
External identity providers restrictions affects local login

Open pbartos opened this issue 9 years ago • 3 comments

When I enable IdentityProviderRestrictions, I get the message "User is logged in with idp: idsrv, but idp not in client restriction list." on local login. This is because in ProcessClientLoginAsync the restriction list is checked even when the currentIdp is BuiltInIdentityProvider (idsrv).

Shouldn't it be: if (currentIdp != Constants.BuiltInIdentityProvider && request.Client.IdentityProviderRestrictions != null && request.Client.IdentityProviderRestrictions.Any())

instead of the current:

if (request.Client.IdentityProviderRestrictions != null && request.Client.IdentityProviderRestrictions.Any())

Thanks.

pbartos, Jun 16 '16 16:06
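To make the difference between the two conditions concrete, here is an added example (not IdentityServer3's own code) that models the restriction check as a pure function in both its current and proposed form and runs it over a constructed set of cases; the method names, the "google"/"facebook" provider names and the Check helper are assumptions made for illustration.

```csharp
// Added example, not IdentityServer3 code: the idp restriction check from the issue,
// modelled as two pure functions so the current and proposed behaviour can be compared.
using System;
using System.Collections.Generic;
using System.Linq;

public static class IdpRestrictionCheck
{
    // Name IdentityServer3 uses for its local (built-in) provider, "idsrv" in the issue.
    public const string BuiltInIdentityProvider = "idsrv";

    // Current behaviour described in the issue: the list is enforced for every idp,
    // so a local login fails unless "idsrv" itself is added to the restriction list.
    public static bool IsAllowedCurrent(string currentIdp, IReadOnlyCollection<string> restrictions)
    {
        if (restrictions != null && restrictions.Any())
            return restrictions.Contains(currentIdp);
        return true;
    }

    // Proposed behaviour: the restriction list only applies to external providers,
    // so the built-in provider is allowed regardless of the list's contents.
    public static bool IsAllowedProposed(string currentIdp, IReadOnlyCollection<string> restrictions)
    {
        if (currentIdp != BuiltInIdentityProvider && restrictions != null && restrictions.Any())
            return restrictions.Contains(currentIdp);
        return true;
    }

    // Throws if either function disagrees with the expectation for the case.
    static void Check(string label, string idp, string[] restrictions, bool expectCurrent, bool expectProposed)
    {
        bool current = IsAllowedCurrent(idp, restrictions);
        bool proposed = IsAllowedProposed(idp, restrictions);
        if (current != expectCurrent || proposed != expectProposed)
            throw new Exception($"{label}: current={current}, proposed={proposed}");
        Console.WriteLine($"{label,-32} current={current,-5} proposed={proposed}");
    }

    public static void Main()
    {
        var restrictions = new[] { "google" }; // constructed client restriction list
        Check("local login, restricted client", "idsrv", restrictions, expectCurrent: false, expectProposed: true);
        Check("external idp in list", "google", restrictions, expectCurrent: true, expectProposed: true);
        Check("external idp not in list", "facebook", restrictions, expectCurrent: false, expectProposed: false);
        Check("client without restrictions", "facebook", null, expectCurrent: true, expectProposed: true);
    }
}
```

Only the first case differs between the two conditions: the proposed check stops rejecting local logins while still blocking external providers that are not in the list.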

Have you tried adding idsrv to the restriction list?

leastprivilege, Jun 21 '16 05:06

Yeah, of course. And it works. The restriction list should be used only for external providers (by @brockallen). There is no reason why you should also have to define idsrv in the restriction list. It's nothing critical, but it causes confusion and small problems when you try to use the restriction list.

pbartos, Jun 21 '16 06:06

@pbartos I took the liberty of adding your proposed solution including a unit test in PR #3673

steven-hack, May 05 '17 15:05