Which version of Duende IdentityServer are you using?
v7.0.0
Which version of .NET are you using?
v8.0.204
Describe the bug
We have a Duende Identity Server License
We have two Web Clients.
Each has its own IdentityServer project based off of "QuickStart 2 - Interactive Applications with AspNet Core".
We have a third IdentityServer project which is meant to serve as an external "SSO" Identity Provider.
After using the External SSO Provider to log in to one of our Web Clients, attempting to do the same with the other Web Client logs the user out of the SSO External Provider, as well as the first Web Client.
To Reproduce
Login: with 1_WebClient using "External Account > Custom-SSO"
Credentials: uname - bob, pw - bob
Note: Observe that the user is successfully logged in to 1_WebClient
Login: with 2_WebClient using "External Account > Custom-SSO"
Credentials: uname - bob, pw - bob
Note: Upon clicking Custom-SSO the user is not automatically logged in to 2_WebClient. Instead, they are prompted to re-enter the SSO login credentials.
Note: Upon re-entering the SSO login credentials, the user will be logged out of 1_WebClient and logged into 2_WebClient.
Expected behavior
Login: with 1_WebClient using "External Account > Custom-SSO"
Credentials: uname - bob, pw - bob
Note: Observe that the user is successfully logged in to 1_WebClient
Login: with 2_WebClient using "External Account > Custom-SSO"
Credentials: uname - bob, pw - bob
Note: Upon clicking Custom-SSO the user should be automatically logged into 2_WebClient, without being prompted again for their SSO login credentials, and they should remain logged in to 1_WebClient as well.
Additional context
Our intention is to build a custom SSO solution which will work with a number of pre-existing web applications--each with their own existing 'Auth' project. Within the SSO_Identity_Server UserStore, each user has an associated claim for each web application for which they have access. Each claim contains the UserId of the user within one specific web application's IdentityServer.
Example: Within the SSO_Identity_Server UserStore, the user Bob has claims
new Claim("Client1_UserId", "2") // Bob is UserId 2 in 1_IdentityServer
new Claim("Client2_UserId", "12") // Bob is UserId 12 in 2_IdentityServer
When a user attempts to access 1_WebClient, they must log in with 1_IdentityServer. We provide a "Custom-SSO" button on this login screen that allows them to log in via the external-provider SSO_Identity_Server instead. Behind the scenes, 1_IdentityServer will act as a Client to SSO_Identity_Server, displaying the SSO_Identity_Server login page to the user. After entering their SSO_Identity_Server credentials, the user is logged in with the external-provider and 1_IdentityServer receives the claim information from SSO_Identity_Server indicating which user from its internal user store should be logged in. Finally, this user should be logged in.
If the user then attempts to access 2_WebClient, we would expect the Custom-SSO button to
automatically log the user in without prompting for re-entry of SSO credentials
leave the logged-in state of 1_WebClient untouched
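The claim-to-local-user mapping described in this issue, sketched as an added example (not the reporter's or Duende's code): a downstream IdentityServer accepts only its own `ClientN_UserId` claim, only when the expected SSO server issued it, and refuses missing or ambiguous values. The `ExternalUserMapper` class, its method, the issuer URL and the second user are hypothetical.

```csharp
using System;
using System.Linq;
using System.Security.Claims;

public static class ExternalUserMapper
{
    // Returns the local user id carried in this application's own claim,
    // or null when the external identity must not be mapped to a local user.
    public static string? ResolveLocalUserId(
        ClaimsPrincipal external, string expectedIssuer, string ownClaimType)
    {
        // Consider only claims of this application's type that the expected
        // SSO server issued; claims meant for other applications are ignored.
        var values = external.FindAll(ownClaimType)
            .Where(c => string.Equals(c.Issuer, expectedIssuer, StringComparison.Ordinal))
            .Select(c => c.Value)
            .Distinct()
            .ToList();

        // No claim: the user has no access to this application.
        // Several different values: ambiguous, so refuse rather than guess.
        return values.Count == 1 ? values[0] : null;
    }

    public static void Main()
    {
        const string sso = "https://sso.example"; // placeholder issuer (assumption)

        // Constructed sample: the two claims the issue lists for Bob.
        var bob = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim("Client1_UserId", "2", ClaimValueTypes.String, sso),
            new Claim("Client2_UserId", "12", ClaimValueTypes.String, sso),
        }, "Custom-SSO"));

        // Constructed sample: a user provisioned for the second application only.
        var other = new ClaimsPrincipal(new ClaimsIdentity(new[]
        {
            new Claim("Client2_UserId", "7", ClaimValueTypes.String, sso),
        }, "Custom-SSO"));

        // 1_IdentityServer reads Client1_UserId, 2_IdentityServer reads Client2_UserId.
        Console.WriteLine(ResolveLocalUserId(bob, sso, "Client1_UserId") ?? "(rejected)");
        Console.WriteLine(ResolveLocalUserId(bob, sso, "Client2_UserId") ?? "(rejected)");
        Console.WriteLine(ResolveLocalUserId(other, sso, "Client1_UserId") ?? "(rejected)");
        // Same claim type but a different issuer must not be trusted.
        Console.WriteLine(ResolveLocalUserId(bob, "https://other.example", "Client1_UserId") ?? "(rejected)");
    }
}
```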