Nowadays, securing your application with a username and password alone is not enough. The number of cyber attacks is increasing day by day, and to secure your applications and APIs you need a solid authentication and authorization system.
As you can see in the picture above, modern applications are no longer simple client-server applications; instead, a web application calls a Web API, client apps call a Web API, native apps call a Web API, a Web API calls another Web API, and so on. In this kind of structure we need token-based security.
Along with a solid authentication and authorization system, we also need centralized authentication logic shared by all our applications and APIs.
Building such an authentication and authorization system ourselves would take a lot of time and effort. Instead, we can use a ready-made framework that covers all our authentication and authorization needs: that framework is IdentityServer4.
What is Identity Server?
- IdentityServer4 is the newest version of IdentityServer
- IdentityServer4 is an open source OpenID Connect and OAuth 2.0 framework for ASP.NET Core
- IdentityServer4 acts as a central authentication server for multiple applications
- It is a hostable component that implements single sign-on and access control for modern web applications and APIs using the OpenID Connect and OAuth 2.0 protocols
- IdentityServer4 is part of the .NET Foundation
So, in simple words:
- if we want to implement the OpenID Connect standard ourselves, we have to implement every rule of the specification, which is hard and time-consuming
- what if we had a component or framework that implements all of that for us, so we can just plug it into our application? That is exactly what IdentityServer4 is
- IdentityServer4 is a piece of software that issues security tokens to clients
- IdentityServer4 provides a complete authentication service, with single sign-on and sign-out, for various types of applications: mobile, web, native or even other services
- With IdentityServer4 we only need to create a login and logout page (and maybe a consent page); the rest is handled by the IdentityServer4 middleware, and client applications talk to it using the standard protocols
- IdentityServer4 can be used for securing web APIs as well
Actors in a secure world
- Users are the humans who need to access the resources of an application, an API, etc.
- A client is a piece of software that requests tokens from IdentityServer4
- A client requests a token from IdentityServer4 either to authenticate a user (an identity token) or to gain access to a resource (an access token)
- An identity token contains the identity data of the user and is used for user authentication
- An access token contains information about the client and the user and is used to access APIs
- Resources are everything worth protecting: user details, passwords, fingerprints, voice phrases of the user, APIs, etc.
- IdentityServer4 is our hero here: IdentityServer4 issues the security tokens to the clients
Some of the features of IdentityServer:
- Authentication as a service: centralized login logic for all applications and APIs
- It can be used to protect your resources
- It is an open source identity provider
- Authentication of users and/or clients
- Single sign-on
- Can be used to secure APIs
- Provides session management
- Issues identity and access tokens to clients
- Validates tokens
- Gateway to third-party identity providers like Facebook, Google, etc.
Explain the workflow
If you want to add IdentityServer to your project, it is enough to add the IdentityServer4 NuGet package from Visual Studio. In my code I use the Quickstart UI for IdentityServer4 only because it has some functionality I want to keep.
The configuration of clients, APIs and users is quite straightforward and lives in the SampleConfig.cs file.
If you download the code you can have a close look at how I set up the different applications.
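As an added illustration (this is not the SampleConfig.cs from the repository), here is what such an in-memory configuration typically looks like in IdentityServer4 2.x, covering the four parties described later in the post: the TodoApi as an API resource, the internal portal web app without consent, the external web app with consent, and a console client using the resource owner password grant. The client IDs, the "todoapi" scope name, the secrets and the test user are assumptions; the ports 9012 and 9015 are the ones the post lists for the two web apps, and /signin-oidc is the default callback path of the ASP.NET Core OpenID Connect handler.

```csharp
// Added example, not the repository's SampleConfig.cs. All names below are
// illustrative; "CHANGE-ME" values are placeholders for real secrets.
using System.Collections.Generic;
using System.Security.Claims;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Test;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public static class SampleConfig
{
    // The protected API: clients must be allowed the "todoapi" scope to call it.
    public static IEnumerable<ApiResource> GetApiResources() =>
        new List<ApiResource> { new ApiResource("todoapi", "Todo API") };

    // Identity data that can be requested with OpenID Connect.
    public static IEnumerable<IdentityResource> GetIdentityResources() =>
        new List<IdentityResource> { new IdentityResources.OpenId(), new IdentityResources.Profile() };

    public static IEnumerable<Client> GetClients() =>
        new List<Client>
        {
            // Trusted platform web app: interactive login, no consent screen.
            new Client
            {
                ClientId = "portalwebapp",
                ClientName = "Portal Web App",
                AllowedGrantTypes = GrantTypes.Hybrid,
                RequireConsent = false,
                ClientSecrets = { new Secret("portal-secret-CHANGE-ME".Sha256()) },
                RedirectUris = { "http://localhost:9012/signin-oidc" },
                PostLogoutRedirectUris = { "http://localhost:9012/signout-callback-oidc" },
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "todoapi"
                },
                AllowOfflineAccess = true   // refresh tokens for the long-lived portal session
            },
            // Third-party web app: same flow, but the user must grant consent.
            new Client
            {
                ClientId = "externalwebapp",
                ClientName = "External Web App",
                AllowedGrantTypes = GrantTypes.Hybrid,
                RequireConsent = true,
                ClientSecrets = { new Secret("external-secret-CHANGE-ME".Sha256()) },
                RedirectUris = { "http://localhost:9015/signin-oidc" },
                PostLogoutRedirectUris = { "http://localhost:9015/signout-callback-oidc" },
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "todoapi"
                }
            },
            // Console app that sends user credentials (resource owner password grant).
            new Client
            {
                ClientId = "consoleapp",
                AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
                ClientSecrets = { new Secret("console-secret-CHANGE-ME".Sha256()) },
                AllowedScopes = { "todoapi" }
            }
        };

    // Demo user; a real deployment would use ASP.NET Identity or Active Directory.
    public static List<TestUser> GetUsers() =>
        new List<TestUser>
        {
            new TestUser
            {
                SubjectId = "1",
                Username = "alice",
                Password = "alice-password-CHANGE-ME",
                Claims = { new Claim("name", "Alice"), new Claim("role", "user") }
            }
        };
}

// Registration in the IdentityServer host's Startup class.
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
        services.AddIdentityServer()
            .AddDeveloperSigningCredential()   // development only: temporary signing key
            .AddInMemoryIdentityResources(SampleConfig.GetIdentityResources())
            .AddInMemoryApiResources(SampleConfig.GetApiResources())
            .AddInMemoryClients(SampleConfig.GetClients())
            .AddTestUsers(SampleConfig.GetUsers());
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseIdentityServer();   // mounts the discovery, authorize, token and userinfo endpoints
        app.UseMvcWithDefaultRoute();
    }
}
```

Client secrets are stored as their SHA-256 hash, so the configuration never holds the plaintext a client sends; the redirect URIs are matched exactly, which is what stops a token from being delivered to a different host. AddDeveloperSigningCredential() creates a temporary key and must be replaced by a real certificate (AddSigningCredential) outside development.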
Generally speaking, I consider two groups of connections or applications:
- platform apps, APIs and services, which are trusted because they are under my direct control
- external networks and applications, such as client connections
Platform Apps, APIs and Services are trusted
These applications are under my control and run in an environment I control. The users come from my internal network or are connected to the same Active Directory, so the consent screen is not required.
In the IdentityServer configuration there is no big difference between internal and external applications.
I treat external networks and applications as third-party applications or APIs. Usually such applications and APIs connect to my systems using client credentials (a client ID and a client secret).
Also, external users log in with an account I created for them with specific
Now it is time to look at the code and see how to implement a security workflow with IdentityServer4 and C#.
This ASP.NET Core 2.0 application hosts IdentityServer. All configuration (users, APIs and clients) is static, in the SampleConfig.cs file.
IdentityServer is registered in Startup.cs. The sources in the Quickstart folder are taken from https://github.com/IdentityServer/IdentityServer4.Quickstart.UI without modification.
First, this project provides the basics for accessing an API with the help of an SDK. In a production environment this would be a NuGet package.
Second, this ASP.NET Core 2.0 application hosts the demo to-do API. All configuration (users, APIs and clients) is static, in the ApiSampleOptions.cs file.
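To show what the API side has to do with the tokens IdentityServer issues, here is an added example (not the repository's TodoApi code) using the IdentityServer4.AccessTokenValidation package on ASP.NET Core 2.0. The authority URL is a placeholder, since the post does not give the IdentityServer host's address; the "todoapi" name and the sample tasks are constructed.

```csharp
// Added example, not the repository's TodoApi. Authority URL is a placeholder.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvcCore()
            .AddAuthorization()
            .AddJsonFormatters();

        // The handler downloads the discovery document and signing keys from the
        // authority, then checks issuer, signature, lifetime and that the token was
        // issued for this API (ApiName) before any controller code runs.
        services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "https://localhost:PORT-OF-IDENTITYSERVER"; // placeholder
                options.ApiName = "todoapi";            // must equal the ApiResource name
                options.RequireHttpsMetadata = true;    // only relax this for local development
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();   // validates the bearer token on every request
        app.UseMvc();
    }
}

[Route("api/[controller]")]
[Authorize]   // no valid token -> 401 before the action is reached
public class TasksController : ControllerBase
{
    // Constructed sample data standing in for the demo's task collection.
    private static readonly string[] SampleTasks = { "Write blog post", "Review pull request" };

    [HttpGet]
    public IActionResult Get()
    {
        // "sub" identifies the user, "client_id" the application that called us;
        // a client-credentials token has a client_id but no sub.
        var subject = User.FindFirst("sub")?.Value;
        var clientId = User.FindFirst("client_id")?.Value;
        return Ok(new { subject, clientId, tasks = SampleTasks });
    }
}
```

ApiName is what ties a token to this API: a token minted for another API resource fails the audience check and the request gets a 401, so the scope granted in IdentityServer, not the caller's word, decides which APIs a token can reach.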
This project provides a client, TodoApiClient, for accessing the TodoApi. It gives you a client for authentication and for receiving typed data. In a production environment this would be a NuGet package.
This ASP.NET Core 2.0 application represents the “Portal Web Application” the user interacts with.
It has a navigation element to fetch the tasks from the TodoApi with the help of the TodoApiSdk, and a navigation element to view your claims.
Both clicks redirect you to the IdentityServerHost, where you have to log in. Afterwards you are redirected back to this application.
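An added example (not the repository's PortalWebApp) of how a portal web application performs that redirect-and-callback with the OpenID Connect hybrid flow, keeps the tokens in its authentication cookie, and then calls the TodoApi with the access token. The authority URL and client secret are placeholders; the client ID "portalwebapp" and the "todoapi" scope are assumptions, and http://localhost:9011/api/Tasks is the API address from the post's table.

```csharp
// Added example, not the repository's PortalWebApp. Authority and secret are placeholders.
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
        // Keep the short claim types ("sub", "name") instead of the legacy SOAP-style URIs.
        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

        services.AddAuthentication(options =>
            {
                options.DefaultScheme = "Cookies";         // local session after login
                options.DefaultChallengeScheme = "oidc";   // unauthenticated -> redirect to IdentityServer
            })
            .AddCookie("Cookies")
            .AddOpenIdConnect("oidc", options =>
            {
                options.SignInScheme = "Cookies";
                options.Authority = "https://localhost:PORT-OF-IDENTITYSERVER"; // placeholder
                options.ClientId = "portalwebapp";
                options.ClientSecret = "portal-secret-CHANGE-ME";              // placeholder
                options.ResponseType = "code id_token";     // hybrid flow
                options.SaveTokens = true;                  // store id/access/refresh tokens in the cookie
                options.GetClaimsFromUserInfoEndpoint = true;
                options.Scope.Add("todoapi");               // ask for an access token usable at the API
                options.Scope.Add("offline_access");        // refresh token
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
        app.UseMvcWithDefaultRoute();
    }
}

public class HomeController : Controller
{
    private static readonly HttpClient Http = new HttpClient();

    // Claims view: what the id_token and userinfo endpoint said about the user.
    [Authorize]
    public IActionResult Claims() => View(User.Claims);

    // Tasks view: forward the access token obtained at login to the API.
    [Authorize]
    public async Task<IActionResult> Tasks()
    {
        var accessToken = await HttpContext.GetTokenAsync("access_token");
        var request = new HttpRequestMessage(HttpMethod.Get, "http://localhost:9011/api/Tasks");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        var response = await Http.SendAsync(request);
        if (!response.IsSuccessStatusCode)
            return StatusCode((int)response.StatusCode);   // 401: the API rejected the token

        ViewBag.Json = await response.Content.ReadAsStringAsync();
        return View();
    }
}
```

The [Authorize] attribute triggers the challenge scheme, which is the redirect to IdentityServer the post describes; after the callback the cookie carries the session, and the access token is retrieved from it with GetTokenAsync rather than being stored anywhere the browser's JavaScript can read it.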
This ASP.NET Core 2.0 application represents an “External Web Application” which is not part of the platform and maybe run by an external company.
This application also provides navigation elements for tasks and claims, but after login the user has to accept the access request for this application via the IdentityServer consent screen, as shown above.
This is just a simple console application with a usual name, based on .NET Core 2.0. It represents a simple client that calls the API with the TodoApiSdk and hard-coded user credentials.
In a real-world scenario this could be any .NET desktop, server or mobile application.
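An added example (not the repository's console application) of the console client's flow using the IdentityModel 3.x HttpClient extensions: discover the token endpoint, exchange the user's credentials with the resource owner password grant, and call the API with the bearer token. The authority URL is a placeholder and the client ID, secret variable names and scope are assumptions. Where the post's version hard-codes the user credentials, this example reads them from environment variables so they never end up in source control.

```csharp
// Added example, not the repository's console app. Authority URL is a placeholder;
// credentials come from environment variables instead of being hard-coded.
using System;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;

public static class Program
{
    private const string Authority = "https://localhost:PORT-OF-IDENTITYSERVER"; // placeholder
    private const string ApiUrl = "http://localhost:9011/api/Tasks";

    public static int Main() => RunAsync().GetAwaiter().GetResult();

    private static async Task<int> RunAsync()
    {
        var username = Environment.GetEnvironmentVariable("TODO_USER");
        var password = Environment.GetEnvironmentVariable("TODO_PASSWORD");
        var clientSecret = Environment.GetEnvironmentVariable("TODO_CLIENT_SECRET");
        if (username == null || password == null || clientSecret == null)
        {
            Console.Error.WriteLine("set TODO_USER, TODO_PASSWORD and TODO_CLIENT_SECRET");
            return 2;
        }

        var client = new HttpClient();

        // 1. Discovery: read the token endpoint from the authority's metadata.
        var disco = await client.GetDiscoveryDocumentAsync(Authority);
        if (disco.IsError)
        {
            Console.Error.WriteLine($"discovery failed: {disco.Error}");
            return 1;
        }

        // 2. Resource owner password grant: user credentials plus the client's own secret
        //    are exchanged for an access token limited to the "todoapi" scope.
        var tokenResponse = await client.RequestPasswordTokenAsync(new PasswordTokenRequest
        {
            Address = disco.TokenEndpoint,
            ClientId = "consoleapp",
            ClientSecret = clientSecret,
            UserName = username,
            Password = password,
            Scope = "todoapi"
        });
        if (tokenResponse.IsError)
        {
            Console.Error.WriteLine($"token request failed: {tokenResponse.Error}");
            return 1;
        }

        // 3. Call the API with the bearer token; the API validates it against the authority.
        client.SetBearerToken(tokenResponse.AccessToken);
        var response = await client.GetAsync(ApiUrl);
        Console.WriteLine($"{(int)response.StatusCode} {await response.Content.ReadAsStringAsync()}");
        return response.IsSuccessStatusCode ? 0 : 1;
    }
}
```

The password grant hands the user's password to the client, which is why IdentityServer4 only allows it for clients explicitly configured with GrantTypes.ResourceOwnerPassword and why it suits trusted first-party tools rather than third-party applications, which should use the browser-based flows the two web apps use.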
Run my examples
Clone this repository or download this repository as zip file.
git clone https://github.com/erossini/SecurityWithIdSrv4.git
See all the information needed to run this demo below:
|Project|URL|Description|
|---|---|---|
|Todo API|http://localhost:9011/api/Tasks|Returns a sample task collection|
|Portal Web|http://localhost:9012/|“Internal” web app|
|External Web|http://localhost:9015/|“External” web app|
PortalWebApp via dotnet.exe from the command prompt, or use the multiple startup projects configuration of Visual Studio (right-click the solution -> Set Startup Projects).
Once started, two browser instances will launch for
TodoApi starts without a browser instance.
After a successful login you will be redirected to the Tasks view.
Workflow: the PortalWebApp application uses the TodoApi client to receive the tasks from the TodoApi.
Tasks and you will have to log in to IdentityServer and accept the application access request.
Afterwards you will be redirected to the web app and will see the tasks loaded from the TodoApi.
The console will now authenticate with the hard-coded credentials and request the tasks from the TodoApi.
Also, if you want to add third-party access, I posted some time ago how to connect Microsoft login to IdentityServer4.
You find the source code of this post on GitHub.