Implement security workflow with Identity Server


The goal of this post is to implement a security workflow with Identity Server 4 and C# across projects and services. With a bunch of examples, I’m going to show, practically, how to do it.

Scenario

Nowadays, securing your application with a username and password is not enough. The number of cyber attacks is increasing day by day, and to secure your applications\APIs you need a solid authentication and authorization system.

Scenario with Identity Server

Then, as you can see in the above picture, modern applications are not just simple client-server applications but look more like this: Web Application calls -> Web API; Client Apps call -> Web API; Native apps call -> Web API; Web API calls -> Web API; etc. In this complex structure, we need token-based security.

Along with having a solid authentication & authorization system, we also need centralized auth logic for all our applications\APIs.

Building such an authentication & authorization system ourselves would take a lot of time and effort. Instead, we can use a ready-made framework for all our authentication and authorization needs: that framework is called IdentityServer4.

What is Identity Server?

  • IdentityServer4 is the newest version of IdentityServer
  • IdentityServer4 is an open source OpenID Connect and OAuth 2.0 framework for ASP.NET Core
  • IdentityServer4 acts as a central authentication server for multiple applications
  • It is a hostable component that allows implementing single sign-on and access control for modern web applications and APIs using protocols like OpenID Connect and OAuth2
  • IdentityServer4 is part of the .NET Foundation

So, in simple words:

  • if we want to implement the OpenID standard, we need to implement all the rules of the standard, but building that is quite hard and time-consuming
  • what if we had a component or a framework which implements all that code for us, so we can just plug it into our application? That is exactly what IdentityServer4 is
  • IdentityServer4 is a piece of software that issues security tokens to clients
  • IdentityServer4 is responsible for providing a complete authentication service, with single sign-on and sign-out, for various types of applications such as mobile, web, native or even other services
  • With IdentityServer4, we only need to create a login and logout page (and maybe a consent page); the rest is done by the IdentityServer4 middleware. Client applications then communicate with it using those standard protocols
  • IdentityServer4 can be used for securing web APIs as well

Actors in a secure world

Actors in Identity Server
  • Users are humans who need to access the resources of the application, APIs etc.
  • A Client is a piece of code which calls IdentityServer4
  • The Client requests a token from IdentityServer4 either to authenticate the user (an Identity token) or to gain access to resources (an Access token)
  • An Identity token contains the identity data of the user and is used for user authentication
  • An Access token contains information about the client & user and is used to access the APIs
  • Resources are all the important data that need protecting, like user details, passwords, fingerprints, voice phrases of the user, APIs etc.
  • IdentityServer4 is our hero here: IdentityServer4 issues the security tokens to clients

Some of the features of IdentityServer:

  • Authentication as a service: centralized login logic for all the applications\APIs etc.
  • It can be used to protect your resources
  • It is an open source Identity Provider
  • Authentication of users and\or clients
  • Single sign-on
  • Can be used to secure APIs
  • Provides session management
  • Issues identity and access tokens to clients
  • Validates tokens
  • Gateway to third-party identity providers like Facebook, Google etc.

Explain the workflow

As I said in the introduction, I want to show how to implement a security workflow with Identity Server 4 and C#. You can find the documentation for Identity Server 4 on its official site.

If you want to add Identity Server to your project, it is enough to add the IdentityServer4 NuGet package from Visual Studio. In my code, I use the Quickstart for IdentityServer4 only because there are some functionalities I want to keep.

IdentityServer4 Nuget package

The configuration of clients, APIs and users is quite straightforward and happens in the SampleConfig.cs file.

If you download the code, you can have a close look at how I set up the different applications.

Generally speaking, I consider two groups of connections or applications:

  • platform apps, APIs, and services, which are trusted because they are under my direct control
  • external networks and applications, such as client connections

Security Workflow with Identity Server

Platform Apps, APIs and Services are trusted

Those kinds of applications are under my control and run in an environment I control. Also, the users come from my internal network or are connected to the same Active Directory, so the consent screen is not required.

In the Identity Server configuration, there is not a big difference between internal and external applications.

External networks/applications

I treat those kinds of applications as third-party applications or APIs. Usually, applications and APIs connect to my systems using client credentials (client ID and client secret).

Also, external users log in with an account I created for them with specific claims or roles.
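The two groups above differ mainly in one setting. As an added illustration (not the repository's SampleConfig.cs), here is an in-memory configuration in that file's style with a trusted portal client, an external client that must pass the consent screen, and a console client that uses client plus user credentials; client ids, secrets, ports and the user's claims are assumptions:

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using IdentityServer4.Models;
using IdentityServer4.Test;

// Hypothetical in-memory configuration in the style of the post's SampleConfig.cs.
// Client ids, secrets, ports and user data are assumptions, not the repository's values.
public static class SampleConfig
{
    public static IEnumerable<IdentityResource> GetIdentityResources() =>
        new IdentityResource[] { new IdentityResources.OpenId(), new IdentityResources.Profile() };

    // The API resource name is the audience every access token for TodoApi must carry.
    public static IEnumerable<ApiResource> GetApiResources() =>
        new[] { new ApiResource("todoapi", "Todo API") };

    public static IEnumerable<Client> GetClients() => new[]
    {
        // Trusted platform app: under the platform's control, so no consent screen.
        new Client
        {
            ClientId = "portalwebapp",
            ClientSecrets = { new Secret("portal-secret".Sha256()) },
            AllowedGrantTypes = GrantTypes.Hybrid,
            RequireConsent = false,
            RedirectUris = { "https://localhost:9012/signin-oidc" },
            AllowedScopes = { "openid", "profile", "todoapi" }
        },
        // External third-party app: same protocol setup, but the user must approve access.
        new Client
        {
            ClientId = "externalwebapp",
            ClientSecrets = { new Secret("external-secret".Sha256()) },
            AllowedGrantTypes = GrantTypes.Hybrid,
            RequireConsent = true,
            RedirectUris = { "https://localhost:9015/signin-oidc" },
            AllowedScopes = { "openid", "profile", "todoapi" }
        },
        // Console client: exchanges its own secret plus a user's credentials for an
        // access token that is limited to the API scope (no identity scopes).
        new Client
        {
            ClientId = "adminconsole",
            ClientSecrets = { new Secret("console-secret".Sha256()) },
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
            AllowedScopes = { "todoapi" }
        }
    };

    // Test user with a claim the portal's "claims" page can display.
    public static List<TestUser> GetUsers() => new List<TestUser>
    {
        new TestUser { SubjectId = "1", Username = "enrico", Password = "password", Claims = { new Claim("role", "admin") } }
    };
}
```

RequireConsent is the only difference between the two web clients; the redirect URIs are whitelisted per client, so a token can never be delivered to an address the client did not register.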

Projects

Now, it is time to look at the code to show how to implement a security workflow with Identity Server 4 and C#.

External application for security workflow with Identity Server 4
External application for security workflow with Identity Server 4: consent screen

IdentityServerHost

So, this ASP.NET Core 2.0 application hosts the IdentityServer. All configuration, such as users, APIs and clients, is static in the SampleConfig.cs file.

The IdentityServer is registered inside of Startup.cs. The sources inside the Quickstart are taken from https://github.com/IdentityServer/IdentityServer4.Quickstart.UI without modifications.

BaseApiSDK

First, this project provides the basic building blocks for accessing an API with the help of an SDK. In a production environment this would be a NuGet package.

TodoApi

Second, this ASP.NET Core 2.0 application hosts the demo to-do API. All configuration, such as users, APIs and clients, is static in the ApiSampleOptions.cs file.
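The API only accepts tokens issued by IdentityServerHost for its own resource. As an added example (not the repository's TodoApi code), this is the Startup wiring that performs that check with the IdentityServer4.AccessTokenValidation package; the authority URL and the API name "todoapi" are assumptions, and the name must match the ApiResource registered on the server:

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical Startup for the TodoApi, not the repository's code. The authority URL
// and the API name are assumptions; the API name must match the ApiResource name
// configured in IdentityServerHost.
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvcCore().AddAuthorization().AddJsonFormatters();

        // Validate every bearer token against IdentityServerHost: the signing keys come
        // from its discovery document, the lifetime is checked, and the audience must
        // be "todoapi", so a token issued for another API on the same server is rejected.
        services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "https://localhost:9010";  // IdentityServerHost (assumed port)
                options.RequireHttpsMetadata = true;            // never fetch metadata over plain HTTP
                options.ApiName = "todoapi";
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();   // must run before MVC so [Authorize] sees the principal
        app.UseMvc();
    }
}
```

With this in place a controller decorated with [Authorize] returns 401 for a missing or invalid token and 403 when the token is valid but lacks the required claims.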

TodoApiSdk

This project provides a TodoApiClient class for accessing the TodoApi. It gives you a client for authentication and for receiving typed data.

In a production environment this would be a NuGet package.

PortalWebApp

This ASP.NET Core 2.0 application represents the “Portal Web Application” the user interacts with.

Then, you have a navigation element to receive the tasks from the TodoApi with the help of the TodoApiSdk, and you have a navigation element to view your claims.

Finally, both clicks will redirect you to the IdentityServerHost, where you have to log in. Afterwards you will be redirected back to this application.

ExternalWebApp

This ASP.NET Core 2.0 application represents an “External Web Application” which is not part of the platform and may be run by an external company.

This application also provides navigation elements for tasks and claims, but after the login the user has to accept the access request for this application via the IdentityServer consent screen, as shown above.

AdminConsoleClient

This is just a simple .NET Core 2.0 console application. It represents a simple client which calls the API with the TodoApiSdk and hard-coded user credentials.

In a real-world scenario this could be any .NET desktop/server/mobile application.
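As an added example (not the repository's AdminConsoleClient or TodoApiSdk), this is the token flow such a console client performs, written against the IdentityModel client library instead of the post's SDK: discover the token endpoint, exchange the client secret plus the hard-coded user credentials for an access token scoped to the API, and call the API with it. The authority URL, client id, secret and scope are assumptions:

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;

// Hypothetical console client in the style of AdminConsoleClient. The authority URL,
// client id/secret, scope and API URL are assumptions, not the repository's values.
public static class Program
{
    private const string Authority = "https://localhost:9010";   // IdentityServerHost (assumed port)
    private const string TasksUrl = "https://localhost:9011/api/Tasks";

    public static async Task<int> Main()
    {
        using (var http = new HttpClient())
        {
            // 1. Discover the token endpoint instead of hard-coding it; the library
            //    checks that the issuer in the document matches the authority asked for.
            var disco = await http.GetDiscoveryDocumentAsync(Authority);
            if (disco.IsError) { Console.WriteLine($"Discovery failed: {disco.Error}"); return 1; }

            // 2. Resource owner password grant: the client's secret plus the user's
            //    credentials (hard-coded here, as in the demo) for an access token
            //    limited to the "todoapi" scope.
            var token = await http.RequestPasswordTokenAsync(new PasswordTokenRequest
            {
                Address = disco.TokenEndpoint,
                ClientId = "adminconsole",
                ClientSecret = "console-secret",
                UserName = "enrico",
                Password = "password",
                Scope = "todoapi"
            });
            if (token.IsError) { Console.WriteLine($"Token request failed: {token.Error}"); return 1; }

            // 3. Call the API with the bearer token; TodoApi validates issuer, signature,
            //    expiry and audience before returning the tasks.
            http.SetBearerToken(token.AccessToken);
            var response = await http.GetAsync(TasksUrl);
            Console.WriteLine($"{(int)response.StatusCode} {await response.Content.ReadAsStringAsync()}");
            return response.IsSuccessStatusCode ? 0 : 1;
        }
    }
}
```

The access token never contains the user's password; only the token, with its short lifetime and "todoapi" audience, travels to the API.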

Run my examples

Clone this repository or download this repository as zip file.

git clone https://github.com/erossini/SecurityWithIdSrv4.git

See all the information needed to run this demo below:

Endpoints

Application    URL                                 Description
Todo API       https://localhost:9011/api/Tasks    Returns a sample task collection
Portal Web     https://localhost:9012/             “Internal” Web App
External Web   https://localhost:9015/             “External” Web App

Sample Credentials

Username: enrico

Password: password

Portal WebApp

Start IdentityServerHost, TodoApi and PortalWebApp via dotnet.exe on your cmd, or use the multiple startup projects configuration of Visual Studio (right click on the solution -> Set Startup Projects).

Multiple startup projects for security with Identity Server 4

Once started, two browser instances will launch for IdentityServerHost and PortalWebApp. TodoApi will start without a browser instance.

Click on Tasks in PortalWebApp. Since you are not authorized yet, it will redirect you to the login page of the IdentityServer.

After your login is successful, you will be redirected to the Tasks view.

Workflow: the PortalWebApp application uses the TodoApi client to receive the tasks from the TodoApi.

Claims for my user with security with Identity Server 4

External WebApp

Start IdentityServerHost, TodoApi and ExternalWebApp.

Click on Tasks and you will have to log into the IdentityServer and accept the application's access request.

Afterwards you will be redirected to the WebApp and will see the tasks loaded from the TodoApi.

Admin Console

Start IdentityServerHost, TodoApi and AdminConsoleClient.

Multiple startup projects for security with Identity Server 4

The console will now authenticate with the hard-coded credentials and request the tasks from the TodoApi.

Security with Identity Server 4 in a console application

Conclusion

Also, if you want to add third-party access, I posted some time ago how to connect Microsoft login to Identity Server 4.

You can find the source code of this post on GitHub.