w0051977

Reputation: 15807

How do I use Identity Server with .NET Core 2.1?

I am trying to get Identity Server working on an ASP.NET Core 2.1 project and I have followed the instructions here, however, I realize those are for ASP.NET Core 2.0.

The Startup in the MVC client looks like this:

services.AddAuthentication(options =>
{
    options.DefaultScheme = "Cookies";
    options.DefaultChallengeScheme = "oidc";
})
    .AddCookie("Cookies")
    .AddOpenIdConnect("oidc", options =>
    {
        options.SignInScheme = "Cookies";
        options.Authority = "http://localhost:5000";
        options.RequireHttpsMetadata = false;
        options.ClientId = "mvc";
        options.ClientSecret = "secret";
        options.ResponseType = "code id_token";
        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;
        options.Scope.Add("api1");
        options.Scope.Add("offline_access");
    });

With ASP.NET Core 2.1 the identity component is accessed here: http://localhost/Identity/Account/Login. The code above is redirecting to: http://localhost/Account/Login. My first idea was to replace the following line:

options.Authority = "http://localhost:5000";

with:

options.Authority = "http://localhost:5000/Identity";

However, I then get an error saying:

IOException: IDX10804: Unable to retrieve document from: 'http://localhost:5000/Identity/.well-known/openid-configuration'.

This is because the path needs to be: 'http://localhost:5000/.well-known/openid-configuration'.

Can I fix this with routing? I believe if I ensure all requests to: http://localhost:5000/Account/Login are mapped to http://localhost:5000/Identity/Account/Login, then it will fix the issue. Is this correct and what would the route look like? I cannot get the route to work with an Area (Identity).

Upvotes: 1

Views: 6601

Answers (2)

Lance Parkington

Reputation: 67

Not sure whether it helps, but I had trouble with the .NET Core 2.1 Identity implementation (the Login/Logout pages do not always appear) and needed to add a default Identity as follows in Startup.cs:

// Identity context (the MigrationsAssembly lookup needs "using System.Reflection;")
services.AddDbContext<ApplicationDbContext>(options =>
{
    options.UseSqlServer(Configuration["DefaultConnection"],
        sqlOptions => sqlOptions.MigrationsAssembly(
            typeof(Startup).GetTypeInfo().Assembly.GetName().Name));
},
ServiceLifetime.Scoped);

// Configure the default Identity implementation; the default UI is served under the "Identity" area
services.AddDefaultIdentity<ApplicationUser>()
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddDefaultUI()
    .AddDefaultTokenProviders();

The previous version (.NET Core 2.0) is currently end of life (https://blogs.msdn.microsoft.com/dotnet/2018/06/20/net-core-2-0-will-reach-end-of-life-on-september-1-2018/), so I would not expect to find many GitHub repositories hosting applications that, months on, still only compile, build, and work using .NET Core 2.0. IdentityServer is currently the only open source application providing a satisfactory best-practice authentication/authorization framework for Single Sign On (SSO) using OpenID Connect and OAuth2 ;-)

Upvotes: 0

poke

Reputation: 387667

When you are using OpenID Connect, you do not have a login form on the web application. You are delegating the login responsibility to the OpenID Connect provider. In your case, that is IdentityServer, which is running in a separate application.

As such, it is not your web application you need to configure here: The authority is the root URL of your IdentityServer, so "http://localhost:5000" should be correct there. What you need to configure instead is IdentityServer to make it redirect to the right endpoints if it receives authorization requests without the user being logged in.

You can do that in the Startup of your IdentityServer application, where you add the service:

services.AddIdentityServer(options =>
{
    // Paths are relative to the IdentityServer host, so they resolve to the 2.1 Identity area
    options.UserInteraction.LoginUrl = "/Identity/Account/Login";
    options.UserInteraction.LogoutUrl = "/Identity/Account/Logout";
});

Upvotes: 8
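To show how the two answers fit together, here is an added example (not code from the question or from either answer) of the IdentityServer host's Startup.cs: ASP.NET Core 2.1 default Identity registered on the same host, IdentityServer's UserInteraction pointed at the area-scoped pages, and the "mvc" client from the question registered in memory. ApplicationUser, ApplicationDbContext, the "DefaultConnection" string and the MVC client port 5002 are assumptions.

```csharp
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Builder;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }
    public void ConfigureServices(IServiceCollection services)
    {
        // ApplicationDbContext / "DefaultConnection" are assumed names
        services.AddDbContext<ApplicationDbContext>(o =>
            o.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));
        // The 2.1 default Identity UI lives in the "Identity" area, so its pages are
        // /Identity/Account/Login and /Identity/Account/Logout, not /Account/Login.
        services.AddDefaultIdentity<ApplicationUser>()
            .AddEntityFrameworkStores<ApplicationDbContext>();
        services.AddIdentityServer(options =>
            {
                // Send unauthenticated authorize requests to the area-scoped pages.
                // IdentityServer appends ?ReturnUrl=/connect/authorize/callback?...,
                // which the default Login page follows via LocalRedirect after sign-in.
                options.UserInteraction.LoginUrl = "/Identity/Account/Login";
                options.UserInteraction.LogoutUrl = "/Identity/Account/Logout";
            })
            .AddDeveloperSigningCredential() // dev only; use a real signing key in production
            .AddInMemoryIdentityResources(new IdentityResource[]
                { new IdentityResources.OpenId(), new IdentityResources.Profile() })
            .AddInMemoryApiResources(new[] { new ApiResource("api1", "API 1") })
            .AddInMemoryClients(new[] { new Client // mirrors the MVC client in the question
            {
                ClientId = "mvc",
                ClientSecrets = { new Secret("secret".Sha256()) },
                AllowedGrantTypes = GrantTypes.Hybrid, // "code id_token"
                RedirectUris = { "http://localhost:5002/signin-oidc" }, // assumed MVC client port
                AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile, "api1" },
                AllowOfflineAccess = true, // issues refresh tokens for "offline_access"
            }})
            .AddAspNetIdentity<ApplicationUser>(); // authenticate users via ASP.NET Core Identity
        services.AddMvc();
    }
    public void Configure(IApplicationBuilder app)
    {
        app.UseIdentityServer(); // also registers the authentication middleware
        app.UseMvcWithDefaultRoute();
    }
}
```

The MVC client's Authority stays at http://localhost:5000, because the discovery document is served from the host root, not from the Identity area. RequireHttpsMetadata = false and plain http:// URLs are only acceptable on a local development box.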
