Menu
I've been studying ASP.NET 5 for some time now and there is something I'm yet confused. To implement authentication in Web API 2 what I used to do was basically use the OWIN OAuth Authentication Server Middleware. It was simple to use, I could configure just what I needed and there wasn't a bunch of stuff I needed to put on the app without need for it.
Now, at first I didn't find this in ASP.NET 5 and I thought it was a matter of time to wait the middleware to show up. But yesterday, reading on the issues on the Security repo I found out that apparently there is no intention to port this middleware to the new version of the framework.
Instead, it seems people are encouraged to use Identity Server 3. I took a look on the project and although it is nice and has many usages I really prefer to configure just the minimum I need sometimes. Also, another drawback is that Identity Server 3 needs the full CLR, so if I need to use it in order to provide authentication on my application I would need to stop using Core CLR, which for me is a huge disadvantage since Core CLR is a lot more lightweight.
So, if I don't want to use the Identity Server 3 on ASP.NET 5, how can I implement authentication for Web API if the OAuth Authentication Server middleware is gone? Has anyone been through that and found a way to deal with it?
How to deal with authentication on ASP.NET 5 Web API without using Identity Server 3?
889
Web API assumes that authentication happens in the host. For web-hosting, the host is IIS, which uses HTTP modules for authentication. You can configure your project to use any of the authentication modules built in to IIS or ASP.NET, or write your own HTTP module to perform custom authentication.
OAuth (specifically, OAuth 2.0) is considered a gold standard when it comes to REST API authentication, especially in enterprise scenarios involving sophisticated web and mobile applications. OAuth 2.0 can support dynamic collections of users, permission levels, scope parameters and data types.
Indeed, there'll be no OAuthAuthorizationServerMiddleware in ASP.NET 5.
If you're looking for the same low-level approach, you should take a look at AspNet.Security.OpenIdConnect.Server: it's an advanced fork of the OAuth2 authorization server middleware that comes with Katana 3 but that targets OpenID Connect, as you already figured out ( OAuth Authorization Service in ASP.NET Core).
https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server
OpenID Connect is itself based on OAuth2 and is basically a superset offering standardized authentication features. Don't worry: you can, of course, use ANY OAuth2 client with ANY OpenID Connect server, including AspNet.Security.OpenIdConnect.Server.
Don't miss the MVC 6 sample: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/tree/dev/samples/Mvc
app.UseJwtBearerAuthentication(new JwtBearerOptions { AutomaticAuthenticate = true, AutomaticChallenge = true, Audience = "http://localhost:54540/", Authority = "http://localhost:54540/" }); app.UseOpenIdConnectServer(options => { options.Provider = new AuthorizationProvider(); }); Good luck, and don't hesitate to ping me if you need help.
171
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
