Introduction to IdentityServer

Size: px

Start display at page:

Download "Introduction to IdentityServer"

Cory Sanders
5 years ago
Views:

Introduction to IdentityServer The open source OIDC framework for.net Brock Allen http://brockallen.com @BrockLAllen brockallen@gmail.

1 Introduction to IdentityServer The open source OIDC framework for.net Brock Dominick Baier Slides and code:

2 Outline Motivate IdentityServer Hosting, configuring, and running IdentityServer

3 What is IdentityServer? Framework for building application security Single sign-on Protecting Web APIs

4 Without single sign-on Authentication Registration Etc App 1 username/password Authentication Registration Etc App 2 Authentication Registration Etc App 3

5 Single sign-on with a token service Authentication Registration Etc Token Service App 1 App 2 App 3

6 API Security credentials API 1 credentials API 3 credentials API 2

7 API Security with a token service credentials Token Service API 1 API 2 API 3

8 What is IdentityServer? Free, OSS framework for building token service OpenID Connect and OAuth2 Designed for flexibility and customization More control than off-the-shelf/saas products Can be used stand-alone or can interop with other providers Helps abstract external infrastructure è Becomes your applications' identity platform

9 Architecture Designed as middleware Requires developer to build host Configuration drives token service Requires developer to provide configuration Many extensibility points Some required (core object model and configuration data) Some optional (to override default behavior)

10 Platforms IdentityServer3 (released: Jan, 2015) OWIN/Katana.NET 4.5, ASP.NET 5 (full.net framework only), Mono IdentityServer4 (released: same time as ASP.NET 5) ASP.NET 5.NET Core, full.net framework

11 Core object model

12 Configuring IdentityServer Configuration drives behavior Signing certificate needed Factory contains configuration around object model public void Configuration(IAppBuilder app) { var factory = new IdentityServerServiceFactory(); // more factory config here... var cert = X509.LocalMachine.My.SubjectDistinguishedName.Find("CN=sts").First(); } var options = new IdentityServerOptions { SiteName = "My Token Service", Factory = factory, SigningCertificate = cert }; app.useidentityserver(options);

13 Configuring users User data normally stored in database IUserService extensibility point used to load user data from database In memory configuration useful for prototyping/development var factory = new IdentityServerServiceFactory(); var users = new List<InMemoryUser> { new InMemoryUser { Subject = "123", Username = "alice", Password = "password", } }; factory.useinmemoryusers(users);

14 Configuring scopes Identity scopes model access to user information Constants for standard identity scopes already defined Resource scopes model access to web APIs var factory = new IdentityServerServiceFactory(); var scopes = new Scope[] { StandardScopes.OpenId, // user's unique id StandardScopes. , // user's new Scope { Name = "api1", DisplayName = "My API", Type = ScopeType.Resource } }; factory.useinmemoryscopes(scopes); // custom web api

15 Configuring clients Many different configuration values depending on flow For MVC client, implicit flow commonly used var factory = new IdentityServerServiceFactory(); var clients = new Client[] { new Client { ClientId = "mvc", ClientName = "MVC App", Flow = Flows.Implicit, RedirectUris = new List<string> { " }, AllowedScopes = new List<string> { "openid", " ", "api1" } } }; factory.useinmemoryclients(clients);

16 Configuring client application OpenID Connect middleware used to obtain tokens Handles protocol details Issues cookie with cookie authentication middleware Access token returned and should be stored (usually in cookie claims) Use access token as Authorization HTTP header Using "Bearer" scheme

17 Configuring OpenID Connect middleware public void Configuration(IAppBuilder app) { app.usecookieauthentication(new CookieAuthenticationOptions { AuthenticationType = "cookies", }); JwtSecurityTokenHandler.InboundClaimTypeMap.Clear(); } app.useopenidconnectauthentication(new OpenIdConnectAuthenticationOptions { AuthenticationType = "oidc", SignInAsAuthenticationType = "cookies", UseTokenLifetime = false, Authority = " ClientId = "mvc", RedirectUri = " ResponseType = "id_token token", Scope = "openid api1", Notifications = new OpenIdConnectAuthenticationNotifications {...} });

18 Using access token to call web API [Authorize] public async Task<IActionResult> CallApi() { var client = new HttpClient(); var access_token = User.FindFirst("access_token").Value; client.defaultrequestheaders.authorization = new AuthenticationHeaderValue("Bearer", access_token); } var result = await client.getasync(" if (result.issuccessstatuscode) { var json = await result.content.readasstringasync(); return Content(json, "application/json"); } else { return Content("Error: " + result.statuscode); }

19 Protecting Web API JwtBearerTokenmiddleware validates access tokens Access token contents turned into ClaimsPrincipal on User public void Configuration(IAppBuilder app) { JwtSecurityTokenHandler.InboundClaimTypeMap.Clear(); app.useidentityserverbearertokenauthentication( new IdentityServerBearerTokenAuthenticationOptions { Authority = " RequiredScopes = new string[] { "api1" } } ); } var config = new HttpConfiguration(); //... app.usewebapi(config);

20 Beyond in-memory configuration IdentityServer designed for extensibility IdentityServer defines several interfaces to model functionality Common customizations Stores User service Branding/UI Logging/auditing

21 Client and scope stores Stores provides read-only access to configuration In-memory implementation useful for development/testing EF implementation supported Other community provided implementations public interface IClientStore { Task<Client> FindClientByIdAsync(string clientid); } public interface IScopeStore { Task<IEnumerable<Scope>> FindScopesAsync(IEnumerable<string> scopenames); Task<IEnumerable<Scope>> GetScopesAsync(bool publiconly = true); }

22 User service User service models users Contains authentication logic Provides claims for users Supports user deactivation Supported implementations In-memory MembershipReboot ASP.NET Identity public interface IUserService { Task PreAuthenticateAsync(PreAuthenticationContext context); Task AuthenticateLocalAsync(LocalAuthenticationContext context); Task AuthenticateExternalAsync(ExternalAuthenticationContext context); Task PostAuthenticateAsync(PostAuthenticationContext context); Task SignOutAsync(SignOutContext context); Task GetProfileDataAsync(ProfileDataRequestContext context); Task IsActiveAsync(IsActiveContext context); }

23 Other user service features External identity providers Social or other external providers Customizable HRD User workflow Prior to login user must perform registration At login user must accept EULA or provide 2FA User impersonation

24 Other extensibility and customization Visual assets Branding of HTML, CSS, etc. Token service configuration Claims contained in tokens are configurable Configurable expiration Access token type (JWT vs. reference tokens) Token and consent revocability Custom validation Delegation scenarios Logging and events

25 Resources Source code, samples, and issue tracker Documentation Gitter

26 Summary IdentityServer provides an OIDC and OAuth2 framework Designed for extensibility and customization

Advanced ASP.NET Identity. Brock Allen

Advanced ASP.NET Identity. Brock Allen Advanced ASP.NET Identity Brock Allen brockallen@gmail.com http://brockallen.com @BrockLAllen Advanced The complicated bits of ASP.NET Identity Brock Allen brockallen@gmail.com http://brockallen.com @BrockLAllen