Reputation: 163
Which one of these would be the easiest to set up server-to-server JWT on? I already have an existing JWT token; do I need to set up an entire server just to pass through the token?
I have a requirement use-case to create a client for a web API hosted on another server but cannot figure out how to pass the credentials in .NET Core to the other server. I just need to be able to construct a GET and a POST using C# into a remote server API and build some charting to display the results of the GET.
Upvotes: 4
Views: 5660
Reputation: 1161
If you're going to be using .Net 6, you need to consider the pricing model of Identity Server 5, as Identity Server 4, which is free, does not support .Net 6.
The license for Identity Server 5 is only free for non-commercial projects, and for commercial projects if you make under 1 million dollars revenue. And it seems in the license that if you make under that, you can only use it freely for 1 year.
This is a big advantage for OpenIddict as it's free.
Upvotes: 2
Reputation: 12786
If you already have a token then you don't need IdentityServer4 or OpenIddict. IdentityServer4 and OpenIddict issue tokens upon request, but you seem to already have issued them yourself locally.
I sent my token from Site A to Site B using a form that does a POST over HTTPS.
    <form action="https://other-server.example.com/Account/" method="post" id="form">
        <input name="token" type="hidden" value="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...">
    </form>
You can also automatically submit the form using JavaScript.
    <script>
        document.getElementById('form').submit();
    </script>
Upvotes: -2
Reputation: 12786
You can set a cookie then redirect to a subdomain. The benefit of this method is that it prevents XSRF/session fixation attacks, as pointed out by Pinpoint. The disadvantage is that both sites have to reside on the same domain.
    [RequireHttps]
    public IActionResult Redirect()
    {
        var token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...";
        const string domain = "subdomain.example.com";

        // Scope the cookie to the target host and path; HttpOnly keeps it
        // away from scripts and Secure keeps it off plain HTTP.
        Response.Cookies.Append("token", token, new CookieOptions {
            Domain = domain,
            Expires = DateTime.Now.AddHours(1),
            HttpOnly = true,
            Path = new PathString("/Account"),
            Secure = true,
        });

        // Send the browser to the other site, which reads the cookie.
        return Redirect($"https://{domain}/Account");
    }
Upvotes: 1
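Both answers above deliver the token to the second site (form POST or cookie); the receiving `/Account` endpoint still has to verify it before trusting any claim in it. One way to do that check with only the .NET base class library, added here as an example and not taken from any of the posts: it assumes an HS256 token (which is what the `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9` header in the answers decodes to) and a key shared by the two sites; `ReceivedToken`, `Verify` and `sharedKey` are hypothetical names, and issuer/audience checks are left out.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public static class ReceivedToken
{
    // Returns the payload claims only if the token is a well-formed HS256 JWT,
    // its signature matches the shared key, and its exp claim is still in the future.
    public static JsonElement? Verify(string jwt, byte[] sharedKey, DateTimeOffset now)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) return null;
        try
        {
            // Pin the algorithm: the token must not choose how it is verified.
            using var header = JsonDocument.Parse(FromBase64Url(parts[0]));
            if (!header.RootElement.TryGetProperty("alg", out var alg) ||
                alg.GetString() != "HS256") return null;

            // Recompute the HMAC over "header.payload" and compare in constant time.
            using var hmac = new HMACSHA256(sharedKey);
            var expected = hmac.ComputeHash(Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]));
            if (!CryptographicOperations.FixedTimeEquals(expected, FromBase64Url(parts[2])))
                return null;

            // Read claims only after the signature has been accepted.
            using var payload = JsonDocument.Parse(FromBase64Url(parts[1]));
            var claims = payload.RootElement.Clone();
            if (!claims.TryGetProperty("exp", out var exp) ||
                now.ToUnixTimeSeconds() >= exp.GetInt64()) return null;
            return claims;
        }
        catch (Exception e) when (e is FormatException or JsonException or InvalidOperationException)
        {
            return null; // malformed base64url, JSON, or claim type: reject
        }
    }

    private static byte[] FromBase64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }
}
```

In the receiving controller this would be called with the value of the `token` form field or cookie and `DateTimeOffset.UtcNow`, and the request rejected when it returns `null`.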