "webauthn" and click the "Authenticate" button, it authenticates without any prompt:
[screenshot]
5001 error:
[screenshot]
I'm guessing it's because there's no way to check whether an account is bound to "webauthn"?
2. When I enroll credentials for the account via the 5001 address, after adding "webauthn" I go to "User details -> Credentials" in 5002 to delete the newly added webauthn. When I refresh the page again after the deletion completes, the deleted "webauthn" appears again.
[screenshot]

@qq1176914912 (Author)

Validity of the Verification Code
As you said, "the validity of the verification code is specified by the TOTP step field". When I set the TOTP step of the email to 300:
[screenshot]
and then click on email in the 5002 ACR:
[screenshot]
after sending the verification code, the valid time is still displayed as 30 seconds.
[screenshot]

@simpleidserver (Owner) commented Mar 22, 2024

External Identity Providers Added

If you prefer not to re-add the identity provider, you can modify the Program.cs file and comment out the AddMissingAuthenticationSchemeProviders procedure.

PostgreSQL Problem

The issue with the PostgreSQL database has been resolved in the master branch. Certificate datetimes are now converted to UTC in the UI.

No Error in Add User Popup Window

Error messages are now displayed in the UI popup window when an issue occurs.

WebAuthn Credential Not Enrolled

An error message is displayed when the user does not have a WebAuthn credential.

TOTP Step

I provided an incorrect explanation about the TOTP step. The fields OTP Algorithm, OTP Value, and TOTP Step, present in the authentication methods email, console, and mobile, are used to generate an OTP code, which will be sent with the reset password link.

Cannot Remove WebAuthn

This feature is functional on my local machine. I tested it with the latest version in the master branch with PostgreSQL.
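Since the TOTP step is the recurring question in this thread (the owner's note above, and the 30-second default confirmed further down), here is an added example, not SimpleIdServer code, of RFC 6238 TOTP with a configurable step: the code is a function of floor(time / step), so it stays the same for the whole step window, and a 300-second step is exactly what makes a code valid for five minutes. The secret is the RFC 6238 test secret so the outputs can be checked against the RFC's own table; the drift tolerance in the verifier is an assumption about how an identity server should handle clock skew.

```python
# Added example (not SimpleIdServer code): RFC 4226 HOTP / RFC 6238 TOTP with a
# configurable time step. RFC_TEST_SECRET is the secret from RFC 6238 Appendix B.
import hashlib
import hmac
import struct

RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HMAC over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """The code for the time window containing unix_time; changes only when the window does."""
    return hotp(secret, unix_time // step, digits, algorithm)


def seconds_remaining(unix_time: int, step: int = 30) -> int:
    """What a UI countdown should show: time left in the current window."""
    return step - (unix_time % step)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, digits: int = 6,
                algorithm: str = "sha1", drift_steps: int = 0) -> bool:
    """Constant-time comparison; drift_steps tolerates that many windows of clock skew each way.

    A 'valid for N seconds' requirement is expressed by choosing step=N, not by
    stretching drift_steps, which would also accept codes from the past.
    """
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits, algorithm), code)
        for d in range(-drift_steps, drift_steps + 1)
    )
```

With step=300 the same code is returned for every second from 0 to 299 and a different one from 300 onward, which is the behaviour the reporter expected from the 300 setting; the 30-second countdown seen in the UI simply means the UI is driven by a different step value than the one configured.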

@qq1176914912 (Author) commented Mar 25, 2024

Hello, thank you for your reply.
TOTP Step
Do you mean that the TOTP Step set in "Authentications" is only used for the validity time of the reset password link? If so, where is the validity time for sending verification codes such as email and console in ACR configured?
Cannot Remove WebAuthn
I downloaded your latest project again and tried again, but it still fails to delete, and the 5001 project shows a 404 error when deleting. I used the "INMEMORY" database type to avoid deletion failures caused by data; the process can be seen in my recorded video:
video.zip

@simpleidserver (Owner)

Credential identifier
Thanks to your video, I understand the problem.
The credential identifier contains a separator '/', hence a 404 error is returned.
I have updated the technical identifier of the credential, and this exception should not occur anymore.

TOTP
Indeed, the TOTP set in the 'Authentications' is only used to reset the validity time of the password link.
Currently, it is not possible to update the user's TOTP step, which is displayed in the authentication method. By default, the value is set to 30.
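The 404 explained above (a credential identifier containing '/', which the router reads as an extra path segment) as an added Python example that is not the project's code: the client side must percent-encode an identifier into a single path segment, and the server-side fix the owner chose, an identifier alphabet with no separators at all, is shown alongside it. The route template, the sample identifier and the identifier length are assumptions.

```python
# Added example (not SimpleIdServer code): why "/credentials/{id}" 404s when the
# id contains '/', and the two ways to avoid it. Route and sample id are assumptions.
import base64
import re
import secrets
from urllib.parse import quote, unquote

# A one-segment route, as most routers match a {id} template.
ROUTE = re.compile(r"^/credentials/(?P<id>[^/]+)$")
SAMPLE_ID = "urn:example/creds/abc"  # constructed identifier containing the separator


def naive_delete_path(credential_id: str) -> str:
    """String concatenation: '/' inside the id becomes a new path segment."""
    return "/credentials/" + credential_id


def build_delete_path(credential_id: str) -> str:
    """Client-side fix: encode the id as ONE segment ('/' -> %2F, ':' -> %3A)."""
    return "/credentials/" + quote(credential_id, safe="")


def route_credential_id(path: str):
    """Server side: the decoded id if the path matches the route, else None (a 404)."""
    match = ROUTE.match(path)
    return unquote(match.group("id")) if match else None


def new_credential_id(nbytes: int = 16) -> str:
    """Generator-side fix from the thread: base64url has no separators, so no encoding is ever needed."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode()


def is_separator_free(credential_id: str) -> bool:
    """Accept only identifiers that survive any router or proxy untouched."""
    return re.fullmatch(r"[A-Za-z0-9_-]+", credential_id) is not None
```

Percent-encoding works when the server keeps %2F encoded during routing, but some reverse proxies normalise it back to '/' before the request reaches the application, so generating separator-free identifiers, as the owner did, is the more robust of the two fixes. Whatever the encoding, the decoded value must only ever be used as a lookup key, never joined into a filesystem or URL path.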

@qq1176914912 (Author)

Thank you for your reply.
