IdentityServer

IdentityServer is a framework and a hostable component that allows implementing single sign-on and access control for modern web applications and APIs using protocols like OpenID Connect and OAuth2. It supports a wide range of clients like mobile, web, SPAs and desktop applications and is extensible to allow integration in new and existing architectures.

OpenID Connect

Authentication is different from Authorization.

OpenID Connect provides both authentication and authorization in one protocol by layering authentication on top of the OAuth2 authorization protocol. Both protocols use HTTP and JSON.

Token Types

Scopes

Scopes are identifiers for resources that a client wants to access. When a client requests a token from the Identity Server, it must include in the request the list of scopes it wants access to.

There are 02 types of scopes:
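The following is an added example, not code from the page: it shows how IdentityServer4 (v4) declares scopes on the server side, separating identity scopes (user data that ends up in the ID token) from API scopes (permissions that end up in the access token), and how a client is restricted to the scopes it is allowed to request. Scope names such as "api1.read", the client id and the secret are assumed placeholders.

```csharp
// Added example (not from the page): scope configuration for IdentityServer4 (v4).
// Names like "api1.read", "mvc" and the secret value are assumed placeholders.
using System.Collections.Generic;
using IdentityServer4.Models;

public static class ScopeConfig
{
    // Identity scopes describe the user; the granted ones become claims in the
    // ID token and at the userinfo endpoint. "openid" is mandatory for OIDC requests.
    public static IEnumerable<IdentityResource> IdentityResources =>
        new List<IdentityResource>
        {
            new IdentityResources.OpenId(),   // subject identifier ("sub")
            new IdentityResources.Profile(),  // name, family_name, picture, ...
            new IdentityResources.Email()     // email, email_verified
        };

    // API scopes describe permissions on an API; the granted ones appear in the
    // access token's "scope" claim and are checked by the API, not by the user.
    public static IEnumerable<ApiScope> ApiScopes =>
        new List<ApiScope>
        {
            new ApiScope("api1.read", "Read access to API 1"),
            new ApiScope("api1.write", "Write access to API 1")
        };

    // An API resource groups scopes and sets the audience ("aud") the API validates.
    public static IEnumerable<ApiResource> ApiResources =>
        new List<ApiResource>
        {
            new ApiResource("api1", "API 1") { Scopes = { "api1.read", "api1.write" } }
        };

    // A client may only receive scopes that are both requested and listed here.
    // Requesting anything else (for example "api1.write" below) fails with invalid_scope,
    // so least privilege is enforced at registration time, not only at request time.
    public static IEnumerable<Client> Clients =>
        new List<Client>
        {
            new Client
            {
                ClientId = "mvc",
                AllowedGrantTypes = GrantTypes.Code,
                ClientSecrets = { new Secret("replace-me".Sha256()) },
                RedirectUris = { "https://localhost:5002/signin-oidc" },
                AllowedScopes = { "openid", "profile", "email", "api1.read" }
            }
        };
}
```

These collections are what the host later hands to AddInMemoryIdentityResources, AddInMemoryApiScopes, AddInMemoryApiResources and AddInMemoryClients. Keeping write scopes out of a client's AllowedScopes is the simplest way to ensure a compromised front-end cannot obtain a token that the API would accept for mutations.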

Workflow

Authorization Code Flow (Uses Front channel + Back channel)

Most suitable for server-side clients, where the client can securely maintain a secret.

Implicit Flow (Uses Front channel only)

Most suitable for browser-based clients, which cannot sensibly maintain a client secret and therefore cannot authenticate themselves with the authorization server.

Because an authenticated session exists between the browser and the authorization server, it is possible to resubmit the authentication request and receive a new set of tokens when the current access token expires.

Hybrid Flow

Most suitable for native and mobile apps. It is best combined with PKCE (Proof Key for Code Exchange), which ensures that another client cannot use the authorization code to request tokens.

Resource Owner (Credentials) Flow (Uses Back channel only)

Used in highly trusted applications, where the password is stored.

A refresh token cannot be requested; the client must re-authenticate itself and request another access token when necessary.

Client Credentials Flow (Uses Back channel only)

Used for highly trusted clients when no other flow can be used.

A refresh token cannot be requested; the client must re-authenticate itself and request another access token when necessary.
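To make the flow descriptions above concrete, here is an added example (not from the page) of one IdentityServer4 (v4) Client registration per flow. Each entry shows the settings that distinguish the flow: whether a secret exists, whether PKCE is required, whether tokens may travel through the browser, and whether refresh tokens are available. Client ids, redirect URIs and secret values are assumed placeholders.

```csharp
// Added example (not from the page): one IdentityServer4 (v4) client per flow.
// Client ids, redirect URIs and secrets are assumed placeholders.
using System.Collections.Generic;
using IdentityServer4.Models;

public static class FlowClients
{
    public static IEnumerable<Client> Clients => new List<Client>
    {
        // Authorization Code Flow: the front channel returns only a code; the back
        // channel exchanges it for tokens using a secret the browser never sees.
        new Client
        {
            ClientId = "server-web-app",
            AllowedGrantTypes = GrantTypes.Code,
            ClientSecrets = { new Secret("replace-me".Sha256()) },
            RequirePkce = true,                 // defence in depth even with a secret
            RedirectUris = { "https://localhost:5002/signin-oidc" },
            AllowedScopes = { "openid", "profile", "api1.read" },
            AllowOfflineAccess = true           // refresh tokens via "offline_access"
        },

        // Implicit Flow: tokens come back through the front channel. There is no secret,
        // so the exact registered redirect URI and the nonce are the main protections,
        // and returning tokens through the browser must be enabled explicitly.
        new Client
        {
            ClientId = "legacy-spa",
            AllowedGrantTypes = GrantTypes.Implicit,
            RequireClientSecret = false,
            AllowAccessTokensViaBrowser = true,
            RedirectUris = { "https://localhost:5003/callback.html" },
            AllowedScopes = { "openid", "profile", "api1.read" },
            AccessTokenLifetime = 600           // keep exposure short: no refresh tokens here
        },

        // Hybrid Flow for a native/mobile app: ID token in the front channel, code
        // redeemed on the back channel. PKCE binds the code to the app instance that
        // started the request, so an intercepted code cannot be redeemed elsewhere.
        new Client
        {
            ClientId = "mobile-app",
            AllowedGrantTypes = GrantTypes.Hybrid,
            RequireClientSecret = false,        // a public client cannot keep a secret
            RequirePkce = true,
            RedirectUris = { "com.example.app:/oauth2redirect" },
            AllowedScopes = { "openid", "profile", "api1.read" },
            AllowOfflineAccess = true
        },

        // Resource Owner Password Credentials: the client handles the user's password
        // itself, so only a highly trusted first-party client should be registered this way.
        new Client
        {
            ClientId = "trusted-first-party",
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
            ClientSecrets = { new Secret("replace-me".Sha256()) },
            AllowedScopes = { "openid", "api1.read" }
            // AllowOfflineAccess left false: the client re-authenticates for a new token
        },

        // Client Credentials: machine-to-machine, no user involved. The access token
        // carries the client's identity, not a subject, and has no refresh token.
        new Client
        {
            ClientId = "batch-job",
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            ClientSecrets = { new Secret("replace-me".Sha256()) },
            AllowedScopes = { "api1.read" }
        }
    };
}
```

Reading the entries side by side shows the trade-off the page describes: the less a client can protect a secret, the more the configuration leans on PKCE, strict redirect URIs and short token lifetimes.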

Single Sign On

With Single Sign On, a user who is already authenticated with an authorization server is not asked to enter credentials again when running another application that connects to the same authorization server.

Identity Server .Net Core

Using the Identity Server framework involves 02 parts:

1- Server: an ASP.NET application that implements the interface of the supported protocols (OAuth2) using a middleware.

2- Client: an ASP.NET application that talks to the Server to request authorization and validation.

In order to give the Client the proper user access, you have to inform (configure) the Server about the User and the Application.
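The two parts above, as an added example (not the page's or the project's own code): a minimal IdentityServer4 (v4) host that is told about one Application (a Client registration) and one User (an in-memory test user), and an ASP.NET Core MVC client that delegates sign-in to it over OpenID Connect using the authorization code flow with PKCE. Ports, the client id, the secret and the test user are assumed placeholders.

```csharp
// Added example (not from the page): wiring the Server and the Client.
// Ports, client id, secret and the test user are assumed placeholders.
using System.Collections.Generic;
using System.Security.Claims;
using IdentityModel;
using IdentityServer4.Models;
using IdentityServer4.Test;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

// ---- Part 1: the Server. It must know the Application (Client) and the User. ----
public class ServerStartup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer()
            // The Application: which client may ask for tokens, how, and for what
            .AddInMemoryClients(new[]
            {
                new Client
                {
                    ClientId = "mvc",
                    ClientSecrets = { new Secret("replace-me".Sha256()) },
                    AllowedGrantTypes = GrantTypes.Code,
                    RequirePkce = true,
                    RedirectUris = { "https://localhost:5002/signin-oidc" },
                    PostLogoutRedirectUris = { "https://localhost:5002/signout-callback-oidc" },
                    AllowedScopes = { "openid", "profile" }
                }
            })
            .AddInMemoryIdentityResources(new IdentityResource[]
            {
                new IdentityResources.OpenId(), new IdentityResources.Profile()
            })
            // The User: in-memory test store; a real host uses ASP.NET Identity
            // or another user store instead
            .AddTestUsers(new List<TestUser>
            {
                new TestUser
                {
                    SubjectId = "1", Username = "alice", Password = "replace-me",
                    Claims = { new Claim(JwtClaimTypes.Name, "Alice Example") }
                }
            })
            // Development-only signing key; production needs a persisted key
            .AddDeveloperSigningCredential();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseIdentityServer();   // serves /.well-known/openid-configuration and /connect/*
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}

// ---- Part 2: the Client. It delegates login to the Server via OpenID Connect. ----
public class ClientStartup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();

        services.AddAuthentication(options =>
        {
            options.DefaultScheme = "Cookies";        // local session after sign-in
            options.DefaultChallengeScheme = "oidc";  // where unauthenticated users go
        })
        .AddCookie("Cookies")
        .AddOpenIdConnect("oidc", options =>
        {
            options.Authority = "https://localhost:5001";   // the Server
            options.ClientId = "mvc";
            options.ClientSecret = "replace-me";
            options.ResponseType = "code";   // authorization code flow (back channel)
            options.UsePkce = true;
            options.Scope.Clear();
            options.Scope.Add("openid");
            options.Scope.Add("profile");
            options.SaveTokens = true;       // keep tokens in the session for API calls
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // reads the session cookie
        app.UseAuthorization();    // enforces [Authorize] and triggers the OIDC challenge
        app.UseEndpoints(endpoints =>
            endpoints.MapDefaultControllerRoute().RequireAuthorization());
    }
}
```

The handshake is visible in the configuration: the Server's RedirectUris must match the Client's callback exactly, and the ClientId, secret and scopes must agree on both sides, otherwise the Server rejects the request before any user is involved.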

Jargon

OAuth2 authorization code flow

Authorization code flow

OpenId Connect (OIDC)

It is basically OAuth2 extended to also request an ID token (JWT).

How-to

Examples

References