Problem
How to use Identity Server 4 with ASP.NET Core 2.0
Solution
I am assuming you have the basic understanding of Identity Server. To know more, refer to its documentation here.
I’ll implement 3 projects here.
- Server – running on port 5000
- API (i.e. protected resource) – running on port 5001
- Client – running on port 5002
Auth. Server
Create an empty web application and copy Quickstart, Views, and wwwroot folders from GitHub. Create a Startup class.
- public class Startup
- {
- public void ConfigureServices(
- IServiceCollection services)
- {
- services.AddMvc();
- services.AddIdentityServer()
- .AddDeveloperSigningCredential(filename: "tempkey.rsa")
- .AddInMemoryApiResources(Config.GetApiResources())
- .AddInMemoryIdentityResources(Config.GetIdentityResources())
- .AddInMemoryClients(Config.GetClients())
- .AddTestUsers(Config.GetUsers());
- }
-
- public void Configure(
- IApplicationBuilder app,
- IHostingEnvironment envloggerFactory)
- {
- app.UseIdentityServer();
- app.UseStaticFiles();
- app.UseMvcWithDefaultRoute();
- }
- }
Create a class Config and add the methods for getting API, identity, clients and users.
- public static class Config
- {
- public static IEnumerable<ApiResource> GetApiResources()
- {
- return new List<ApiResource>
- {
- new ApiResource("fiver_auth_api", "Fiver.Security.AuthServer.Api")
- };
- }
-
- public static IEnumerable<IdentityResource> GetIdentityResources()
- {
- return new List<IdentityResource>
- {
- new IdentityResources.OpenId(),
- new IdentityResources.Profile(),
- };
- }
-
- public static IEnumerable<Client> GetClients()
- {
- return new List<Client>
- {
- new Client
- {
- ClientId = "fiver_auth_client",
- ClientName = "Fiver.Security.AuthServer.Client",
- ClientSecrets = { new Secret("secret".Sha256()) },
-
- AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
- AllowOfflineAccess = true,
- RequireConsent = false,
-
- RedirectUris = { "http://localhost:5002/signin-oidc" },
- PostLogoutRedirectUris =
- { "http://localhost:5002/signout-callback-oidc" },
-
- AllowedScopes =
- {
- IdentityServerConstants.StandardScopes.OpenId,
- IdentityServerConstants.StandardScopes.Profile,
- "fiver_auth_api"
- },
- }
- };
- }
-
- public static List<TestUser> GetUsers()
- {
- return new List<TestUser>
- {
- new TestUser
- {
- SubjectId = "1",
- Username = "james",
- Password = "password",
- Claims = new List<Claim>
- {
- new Claim("name", "James Bond"),
- new Claim("website", "https://james.com")
- }
- }
- };
- }
- }
API
Create an API project and update its Startup class.
- public class Startup
- {
- public void ConfigureServices(
- IServiceCollection services)
- {
- services.AddAuthentication(
- IdentityServerAuthenticationDefaults.JwtAuthenticationScheme)
- .AddIdentityServerAuthentication(options =>
- {
- options.Authority = "http://localhost:5000"; // Auth Server
- options.RequireHttpsMetadata = false;
- options.ApiName = "fiver_auth_api";
- });
-
- services.AddMvc();
- }
-
- public void Configure(
- IApplicationBuilder app,
- IHostingEnvironment env)
- {
- app.UseAuthentication();
- app.UseMvcWithDefaultRoute();
- }
- }
Create a Controller and protect using [Authorize] attribute.
- [Authorize]
- [Route("movies")]
- public class MoviesController : Controller
- {
Client
Create a web application and update its Startup class.
- public class Startup
- {
- public void ConfigureServices(
- IServiceCollection services)
- {
- JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
-
- services.AddAuthentication(options =>
- {
- options.DefaultScheme =
- CookieAuthenticationDefaults.AuthenticationScheme;
- options.DefaultChallengeScheme =
- OpenIdConnectDefaults.AuthenticationScheme;
- })
- .AddCookie()
- .AddOpenIdConnect(options =>
- {
- options.SignInScheme =
- CookieAuthenticationDefaults.AuthenticationScheme;
- options.Authority = "http://localhost:5000"; // Auth Server
- options.RequireHttpsMetadata = false;
- options.ClientId = "fiver_auth_client";
- options.ClientSecret = "secret";
- options.ResponseType = "code id_token";
- options.Scope.Add("fiver_auth_api");
- options.Scope.Add("offline_access");
- options.GetClaimsFromUserInfoEndpoint = true;
- options.SaveTokens = true;
- });
-
- services.AddMvc();
- }
-
- public void Configure(
- IApplicationBuilder app,
- IHostingEnvironment env)
- {
- app.UseAuthentication();
- app.UseMvcWithDefaultRoute();
- }
- }
Add a Controller to access the API.
