Vladimir Lapacek

Reputation: 35

OpenId Connect authentication for UI and service access

We are building an application that is using IdentityServer3 OpenID Connect authentication to protect its RESTful APIs.

For UI access we are using Implicit Flow client registered at IS3. Our Startup class sets up the OIDC Owin Security module connecting to IS3. All works great.

The next requirement for this application is that our REST API shall be accessible not only by web UI, but also from other services. The Client Credential Flow seems to be what meets the requirements. The point is that it is not practical to have services contacting our REST API via redirects to the IS3 login page and filling in username / password there. The Client Credential flow client gets the token directly at the IS3 server and then goes do its thing to our REST API.

The Startup class looks like this:

using System.Configuration;
using IdentityServer3.AccessTokenValidation;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

internal class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // The Bearer token authentication is used for service to service
        // REST API access (also for testing purposes)
        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = ConfigurationManager.AppSettings["IdmUrl"],
            NameClaimType = "client_id",
            RoleClaimType = "client_role"
            // ...
        });

        // OIDC authentication is used for UI access (browser, Implicit flow)
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = ConfigurationManager.AppSettings["IdmUrl"],
            // ...
        });
    }
}

It works nicely for both cases: a human accessing it through a browser and thus using the Implicit flow, as well as a service using the Client Credential flow. However, if the token that the service is using in the Client Credential flow expires, the request gets redirected to the IS3 server again. We would like it to return a 401 error so that the client knows that it needs to get a fresh token again.

Can you think of a way to combine the two flows so that they play nicely together?

Upvotes: 2

Views: 757

Answers (1)

Scott Brady

Reputation: 5598

To allow for 401 Unauthorized responses but also for 302 redirects with UIs, you'll need to implement a solution like the one here (from one of the Identity Server authors).

This tweaks the app.UseCookieAuthentication() settings by adding in detection for AJAX in this case, and redirects to a login page only when an AJAX request is detected. You should be able to adapt this for your needs.

Upvotes: 1
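An added example, written for this page and not the answer's linked code or the question's project, of one way to get both behaviours from a single OWIN pipeline: API requests only ever see the bearer-token middleware (so an expired client-credentials token yields a plain 401), while browser requests get the cookie/OIDC pair, with the cookie redirect suppressed for AJAX calls as the answer describes. It assumes the IdmUrl app setting from the question, the IdentityServer3.AccessTokenValidation, Microsoft.Owin.Security.Cookies/OpenIdConnect and Microsoft.AspNet.WebApi.Owin packages, and placeholder values for the client id, redirect URI and scope; IsAjaxRequest and AccountController are helpers invented for this example.

```csharp
using System.Configuration;
using System.Web;
using System.Web.Http;
using System.Web.Mvc;
using IdentityServer3.AccessTokenValidation;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

internal class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Same app setting as in the question (assumed to hold the IS3 base URL).
        var authority = ConfigurationManager.AppSettings["IdmUrl"];

        // 1. API branch: only bearer-token validation lives here. No middleware in
        //    this branch can issue a redirect, so a missing or expired access token
        //    surfaces as a 401 that a service client can answer by requesting a
        //    fresh token via the client credentials grant.
        app.Map("/api", api =>
        {
            api.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
            {
                Authority = authority,
                NameClaimType = "client_id",
                RoleClaimType = "client_role",
                RequiredScopes = new[] { "api1" } // placeholder scope name
            });

            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();
            api.UseWebApi(config);
        });

        // 2. UI branch (everything not under /api): cookie session plus OIDC.
        //    The cookie middleware is what turns a 401 challenge into a 302 to
        //    LoginPath; skip that for AJAX calls so the browser script sees 401.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies",
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                OnApplyRedirect = ctx =>
                {
                    if (!IsAjaxRequest(ctx.Request))
                    {
                        ctx.Response.Redirect(ctx.RedirectUri);
                    }
                }
            }
        });

        // Passive mode: the OIDC middleware redirects to IS3 only when a login
        // action explicitly challenges it, never on an arbitrary 401.
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            AuthenticationType = "oidc",
            AuthenticationMode = AuthenticationMode.Passive,
            Authority = authority,
            ClientId = "ui-client",                   // placeholder client id
            RedirectUri = "https://localhost/ui/",    // placeholder redirect URI
            ResponseType = "id_token token",          // implicit flow, as in the question
            Scope = "openid profile api1",
            SignInAsAuthenticationType = "Cookies"
        });
    }

    // Helper for this example: treat a request as AJAX when the conventional
    // X-Requested-With marker is present in a header or query string.
    private static bool IsAjaxRequest(IOwinRequest request)
    {
        return request.Headers["X-Requested-With"] == "XMLHttpRequest"
            || request.Query["X-Requested-With"] == "XMLHttpRequest";
    }
}

// Helper for this example: the page the cookie middleware redirects full-page
// requests to. It issues the explicit OIDC challenge that starts the implicit flow.
public class AccountController : Controller
{
    public ActionResult Login(string returnUrl)
    {
        Request.GetOwinContext().Authentication.Challenge(
            new AuthenticationProperties { RedirectUri = returnUrl ?? "/" }, "oidc");
        return new HttpUnauthorizedResult();
    }
}
```

The branching is the part that addresses the question directly: because app.Map("/api", ...) runs its own pipeline, neither the cookie nor the OIDC middleware is in the path of a service call, so nothing can convert the bearer middleware's 401 into a redirect. The OnApplyRedirect tweak only matters for the UI side, where JavaScript calls against MVC endpoints should also get a 401 rather than a redirect to the login page.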
