All geek questions in one place

Securing Web API 2.2 with IdentityServer4

I have a Web API 2.2 that uses the .Net 4.5.2 framework that is used by the angular2 application and there is an existing implementation of IdentityServer4. I want to protect my web API with IdentityServer4. My question is: can I protect Web API 2.2 with IdentityServer4? If so, then I have two subsequent questions.

  • Should I use the IdentityServer3.AccessTokenValidation nuget package or will I have to use IdentityServer4.AccessTokenValidation? (I tried using the IdentityServer4.AccessTokenValidation package, but it added a lot of dependencies related to the ASP.Net kernel).
  • What should be the value of the credentials url I should use?

I could find many examples where IdentityServer4 is used to protect the ASP.NET Core Web API. However, it was not possible to find a good example where Web API 2.2 is protected using IdentityServer4. If possible, give me a good example of the identity server configuration that is required on the web API side.

+7
source share
2 answers

To answer your questions:

1) Your WebApi 2.2 project, no doubt, uses OWIN / Katana from ASP.NET 4.x, which means that you must use IdentityServer3.AccessTokenValidation . IdentityServer4.AccessTokenValidation is compatible with the new ASP.NET MVC Core pipeline.

2) You can gain your authority by going to the identity provider discovery document in {IdentityUrl}/.well-known/openid-configuration . This body should be the same as the value of the "issuer" in the discovery document. You can also gain authorization by looking at the JWT issued by your identity provider by looking at the iss issuance.

+9
source

After 2017, IdentityServer3.AccessTokenValidation remains frozen, while Microsoft refactored its Owin and Identity libraries, so IdentityServer3.Contrib.AccessTokenValidation is the preferred fork for refactoring according to recent infrastructure changes.

0
source

Source: https://habr.com/ru/post/1260938/

More articles:


All Articles