How to integrate an existing ASP.NET MVC application with IdentityServer?

How to integrate an existing ASP.NET MVC application with a separate IdentityServer application?

I have an existing ASP.NET MVC site using Identity 2.0 for authentication.

Now I have a second application on ASP.NET Core 1.1, which serves an API that talks to a client (mobile) application.

I need to share authentication across all three applications.

From what I have read, I need to add SSO, and IdentityServer is a great solution for this. I plan to set up IdentityServer as the fourth application and connect it to the new .NET API and the client application.

But I cannot find an example of how to make an existing ASP.NET application authenticate against a new IdentityServer.

+5
2 answers

You will have the 4 applications you indicated.

  • IdentityServer4 application for identity and access control. This will be the single sign-on service and the STS (Security Token Service). Today you would build this on ASP.NET Core 1.1. To do SSO you will of course need a user database; using ASP.NET Identity works well and integrates perfectly with IdentityServer.

  • Your web API, which you say runs on ASP.NET Core 1.1. In OAuth terms this is called an API Resource. You can subdivide this API into separately protected sections called API Scopes.

  • Your existing MVC web application with its current user database in ASP.NET Identity. This will be a Client of the IdentityServer authority (#1 above). You can use the authorization code flow (more secure) or choose the implicit or hybrid flow. An example of setting up an ASP.NET MVC web application as a client of an IdentityServer instance can be found in the official documentation: http://docs.identityserver.io/en/latest/quickstarts/3_interactive_login.html#creating-an-mvc-client .

Essentially you

(a) register a client with IdentityServer, then

(b) add some startup code to the client application that tells it to use IdentityServer for authentication, something like this...

    // ASP.NET Core 1.x middleware. The cookie middleware must be registered first:
    // it is the "Cookies" SignInScheme the OIDC handler writes the session to.
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationScheme = "Cookies"
    });

    app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
    {
        AuthenticationScheme = "oidc",
        SignInScheme = "Cookies",
        Authority = "http://localhost:5000",   // the IdentityServer instance
        RequireHttpsMetadata = false,          // development only; keep https in production
        ClientId = "mvc",
        SaveTokens = true                      // keep the tokens so the app can call the API later
    });

At this point, you can use both the internal user database for logging in and the external IdentityServer, that is, you can log into the MVC web application in two different ways. IdentityServer can be considered an “external provider” for your MVC web application.

Are you going to migrate the existing user names and passwords (and roles, etc.) to a new IdentityServer instance / database? The answer should be yes if you want single sign-on and shared identity and access control across the applications.

SSO is only possible if the user logs in through the IdentityServer application. Although you probably won't actually get SSO here: since they use a browser on the desktop computer and a mobile application on the phone, they cannot actually share cookies or tokens between devices.

  • Mobile client. This will be another client, like the MVC web application, except that it uses the Implicit Flow. Register the client again, then code the application.
+1
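As an added illustration of step (a) above, here is what the IdentityServer4 side of the registration could look like for the four applications this answer describes. This is editor-supplied example code, not code from the answer or from the IdentityServer4 project. The client IDs, ports, redirect URIs, the secret, the `ApplicationUser` type and the API name `api1` are assumptions chosen to line up with the snippets elsewhere on this page. One deliberate departure from the answer: the mobile client is registered for authorization code with PKCE rather than the implicit flow, which is what RFC 8252 (OAuth 2.0 for Native Apps) recommends for native clients.

```csharp
using System.Collections.Generic;
using IdentityServer4.Models;
using Microsoft.Extensions.DependencyInjection;

// IdentityServer host (ASP.NET Core 1.1 + IdentityServer4 1.x). Example only: every
// identifier, secret and URL below is an assumption, not a value from the question or answers.
public static class Config
{
    // Identity scopes clients may request. "openid" is mandatory for OpenID Connect.
    public static IEnumerable<IdentityResource> GetIdentityResources()
    {
        return new List<IdentityResource>
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile(),
        };
    }

    // The Web API from the question, registered as an API Resource. Its name ends up in the
    // "aud" claim of access tokens and must match ApiName in the API's UseIdentityServerAuthentication.
    public static IEnumerable<ApiResource> GetApiResources()
    {
        return new List<ApiResource>
        {
            new ApiResource("api1", "Mobile/Web API"),
        };
    }

    public static IEnumerable<Client> GetClients()
    {
        return new List<Client>
        {
            // Existing ASP.NET MVC site: a confidential client (it can keep a secret) using the hybrid flow,
            // so it gets an id_token at the front channel and an access token at the back channel.
            new Client
            {
                ClientId = "mvc",
                ClientName = "Existing MVC web application",
                AllowedGrantTypes = GrantTypes.Hybrid,
                ClientSecrets = { new Secret("mvc-client-secret".Sha256()) },   // assumed; keep out of source control
                RedirectUris = { "http://localhost:5002/signin-oidc" },          // assumed host; default OIDC middleware callback path
                PostLogoutRedirectUris = { "http://localhost:5002/signout-callback-oidc" },
                AllowedScopes = { "openid", "profile", "api1" },
                AllowOfflineAccess = true,   // issue refresh tokens so the MVC app can keep calling the API
            },
            // Mobile client: a public client (no secret can be protected on a phone).
            // The answer mentions the implicit flow; RFC 8252 recommends code + PKCE for native apps instead.
            new Client
            {
                ClientId = "mobile",
                ClientName = "Mobile application",
                AllowedGrantTypes = GrantTypes.Code,
                RequireClientSecret = false,
                RequirePkce = true,          // binds the code to the app instance that requested it
                RedirectUris = { "com.example.mobile://callback" },   // assumed custom-scheme redirect
                AllowedScopes = { "openid", "profile", "api1" },
                AllowOfflineAccess = true,
            },
        };
    }
}

// ASP.NET Identity user type assumed to hold the migrated user database (ASP.NET Core 1.x namespace).
public class ApplicationUser : Microsoft.AspNetCore.Identity.EntityFrameworkCore.IdentityUser { }

// Wiring for the IdentityServer host's Startup.ConfigureServices.
public static class IdentityServerRegistration
{
    public static void Register(IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddTemporarySigningCredential()     // IdentityServer4 1.x dev-only signing key; use an X.509 certificate in production
            .AddInMemoryIdentityResources(Config.GetIdentityResources())
            .AddInMemoryApiResources(Config.GetApiResources())
            .AddInMemoryClients(Config.GetClients())
            .AddAspNetIdentity<ApplicationUser>(); // IdentityServer4.AspNetIdentity: authenticate users against ASP.NET Identity
    }
}
```

The security-relevant checks happen in this registration: a token request from a client whose `ClientId`, secret, redirect URI or requested scopes do not match what is registered here is rejected, and an access token only carries `api1` in its audience if the client was allowed that scope. Replace `AddTemporarySigningCredential()` and the in-memory stores before exposing the server outside development.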

You create your authentication application using IdentityServer4. Treat each of your applications as an IdentityServer4 Client and the API as an ApiResource, so all of them will have a unique ClientId, callback URI, etc. You need to add IdentityServerAuthenticationOptions in the API and OpenIdConnectOptions in the MVC application.

For example, to start with, the Web API's Startup.cs could be:

    public void Configure(IApplicationBuilder app, ILoggerFactory loggerFactory)
    {
        loggerFactory.AddConsole(Configuration.GetSection("Logging"));
        loggerFactory.AddDebug();

        // IdentityServer4.AccessTokenValidation: accept only bearer tokens issued by the Authority
        // whose audience ("aud") contains the API name "api1"
        app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
        {
            Authority = "http://localhost:5000",
            RequireHttpsMetadata = false,   // development only
            ApiName = "api1"
        });

        app.UseMvc();
    }

In any case, first you need to understand how IdentityServer works. Then you need to create an IdentityServer application that has access to your user context. You will achieve shared authentication across the three applications by allowing the same API scope.

And this is the best place to start.

+2
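To show the "same API scope" point from both sides, here is an added example of the MVC client obtaining an access token for `api1`, forwarding it to the API, and the API endpoint that the answer's `UseIdentityServerAuthentication` call protects. This is editor-supplied code, not from the answer or the IdentityServer4 project, written for ASP.NET Core 1.1 to match the page. The IdentityServer address `http://localhost:5000`, the client ID `mvc` and the API name `api1` come from the page; the client secret, the API address `http://localhost:5001` and the route names are assumptions.

```csharp
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;              // GetTokenAsync extension on HttpContext.Authentication (ASP.NET Core 1.x)
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;

// ---- MVC client (ASP.NET Core 1.1): called from Startup.Configure ----
public static class MvcClientAuth
{
    public static void Configure(IApplicationBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationScheme = "Cookies"
        });

        var oidc = new OpenIdConnectOptions
        {
            AuthenticationScheme = "oidc",
            SignInScheme = "Cookies",
            Authority = "http://localhost:5000",    // IdentityServer (from the page); use https outside development
            RequireHttpsMetadata = false,           // development only
            ClientId = "mvc",
            ClientSecret = "mvc-client-secret",     // assumed; must match the client registration on the server
            ResponseType = "code id_token",         // hybrid flow. The default "id_token" alone never yields an access token
            GetClaimsFromUserInfoEndpoint = true,
            SaveTokens = true,                      // persist access/refresh tokens in the cookie session for later API calls
        };
        oidc.Scope.Clear();
        oidc.Scope.Add("openid");
        oidc.Scope.Add("profile");
        oidc.Scope.Add("api1");            // the API scope: without it the token's "aud" lacks api1 and the API returns 401
        oidc.Scope.Add("offline_access");  // refresh token (client must have AllowOfflineAccess = true)
        app.UseOpenIdConnectAuthentication(oidc);
    }
}

// ---- MVC client: forward the saved access token to the API ----
public class ApiProxyController : Controller
{
    private static readonly HttpClient Http = new HttpClient();

    [Authorize]
    public async Task<IActionResult> Identity()
    {
        // Present only when the user signed in via IdentityServer with SaveTokens = true.
        // A user who used the site's local ASP.NET Identity login has no token here.
        var accessToken = await HttpContext.Authentication.GetTokenAsync("access_token");
        if (string.IsNullOrEmpty(accessToken))
            return Challenge("oidc");   // force an IdentityServer sign-in so a token exists

        var request = new HttpRequestMessage(HttpMethod.Get, "http://localhost:5001/identity");   // assumed API address
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        var response = await Http.SendAsync(request);
        if (!response.IsSuccessStatusCode)
            return StatusCode((int)response.StatusCode);   // 401 means expired token or audience mismatch with ApiName

        return Content(await response.Content.ReadAsStringAsync(), "application/json");
    }
}

// ---- Web API (ASP.NET Core 1.1): behind UseIdentityServerAuthentication(ApiName = "api1") ----
[Route("identity")]
public class IdentityController : ControllerBase
{
    [HttpGet]
    [Authorize]   // the bearer token must be signed by the Authority, unexpired, and carry aud = api1
    public IActionResult Get()
    {
        // Echo the claims the API sees; useful for confirming which user and scopes arrived
        return new JsonResult(User.Claims.Select(c => new { c.Type, c.Value }));
    }
}
```

Two things to verify when wiring this up: the token returned from the `/connect/token` back-channel call must list `api1` in `aud`, otherwise `ApiName = "api1"` rejects it with 401 even though the signature is valid, and the MVC client's `ClientSecret` must match the secret hash registered on the server, since a hybrid-flow code exchange without a valid secret fails at the token endpoint.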

Source: https://habr.com/ru/post/1271284/
