How to set up cookie based authentication with NancyFx and IdentityServer3 (non-API website)

We have an environment with the following:

  • Standalone IdentityServer3 instance (issues reference tokens, not jwt)
  • ASP.NET WebAPI resource server
  • .NET client applications that authenticate against IdSvr (via resource owner flow)

...and now we'd like to start adding an OWIN-hosted web app that will use NancyFx to serve server-rendered pages as well as a couple of AngularJS SPAs. This Nancy website will NOT host any APIs, but may consume data from our existing API. I'd like to add authentication in the OWIN pipeline to help secure our Angular applications from being sent down to users who don't have access.

This would be in contrast to sending down the SPA code and having Angular determine if the user should see anything. In that case we've already exposed the JavaScript code base, and this we want to avoid.

I'm trying to understand how I should configure this Nancy site to authenticate users against IdentityServer using the implicit flow. I have implemented this authentication scheme in standalone SPAs before (where all authentication was handled by AngularJS code and tokens were stored in HTML5 local storage), but I'm a bit lost on how to properly tackle this within the OWIN pipeline.

I'm thinking that the OWIN cookie authentication middleware is the answer, but does that mean the following?

  • I need to redirect the user to IdentityServer (using the proper url arguments for implicit flow)?
  • IdentityServer will redirect the user back to my site on a successful login, so is that where I hook into the OWIN Authorization manager to set the appropriate cookie?

...or am I thinking about this all wrong?

For reference, I've read through the following posts, and they're very helpful, but I'm not quite seeing the big picture with OWIN. I'm going to experiment with the UseOpenIdConnectAuthentication middleware next, but I would appreciate any guidance SO might have here.

http://brockallen.com/2013/10/24/a-primer-on-owin-cookie-authentication-middleware-for-the-asp-net-developer/

https://github.com/IdentityServer/IdentityServer3/issues/487

asked Sep 27 '22 11:09 by Sam Storie


1 Answer

Fundamentally, implementing OpenID Connect authentication in a Nancy app hosted via OWIN is really not different from implementing it in any MVC/Katana app (the Thinktecture team has a sample for this scenario: https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/Clients/MVC%20OWIN%20Client).

You basically need 3 things: the cookie middleware, the OpenID Connect middleware and the Nancy middleware:

using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Nancy;
using Owin;

public class Startup {
    public void Configuration(IAppBuilder app) {
        // Identities produced by the OIDC middleware are signed in to the cookie scheme.
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

        // Active mode: the cookie is read and the principal set on every request.
        app.UseCookieAuthentication(new CookieAuthenticationOptions {
            AuthenticationMode = AuthenticationMode.Active,
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType
        });

        // Active mode: a 401 from downstream (e.g. Nancy) is turned into a redirect to the authority.
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions {
            AuthenticationMode = AuthenticationMode.Active,

            // Set the address of your OpenID Connect server:
            Authority = "http://localhost:54541/",

            // Set your client identifier here:
            ClientId = "myClient",

            // Set the redirect_uri and post_logout_redirect_uri
            // corresponding to your application:
            RedirectUri = "http://localhost:56765/oidc",
            PostLogoutRedirectUri = "http://localhost:56765/"
        });

        // Nancy runs last; only requests it cannot route (404) pass through to later middleware.
        app.UseNancy(options => options.PerformPassThrough = context => context.Response.StatusCode == HttpStatusCode.NotFound);
    }
}

If you're looking for a functional demo, you can take a look at https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/tree/dev/samples/Nancy/Nancy.Client (note: it doesn't use IdentityServer3 for the OIDC server part but it shouldn't make any difference for the client app).

answered Sep 29 '22 04:09 by Kévin Chalet
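To close the loop on the question's actual goal (not shipping the SPA to users who are not signed in), here is an added example of a Nancy module that gates the SPA shell behind the principal established by the cookie middleware above. It is not part of the answer or of any project's code; the `/app` route, the `Content/app/index.html` path and the Nancy 1.x / Nancy.Owin API shape are assumptions.

```csharp
using System.Security.Claims;
using Nancy;
using Nancy.Owin;

// Serves the AngularJS SPA entry point only once the OWIN cookie middleware
// has established an authenticated principal. Unauthenticated requests get a
// 401, which the Active-mode OpenID Connect middleware in Startup turns into
// a redirect to IdentityServer, so the SPA code itself is never sent down.
public class SpaModule : NancyModule
{
    public SpaModule() : base("/app")   // assumed route prefix for the SPA
    {
        Before += ctx =>
        {
            var principal = GetOwinPrincipal(ctx);
            return IsAuthenticated(principal)
                ? null                                   // null = continue to the route handler
                : new Response { StatusCode = HttpStatusCode.Unauthorized };
        };

        // Assumed location of the SPA shell; adjust to the project's layout.
        Get["/"] = _ => Response.AsFile("Content/app/index.html");
    }

    // Katana exposes the authenticated user under the OWIN "server.User" key.
    // Returns null when not hosted under OWIN or when no user has been set.
    internal static ClaimsPrincipal GetOwinPrincipal(NancyContext ctx)
    {
        var env = ctx.GetOwinEnvironment();
        object user;
        return env != null && env.TryGetValue("server.User", out user)
            ? user as ClaimsPrincipal
            : null;
    }

    // Only an identity the cookie middleware actually authenticated counts;
    // an anonymous ClaimsPrincipal still has IsAuthenticated == false.
    internal static bool IsAuthenticated(ClaimsPrincipal principal)
    {
        return principal != null
            && principal.Identity != null
            && principal.Identity.IsAuthenticated;
    }
}
```

Because Nancy is mounted after the cookie and OIDC middleware, the 401 returned by the Before hook reaches the OIDC handler on the way out and triggers the authorization redirect without any Angular code having been served.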