introduction to identityserversddconf.com/brands/sdd/library/introduction_to_identityserver.pdf ·...
TRANSCRIPT
IntroductiontoIdentityServer
TheopensourceOIDCframeworkfor.NET
BrockAllenhttp://brockallen.com
Slides and code: http://1drv.ms/1PLU4DV
@IdentityServer
DominickBaierhttp://leastprivilege.com
Outline
• MotivateIdentityServer• Hosting,configuring,andrunningIdentityServer
WhatisIdentityServer?
• Frameworkforbuildingapplicationsecurity• Singlesign-on• ProtectingWebAPIs
Withoutsinglesign-on
App2
App3
App1AuthenticationRegistration
Etc…
AuthenticationRegistration
Etc…
AuthenticationRegistration
Etc…
username/password
TokenService
Singlesign-onwithatokenservice
App2
App3
App1
AuthenticationRegistration
Etc…
APISecurity
API2
API3API1credentials
credentials
credentials
APISecuritywithatokenservice
API2
API3
API1
TokenServicecredentials
WhatisIdentityServer?
• Free,OSSframeworkforbuildingtokenservice• OpenIDConnectandOAuth2
• Designedforflexibilityandcustomization• Morecontrolthanoff-the-shelf/SaaSproducts
• Canbeusedstand-aloneorcaninteropwithotherproviders• Helpsabstractexternalinfrastructure
•è Becomesyourapplications'identityplatform
Architecture
• Designedasmiddleware• Requiresdevelopertobuildhost
• Configurationdrivestokenservice• Requiresdevelopertoprovideconfiguration
• Manyextensibilitypoints• Somerequired(coreobjectmodelandconfigurationdata)• Someoptional(tooverridedefaultbehavior)
Platforms
• IdentityServer3(released:Jan,2015)• OWIN/Katana• .NET4.5,ASP.NET5(full.NETframeworkonly),Mono
• IdentityServer4(released:sametimeasASP.NET5)• ASP.NET5• .NETCore,full.NETframework
Coreobjectmodel
ConfiguringIdentityServer
• Configurationdrivesbehavior• Signingcertificateneeded• Factorycontainsconfigurationaroundobjectmodelpublic void Configuration(IAppBuilder app){
var factory = new IdentityServerServiceFactory();// more factory config here...
var cert = X509.LocalMachine.My.SubjectDistinguishedName.Find("CN=sts").First();
var options = new IdentityServerOptions {SiteName = "My Token Service",Factory = factory,SigningCertificate = cert
};app.UseIdentityServer(options);
}
Configuringusers
• Userdatanormallystoredindatabase• IUserService extensibilitypointusedtoloaduserdatafromdatabase
• Inmemoryconfigurationusefulforprototyping/development
var factory = new IdentityServerServiceFactory();
var users = new List<InMemoryUser> {new InMemoryUser {
Subject = "123",Username = "alice", Password = "password",
}};factory.UseInMemoryUsers(users);
Configuringscopes
• Identityscopesmodelaccesstouserinformation• Constantsforstandardidentityscopesalreadydefined
• ResourcescopesmodelaccesstowebAPIs
var factory = new IdentityServerServiceFactory();
var scopes = new Scope[] {StandardScopes.OpenId, // user's unique idStandardScopes.Email, // user's emailnew Scope { // custom web api
Name = "api1",DisplayName = "My API",Type = ScopeType.Resource
}};factory.UseInMemoryScopes(scopes);
Configuringclients
• Manydifferentconfigurationvaluesdependingonflow• ForMVCclient,implicitflowcommonlyused
var factory = new IdentityServerServiceFactory();
var clients = new Client[] {new Client {
ClientId = "mvc",ClientName = "MVC App",Flow = Flows.Implicit,RedirectUris = new List<string> { "https://server.com/YourMvcClient" },AllowedScopes = new List<string> { "openid", "email", "api1" }
}};factory.UseInMemoryClients(clients);
Configuringclientapplication
• OpenIDConnectmiddlewareusedtoobtaintokens• Handlesprotocoldetails• Issuescookiewithcookieauthenticationmiddleware• Accesstokenreturnedandshouldbestored(usuallyincookieclaims)
• UseaccesstokenasAuthorizationHTTPheader• Using"Bearer"scheme
