Essentially, this is an update to this question from nearly two years ago answered very helpfully by @Pinpoint of AspNet.Security.OpenIdConnect.Server fame.
I'll just put the rant at the bottom for all who care to indulge themselves in the 4am blasphemes of a frustrated developer.
I am starting some new projects and for my own reasons I would like to use the latest versions of ASP.NET technologies (ASP.NET 5 vNext and MVC 6) to get going.
Typically OAuth2 can be used for the authentication.
ASP.NET used to support the creation of tokens with OAuth2, but it doesn't any more and isn't going to, and apparently it wasn't very good anyway. There is some help, but I'm still a little lost as to how to tie it in with ASP.NET Identity and the new Authorize attribute.
So onto my actual question.
I've found some things that are close, closer and so on. But none that match.
As far as I understand, I can't use ASP.NET 5's new policy based authorisation stuff with IdentityServer3. I can't be the only human wanting this architecture, has someone accomplished this?
I feel like each time I come to secure my app, I'm inventing the wheel a little.
I have been away from authorisation stuff for over a year, but I've come back in and boy things have changed. And it's all rather confusing with OWIN, Katana, ASP.NET Identity, IdentityServer3, AspNet.Security.OpenIdConnect.Server. It seems there are only (albeit very excellent) side projects to fully support having a .NET based secure token server. By "side projects", I mean no offence to these great projects, only that there is nothing Microsoft and/or paid supported.
I want to get going with a whole load of development, but I am always stalled at the implementation of authentication in what I can't imagine is an unpopular architecture.
It seems so incredible to me that such a standard architectural scenario is so deftly considered by Microsoft.
When I want to implement logins in my REST app, I find myself upside-down and inside-out in a confusingly loud orchestra of cross firing information.
If anyone would like to start a maintained, open source template solution, let me know. I'm fed up of the start of building REST, token based apps being so unnecessarily complex for something so basically standard.
Web API assumes that authentication happens in the host. For web-hosting, the host is IIS, which uses HTTP modules for authentication. You can configure your project to use any of the authentication modules built in to IIS or ASP.NET, or write your own HTTP module to perform custom authentication.
ASP.NET Core Identity: Is an API that supports user interface (UI) login functionality. Manages users, passwords, profile data, roles, claims, tokens, email confirmation, and more.
Is there a sample anywhere on this wavy, windy, scary internet that demonstrates the following:
ASP.NET 5/MVC 6 based REST API, secured with ASP.NET Identity and OAuth2, with an AccountController merrily creating accounts and serving tokens for social logins or individual logins, with a lovely ASP.NET Identity user store to keep things tidy, password recovery and a range of the standard, modern account stuff, and authorisation screens to confirm permissions requests ("XXX would like to access your account, is this OK?" etc.)
I'm currently working on a whole new identity server named OpenIddict: it's based on ASP.NET Identity 3 (that comes with ASP.NET 5) and uses AspNet.Security.OpenIdConnect.Server internally to control the entire OIDC flow. It's meant to offer the easiest way to get started with token authentication and it's compatible with both the full .NET framework and the new .NET Core.
Of course, it's neither developed nor funded by Microsoft (feel free to suggest them to support us), but it corresponds to your requirements: it comes with an internal controller that controls the authorization experience (i.e. the consent form part) and relies on the AccountController you add to your application to handle the local/external authentication process.
It's still at the early stages and you need the ASP.NET 5/DNX RC2 nightly builds to use it, but it's quite easy to configure. You just need to call AddOpenIddict() from ConfigureServices and add UseOpenIddict() from Configure. You can find more information on the GitHub repository.
    public void ConfigureServices(IServiceCollection services) {
        services.AddMvc();

        // Configuration is the IConfiguration built in the Startup constructor.
        services.AddEntityFramework()
            .AddSqlServer()
            .AddDbContext<ApplicationDbContext>(options =>
                options.UseSqlServer(Configuration["Data:DefaultConnection:ConnectionString"]));

        services.AddIdentity<ApplicationUser, IdentityRole>()
            .AddEntityFrameworkStores<ApplicationDbContext>()
            .AddDefaultTokenProviders()
            .AddOpenIddict(); // Add the OpenIddict services after registering Identity.
    }

    public void Configure(IApplicationBuilder app) {
        app.UseIdentity();

        // Add all the external providers you need before registering OpenIddict:
        app.UseGoogleAuthentication();
        app.UseFacebookAuthentication();

        app.UseOpenIddict();
    }
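An added example, not part of the question or the answer above and not OpenIddict's own code: the other half of the architecture the question asks for, a separate resource API that validates the bearer tokens the OpenIddict server issues and enforces ASP.NET 5's policy-based authorization on the claims they carry. It is written against the ASP.NET 5 RC1 package names (Microsoft.AspNet.*); the RC2 nightlies the answer refers to renamed them to Microsoft.AspNetCore.* and changed several signatures, so check each call against the build you are on. The server URL, the audience value "orders-api", the "scope" claim values and the role name are all placeholder assumptions.

```csharp
// Added example (not from the original post or OpenIddict): a resource API that
// trusts tokens from the OpenIddict server configured above and applies
// ASP.NET 5 policy-based authorization to them. RC1 namespaces; RC2 nightlies
// renamed them to Microsoft.AspNetCore.* (assumption: verify against your build).
using Microsoft.AspNet.Authorization;
using Microsoft.AspNet.Builder;
using Microsoft.AspNet.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        // Policies are evaluated against the claims of the validated token, so the
        // "scope" and role claims the token server puts in the token drive access here.
        // Claim names and values are assumptions about how the server is configured.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("ReadOrders", policy =>
                policy.RequireAuthenticatedUser()
                      .RequireClaim("scope", "orders.read"));

            options.AddPolicy("Admin", policy =>
                policy.RequireRole("administrator"));
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        // Validate incoming bearer tokens against the OpenIddict server. Authority is
        // the issuer (assumed URL); the middleware downloads the discovery document
        // and signing keys from it. Audience must match the "aud" the server issues.
        app.UseJwtBearerAuthentication(options =>
        {
            options.AutomaticAuthenticate = true;        // populate HttpContext.User on every request
            options.AutomaticChallenge = true;           // answer unauthenticated calls with 401 + WWW-Authenticate
            options.Authority = "https://localhost:44300/"; // assumed OpenIddict server address
            options.Audience = "orders-api";                // assumed audience value
            options.RequireHttpsMetadata = true;         // never fetch the signing keys over plain HTTP
        });

        app.UseMvc();
    }
}

[Route("api/[controller]")]
public class OrdersController : Controller
{
    // Any caller presenting a valid token that carries the orders.read scope.
    [HttpGet, Authorize(Policy = "ReadOrders")]
    public IActionResult Get() => Ok(new[] { "order-1", "order-2" });

    // Only tokens that carry the administrator role.
    [HttpDelete("{id}"), Authorize(Policy = "Admin")]
    public IActionResult Delete(string id) => new NoContentResult();
}
```

If the token server issues opaque rather than JWT access tokens, as AspNet.Security.OpenIdConnect.Server does by default, replace UseJwtBearerAuthentication with the companion AspNet.Security.OAuth.Validation middleware; the policies are unchanged because they only see the resulting claims. Keep RequireHttpsMetadata on: the middleware trusts whatever signing keys it downloads from Authority, so fetching them over plain HTTP would let anyone on the path substitute a key and mint tokens the API accepts.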