drowhunter

Reputation: 379

Protect a single api resource with multiple IDServers

So I have a .Net Core web api, let's call it "CMS", and it's currently protected by an IdentityServer4 server as an api resource. I have configured the ID4 server to have the IDP claim of MyIDP.

For business reasons, I need to give a client their own IdentityServer, but they would also like to have their users access the same api "CMS".

Is this possible? In the StartUp.cs of my CMS api it currently looks like this:

services.AddAuthentication("Bearer")
    .AddIdentityServerAuthentication(options =>
    {
        options.Authority = "http://www.idserver1.com";
        options.RequireHttpsMetadata = true;
        options.ApiName = "cmsapi";
    });

So to add protection for another id server I assume I could just duplicate the AddAuthentication but change the scheme name from Bearer to something else, but that seems wrong?

The reason I think this should be possible is because I have been able to add multiple external providers to my Web Application in this manner. But this is for a sign-in flow and not for an api.

If this is possible how do I go about this?

Upvotes: 1

Views: 440

Answers (2)

drowhunter

Reputation: 379

I think I may have figured out the solution, based off another problem that was happening to me over here:

Using Client Credentials flow on identityserver4 and custom AuthorizationHandler User.Identity.isAuthenticated = false

Turns out you can use multiple authentication schemes to protect an api and choose which things to protect with what using the AuthenticationSchemes property of the Authorize attribute.

So you would just need a way to map the incoming bearer token to the correct authentication scheme.

Upvotes: 0
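The multi-scheme approach this answer describes, written out as an added example (not code from the question or either answer). It registers one scheme per IdentityServer and lets the authorization layer try both, so no manual mapping of a token to a scheme is needed: each handler validates the token against its own issuer's signing keys, and a token issued by the other server simply fails that handler and succeeds on the other. The scheme names "IdServer1" and "IdServer2", the authority URLs, the policy name "Idp1Only", and the controllers are assumptions; "cmsapi" is the ApiName from the question.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // No default scheme is passed here on purpose: every endpoint is
        // protected by an explicit policy or [Authorize(AuthenticationSchemes=...)],
        // so a misconfigured endpoint fails closed instead of silently using one IdP.
        services.AddAuthentication()
            // Scheme for the existing IdentityServer (hypothetical URL).
            .AddIdentityServerAuthentication("IdServer1", options =>
            {
                options.Authority = "https://www.idserver1.com";
                options.RequireHttpsMetadata = true;   // discovery doc only over TLS
                options.ApiName = "cmsapi";            // audience this API accepts
            })
            // Scheme for the client's own IdentityServer (hypothetical URL).
            // It must also register "cmsapi" as an API resource, otherwise its
            // tokens carry the wrong audience and are rejected here.
            .AddIdentityServerAuthentication("IdServer2", options =>
            {
                options.Authority = "https://idserver.client.example";
                options.RequireHttpsMetadata = true;
                options.ApiName = "cmsapi";
            });

        services.AddAuthorization(options =>
        {
            // Default policy: a valid token from EITHER server is enough.
            // The authorization middleware runs both handlers and merges
            // the successful identities into the principal.
            options.DefaultPolicy = new AuthorizationPolicyBuilder("IdServer1", "IdServer2")
                .RequireAuthenticatedUser()
                .Build();

            // Narrower policy for endpoints only the original IdP may reach.
            options.AddPolicy("Idp1Only", policy => policy
                .AddAuthenticationSchemes("IdServer1")
                .RequireAuthenticatedUser());
        });

        services.AddControllers();
    }
}

// Endpoints reachable with a token from either IdentityServer.
[ApiController]
[Route("content")]
[Authorize] // uses DefaultPolicy -> IdServer1 or IdServer2
public class ContentController : ControllerBase
{
    [HttpGet]
    public IActionResult Get()
    {
        // "iss" tells you which server issued the accepted token; useful for
        // audit logging and for per-tenant data scoping inside the API.
        var issuer = User.FindFirst("iss")?.Value;
        return Ok(new { issuer });
    }
}

// Endpoints restricted to the original IdentityServer only.
[ApiController]
[Route("admin")]
[Authorize(AuthenticationSchemes = "IdServer1")]
public class AdminController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok("admin only");
}
```

Both handlers share the same audience name, so the isolation between tenants comes entirely from the signature check against each authority's published keys; if the API also has to keep tenant data apart, branch on the `iss` claim rather than trusting anything else in the token.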

Vidmantas Blazevicius

Reputation: 4802

This can be achieved quite simply. Suppose you want to issue a separate subdomain for each of your clients: auth0.yourdomain.com, auth1.yourdomain.com and you want an api resource to respect the token from either of those identity providers.

Assuming that the signing key is the same, you can configure a shared issuer uri on the identity server side in Startup.cs->ConfigureServices(...):

var builder = services.AddIdentityServer(options =>
{
    options.IssuerUri = "auth.yourdomain.com";
})
...

And then on the api side you can respect the single issuer uri without having to duplicate authentication schemes:

services.AddAuthentication("Bearer")
    .AddIdentityServerAuthentication(options =>
    {
        options.Authority = "auth.yourdomain.com";
        options.RequireHttpsMetadata = true;
        options.ApiName = "cmsapi";
    });

One thing I can't remember is if the request scheme (http/https) is inferred for the issuer uri or not, so you might need to specify that as well (https://auth.yourdomain.com). Other than that, this sort of implementation should be quite seamless as far as your clients are concerned.

Upvotes: 2
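The part this answer takes as given, that both IdentityServer instances present the same issuer and sign with the same key, spelled out as an added example (not the answer's own code). The certificate path, the password configuration key, the client definition and the controller are assumptions; the issuer "https://auth.yourdomain.com" (with the scheme made explicit) and the api name "cmsapi" come from the answer.

```csharp
using System.Security.Cryptography.X509Certificates;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// Startup.cs deployed identically to auth0.yourdomain.com and auth1.yourdomain.com.
public class IdentityServerStartup
{
    private readonly IConfiguration _config;
    public IdentityServerStartup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        // Hypothetical location of the ONE signing certificate both hosts load.
        // Tokens are only interchangeable if every host signs with this same key
        // and publishes it under the same issuer; a host with its own key would
        // produce tokens the API rejects as "signature key not found".
        var signingCert = new X509Certificate2(
            "/secrets/shared-signing.pfx",
            _config["SigningCertPassword"]);

        services.AddIdentityServer(options =>
            {
                // Explicit scheme so the "iss" claim matches the API's Authority exactly.
                options.IssuerUri = "https://auth.yourdomain.com";
            })
            .AddSigningCredential(signingCert)
            .AddInMemoryApiResources(new[]
            {
                new ApiResource("cmsapi", "CMS API")   // audience the API checks
            })
            .AddInMemoryClients(new[]
            {
                new Client
                {
                    ClientId = "cms-client",               // hypothetical client
                    AllowedGrantTypes = GrantTypes.ClientCredentials,
                    ClientSecrets = { new Secret(_config["CmsClientSecret"].Sha256()) },
                    AllowedScopes = { "cmsapi" }
                }
            });
    }
}

// Startup.cs of the CMS API: validates against the shared issuer only.
public class ApiStartup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // https://auth.yourdomain.com must serve the discovery document
                // listing the shared key; the API never talks to auth0/auth1 directly.
                options.Authority = "https://auth.yourdomain.com";
                options.RequireHttpsMetadata = true;
                options.Audience = "cmsapi";
                options.TokenValidationParameters.ValidIssuer = "https://auth.yourdomain.com";
            });

        services.AddAuthorization();
        services.AddControllers();
    }
}
```

Because the API only ever sees the shared issuer, it cannot tell which host minted a token; if per-client separation matters, keep the separate-scheme approach from the first answer or have each host add a tenant claim that the API checks.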