ConfiguringOpenIDConnectmiddlewarepublic void Configuration(IAppBuilder app){
app.UseCookieAuthentication(new CookieAuthenticationOptions{
AuthenticationType = "cookies",});
JwtSecurityTokenHandler.InboundClaimTypeMap.Clear();
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions{
AuthenticationType = "oidc",SignInAsAuthenticationType = "cookies",UseTokenLifetime = false,Authority = "https://localhost:44333/",ClientId = "mvc",RedirectUri = "https://localhost:44300/",ResponseType = "id_token token",Scope = "openid email api1",Notifications = new OpenIdConnectAuthenticationNotifications {...}
});}
UsingaccesstokentocallwebAPI[Authorize]public async Task<IActionResult> CallApi(){
var client = new HttpClient();
var access_token = User.FindFirst("access_token").Value;client.DefaultRequestHeaders.Authorization =
new AuthenticationHeaderValue("Bearer", access_token);
var result = await client.GetAsync("http://localhost:21177/test");if (result.IsSuccessStatusCode){
var json = await result.Content.ReadAsStringAsync();return Content(json, "application/json");
}else{
return Content("Error: " + result.StatusCode);}
}
ProtectingWebAPI
• JwtBearerTokenmiddlewarevalidatesaccesstokens• AccesstokencontentsturnedintoClaimsPrincipal onUser
public void Configuration(IAppBuilder app){
JwtSecurityTokenHandler.InboundClaimTypeMap.Clear();
app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions {
Authority = "https://localhost:44333/",RequiredScopes = new string[] { "api1" }
});
var config = new HttpConfiguration();// ...app.UseWebApi(config);
}
Beyondin-memoryconfiguration…
• IdentityServerdesignedforextensibility• IdentityServerdefinesseveralinterfacestomodelfunctionality
• Commoncustomizations• Stores• Userservice• Branding/UI• Logging/auditing
Clientandscopestores
• Storesprovidesread-onlyaccesstoconfiguration• In-memoryimplementationusefulfordevelopment/testing• EFimplementationsupported• Othercommunityprovidedimplementations
public interface IClientStore{
Task<Client> FindClientByIdAsync(string clientId);}
public interface IScopeStore{
Task<IEnumerable<Scope>> FindScopesAsync(IEnumerable<string> scopeNames);Task<IEnumerable<Scope>> GetScopesAsync(bool publicOnly = true);
}
Userservice
• Userservicemodelsusers• Containsauthenticationlogic• Providesclaimsforusers• Supportsuserdeactivation
• Supportedimplementations• In-memory• MembershipReboot• ASP.NETIdentity
public interface IUserService{
Task PreAuthenticateAsync(PreAuthenticationContext context);Task AuthenticateLocalAsync(LocalAuthenticationContext context);Task AuthenticateExternalAsync(ExternalAuthenticationContext context);Task PostAuthenticateAsync(PostAuthenticationContext context); Task SignOutAsync(SignOutContext context);Task GetProfileDataAsync(ProfileDataRequestContext context);Task IsActiveAsync(IsActiveContext context);
}
Otheruserservicefeatures
• Externalidentityproviders• Socialorotherexternalproviders• CustomizableHRD
• Userworkflow• Priortologinusermustperformregistration• AtloginusermustacceptEULAorprovide2FA• Userimpersonation
Otherextensibilityandcustomization
• Visualassets• BrandingofHTML,CSS,etc.
• Tokenserviceconfiguration• Claimscontainedintokensareconfigurable• Configurableexpiration• Accesstokentype(JWTvs.referencetokens)• Tokenandconsentrevocability• Customvalidation• Delegationscenarios
• Loggingandevents
Resources
• Sourcecode,samples,andissuetracker• https://github.com/IdentityServer
• Documentation• https://identityserver.github.io/Documentation
• Gitter• https://gitter.im/IdentityServer/IdentityServer3• https://gitter.im/IdentityServer/IdentityServer4
Summary
• IdentityServerprovidesanOIDCandOAuth2framework• Designedforextensibilityandcustomization