![Page 1: OAuth2 and IdentityServer3](https://reader036.vdocuments.net/reader036/viewer/2022062302/587756571a28ab84388b754f/html5/thumbnails/1.jpg)
OAUTH2 AND IDENTITYSERVER3
Integrating into your application
What we will and won’t cover
■ Will – What is Identity Server and why use it.
■ Will – How to start integrating into your app.
■ Will – Extension points, customisation points, token types.
■ Will – Nasty bits, hard stuff, pain points.
■ Won’t – Detail or explain all OAuth2 flows.
■ Won’t – Show every possible integration scenario and customisation point.
■ Take away
– Having a good idea on technical cost, difficulty and suitability for a given situation.
– How to begin and where to go from there.
It’s not you, it’s me
■ Paul Glavich
■ @glav, [email protected]
■ ASP.Net MVP 12 years
■ Author 3 books, various articles, http://weblogs.asp.net/pglavich
■ International speaker (does NZ count?)
■ ASPInsider
■ CTO Saasu.com
What is Identity Server
■ Spec-compliant OAuth2 Authorisation server (STS)
– (That means it’s big and complex)
■ OAuth2 flows and OpenID connect
■ Can integrate with external providers (google etc)
■ Open source (Dominick Baier and Brock Allen)
– Identity Server 3 v2.5 (latest)
– Identity Server 4 (support for .Net core/vNext) – In progress
■ Series of Nuget packages, Owin based implementation
Free accessories
■ Identity Manager
– In beta
– Tool to admin users, claims etc.
– Similar to website admin tool
■ Identity Model
– Helper classes
– Client code
■ https://identityserver.github.io/
Why bother?
■ Can develop your own, right…?
Writing your own OAuth/Identity Server
■ It can be done…
■ But often ends in tears.
Alternatives
■ Other alternatives
– Auth0 ( https://auth0.com/ )
■ Cloud based, good integration hooks, some cost
– Azure/AD ( https://azure.microsoft.com/en-us/services/active-directory/ )
■ Cloud, multi-protocol, some cost
– WSO2 ( http://wso2.com/ )
■ Java, multi-protocol (WS-*, OpenId, EIB) – open source and paid versions.
Getting started
■ Install nuget package “IdentityServer3”
■ Configure startup
■ Demo: Simplest setup
Logging
■ Supports a variety of pluggable log sources.
■ Get logging working first and worry about all the flows later.
■ Saves hours in debugging time.
■ Supports Serilog, Nlog, Log4Net, Enterprise Library & Loupe.
– Install requisite nuget package
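The "Getting started" and "Logging" slides together describe one startup: install the package, configure the options, and get a log sink attached before chasing any flow. The following is an added example, not the talk's demo code and not IdentityServer3's own samples. It assumes IdentityServer3 v2.x with the Microsoft.Owin.Host.SystemWeb, Serilog and Serilog.Sinks.Trace packages; the certificate path, passwords, client ids, secrets, redirect URIs and the demo user are placeholders. The logger is configured first because IdentityServer3 locates Serilog (or NLog, log4net and the others listed on the slide) through LibLog, so no IdentityServer-specific adapter is needed.

```csharp
// Added example (not the talk's demo code and not IdentityServer3's own samples):
// minimal OWIN startup for IdentityServer3 v2.x with in-memory configuration, logging wired up first.
// Assumed NuGet packages: IdentityServer3, Microsoft.Owin.Host.SystemWeb, Serilog, Serilog.Sinks.Trace.
// Host names, certificate path, client ids, secrets and users are placeholders.
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using IdentityServer3.Core;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.InMemory;
using Owin;
using Serilog;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Logging first. IdentityServer3 finds Serilog (or NLog, log4net, ...) through LibLog,
        // so configuring the logger is all that is needed; no adapter package is required.
        Log.Logger = new LoggerConfiguration().MinimumLevel.Debug().WriteTo.Trace().CreateLogger();

        var factory = new IdentityServerServiceFactory()
            .UseInMemoryClients(DemoConfig.Clients())
            .UseInMemoryScopes(DemoConfig.Scopes())
            .UseInMemoryUsers(DemoConfig.Users());

        var options = new IdentityServerOptions
        {
            SiteName = "Demo IdentityServer",
            // Token signing key. Use a certificate whose private key is protected by the host
            // (machine store, HSM); the file path and password below are placeholders.
            SigningCertificate = new X509Certificate2(@"C:\certs\idsrv-signing.pfx", "PLACEHOLDER_PASSWORD"),
            RequireSsl = true,
            Factory = factory,
            LoggingOptions = new LoggingOptions
            {
                // Request/response logging includes credentials and tokens: development only.
                EnableHttpLogging = true,
                EnableWebApiDiagnostics = true,    // endpoint-level detail such as validation failures
                WebApiDiagnosticsIsVerbose = false,
                EnableKatanaLogging = true         // OWIN pipeline events
            }
        };

        app.Map("/core", idsrv => idsrv.UseIdentityServer(options));
    }
}

// Constructed demo configuration; in production these come from a store (see the data store slide).
static class DemoConfig
{
    public static List<Client> Clients()
    {
        return new List<Client>
        {
            new Client   // browser app: implicit flow, identity token only, no secret
            {
                ClientId = "mvc", ClientName = "MVC demo client", Flow = Flows.Implicit,
                RedirectUris = new List<string> { "https://localhost:44300/" },
                PostLogoutRedirectUris = new List<string> { "https://localhost:44300/" },
                AllowedScopes = new List<string> { "openid", "profile", "roles" },
                RequireConsent = true
            },
            new Client   // confidential client: authorization code flow with a hashed secret
            {
                ClientId = "harness", ClientName = "Test harness", Flow = Flows.AuthorizationCode,
                ClientSecrets = new List<Secret> { new Secret("PLACEHOLDER_SECRET".Sha256()) },
                RedirectUris = new List<string> { "https://localhost:44300/harness-callback" },
                AllowedScopes = new List<string> { "openid", "profile", "api1" },
                AccessTokenLifetime = 600   // seconds; short-lived tokens limit the damage of a leak
            }
        };
    }

    public static List<Scope> Scopes()
    {
        return new List<Scope>
        {
            StandardScopes.OpenId, StandardScopes.Profile, StandardScopes.Roles,
            new Scope { Name = "api1", DisplayName = "Demo API", Type = ScopeType.Resource }
        };
    }

    public static List<InMemoryUser> Users()
    {
        return new List<InMemoryUser>
        {
            new InMemoryUser
            {
                Subject = "818727", Username = "alice", Password = "PLACEHOLDER_PASSWORD",
                Claims = new[] { new Claim(Constants.ClaimTypes.Name, "Alice"), new Claim(Constants.ClaimTypes.Role, "Editor") }
            }
        };
    }
}
```

Mounting under `/core` means the discovery document lives at `https://host/core/.well-known/openid-configuration`; checking that it loads, with the Serilog trace output open, is the quickest way to confirm the host, certificate and options are in order before any client is pointed at it.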
High level View
(Architecture diagram: IdSrv Endpoints, Assets, External Integration, Application, Services, Repository Stores; annotations: * Can customise, * Can configure, * Not applicable to all OAuth flows)
Customising Assets
■ Stylesheets
■ Html Views/Templates
– Login/Logout form
– Consent form
– Permissions view
– Error form
■ Loaded via DefaultViewService (implements IViewService)
■ Customise loading via custom IViewService implementation
<Asset> <img src="funny-cat.gif" /></Asset>
Configuring custom assets
■ Only the welcome page is not configurable (but is replaceable)
– Can disable
■ Setup loading of custom partial views
■ Demo
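The two asset slides above cover the same configuration surface: stylesheets and partial views are loaded by DefaultViewService, the loading can be customised, and the welcome page can only be switched off. The code below is an added example, not the talk's demo and not IdentityServer3's own code. It assumes IdentityServer3 v2.x and a `templates` folder under the site root holding files such as `_login.html` or `_layout.html`; the stylesheet path and the `RestrictedViewLoader` name are the example's own. It keeps the stock file-system-with-embedded-fallback loader for the actual reading and only adds a check that the requested name is a plain template name.

```csharp
// Added example (not the talk's demo and not IdentityServer3's own code): theming the bundled views
// through DefaultViewServiceOptions, with a view loader that only serves template names made of
// letters and underscores from one fixed folder. Assumed: IdentityServer3 v2.x and a "templates"
// folder under the site root holding files such as _login.html or _layout.html.
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Services;
using IdentityServer3.Core.Services.Default;

// Wraps the stock loader: files in the templates folder override the embedded defaults and anything
// missing falls back to the embedded copy, so partial customisation never leaves a view blank.
public class RestrictedViewLoader : IViewLoader
{
    private static readonly Regex SafeName = new Regex("^[A-Za-z_]+$");
    private readonly IViewLoader inner;

    public RestrictedViewLoader(string templateDirectory)
    {
        inner = new FileSystemWithEmbeddedFallbackViewLoader(templateDirectory);
    }

    public Task<string> LoadAsync(string name)
    {
        // DefaultViewService only ever asks for its fixed set of template names; refusing anything
        // else (dots, slashes) keeps a future bug elsewhere from turning the loader into a file reader.
        if (name == null || !SafeName.IsMatch(name))
            throw new ArgumentException("Unexpected view name: " + name);
        return inner.LoadAsync(name);
    }
}

public static class ViewConfig
{
    public static void Apply(IdentityServerServiceFactory factory, IdentityServerOptions options, string siteRoot)
    {
        var viewOptions = new DefaultViewServiceOptions();
        viewOptions.Stylesheets.Add("/content/site.css");   // assumed path, served by the host site
        viewOptions.CacheViews = true;                       // set false while editing templates
        viewOptions.ViewLoader = new Registration<IViewLoader>(
            resolver => new RestrictedViewLoader(Path.Combine(siteRoot, "templates")));
        factory.ConfigureDefaultViewService(viewOptions);

        // The welcome page cannot be themed, only switched off and replaced by the host application.
        options.EnableWelcomePage = false;

        // For a completely different rendering pipeline, replace the whole service instead:
        // factory.ViewService = new Registration<IViewService, MyViewService>();
    }
}
```

Call `ViewConfig.Apply(factory, options, HostingEnvironment.MapPath("~/"))` from the startup before `UseIdentityServer`; because the embedded fallback stays in place, a deployment that forgets to ship the `templates` folder degrades to the default look rather than to an error page.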
What about the data store?
■ EntityFramework 6 Nuget package
■ Fully customisable storage engine via custom interface implementation
– TokenHandleStore, ConsentStore, ClientStore, etc…
– TokenHandleService, ConsentService, ClientService
■ Should at least configure IUserStore, IClientStore, IScopeStore (mandatory).
– AuthorizationCodeStore, TokenHandleStore, RefreshTokenStore, ConsentStore (mandatory for prod)
■ Demo with dapper
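The slide lists the store interfaces and names a Dapper demo; the talk's own Dapper code is in the linked repository. As an added example, not that demo and not IdentityServer3's own EntityFramework package, the following implements `IClientStore` over Dapper and SQL Server and registers it with the service factory. The schema is assumed: tables `Clients(ClientId, ClientName, Flow, Enabled, RequireConsent, SecretHash)`, `ClientRedirectUris(ClientId, Uri)` and `ClientScopes(ClientId, Scope)`; the `DapperClientStore` and `StoreConfig` names are the example's own. Secrets are stored as the SHA-256 hash that `Secret.Sha256()` produces, which is the form IdentityServer3's default shared-secret validator compares against, so a database read never yields a usable secret.

```csharp
// Added example (not the talk's Dapper demo, which lives in the linked repo): an IClientStore
// backed by Dapper over SQL Server. Assumed schema: Clients(ClientId, ClientName, Flow, Enabled,
// RequireConsent, SecretHash), ClientRedirectUris(ClientId, Uri), ClientScopes(ClientId, Scope).
// Assumed packages: IdentityServer3, Dapper.
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Linq;
using System.Threading.Tasks;
using Dapper;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services;

public class DapperClientStore : IClientStore
{
    private readonly string connectionString;

    public DapperClientStore(string connectionString)
    {
        this.connectionString = connectionString;
    }

    // Row shape for the Clients table. SecretHash holds the SHA-256 hash of the secret (Secret.Sha256()),
    // which is what IdentityServer3's default secret validator compares against; plaintext is never stored.
    private class ClientRow
    {
        public string ClientId { get; set; }
        public string ClientName { get; set; }
        public int Flow { get; set; }
        public bool Enabled { get; set; }
        public bool RequireConsent { get; set; }
        public string SecretHash { get; set; }
    }

    public async Task<Client> FindClientByIdAsync(string clientId)
    {
        using (var conn = new SqlConnection(connectionString))
        {
            await conn.OpenAsync();

            // Parameterised queries only: clientId arrives straight from the authorize/token request.
            var row = await conn.QuerySingleOrDefaultAsync<ClientRow>(
                "SELECT ClientId, ClientName, Flow, Enabled, RequireConsent, SecretHash FROM Clients WHERE ClientId = @clientId",
                new { clientId });
            if (row == null) return null;   // null tells IdentityServer the client is unknown

            var redirectUris = await conn.QueryAsync<string>(
                "SELECT Uri FROM ClientRedirectUris WHERE ClientId = @clientId", new { clientId });
            var scopes = await conn.QueryAsync<string>(
                "SELECT Scope FROM ClientScopes WHERE ClientId = @clientId", new { clientId });

            return new Client
            {
                ClientId = row.ClientId,
                ClientName = row.ClientName,
                Flow = (Flows)row.Flow,
                Enabled = row.Enabled,
                RequireConsent = row.RequireConsent,
                // IdentityServer matches redirect URIs exactly; the registered list is the main
                // defence against a code or token being delivered to a third party's URL.
                RedirectUris = redirectUris.ToList(),
                AllowedScopes = scopes.ToList(),
                ClientSecrets = string.IsNullOrEmpty(row.SecretHash)
                    ? new List<Secret>()
                    : new List<Secret> { new Secret(row.SecretHash) }
            };
        }
    }
}

public static class StoreConfig
{
    public static void Apply(IdentityServerServiceFactory factory, string connectionString)
    {
        factory.ClientStore = new Registration<IClientStore>(resolver => new DapperClientStore(connectionString));
        // IdentityServer looks the client up on every authorize and token request; cache the result.
        factory.ConfigureClientStoreCache();
    }
}
```

The same shape (a small row class, parameterised Dapper queries, a `Registration<T>` on the factory) carries over to `IScopeStore` and the transient stores the slide marks as mandatory for production; the cache registration must come after the store is assigned, because it wraps whatever registration is present at that point.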
Embedded IdentityServer with OpenId
■ IdentityServer to manage the authentication of users and token/cookies.
■ [Authorize] – just works

    [Authorize]
    public ActionResult Index()
    {
        ViewBag.Title = "Secured Page";
        return View();
    }

■ [ResourceAuthorize("action","resource")] – based on resource and action
– Requires nuget package IdentityModel.Owin.ResourceAuthorization.Mvc
■ Demo
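The slide shows `[Authorize]` working once IdentityServer manages the cookies, and `[ResourceAuthorize]` taking an action and a resource. What it does not show is the client-side OWIN pipeline that makes this happen and the manager that decides the resource/action question. The following is an added example, not the talk's demo: an MVC client signing in over OpenID Connect (implicit flow, `id_token` only) and a `ResourceAuthorizationManager` behind the attribute. It assumes IdentityServer3 at `https://localhost:44333/core` with a client `mvc` allowed the scopes `openid`, `profile` and `roles`, this site on `https://localhost:44300/`, the Microsoft.Owin.Security.Cookies and Microsoft.Owin.Security.OpenIdConnect packages (Katana 3.x with System.IdentityModel.Tokens.Jwt 4.x, whose `InboundClaimTypeMap` is a settable static) and the Thinktecture.IdentityModel.Owin.ResourceAuthorization.Mvc package; the resource `Contact`, the role `Editor` and the class names are constructed.

```csharp
// Added example (not the talk's demo): an MVC client that hands login to IdentityServer3 over OpenID Connect
// (implicit flow, id_token only) and enforces resource/action rules behind [ResourceAuthorize].
// Assumed: IdentityServer3 at https://localhost:44333/core with a client "mvc" (scopes openid, profile, roles);
// this site on https://localhost:44300/; packages Microsoft.Owin.Security.Cookies,
// Microsoft.Owin.Security.OpenIdConnect (Katana 3.x, System.IdentityModel.Tokens.Jwt 4.x) and
// Thinktecture.IdentityModel.Owin.ResourceAuthorization.Mvc. Resource "Contact" and role "Editor" are constructed.
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Threading.Tasks;
using System.Web.Helpers;
using System.Web.Mvc;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
using Thinktecture.IdentityModel.Mvc;
using Thinktecture.IdentityModel.Owin.ResourceAuthorization;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Keep the short JWT claim names ("sub", "role") instead of the long WS-* URIs the handler maps to.
        JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();
        // Anti-forgery tokens need a unique, stable claim per user; the OpenID Connect subject is exactly that.
        AntiForgeryConfig.UniqueClaimTypeIdentifier = "sub";

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies",
            CookieSecure = CookieSecureOption.Always,   // never send the session cookie over plain HTTP
            CookieHttpOnly = true
        });

        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://localhost:44333/core",
            ClientId = "mvc",
            RedirectUri = "https://localhost:44300/",
            PostLogoutRedirectUri = "https://localhost:44300/",
            ResponseType = "id_token",          // implicit flow; the middleware validates signature and nonce
            Scope = "openid profile roles",
            SignInAsAuthenticationType = "Cookies"
        });

        app.UseResourceAuthorization(new ContactAuthorizationManager());
    }
}

// One place for the policy; controllers only name the action and resource they need.
public class ContactAuthorizationManager : ResourceAuthorizationManager
{
    public override Task<bool> CheckAccessAsync(ResourceAuthorizationContext context)
    {
        var action = context.Action.First().Value;
        var resource = context.Resource.First().Value;

        if (resource == "Contact")
        {
            if (action == "Read")
                return Eval(context.Principal.Identity.IsAuthenticated);
            if (action == "Write")
                return Eval(context.Principal.HasClaim("role", "Editor"));   // role claim from the "roles" scope
        }
        return Eval(false);   // default deny for anything not explicitly allowed
    }
}

public class ContactsController : Controller
{
    [Authorize]   // any signed-in user, as on the slide
    public ActionResult Index()
    {
        ViewBag.Title = "Secured Page";
        return View();
    }

    [ResourceAuthorize("Write", "Contact")]   // argument order: action, then resource
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Save(string name)
    {
        return RedirectToAction("Index");
    }
}
```

Keeping the policy in the manager rather than in role names scattered over attributes is the point of the resource/action model: when the rule for writing a contact changes, one method changes and every controller that asks "Write, Contact" follows.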
It is not all unicorns and rainbows…
■ Integrating IdentityServer is far from simple.
– In reality, it will take some time
■ Errors are not always obvious
■ Look to the samples. There are many.
■ Get used to reading the issue register and following threads.
■ Testing, particularly Authorization Code and hybrid flow, can be tricky
– Utilise this test harness/console app or write your own
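The slide recommends a test harness or console app for the flows that are hard to exercise from a browser alone. The console program below is an added example, not the harness shown in the talk, and walks the authorization code flow by hand using the IdentityModel client library (the "Identity Model" helper package from the accessories slide). It assumes IdentityModel 1.x/2.x, IdentityServer3 at `https://localhost:44333/core`, a client `harness` registered with `Flow = AuthorizationCode`, the placeholder secret and the redirect URI `https://localhost:44300/harness-callback` (a page that only needs to display the URL it was called with), and an API at an assumed URL for the final call. It generates its own `state` and refuses any callback that does not echo it, which is the check a real client must make too.

```csharp
// Added example (not the test harness referred to in the talk): a console client that walks the
// authorization code flow by hand, the flow the talk singles out as hard to test.
// Assumed: IdentityModel 1.x/2.x package, IdentityServer3 at https://localhost:44333/core, a client
// "harness" registered with Flow = AuthorizationCode, secret "PLACEHOLDER_SECRET" and redirect
// URI https://localhost:44300/harness-callback (the callback page only needs to echo its URL).
using System;
using System.Net.Http;
using System.Security.Cryptography;
using System.Threading.Tasks;
using IdentityModel.Client;

public static class AuthCodeHarness
{
    const string Authority = "https://localhost:44333/core";
    const string ClientId = "harness";
    const string ClientSecret = "PLACEHOLDER_SECRET";
    const string RedirectUri = "https://localhost:44300/harness-callback";

    public static async Task RunAsync()
    {
        // Fresh, unguessable state and nonce: the callback must echo the state or the response is discarded.
        var state = RandomString();
        var nonce = RandomString();

        var request = new AuthorizeRequest(Authority + "/connect/authorize");
        var url = request.CreateAuthorizeUrl(
            clientId: ClientId,
            responseType: "code",
            scope: "openid profile api1",
            redirectUri: RedirectUri,
            state: state,
            nonce: nonce);

        Console.WriteLine("1. Open this URL in a browser and sign in:");
        Console.WriteLine(url);
        Console.WriteLine("2. Paste the full callback URL the browser was redirected to:");
        var callback = Console.ReadLine();

        var response = new AuthorizeResponse(callback);
        if (response.IsError)
        {
            Console.WriteLine("Authorize error: " + response.Error);
            return;
        }
        if (response.State != state)
        {
            // A mismatched state means this response did not originate from the request above.
            Console.WriteLine("State mismatch; discarding response.");
            return;
        }

        // Back channel: the code is exchanged with the client secret, so it never travels with the token.
        var tokenClient = new TokenClient(Authority + "/connect/token", ClientId, ClientSecret);
        var tokens = await tokenClient.RequestAuthorizationCodeAsync(response.Code, RedirectUri);
        if (tokens.IsError)
        {
            Console.WriteLine("Token error: " + tokens.Error);
            return;
        }

        Console.WriteLine("access_token expires in {0}s", tokens.ExpiresIn);
        Console.WriteLine("id_token present: " + !string.IsNullOrEmpty(tokens.IdentityToken));

        // Call a protected API with the bearer token to prove the whole chain works end to end.
        using (var api = new HttpClient())
        {
            api.SetBearerToken(tokens.AccessToken);
            var result = await api.GetAsync("https://localhost:44300/api/identity");   // assumed API address
            Console.WriteLine("API responded " + (int)result.StatusCode);
        }
    }

    // 128 bits from the OS CSPRNG, URL-safe base64 without padding.
    static string RandomString()
    {
        var bytes = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    public static void Main()
    {
        RunAsync().GetAwaiter().GetResult();
    }
}
```

Each failure the slide warns about surfaces at a distinct step here: a wrong redirect URI or scope fails at the authorize step with an error in the callback, a wrong secret or flow fails at the token exchange, and a missing scope or audience fails at the API call, which is much easier to read than a generic login error in a browser.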
Takeaways and items to remember
■ Get logging working first. It will save you hours of debugging.
■ Download all the samples, and familiarise yourself with your specific scenarios.
– Looking at alternate samples may only serve to confuse initially.
– Lots of different ways to get going.
■ When looking at documentation, ensure you are looking at the latest.
– Can easily be looking at older versions inadvertently. Much confusion.
■ Create a test harness, callback site, or something to assist testing and verifications
Links and resources
■ Identity Server: https://identityserver.github.io/
■ Demo code, DB scripts: https://github.com/glav/DDDSyd2016
■ OAuth2: http://oauth.net/2/
■ Auth0: https://auth0.com/
■ WSO2: http://wso2.com/
■ Me: [email protected] and @glav
1-5 August
DDD Sydney thanks our sponsors