asp.net 5 and IdentityServer4

I am working on a prototype for a site re-architecture using ASP.NET 5 and I am debating using IdentityServer4 for my Authentication and Authorization. I have reviewed a lot of samples and articles about setting up IdentityServer3 and 4 and I am trying to wrap my head around if it can handle my client’s requirements in a proper way. Here are my requirements.

I have 3 sites that need authorization. Site 1 (abc.com) will require windows authentication and will be a combination of mvc and webapi calls using roles (or roles converted to claims) for authorization. Site 2 (def.com) is a trusted site that wants a login widget with a username/password/rememberme text box on their site that when submitted will authenticate the user and redirect them to site 3 (xyz.com). Site 3 will also have its own login page and will be a combination of mvc and webapi calls using claims. Site 2 and 3 will not be using windows authentication and the client does not want them redirecting to the identity server login screen, but rather having their own login screen and calling the identity server from code with the credentials to login.

Here are my questions regarding this scenario and IdentityServer4.

  1. Can Idsvr4 handle one client using windows authentication and another using username/password authentication?
    • If so, is there a reason to have windows auth in idsvr4 or should it just use standard windows auth within the webapp?
  2. Can idsvr4 be set up to have the client collect the username/password/rememberme values and pass them through code to get the proper jwt tokens for both mvc and webapi?
    • If so, can it log them into both the mvc and webapi applications on another site?
    • If so, is this circumventing the real purpose of identityserver4 and therefore is a bad idea?
  3. If it can handle this scenario and is a good idea, how would I set up the client, scopes and code to handle the login through code and redirect?

Examples are great and very welcome, but I am not even sure what verbiage to use to search for this scenario so even pointing me in the right direction would be of great help.

user1041169 asked Nov 09 '22 16:11

1 Answer

Not sure if this question is still active. But yes, I believe you can do all that.

1) You can set up which IdP is available for each client by setting IdentityProviderRestrictions on the client (docs)

1.1) - Not sure what you mean, I believe one of the points of having idsrv is to centralize your authentication, and it makes it easier for future websites to integrate with the same service.

2) When logging in using a client (application), you also specify which apiResource the client has access to - and the application needs to add this to the requested scopes when signing in. So if your client is the mvc application, you just add the ApiResource in the AllowedScopes - and set the request_type to id_token code - this would then give the user an access_token that is passed with each request to the backend api. (docs)

2.1) - This would basically log the user in on both sites - using an access token that says that the user is authorized to use the backend api.

2.2) - In my opinion this flow is one of the things that makes idsrv great - and they even mention this as a great feature of idsrv themselves. You just need 1 trip to the authserver to gain access to all systems.

as for pt. 3 - Take an extra look at the docs, try to setup a blank project following the quickstarts.

For logging in from your own login page, you need to use the grant type Resource Owner Password - Although they don't recommend doing this for security issues (transmitting passwords over the wire) - it is supported.

Christer answered Dec 09 '22 02:12
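The client definitions the answer describes (IdentityProviderRestrictions for the Windows-only site, an API scope in AllowedScopes for the MVC + web API site, and a Resource Owner Password client for the sites with their own login page), written out as an added IdentityServer4 configuration example that is not part of the question or the answer. The client ids, secrets, URLs, the API name `xyz_api` and the `"Windows"` scheme name are assumptions for illustration.

```csharp
// Added example: IdentityServer4 client definitions for the three sites in the
// question. Names, secrets, URLs and the "Windows" scheme name are assumptions.
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

public static class Config
{
    // Backend web API that the MVC sites call; a client must request this scope
    // to receive an access_token that the API will accept.
    public static IEnumerable<ApiResource> GetApiResources() =>
        new[] { new ApiResource("xyz_api", "XYZ backend API") };

    public static IEnumerable<Client> GetClients() => new List<Client>
    {
        // Site 1 (abc.com): interactive MVC client that also calls the API.
        // IdentityProviderRestrictions limits this client to the Windows IdP.
        new Client
        {
            ClientId = "abc_mvc",
            ClientSecrets = { new Secret("abc-secret".Sha256()) },
            AllowedGrantTypes = GrantTypes.Hybrid,      // response_type=code id_token
            RedirectUris = { "https://abc.com/signin-oidc" },
            IdentityProviderRestrictions = { "Windows" }, // assumed external scheme name
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "xyz_api"   // access_token usable against the backend API
            }
        },
        // Sites 2/3 (def.com, xyz.com): own login form, credentials sent from code,
        // so only the Resource Owner Password grant is allowed for this client.
        // The user's password passes through the client, which is the caveat the
        // answer mentions; keep this client confidential and TLS-only.
        new Client
        {
            ClientId = "xyz_ropc",
            ClientSecrets = { new Secret("xyz-secret".Sha256()) },
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
            AllowOfflineAccess = true,  // refresh token backs the "remember me" box
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "xyz_api"
            }
        }
    };
}
```

Register these with `AddInMemoryApiResources(Config.GetApiResources())` and `AddInMemoryClients(Config.GetClients())` on the IdentityServer builder; the ROPC client then obtains tokens by posting `grant_type=password` with the username and password to the token endpoint.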