ASP.NET 5 Web API supporting social logins, individual accounts, account management, authorisation screens and ASP.NET Identity. Does it exist?

Essentially, this is an update to this question from nearly two years ago answered very helpfully by @Pinpoint of AspNet.Security.OpenIdConnect.Server fame.

I'll just put the rant at the bottom for all who care to indulge themselves in the 4am blasphemes of a frustrated developer.

I am starting some new projects and for my own reasons I would like to use the latest versions of ASP.NET technologies (ASP.NET 5 vNext and MVC 6) to get going.

A very popular modern application architecture

  • Secure REST API using tokens
  • Support for individual logins
  • Support for social logins

Latest and greatest techy .NET stuff

  • ASP.NET 5 (almost..)
  • ASP.NET Identity (with all its user data stores and wonderful policy stuff)
  • MVC 6

Typically OAuth2 can be used for the authentication.

The Problem

ASP.NET used to support the creation of tokens with OAuth2, but it doesn't any more and isn't going to, and apparently it wasn't very good anyway. There is some help, but I'm still a little lost as to how to tie it in with ASP.NET Identity and the new Authorize attribute.

So onto my actual question.

Is there a sample anywhere on this wavy, windy, scary internet that demonstrates the following:

  • ASP.NET 5/MVC 6 based REST API, secured with ASP.NET Identity and OAuth2, with an AccountController merrily creating accounts and serving tokens for social logins or individual logins, with a lovely ASP.NET Identity user store to keep things tidy, password recovery and a range of the standard, modern account stuff, and authorisation screens to confirm permissions requests ("XXX would like to access your account, is this OK?" etc.)
  • (optionally) Client app (I don't care if it is WPF, Cordova, AngularJS, written in assembler or running on a ZX81 with Meccano automating the tests) that supports logging in, both socially and with individual accounts, to a REST API and gets a nice little token to fan in the air like a polaroid

I've found some things that are close, closer and so on. But none that match.

As far as I understand, I can't use ASP.NET 5's new policy based authorisation stuff with IdentityServer3. I can't be the only human wanting this architecture, has someone accomplished this?

I feel like each time I come to secure my app, I'm inventing the wheel a little.

Rant

I have been away from authorisation stuff for over a year, but I've come back in and boy things have changed. And it's all rather confusing with OWIN, Katana, ASP.NET Identity, IdentityServer3, AspNet.Security.OpenIdConnect.Server. It seems there are only (albeit very excellent) side projects to fully support having a .NET based secure token server. By "side projects", I mean no offence to these great projects, only that there is nothing Microsoft and/or paid supported.

I want to get going with a whole load of development, but I am always stalled at the implementation of authentication in what I can't imagine is an unpopular architecture.

It seems so incredible to me that such a standard architectural scenario is so deftly considered by Microsoft.

When I want to implement logins in my REST app, I find myself upside-down and inside-out in a confusingly loud orchestra of cross firing information.

If anyone would like to start a maintained, open source template solution, let me know. I'm fed up of the start of building REST, token based apps being so unnecessarily complex for something so basically standard.

joshcomley asked Dec 11 '15 02:12


1 Answer

Is there a sample anywhere on this wavy, windy, scary internet that demonstrates the following:

ASP.NET 5/MVC 6 based REST API, secured with ASP.NET Identity and OAuth2, with an AccountController merrily creating accounts and serving tokens for social logins or individual logins, with a lovely ASP.NET Identity user store to keep things tidy, password recovery and a range of the standard, modern account stuff, and authorisation screens to confirm permissions requests ("XXX would like to access your account, is this OK?" etc.)

I'm currently working on a whole new identity server named OpenIddict: it's based on ASP.NET Identity 3 (that comes with ASP.NET 5) and uses AspNet.Security.OpenIdConnect.Server internally to control the entire OIDC flow. It's meant to offer the easiest way to get started with token authentication and it's compatible with both the full .NET framework and the new .NET Core.

Of course, it's neither developed nor funded by Microsoft (feel free to suggest them to support us), but it corresponds to your requirements: it comes with an internal controller that controls the authorization experience (i.e. the consent form part) and relies on the AccountController you add to your application to handle the local/external authentication process.

It's still at the early stages and you need the ASP.NET 5/DNX RC2 nightly builds to use it, but it's quite easy to configure. You just need to call AddOpenIddict() from ConfigureServices and UseOpenIddict() from Configure. You can find more information on the GitHub repository.

public class Startup {
    // Bound at startup from appsettings; only the connection string is read below.
    public IConfiguration Configuration { get; set; }

    public void ConfigureServices(IServiceCollection services) {
        services.AddMvc();

        // Entity Framework backing store for the Identity tables.
        services.AddEntityFramework()
            .AddSqlServer()
            .AddDbContext<ApplicationDbContext>(options =>
                options.UseSqlServer(Configuration["Data:DefaultConnection:ConnectionString"]));

        // ASP.NET Identity (users, passwords, roles, tokens for password reset / email confirmation).
        services.AddIdentity<ApplicationUser, IdentityRole>()
            .AddEntityFrameworkStores<ApplicationDbContext>()
            .AddDefaultTokenProviders()
            .AddOpenIddict(); // Add the OpenIddict services after registering Identity.
    }

    public void Configure(IApplicationBuilder app) {
        // Identity middleware (cookie authentication used by the AccountController) must come first.
        app.UseIdentity();

        // Add all the external providers you need before registering OpenIddict:
        app.UseGoogleAuthentication();
        app.UseFacebookAuthentication();

        // OpenIddict handles the OIDC/OAuth2 endpoints (authorization, token, consent) from here on.
        app.UseOpenIddict();
    }
}
Kévin Chalet answered Nov 10 '22 16:11
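The question also asks whether the new policy-based authorisation can sit on top of a token server like this. The following is an added illustration, not code from the answer above or from the OpenIddict project, showing the resource-API side: a policy that requires a specific OAuth2 scope claim in the validated access token, enforced through the Authorize attribute. It assumes the later ASP.NET Core namespaces and type names (Microsoft.AspNetCore.*, AuthorizationHandlerContext) rather than the ASP.NET 5 RC names, and assumes that some bearer-token validation middleware is registered in Configure; the page does not name one, so that line is a placeholder comment.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Requirement: the caller's access token must have been granted a given scope.
public class ScopeRequirement : IAuthorizationRequirement
{
    public string Scope { get; }
    public ScopeRequirement(string scope) { Scope = scope; }
}

// Handler: inspects the "scope" claims the validation middleware mapped from the token.
// Scopes commonly arrive either as repeated "scope" claims or as one space-separated value,
// so both shapes are accepted.
public class ScopeHandler : AuthorizationHandler<ScopeRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, ScopeRequirement requirement)
    {
        bool granted = context.User.FindAll("scope")
            .SelectMany(claim => claim.Value.Split(' '))
            .Any(scope => scope == requirement.Scope);

        if (granted)
            context.Succeed(requirement);

        // Deliberately no context.Fail(): a requirement that is never marked succeeded
        // already denies access, and other handlers for the same requirement may still run.
        return Task.CompletedTask;
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        // Policy "api:read": caller must be authenticated AND hold the "api:read" scope.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("api:read", policy =>
            {
                policy.RequireAuthenticatedUser();
                policy.AddRequirements(new ScopeRequirement("api:read"));
            });
        });

        // Register the handler so the policy evaluator can find it.
        services.AddSingleton<IAuthorizationHandler, ScopeHandler>();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Placeholder (assumption): register the bearer-token validation middleware here so that
        // the access token issued by the token server is turned into a ClaimsPrincipal with
        // "scope" claims before MVC runs. The page does not specify which middleware to use.

        app.UseMvc();
    }
}

// Protected resource: returns 401 without a valid token, 403 with a token lacking the scope.
[Route("api/[controller]")]
public class ProfileController : Controller
{
    [HttpGet, Authorize(Policy = "api:read")]
    public IActionResult Get()
    {
        return Ok(new { name = User.Identity.Name });
    }
}
```

The point of splitting the check into a requirement and a handler is that the policy name in the Authorize attribute stays declarative while the scope semantics live in one place; a token that was issued for a different scope is refused with 403 rather than silently accepted, which is the failure mode a resource API most needs to rule out.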