Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Identity Server and web api for user management

I'm using Identity Server3 for my project, I currently have a website and api being protected by the Id server, this is working fine however because I'm storing the users in the Id Server database I can't really change any user's data from the website like changing the profile picture or any claim value.

In order to solve this I'm thinking in creating an API on top of IdServer, this API will manage the users, changing a password, retrieving users or changing anything related to a user basically, I want to create this API on the sample project where I have my IdServer using Owin mapping.

Right now I have my idServer in the /identity route like this

public class Startup
{
    public void Configuration(IAppBuilder app)
    {

        Log.Logger = new LoggerConfiguration().MinimumLevel.Debug().WriteTo.Trace().CreateLogger();            

        app.Map("/identity", idserverApp =>
         {
             var efConfig = new EntityFrameworkServiceOptions
             {
                 ConnectionString = "IdSvr3Config"
             };

             var options = new IdentityServerOptions
             {
                 SiteName = "Identity server",
                 IssuerUri = ConfigurationManager.AppSettings["idserver:stsIssuerUri"],
                 PublicOrigin = ConfigurationManager.AppSettings["idserver:stsOrigen"],
                 SigningCertificate = Certificate.Get(),
                 Factory = Factory.Configure(efConfig),
                 AuthenticationOptions = AuthOptions.Configure(app),
                 CspOptions = new CspOptions { Enabled = false },
                 EnableWelcomePage=false
             };


             new TokenCleanup(efConfig, 3600 * 6).Start();
             idserverApp.UseIdentityServer(options);
         });

        app.UseIdServerApi();

    }        
}

My api "middleware" is as this

**public static class IdServerApiExtensions
    {
        public static void UseIdServerApi(this IAppBuilder app, IdServerApiOptions options = null)
        {
            if (options == null)
                options = new IdServerApiOptions();            

            if (options.RequireAuthentication)
            {
                var dic = app.Properties;
                JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
                app.UseIdentityServerBearerTokenAuthentication(
                    new IdentityServerBearerTokenAuthenticationOptions
                    {
                        Authority = "https://localhost:44302/identity", //here is the problem, it says not found even though I already mapped idServer to /identity
                        RequiredScopes = new[]
                        {
                        "idserver-api"
                        },
                        ValidationMode=ValidationMode.ValidationEndpoint
                    });
            }
            var config = new HttpConfiguration();
            WebApiConfig.Register(config,options.RequireAuthentication);
            app.UseNinjectMiddleware(() => NinjectConfig.CreateKernel.Value);
            app.UseNinjectWebApi(config);
            app.Use<IdServerApiMiddleware>(options);
        }
    }**

I know is possible I just don't know if it is a good idea to have the api on the same project or not and also I don't know how to do it.

  • Is it a good idea to create this API to manage the users? If not what could I use?
  • How can I create the proper settings to fire up the API under /api and at the same time use IdServer to protect this api?

Update

Adding ValidationMode=ValidationMode.ValidationEndpoint, fixed my problem, thanks to Scott Brady

Thanks

like image 853
General Electric Avatar asked Jul 07 '16 02:07

General Electric


People also ask

What is user Management API?

The User Management API provides programmatic access to the user accounts that are associated with your Adobe organization. You can integrate this API into your organization's administrative applications and processes.

What is Identity server used for?

IdentityServer is an authentication server that implements OpenID Connect (OIDC) and OAuth 2.0 standards for ASP.NET Core. It's designed to provide a common way to authenticate requests to all of your applications, whether they're web, native, mobile, or API endpoints.

Which type of authentication is used in Web API?

There are four ways to authenticate when calling a web API: API key authentication. Basic authentication. OAuth 2.0 Client Credentials Grant.

How does authentication and authorization work in Web API?

Authentication is knowing the identity of the user. For example, Alice logs in with her username and password, and the server uses the password to authenticate Alice. Authorization is deciding whether a user is allowed to perform an action. For example, Alice has permission to get a resource but not create a resource.


1 Answers

The general advice from the Identity Server team is to run any admin pages or API as a separate project (Most recent example). Best practice would be only to give your Identity Server and identity management applications access to your identity database/store.

To manage your users, yes, you could write your own API. Other options would be to contain it to a single MVC website or to use something like Identity Manager.

You can still use the same application approach however, using the OWIN map. To secure this you could use the IdentityServer3.AccessTokenValidation package, using code such as:

app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
{
    Authority = ConfigurationManager.AppSettings["idserver:stsOrigen"],
    RequiredScopes = new[] { "adminApi" },
    ValidationMode = ValidationMode.ValidationEndpoint
});
like image 130
Scott Brady Avatar answered Sep 27 '22 20:09

Scott Brady