Aspnetcore: Discussion for API authentication and Identity Server

Created on 1 Nov 2018  Â·  17Comments  Â·  Source: dotnet/aspnetcore

Some of you may have noticed that the Identity Server integration is now in the master branch along with a sample on how it all hangs together.

This issue is meant to centralize feedback as much as possible, so let's first discuss what this feature is aimed at and its limits

  • The feature will appear as an authorization option for API and SPA templates where you require Individual Authentication with a local database.
  • This will _not_ appear as an option for MVC or Razor Pages applications, those will continue as is for now.
  • It is meant as a _simple_ starting point, supporting APIs and first party clients.
  • It uses conventions to register the clients and apis without the need for configuring Identity Server beyond the helper methods in ConfigureServices()
            services.AddDbContext<ApplicationDbContext>(options =>
                options.UseSqlite(Configuration.GetConnectionString("DefaultConnection")));

            services.AddDefaultIdentity<ApplicationUser>()
                .AddEntityFrameworkStores<ApplicationDbContext>();

            services.AddIdentityServer()
                .AddApiAuthorization<ApplicationUser, ApplicationDbContext>();

            services.AddAuthentication()
                .AddIdentityServerJwt();
  • It still uses ASPNET Identity for the user database, and thus requires EF.
  • It will not support any advanced usage of Identity Server, like federation, WS-Fed, client certificates etc. although nothing will stop you migrating to those should you require them, you just have to abandon the helper functions and go full throttle with Identity Server's configuration system.
  • We'll be examining service to service authentication at some point.

So, have at it.

area-identity identity-service
Source
picture blowdart

Most helpful comment

We'll be examining service to service authentication at some point.

Please do

picture LindaLawton on 2 Nov 2018
👍11

All 17 comments

We'll be examining service to service authentication at some point.

Please do

LindaLawton picture LindaLawton on 2 Nov 2018
👍11

@blowdart Please update the Repository and Sample links, as we know that the repository has been merged to aspnet/AspNetCore

Sample : https://github.com/aspnet/AspNetCore/tree/master/src/Identity/samples/ApiAuthSample
Source : https://github.com/aspnet/AspNetCore/tree/master/src/Identity

Praveen-Rai picture Praveen-Rai on 21 Dec 2018

I wanted to have a look at the sample, checked out the current master of this repo, but the ApiAuthSample project does not compile (using the 3.0.100-preview-009812 of the dotNet core SDK).
First of all, the compiler can't find the .AddDefaultIdentity<TUserModel>() extension, and if I change that to .AddIdentity<ApplicationUser, IdentityRole>() it still won't compile as the compiler says

Build FAILED.

C:\Program Files\dotnet\sdk\3.0.100-preview-009812\Sdks\Microsoft.NET.Sdk\targets\Microsoft.NET.Sdk.targets(125,5): error NETSDK1007: Cannot find project info for 'D:\Dev\sg\AspNetCore\src\Identity\src\Identity\Microsoft.AspNetCore.Identity.csproj'. This can indicate a missing project reference. [D:\Dev\sg\AspNetCore\src\Identity\samples\ApiAuthSample\ApiAuthSample.csproj]
    0 Warning(s)
    1 Error(s)

Which is strange, as the Microsoft.AspNetCore.Identity project is available at this path, and restores and builds just fine.

Any hints on what I need to do to get the sample running?

gingters picture gingters on 27 Dec 2018

@javiercn ?

blowdart picture blowdart on 3 Jan 2019

I updated to the latest state of master branch yesterday, and the sample project still does not compile. The error changed to not being able to find the project info for Microsoft.AspNetCore.Antiforgery.csproj now:

Build FAILED.

C:\Program Files\dotnet\sdk\3.0.100-preview-009812\Sdks\Microsoft.NET.Sdk\targets\Microsoft.NET.Sdk.targets(125,5): error NETSDK1007: Cannot find project info for 'C:\Dev\sg\AspNetCore\src\Antiforgery\src\Microsoft.AspNetCore.Antiforgery.csproj'. This can indicate a missing project reference. [C:\Dev\sg\AspNetCore\src\Identity\ApiAuthorization.IdentityServer\samples\ApiAuthSample\ApiAuthSample.csproj]
    0 Warning(s)
    1 Error(s)

The ASP.NET repo by itself compiles without errors, when I run the restore.cmd or build.cmd in the root directory.
I then went into the \src\Identity\ApiAuthorization.IdentityServer\samples\ApiAuthSample directory, ran dotnet restore and dotnet build, and then I run into this problem.

