SlideShare a Scribd company logo

OAuth2 and IdentityServer3

Download as PPTX, PDF
P
Paul Glavich

The slides from my talk at DDDSydney 2016 around Integrating IdentityServer into your applications.

Software
1 of 19
OAUTH2 AND IDENTITYSERVER3 Integrating into your application
What we will and won’t cover ■ Will –What is Identity Server and why use it. ■ Will – How to start integrating into your app. ■ Will – Extension points, customisation points, token types. ■ Will – Nasty bits, hard stuff, pain points. ■ Won’t – Detail or explain all OAuth2 flows. ■ Won’t – Show every possible integration scenario and customisation point ■ Take away – Having a good idea on technical cost, difficulty and suitability for a given situation. – How to begin and where to go from there.
Its not you, It’s me ■ Paul Glavich ■ @glav, glav@theglavs.com ■ ASP.Net MVP 12 years ■ Author 3 books, various articles, http://weblogs.asp.net/pglavich ■ International speaker (does NZ count?) ■ ASPInsider ■ CTO Saasu.com
What is Identity Server ■ Spec compliantOAuth2 Authorisation server (STS) – (That means it’s big and complex) ■ OAuth2 flows and OpenID connect ■ Can integrate with external providers (google etc) ■ Open source, (Dominick Baier and Brock Allen) – Identity Server 3 v2.5 (latest) – Identity Server 4 (support for .Net core/vNext) – In progress ■ Series of Nuget packages,Owin based implementation
Free accessories ■ Identity Manager – In beta – Tool to admin users, claims etc. – Similar to website admin tool ■ Identity Model – Helper classes – Client code ■ https://identityserver.github.io/
Why bother? ■ Can develop your own right . . . . .?
Writing your own OAuth/Identity Server ■ It can be done….. ■ But often ends in tears.
Alternatives ■ Other alternatives – Auth0 ( https://auth0.com/ ) ■ Cloud based, good integration hooks, some cost – Azure/AD (https://azure.microsoft.com/en-us/services/active-directory/ ) ■ Cloud, multi-protocol, some cost – WS02 ( http://wso2.com/ ) ■ Java, multi-protocol (WS-*, OpenId, EIB) – open source and paid versions.
Getting started ■ Install nuget package “IdentityServer3” ■ Configure startup ■ Demo: Simplest setup
Logging ■ Supports a variety of pluggable log sources. ■ Get logging working first and worry about all the flows later. ■ Saves hours in debugging time. ■ Supports Serilog, Nlog, Log4Net, Enterprise Library & Loupe. – Install requisite nuget package
High levelView IdSrv Endpoints AssetsExternal Integration Application Services Repository Stores * Can customise * Can customise * Can customise * Can configure * Not applicable to all OAuth flows
Customising Assets ■ Stylesheets ■ HtmlViews/Templates – Login/Logout form – Consent form – Permissions view – Error form ■ Loaded via DefaultViewService (implements IViewService) ■ Customise loading via custom IViewService implementation <Asset> <img src=“funny-cat.gif” /> </Asset>
Configuring custom assets ■ Only the welcome page is not configurable (but is replaceable) – Can disable ■ Setup loading of custom partial views ■ Demo
What about the data store? ■ EntityFramework 6 Nuget package ■ Fully customisable storage engine via custom interface implementation – TokenHandleStore, ConsentStore, ClientStore, etc… – TokenHandleService, ConsentService, ClientService ■ Should at least configure IUserStore, IClientStore, IScopeStore (mandatory). – AuthorizationCodeStore,TokenHandleStore, RefreshTokenStore, ConsentStore (mandatory for prod) ■ Demo with dapper
Embedded IdentityServer with OpenId ■ IdentityServer to manage the authentication of users and token/cookies. ■ [Authorise] – just works [Authorize] public ActionResult Index() { ViewBag.Title = "Secured Page"; return View(); } ■ [ResourceAuthorize(“action”,”resource”)] – based on resource and action – Requires nuget package IdentityModel.Owin.ResourceAuthorization.Mvc ■ Demo
It is not all unicorns and rainbows… ■ Integrating IdentityServer is far from simple. – In reality, it will take some time ■ Errors are not always obvious ■ Look to the samples.There are many. ■ Get used to reading the issue register and following threads. ■ Testing, particularlyAuthorization Code and hybrid flow can be tricky – Utilise this test harness/console app or write your own
Takeaways and items to remember ■ Get logging working first. It will save you hours of debugging. ■ Download all the samples, and familiarise yourself with your specific scenarios. – Looking at alternate samples may only serve to confuse initially. – Lots of different ways to get going. ■ When looking at documentation, ensure you are looking at the latest. – Can easily be looking at older versions inadvertently. Much confusion. ■ Create a test harness, callback site, or something to assist testing and verifications
Links and resources ■ Identity Server: https://identityserver.github.io/ ■ Demo code, DB scripts: https://github.com/glav/DDDSyd2016 ■ OAuth2: http://oauth.net/2/ ■ Auth0: https://auth0.com/ ■ WS02: http://wso2.com/ ■ Me: glav@theglavs.com and @glav
1-5 August DDD Sydney thanks our sponsors

