Sonika

Reputation: 151

Protect multiple APIs with IdentityServer4

We are using IdentityServer4 to protect our APIs. We have multiple APIs and we want to protect them with IdentityServer4 (i.e. by generating access tokens), but we have questions regarding validating the access tokens. Do we need to write the following code in each API?

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvcCore()
            .AddAuthorization()
            .AddJsonFormatters();

        services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "http://localhost:5000";
                options.RequireHttpsMetadata = false;

                options.ApiName = "api1";
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();

        app.UseMvc();
    }
}

Actually, we are following this tutorial (http://docs.identityserver.io/en/release/quickstarts/1_client_credentials.html) and they mention that we have to describe this in the corresponding API.

Upvotes: 3

Views: 1629

Answers (2)

m3n7alsnak3

Reputation: 3156

The short answer to your question is: yes, you do.

The explanation: you have to tell each API what authentication to use, and which is the provider.

Depending on the platform (.NET Framework or Core), you should use either the IdentityServer3.Contrib.AccessTokenValidation package (an up-to-date fork of the frozen branch) or the IdentityServer4.AccessTokenValidation package.

From what I see, you already have the code for the .NET Core approach, and it looks good.

The one for .NET Framework APIs can be found here

Hope that this helps.

Upvotes: 1

Metehan Senol

Reputation: 669

You should create a separate AuthServer app and write this code inside it.

Then you can validate JWT tokens which are generated by your AuthServer using the IdentityServer4.AccessTokenValidation package.

Your AuthServer should look like this:

public void ConfigureServices(IServiceCollection services)
{
    var idSrvBuilder = services.AddIdentityServer()
        .AddSigningCredential(new X509Certificate2(
            Path.Combine(Environment.ContentRootPath, "certs", "yourcert.pfx"), "yourcertpass",
            X509KeyStorageFlags.MachineKeySet))
        .AddResourceOwnerValidator<ResourceOwnerPasswordValidator>()
        .AddProfileService<ProfileService>()
        .AddInMemoryIdentityResources(Config.GetIdentityResources())
        .AddInMemoryApiResources(Config.GetApiResources())
        .AddInMemoryClients(Config.GetClients());
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    app.UseIdentityServer();
}

For IdentityServer configuration, you can look here: http://docs.identityserver.io/en/release/topics/startup.html

And in your other APIs you can validate JWT tokens like the following:

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(options =>
        {
            options.Authority = "http://YourAuthServerUrl";
            options.RequireHttpsMetadata = false;
            options.Audience = "api1";
        });
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    app.UseAuthentication();
}

Upvotes: 0
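
Both answers agree that every API must register token validation itself. The following is an added example, not code from either answer or from the IdentityServer4 project: a shared extension method that each API calls with its own `ApiName`, so the registration is written once while every API still validates tokens against its own audience. The class name `ApiTokenValidationExtensions`, the method `AddApiTokenValidation` and the `isDevelopment` parameter are hypothetical; the package is IdentityServer4.AccessTokenValidation, as in the question.

```csharp
using System;
using IdentityServer4.AccessTokenValidation;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical shared helper, e.g. in a class library referenced by every API.
public static class ApiTokenValidationExtensions
{
    public static IServiceCollection AddApiTokenValidation(
        this IServiceCollection services,
        string authority,    // URL of the IdentityServer4 host
        string apiName,      // this API's resource name; differs per API
        bool isDevelopment)  // assumption: caller passes its environment flag
    {
        if (string.IsNullOrWhiteSpace(authority))
            throw new ArgumentException("Authority is required.", nameof(authority));
        if (string.IsNullOrWhiteSpace(apiName))
            throw new ArgumentException("ApiName is required.", nameof(apiName));

        // Outside development, refuse a plain-HTTP authority: the discovery
        // document and signing keys would otherwise be fetched without TLS.
        var isHttps = authority.StartsWith("https://", StringComparison.OrdinalIgnoreCase);
        if (!isHttps && !isDevelopment)
            throw new InvalidOperationException("Authority must use HTTPS outside development.");

        services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = authority;
                // Only relaxed for local development, as in the quickstart.
                options.RequireHttpsMetadata = !isDevelopment;
                // Each API keeps its own name, so a token issued for one
                // API is rejected by the others.
                options.ApiName = apiName;
            });

        return services;
    }
}

// In each API's Startup.ConfigureServices (values from the question):
//   services.AddApiTokenValidation("http://localhost:5000", "api1", isDevelopment: true);
```

Each API still needs `app.UseAuthentication()` in `Configure`, exactly as in the question's `Startup`.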
