OAuth2 and IdentityServer3
Transcript of OAuth2 and IdentityServer3
OAUTH2 AND IDENTITYSERVER3
Integrating into your application
What we will and won’t cover
■ Will – What is Identity Server and why use it.
■ Will – How to start integrating into your app.
■ Will – Extension points, customisation points, token types.
■ Will – Nasty bits, hard stuff, pain points.
■ Won’t – Detail or explain all OAuth2 flows.
■ Won’t – Show every possible integration scenario and customisation point.
■ Take away
– Having a good idea on technical cost, difficulty and suitability for a given situation.
– How to begin and where to go from there.
It’s not you, it’s me
■ Paul Glavich
■ @glav, [email protected]
■ ASP.Net MVP 12 years
■ Author 3 books, various articles, http://weblogs.asp.net/pglavich
■ International speaker (does NZ count?)
■ ASPInsider
■ CTO Saasu.com
What is Identity Server
■ Spec compliant OAuth2 Authorisation server (STS)
– (That means it’s big and complex)
■ OAuth2 flows and OpenID Connect
■ Can integrate with external providers (Google etc.)
■ Open source (Dominick Baier and Brock Allen)
– Identity Server 3 v2.5 (latest)
– Identity Server 4 (support for .Net Core/vNext) – in progress
■ Series of NuGet packages, Owin based implementation
Free accessories
■ Identity Manager
– In beta
– Tool to admin users, claims etc.
– Similar to website admin tool
■ Identity Model
– Helper classes
– Client code
■ https://identityserver.github.io/
Why bother?
■ Can develop your own, right . . . . .?
Writing your own OAuth/Identity Server
■ It can be done…
■ But often ends in tears.
Alternatives
■ Other alternatives
– Auth0 ( https://auth0.com/ )
■ Cloud based, good integration hooks, some cost
– Azure/AD ( https://azure.microsoft.com/en-us/services/active-directory/ )
■ Cloud, multi-protocol, some cost
– WSO2 ( http://wso2.com/ )
■ Java, multi-protocol (WS-*, OpenId, EIB) – open source and paid versions.
Getting started
■ Install NuGet package “IdentityServer3”
■ Configure startup
■ Demo: Simplest setup
Logging
■ Supports a variety of pluggable log sources.
■ Get logging working first and worry about all the flows later.
■ Saves hours in debugging time.
■ Supports Serilog, NLog, Log4Net, Enterprise Library & Loupe.
– Install the requisite NuGet package
High level View
[Diagram: IdSrv Endpoints, Assets, External Integration, Application, Services, Repository Stores. Annotations: * Can customise, * Can configure, * Not applicable to all OAuth flows]
Customising Assets
■ Stylesheets
■ Html Views/Templates
– Login/Logout form
– Consent form
– Permissions view
– Error form
■ Loaded via DefaultViewService (implements IViewService)
■ Customise loading via custom IViewService implementation
<Asset> <img src=“funny-cat.gif” /></Asset>
Configuring custom assets
■ Only the welcome page is not configurable (but is replaceable)
– Can disable
■ Setup loading of custom partial views
■ Demo
What about the data store?
■ EntityFramework 6 NuGet package
■ Fully customisable storage engine via custom interface implementation
– TokenHandleStore, ConsentStore, ClientStore, etc.
– TokenHandleService, ConsentService, ClientService
■ Should at least configure IUserStore, IClientStore, IScopeStore (mandatory).
– AuthorizationCodeStore, TokenHandleStore, RefreshTokenStore, ConsentStore (mandatory for prod)
■ Demo with Dapper
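As an added example (not the talk’s demo code, nor the IdentityServer3 project’s own samples), the Owin startup that the Getting started, Logging and data store slides describe: logging wired up first, the mandatory client, scope and user stores registered in memory, and one Authorization Code client. The certificate path, password, client secret, user and redirect URI are placeholders; the Dapper-backed store named in a comment is hypothetical.

```csharp
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using IdentityServer3.Core;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Logging;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.InMemory;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Logging first, as the talk advises. This provider ships with IdentityServer3.Core and writes to
        // System.Diagnostics.Trace; a referenced Serilog/NLog/log4net is picked up instead.
        LogProvider.SetCurrentLogProvider(new DiagnosticsTraceLogProvider());

        // The mandatory client, scope and user stores, satisfied with in-memory registrations. A custom
        // store (e.g. a hypothetical Dapper-backed IClientStore) would be set via factory.ClientStore.
        var factory = new IdentityServerServiceFactory()
            .UseInMemoryClients(Clients())
            .UseInMemoryScopes(Scopes())
            .UseInMemoryUsers(Users());
        var options = new IdentityServerOptions
        {
            SiteName = "Example STS",
            // Placeholder path and password: load the real token-signing certificate from a protected store.
            SigningCertificate = new X509Certificate2(@"C:\certs\PLACEHOLDER-signing.pfx", "PLACEHOLDER"),
            RequireSsl = true,   // the default, kept explicit: tokens and cookies never travel over plain HTTP
            Factory = factory
        };
        // Mount the STS under /identity; the MVC app's OpenID Connect middleware is pointed at this path.
        app.Map("/identity", idsrv => idsrv.UseIdentityServer(options));
    }

    static IEnumerable<Client> Clients() => new[]
    {
        new Client
        {
            ClientId = "mvc-demo", ClientName = "MVC demo site",
            Flow = Flows.AuthorizationCode,   // the flow the talk flags as tricky to test
            ClientSecrets = new List<Secret> { new Secret("PLACEHOLDER-client-secret".Sha256()) },
            RedirectUris = new List<string> { "https://localhost:44300/signin-oidc" },   // exact match enforced
            AllowedScopes = new List<string> { Constants.StandardScopes.OpenId, Constants.StandardScopes.Profile }
        }
    };
    static IEnumerable<Scope> Scopes() => new[] { StandardScopes.OpenId, StandardScopes.Profile };
    static List<InMemoryUser> Users() =>
        new List<InMemoryUser> { new InMemoryUser { Subject = "1", Username = "alice", Password = "PLACEHOLDER" } };
}
```

Swapping any of the three UseInMemory* calls for a Registration of your own store implementation is the customisation point the data store slide refers to; the in-memory versions are for getting the flows working, not for production.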
Embedded IdentityServer with OpenId
■ IdentityServer to manage the authentication of users and token/cookies.
■ [Authorize] – just works
[Authorize]
public ActionResult Index()
{
    ViewBag.Title = "Secured Page";
    return View();
}
■ [ResourceAuthorize(“action”, ”resource”)] – based on resource and action
– Requires NuGet package IdentityModel.Owin.ResourceAuthorization.Mvc
■ Demo
It is not all unicorns and rainbows…
■ Integrating IdentityServer is far from simple.
– In reality, it will take some time
■ Errors are not always obvious
■ Look to the samples. There are many.
■ Get used to reading the issue register and following threads.
■ Testing, particularly Authorization Code and Hybrid flow, can be tricky
– Utilise this test harness/console app or write your own
Takeaways and items to remember
■ Get logging working first. It will save you hours of debugging.
■ Download all the samples, and familiarise yourself with your specific scenarios.
– Looking at alternate samples may only serve to confuse initially.
– Lots of different ways to get going.
■ When looking at documentation, ensure you are looking at the latest.
– Can easily be looking at older versions inadvertently. Much confusion.
■ Create a test harness, callback site, or something to assist testing and verifications
Links and resources
■ Identity Server: https://identityserver.github.io/
■ Demo code, DB scripts: https://github.com/glav/DDDSyd2016
■ OAuth2: http://oauth.net/2/
■ Auth0: https://auth0.com/
■ WSO2: http://wso2.com/
■ Me: [email protected] and @glav
1-5 August
DDD Sydney thanks our sponsors