- [Authorize]
- public class HomeController : Controller
- {
- [AllowAnonymous]
- public IActionResult Index()
- {
- return View();
- }
-
- public async Task<IActionResult> Movies()
- {
- var accessToken = await HttpContext.GetTokenAsync("access_token");
-
- var client = new HttpClient();
- client.DefaultRequestHeaders.Authorization = new
- AuthenticationHeaderValue("Bearer", accessToken);
- var content = await client.GetStringAsync("http://localhost:5001/movies");
-
- var model = JsonConvert.DeserializeObject<List<MovieViewModel>>(content);
-
- return View(model);
- }
-
- public async Task Logout()
- {
- await HttpContext.SignOutAsync(
- CookieAuthenticationDefaults.AuthenticationScheme);
- await HttpContext.SignOutAsync(
- OpenIdConnectDefaults.AuthenticationScheme);
- }
- }
Note
You can download the source code from my GitHub repository.
Discussion
IdentityServer4 website defines it as an OpenID Connect and OAuth 2.0 framework for ASP.NET Core that enables following features:
- Centralize login logic for your applications
- Single sign-on
- Issues access tokens for APIs
- Gateway to external identity providers like Google, Facebook etc.
- Customizable
I’ll briefly discuss OAuth 2.0 and OpenID Connect here however for a much more in-depth discussion of OAuth 2.0 and OpenID Connect, I suggest looking at online courses and blog posts by Identity Server developer: Dominick Baier
OAuth 2 Flows
OAuth 2 provides several flows or grant types for various use cases. I personally group them into two categories; flows that require user interaction with authorization server and flows that don’t. Let’s first define the terms I’ll be using when discussing flows:
Definitions
- User - the person using a Client and the owner of Protected Resource.
- Client - the application that needs access to Protected Resource.
- Protected Resource - the resource being protected from unauthorized access (e.g. Web API).
- Server - the server that authorizes User and returns Access Tokens.
- Access Token - a secret key used to access Protected Resource.
- Scopes - values based on which the access to Protected Resource features is limited
- Redirect URI - the location where User returns after Auth. Server completes authorization
- Client ID - Client’s identifier registered with the Auth. Server.
- Client Secret - Client’s secret registered with the Auth. Server. This must be kept confidential.
Requiring User Interaction with Auth. Server
Implicit Grant
The flow is usually used for native/local/mobile clients and has following high-level steps:
- User accesses the Client.
- User is redirected to Auth. Server.
- User provides username/password.
- User is redirected back to Client with an Access Token.
Note
Access Token is exposed to the user.
- Client access the Protected Resource using the Access Token.
Note
it is recommended to use Authorisation Code instead of Implicit Grant.
Authorisation Code
The flow is usually used for web application clients and has following high-level steps:
- User accesses the Client.
- User is redirected to Auth. Server.
- User provides username/password.
- User is redirected back to Client with a code.
Note
Code is exposed to the user.
- Client accesses the Auth. Server to exchange the code with an Access Token.
Note
Access Token is not exposed to the user.
- Client access the Protected Resource using the Access Token.
Not Requiring User Interaction with Auth. Server
Resource Owner Password Credentials
The flow is usually used for trusted clients and has following high-level steps,
- User access the Client and provide username/password.
Note
username/password is exposed to the Client.
- Client access to the Auth. Server to exchange username/password with an Access Token.
- Client access to the Protected Resource using the Access Token.
Client Credentials
The flow is usually used for client-server communication, without human involvement, and has the following high-level steps:
- Client access the Auth. Server to exchange Client ID and Secret with an Access Token.
- Client access the Protected Resource using the Access Token.
OpenID Connect
OpenID Connect is a layer on top of OAuth 2.0 and uses claims to communicate information about users. It provides services to verify user identity and obtain their profile information.
OpenID Connect uses OAuth 2.0 flows to obtain Identity Token, which asserts things like identity of the user (aka sub), issuing authority (aka iss), client (aka aud) and issue/expiry dates. The token is in JWT format and base-64 string.
Source Code
GitHub