Thing is, I should hand in a magazine article about that in 3 days, and I'd love to see that running before I hand in some stuff that maybe won't work for the readers :) Any ideas?

gingters picture gingters on 17 Jan 2019

@gingters I've been able to build and run the app without problems. There was a small issue due to us not updating the sample after some MVC change, but that's it.

https://github.com/aspnet/AspNetCore/pull/6805

I recommend you run .\build.cmd /t:Restore from the repo root and then dotnet build from the project folder and that should get you on your way.

javiercn picture javiercn on 17 Jan 2019

I updated the repo again, followed your steps, and I still have the issue that the build can't find the project info for the Microsoft.AspNetCore.Antiforgery project and errors out. Another clean checkout ran into the very same issue.
Did you try it on a clean checkout too, or in an already working copy, where you maybe have some old artifacts around?

gingters picture gingters on 18 Jan 2019

It's working for me on the rel/2.2 branch. Clean checkout, run the build.cmd, then I run startvs.cmd identity.sln to open the solution.

brockallen picture brockallen on 18 Jan 2019

Then there must be some undocumented dependencies, or something else I can't find out. 🤔

Also on the rel/2.2 branch, the build of the sample project fails with the same error.
When I open the Identity.sln, VS shows me about 280 build errors, all related to project information for referenced projects that somehow can't be found.

I have the .NET Core SDK 3.0.100-preview-009812 installed, VS 2017, 2017 Preview and 2019 Preview. I used the eng\scripts\InstallVisualStudio.ps1 script to install all required workloads of VS 2017 for that.

gingters picture gingters on 18 Jan 2019

It seems the sample has been moved to this location - ApiAuthSample

Ibro picture Ibro on 9 Feb 2019
👍3

Hi!

One question, why everything related to SPA in https://github.com/aspnet/AspNetCore/blob/master/src/Identity/ApiAuthorization.IdentityServer/src/Options/ClientBuilder.cs is using Implicit Grant Type?

Since December of last year I think it's not recommended https://tools.ietf.org/html/draft-ietf-oauth-security-topics-12#section-3.1.2

Thanks for all!

andresrsanchez picture andresrsanchez on 13 Mar 2019

The opinions of the OAuth folks are still in draft, and are the subject of some contention. While arguable same site cookies might provide the same protections we have problems with the implementation being different on Safari, because apple reads the spec a different way. Furthermore by sticking to JWT and the implicit flows we're opening up support for other applications by embedding Identity Server. It will be revisited again, but for now we're staying where we are.

blowdart picture blowdart on 4 Apr 2019
👍1

I think this is more about „implicit vs code + pkce“. Iirc we already discussed to move to code in a later preview.

leastprivilege picture leastprivilege on 4 Apr 2019
👍2

The links included in the issue above are invalid (404 pages).

reiniellematt picture reiniellematt on 7 Jul 2019
👍1

The links included in the issue above are invalid (404 pages).

sample
Source

Rick-Anderson picture Rick-Anderson on 11 Sep 2019

I have a project, configured using IdentityServerSPA, where everything works fine on a local dev machine, but there seems to be issues when validating tokens, when deployed to a Linux based App service on aspnet core 3.1.

It looks like when hosted on Linux, the internal IdentityServerJwtBearerOptionsConfiguration.ResolveAuthorityAndKeysAsync method, sets the Authority and ValidIssuer to the internal docker IP as the host (127.0.0.1), obtained using the IdentityServer4.Extensions.GetIdentityServerIssuerUri, instead of the actual host name of the App Service

Is there a solution or work around for this?

Pete-PlaytimeSolutions picture Pete-PlaytimeSolutions on 11 Apr 2020

@Pete-PlaytimeSolutions thanks for contacting us. This is a general discussion issue not meant for specific problems.

I would check if you are forwarding the headers to the host appropriately or check how to configure that.

If you still have issues afterwards, please file a separate issue (if you haven’t done so) so that we can follow up there.

We won’t be updating this thread further for this topic.

javiercn picture javiercn on 11 Apr 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

markrendle picture markrendle  Â·  3Comments
snebjorn picture snebjorn  Â·  3Comments
aurokk picture aurokk  Â·  3Comments
Pixel-Lord picture Pixel-Lord  Â·  3Comments
ipinak picture ipinak  Â·  3Comments