Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Implement identity server authentication in real world scenario

Tags:

c#

security

authentication

asp.net-web-api2

thinktecture-ident-server

I am investigating how IdentityServer 3 works and I still have problem to fully understand.

In general concept is clear to me but still I am not sure how to implement this on real project.

This is basic example that I am trying to implement in my case: link

I have web api project and I want to call my api methods from any client (mvc, wpf, phone…) So I need implementation that is suitable for all clients.

If I understand well (and probably I am not understand completely), I should have 3 projects:

  • Client
  • Api
  • Project that host IdentityServer

And all projects should have required stuff like on picture: enter image description here Steps on picture:

  1. Get token
  2. Return token
  3. Call api
  4. Check if Token is OK
  5. If Token is fine than return data else show error

My questions are:

  • Is my thinking about how this works ok?
  • Where I making mistakes?
  • Is this example good enough for my case? Am I missing something important?
  • Do I have to create project that host IdentityServer, or this is needed just for example code ?
  • Does IdentityServer host project must be console application that communicate with api and client(like in example), or in real world this is done differently ?
  • Should project that host identity server be aware of Clients and Users ?
  • Should some other project except host identity server project be aware of Clients and Users ?
  • What is diference between implicit and hybrid flow, what I need in my case and why?
  • How do I create my own login view? I want have html page for login if I use web client, but to have wpf login view if I use wpf, also different view for mobile client.

EDIT: I think that I need Resource Owner flow . I supose that resource i view where user type user name and password.

like image 510
Raskolnikov Avatar asked Jan 14 '16 12:01

Raskolnikov

People also ask

What is Identity Server used for?

IdentityServer is an authentication server that implements OpenID Connect (OIDC) and OAuth 2.0 standards for ASP.NET Core. It's designed to provide a common way to authenticate requests to all of your applications, whether they're web, native, mobile, or API endpoints.

How does Identity Server authentication work?

Identity Server implements authentication service and policy administration to regulate access to a company's information and applications. These features make it possible to verify that a user is who he says he is, and that the user is authorized to access web or application servers deployed within the enterprise.

Is Identity Server 4 still free?

About IdentityServer4 IdentityServer is a free, open source OpenID Connect and OAuth 2.0 framework for ASP.NET Core.

1 Answers

Your basic flow is correct, with Identity Server acting as your authorization server and your client and web API separate.

You should host Identity Server in its own project to ensure it is separate from any other logic which has the potential to introduce security concerns. How you host it is up to you and your use case. Typically you would see it hosted within an ASP.NET project on an IIS Server.

Identity Server must be aware of clients and users in order to authenticate them. The only other projects that should be aware of your identity store (users) is any applications that concern things like admin, user registration, etc. The client store would only ever be used by Identity Server.

Views can be modified using the Identity Server templates or by introducing your own ViewService. See the docs for more info: https://identityserver.github.io/Documentation/docsv2/advanced/customizingViews.html

Regarding flows, the Resource Owner flow is OAuth only, so there will be no authentication (log in page), only authorization (server to server).

like image 117
Scott Brady Avatar answered Oct 06 '22 00:10

Scott Brady
Sign in to Comment

Related questions

How to create an async method in C# 4 according to the best practices?
Why did changing my target framework from ".NET Framework 4 Client Profile" to ".NET framework 4" give me warning messages?
.NET WebBrowser - FireBug Style Inspect HTML Element
Why are some objects not accessible from different threads?
Visual Studio 2012 testing with csla and entity framework
Get Localized Names of Installed Windows Store Apps in Windows 8
Combining multiple pixel shaders efficiently
There exists both implicit conversions from 'float' and 'float' and from 'float' to 'float'
Using C# to get the Public Key from my cert for Java
Parsing SQL Statement With Irony
Preserve Case in Route Parameters with LowercaseUrls enabled
SqlConnection vs Sql Session. Do their lifetimes coincide?
Binding DataGridTemplateColumn
Visual studio 2013 Slow in editing razor files
How do multiple applications listen on same port (80)?
unable to step into my local service that is in my solution
What's the best pattern for passing Immutable Collections across APIs
ASP.NET MVC 5 and WebApi 2 Authentication
Visual studio 2015 Intellitest not working on 64bit projects
Print Pdf document Barcode generated by font in C#

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!