Why IdentityServer
If you have a number of applications and need centralized login logic and workflow for all of them (web, native, mobile, services), IdentityServer might be your solution. It also enables single sign-on. IdentityServer4 is an officially certified implementation of OpenID Connect.
Creating IdentityServer4 project
The simplest way to create an IdentityServer instance is to use the dotnet template, which can be installed as below:
dotnet new -i IdentityServer4.Templates
but in this IdentityServer4 post series, let's start from scratch.
Create an empty web project based on .NET Core using the command prompt:
dotnet new web
This project is not much more than a Program.cs file and a Startup.cs file, and it will run on port 5443 for HTTPS and 5000 for HTTP.
The IdentityServer4 NuGet package can be added to this project using the following command:
dotnet add package IdentityServer4 --version 4.1.1
Go into Startup.cs to configure IdentityServer and its services in ConfigureServices.
It has been configured with empty lists of Clients, IdentityResources, ApiScopes, ApiResources and Users for now.
AddDeveloperSigningCredential() is added here (dev mode only) because the tokens IdentityServer issues for us need to be signed, and this developer signing credential provides that signing material.
Add IdentityServer into the pipeline.
Remember that IdentityServer is a piece of middleware.
We're now ready to go. At the moment we have no APIs, no clients and no users defined, but we can still run this.
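Here is the Startup.cs that this post describes, written out as an added example (not the post's own code). It assumes the IdentityServer4 4.1.1 package added above and an ASP.NET Core 3.1 project created with dotnet new web:

```csharp
using System.Collections.Generic;
using IdentityServer4.Models;
using IdentityServer4.Test;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Register IdentityServer with empty in-memory stores for now;
        // clients, resources, scopes and users are added in later posts.
        var builder = services.AddIdentityServer()
            .AddInMemoryIdentityResources(new List<IdentityResource>())
            .AddInMemoryApiScopes(new List<ApiScope>())
            .AddInMemoryApiResources(new List<ApiResource>())
            .AddInMemoryClients(new List<Client>())
            .AddTestUsers(new List<TestUser>());

        // Dev mode only: generates a temporary RSA key (tempkey.jwk) used to
        // sign tokens. In production, replace this with AddSigningCredential()
        // and a real key or certificate loaded from a secure store.
        builder.AddDeveloperSigningCredential();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseRouting();

        // IdentityServer is middleware: this wires up the /connect/* and
        // /.well-known/openid-configuration endpoints seen below.
        app.UseIdentityServer();

        // No controllers or views yet, so the root still prints hello world.
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapGet("/", async context =>
                await context.Response.WriteAsync("Hello World!"));
        });
    }
}
```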
The application runs; at the moment we have no controllers and views here, so it simply prints out hello world.👋
If you run
dotnet run
our IdentityServer will run on https://localhost:5001
The OpenID Connect discovery document can also be found here:
https://localhost:5001/.well-known/openid-configuration
{
"issuer": "https://localhost:5001",
"jwks_uri": "https://localhost:5001/.well-known/openid-configuration/jwks",
"authorization_endpoint": "https://localhost:5001/connect/authorize",
"token_endpoint": "https://localhost:5001/connect/token",
"userinfo_endpoint": "https://localhost:5001/connect/userinfo",
"end_session_endpoint": "https://localhost:5001/connect/endsession",
"check_session_iframe": "https://localhost:5001/connect/checksession",
"revocation_endpoint": "https://localhost:5001/connect/revocation",
"introspection_endpoint": "https://localhost:5001/connect/introspect",
"device_authorization_endpoint": "https://localhost:5001/connect/deviceauthorization",
"frontchannel_logout_supported": true,
"frontchannel_logout_session_supported": true,
"backchannel_logout_supported": true,
"backchannel_logout_session_supported": true,
"scopes_supported": [
"offline_access"
],
"claims_supported": [],
"grant_types_supported": [
"authorization_code",
"client_credentials",
"refresh_token",
"implicit",
"password",
"urn:ietf:params:oauth:grant-type:device_code"
],
"response_types_supported": [
"code",
"token",
"id_token",
"id_token token",
"code id_token",
"code token",
"code id_token token"
],
"response_modes_supported": [
"form_post",
"query",
"fragment"
],
"token_endpoint_auth_methods_supported": [
"client_secret_basic",
"client_secret_post"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"subject_types_supported": [
"public"
],
"code_challenge_methods_supported": [
"plain",
"S256"
],
"request_parameter_supported": true
}
If you look carefully at the discovery document, there are some default values for grant types and response types, but notice there are no claims here yet and the only supported scope is offline_access.
In the next post, we will see how our scopes, claims, resources and clients change.
Top comments (1)
Can you please share the other parts?