ASP.NET 5 and IdentityServer4

I am working on a prototype re-site architecture using ASP.NET 5, and I am considering using IdentityServer4 for my authentication and authorization. I have looked through many examples and articles about setting up IdentityServer3 and 4, and I'm trying to wrap my head around whether it handles the requirements of my clients correctly. Here are my requirements.

I have 3 sites that require authorization. Site 1 (abc.com) will require Windows authentication and will consist of MVC and Web API calls using roles (or roles converted to claims) for authorization. Site 2 (def.com) is a reliable site that wants to have a login widget with username / password / remember-me fields on its site, which, when submitted, will authenticate the user and redirect him to site 3 (xyz.com). Site 3 will also have its own login page and will be a combination of MVC and Web API calls using claims. Sites 2 and 3 will not use Windows authentication, and the client does not want them to be redirected to the login screen of the identity system, but to have their own login screen and call the identity server from code with the credentials for login.

Here are my questions regarding this scenario and IdentityServer4.

  • Can Idsvr4 handle one client using Windows authentication and another using username / password authentication?
    • If so, is there any reason to have Windows auth in idsvr4, or should I just use the standard Windows auth in the web app?
  • Can I configure idsvr4 so that the client collects username / password / remember-me values and passes them through code to get the correct JWT tokens for MVC and Web API?
    • If so, can this sign them in to MVC and Web API applications on another site?
    • If so, does this bypass the real purpose of IdentityServer4, and is it therefore a bad idea?
  • If it can handle this scenario and it is a good idea, how do I configure the client, scopes and code to handle login through code and redirects?

Examples are great and very welcome, but I'm not even sure what phrase to search for for this scenario, so even pointing me in the right direction would be very useful.


Not sure if this question is still active. But yes, I think you can do all this.

1) You can configure which IdP is available for each client by setting IdentityProviderRestrictions on the client (docs).

1.1) Not sure what you mean. I believe one of the points of idsrv is to set up your authentication in one place, and this makes it easy to integrate future websites with the same service.

2) When you register a client (application), you also indicate which ApiResource the client has access to, and the application should add this to the requested scopes at login. Therefore, if your client is an MVC application, you simply add the ApiResource to AllowedScopes and set `request_type` to `id_token code`; this will give the user an access_token, which is sent with each request to the backend API. (docs)

2.1) This will basically sign the user in on both sites, using an access token that says that the user has the right to use the backend API.

2.2) In my opinion, this flow is one of the factors that make idsrv great, and they even mention it as a great feature of idsrv itself. To get access to all systems you just need 1 trip to the auth server.

As for pt. 3: take a look at the docs, and try setting up an empty project following the quickstart.

To log in from your own login page, you need to use the Resource Owner Password grant type. Even though they do not recommend doing this for security reasons (passwords over the wire), it is supported.
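The following is an added example, not code from the question, the answer or the IdentityServer4 project itself. It shows one way to express the answer's three points in an IdentityServer4 in-memory configuration: a per-client `IdentityProviderRestrictions` entry so site 1 only sees the Windows provider while sites 2 and 3 only see local login, a shared `ApiResource` listed in each client's `AllowedScopes` so one login yields an access token usable against the backend API, and the resource owner password grant (OpenID Connect calls the parameter the answer refers to `response_type`) for the sites that keep their own login page. Client ids, secrets, hostnames, the `"Windows"` scheme name and the `"backend.api"` scope are placeholders chosen for this example; the token request at the bottom uses the `IdentityModel` NuGet client library. The resource owner password grant additionally requires you to register an `IResourceOwnerPasswordValidator` (or ASP.NET Core Identity) so IdentityServer can check the credentials it receives.

```csharp
// Added example (not from the original question or answer). Placeholder ids,
// secrets, URLs and scope names are used throughout.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;     // NuGet: IdentityModel (token endpoint client)
using IdentityServer4;
using IdentityServer4.Models;

public static class Config
{
    // The backend API that both the MVC and Web API parts of the sites call.
    public static IEnumerable<ApiResource> ApiResources() => new[]
    {
        new ApiResource("backend.api", "Backend API")
        {
            // Copy the role claim into the access token so the API can authorize on it.
            UserClaims = { "role" }
        }
    };

    public static IEnumerable<IdentityResource> IdentityResources() => new IdentityResource[]
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile()
    };

    public static IEnumerable<Client> Clients() => new[]
    {
        // Site 1 (abc.com): browser redirect flow; only the Windows provider is offered.
        new Client
        {
            ClientId = "abc-mvc",
            ClientSecrets = { new Secret("abc-secret-placeholder".Sha256()) },
            AllowedGrantTypes = GrantTypes.Hybrid,           // response_type "code id_token"
            RedirectUris = { "https://abc.com/signin-oidc" },
            PostLogoutRedirectUris = { "https://abc.com/signout-callback-oidc" },
            IdentityProviderRestrictions = { "Windows" },    // assumed name of the Windows scheme
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "backend.api"
            }
        },
        // Site 2 (def.com): own login widget, exchanges the credentials server-side.
        new Client
        {
            ClientId = "def-widget",
            ClientSecrets = { new Secret("def-secret-placeholder".Sha256()) },
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
            IdentityProviderRestrictions = { "local" },      // local username/password only
            AllowOfflineAccess = true,                       // refresh token backs "remember me"
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.OfflineAccess,
                "backend.api"
            }
        },
        // Site 3 (xyz.com): same pattern as site 2 with its own login page.
        new Client
        {
            ClientId = "xyz-site",
            ClientSecrets = { new Secret("xyz-secret-placeholder".Sha256()) },
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
            IdentityProviderRestrictions = { "local" },
            AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId, "backend.api" }
        }
    };
    // Startup wiring (not shown in full):
    // services.AddIdentityServer()
    //     .AddInMemoryIdentityResources(Config.IdentityResources())
    //     .AddInMemoryApiResources(Config.ApiResources())
    //     .AddInMemoryClients(Config.Clients());
}

// What site 2's login handler runs after its widget posts username/password.
public static class WidgetLogin
{
    public static async Task<TokenResponse> SignInAsync(HttpClient http, string user, string password)
    {
        // Discovery gives the token endpoint; the authority URL is a placeholder.
        var disco = await http.GetDiscoveryDocumentAsync("https://login.example.com");
        if (disco.IsError) throw new InvalidOperationException(disco.Error);

        // Resource owner password grant: credentials go to IdentityServer, never to the API.
        return await http.RequestPasswordTokenAsync(new PasswordTokenRequest
        {
            Address = disco.TokenEndpoint,
            ClientId = "def-widget",
            ClientSecret = "def-secret-placeholder",
            UserName = user,
            Password = password,
            Scope = "openid offline_access backend.api"
        });
    }
}
```

Check `TokenResponse.IsError` before using the result; on success `AccessToken` is what site 2 attaches as a bearer token to backend API calls and hands to site 3, and `RefreshToken` is what lets a "remember me" session outlive the access token without storing the password. The restriction to `"local"` on the password-grant clients matters for detection and audit: IdentityServer will refuse a Windows-backed login for those client ids, so an unexpected provider in the token-issuance logs stands out.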


Source: https://habr.com/ru/post/1247230/
