 

Implement identity server authentication in real world scenario

I am investigating how IdentityServer 3 works and I still have problems fully understanding it.

In general the concept is clear to me, but I am still not sure how to implement this in a real project.

This is the basic example that I am trying to implement in my case: link

I have a web API project and I want to call my API methods from any client (MVC, WPF, phone…), so I need an implementation that is suitable for all clients.

If I understand correctly (and probably I do not understand completely), I should have 3 projects:

  • Client
  • Api
  • Project that host IdentityServer

And all projects should have the required stuff like in the picture. Steps in the picture:

  1. Get token
  2. Return token
  3. Call api
  4. Check if Token is OK
  5. If the token is fine then return data, else show an error

My questions are:

  • Is my thinking about how this works OK?
  • Where am I making mistakes?
  • Is this example good enough for my case? Am I missing something important?
  • Do I have to create a project that hosts IdentityServer, or is this needed just for the example code?
  • Must the IdentityServer host project be a console application that communicates with the API and client (like in the example), or is this done differently in the real world?
  • Should the project that hosts IdentityServer be aware of Clients and Users?
  • Should some other project except the IdentityServer host project be aware of Clients and Users?
  • What is the difference between implicit and hybrid flow, what do I need in my case and why?
  • How do I create my own login view? I want to have an HTML page for login if I use a web client, but to have a WPF login view if I use WPF, and also a different view for a mobile client.

EDIT: I think that I need the Resource Owner flow. I suppose that the resource is the view where the user types a user name and password.

Raskolnikov asked Jan 14 '16 12:01





1 Answer

Your basic flow is correct, with Identity Server acting as your authorization server and your client and web API separate.

You should host Identity Server in its own project to ensure it is separate from any other logic which has the potential to introduce security concerns. How you host it is up to you and your use case. Typically you would see it hosted within an ASP.NET project on an IIS Server.

Identity Server must be aware of clients and users in order to authenticate them. The only other projects that should be aware of your identity store (users) are any applications that concern things like admin, user registration, etc. The client store would only ever be used by Identity Server.

Views can be modified using the Identity Server templates or by introducing your own ViewService. See the docs for more info: https://identityserver.github.io/Documentation/docsv2/advanced/customizingViews.html

Regarding flows, the Resource Owner flow is OAuth only, so there will be no authentication (login page), only authorization (server to server).

Scott Brady answered Oct 06 '22 00:10

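The three-project layout from the answer (IdentityServer host, web API, client), written out as an added example that is not code from the question, the answer or the IdentityServer project. The three Startup classes are collapsed into one file for reading; in a real solution each lives in its own project. It uses the IdentityServer3 in-memory stores, the IdentityServer3.AccessTokenValidation middleware on the API and IdentityModel's TokenClient on a WPF client that collects the credentials in its own login window and uses the Resource Owner Password flow, which is what the question's edit asks for. Host names, ports, the client id and secret, the user, the scope name and the certificate path are all assumptions. Caveat for this flow: the client handles the user's password, so it is only appropriate for first-party clients you fully control; a browser-based (MVC) client should instead use implicit or hybrid flow and let IdentityServer render the login page.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using IdentityModel.Client;                      // NuGet: IdentityModel (client project)
using IdentityServer3.AccessTokenValidation;     // NuGet: IdentityServer3.AccessTokenValidation (API project)
using IdentityServer3.Core;                      // Sha256() extension for secrets
using IdentityServer3.Core.Configuration;        // NuGet: IdentityServer3 (host project)
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.InMemory;
using Owin;

// 1. IdentityServer host project: the only project that knows about clients and users.
public class IdentityServerStartup
{
    public void Configuration(IAppBuilder app)
    {
        var factory = new IdentityServerServiceFactory()
            .UseInMemoryClients(new List<Client>
            {
                new Client
                {
                    ClientId = "wpfclient",                      // assumed client id
                    ClientName = "WPF desktop client",
                    Flow = Flows.ResourceOwner,                  // client collects the password itself
                    ClientSecrets = new List<Secret> { new Secret("wpf-secret".Sha256()) },
                    AllowedScopes = new List<string> { "api1" }, // cannot ask for anything else
                    AccessTokenType = AccessTokenType.Jwt,       // API validates the signature locally
                    AccessTokenLifetime = 3600
                }
            })
            .UseInMemoryScopes(new List<Scope>
            {
                new Scope { Name = "api1", DisplayName = "Demo API", Type = ScopeType.Resource }
            })
            .UseInMemoryUsers(new List<InMemoryUser>
            {
                new InMemoryUser { Subject = "1", Username = "bob", Password = "password" } // demo user only
            });

        app.Map("/core", core => core.UseIdentityServer(new IdentityServerOptions
        {
            SiteName = "Demo IdentityServer",
            IssuerUri = "https://localhost:44333/core",   // assumed host address
            // Token-signing key; use a properly managed certificate outside development.
            SigningCertificate = new X509Certificate2(@"C:\certs\idsrv3.pfx", "pfx-password"),
            Factory = factory,
            RequireSsl = true
        }));
    }
}

// 2. Web API project: knows nothing about users or clients, only how to validate tokens (step 4).
public class ApiStartup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = "https://localhost:44333/core",   // discovery document and signing keys come from here
            RequiredScopes = new[] { "api1" }             // reject tokens issued for other APIs
        });
        // Web API configuration with [Authorize] on the controllers follows here (step 5).
    }
}

// 3. WPF client: its own login window collects the credentials, posts them to the token
//    endpoint (steps 1 and 2) and calls the API with the bearer token (step 3).
public static class ApiCaller
{
    public static async Task<string> GetDataAsync(string username, string password)
    {
        var tokenClient = new TokenClient("https://localhost:44333/core/connect/token", "wpfclient", "wpf-secret");
        var tokenResponse = await tokenClient.RequestResourceOwnerPasswordAsync(username, password, "api1");
        if (tokenResponse.IsError)
            throw new InvalidOperationException("Token request failed: " + tokenResponse.Error);

        var http = new HttpClient();
        http.SetBearerToken(tokenResponse.AccessToken);
        var response = await http.GetAsync("https://localhost:44321/api/values"); // assumed API address
        if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized)
            throw new UnauthorizedAccessException("API rejected the token");
        return await response.Content.ReadAsStringAsync();
    }
}
```

The API never sees the user's password and never consults the user or client store; it only checks the token's signature against the keys published by the Authority, the issuer, the expiry and the required scope. That is why only the IdentityServer host project (plus any admin or registration application) needs to know about users, and only the host needs to know about clients.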