Recommended

OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015Stuart
 
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...Codemotion
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorizationGiulio De Donato
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationStefan Achtsnit
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2Rodrigo Cândido da Silva
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication Micron Technology
 
Web 20 Security - Vordel
Web 20 Security - VordelWeb 20 Security - Vordel
Web 20 Security - Vordelguest2a1135
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security EcosystemPrabath Siriwardena
 

Recommended

OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015OAuth with AngularJS and WebAPI - SoCal Code Camp 2015
OAuth with AngularJS and WebAPI - SoCal Code Camp 2015Stuart
 
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...
Securing your apps with OAuth2 and OpenID Connect - Roland Guijt - Codemotion...Codemotion
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorizationGiulio De Donato
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationStefan Achtsnit
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2Rodrigo Cândido da Silva
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication Micron Technology
 
Web 20 Security - Vordel
Web 20 Security - VordelWeb 20 Security - Vordel
Web 20 Security - Vordelguest2a1135
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security EcosystemPrabath Siriwardena
 
Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityRyan Dawson
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
API Security - Null meet
API Security - Null meetAPI Security - Null meet
API Security - Null meetvinoth kumar
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
Stateless authentication for microservices
Stateless authentication for microservicesStateless authentication for microservices
Stateless authentication for microservicesAlvaro Sanchez-Mariscal
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Hermann Burgmeier
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuAntonio Sanso
 
How secure are webinar platforms?
How secure are webinar platforms?How secure are webinar platforms?
How secure are webinar platforms?SecuRing
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldVMware Tanzu
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
4Developers 2018: Real-time capabilities in ASP.NET Core web applications (To...
4Developers 2018: Real-time capabilities in ASP.NET Core web applications (To...4Developers 2018: Real-time capabilities in ASP.NET Core web applications (To...
4Developers 2018: Real-time capabilities in ASP.NET Core web applications (To...PROIDEA
 
Rest Security with JAX-RS
Rest Security with JAX-RSRest Security with JAX-RS
Rest Security with JAX-RSFrank Kim
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache ShiroClaire Hunsaker
 
Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Abhishek Koserwal
 
Windows Azure: Connecting the Dots for a Mobile Workforce
Windows Azure: Connecting the Dots for a Mobile WorkforceWindows Azure: Connecting the Dots for a Mobile Workforce
Windows Azure: Connecting the Dots for a Mobile WorkforceTechWell
 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0robwinch
 
How LinkedIn changed its security model in order to offer an API
How LinkedIn changed its security model in order to offer an APIHow LinkedIn changed its security model in order to offer an API
How LinkedIn changed its security model in order to offer an APILinkedIn
 
Design Summit - Security Roadmap - Keenan Brock, Alberto Bellotti
Design Summit - Security Roadmap - Keenan Brock, Alberto BellottiDesign Summit - Security Roadmap - Keenan Brock, Alberto Bellotti
Design Summit - Security Roadmap - Keenan Brock, Alberto BellottiManageIQ
 
Javacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 SpeechJavacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 SpeechFernando Redondo Ramírez
 
ng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applicationsng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS ApplicationsKevin Hakanson
 
IdentityServer 4
IdentityServer 4IdentityServer 4
IdentityServer 4Vinicius Quaiato
 
Devops - Bringing real benefits to the business.
Devops - Bringing real benefits to the business.Devops - Bringing real benefits to the business.
Devops - Bringing real benefits to the business.Paul Glavich
 

More Related Content

What's hot

Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityRyan Dawson
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
API Security - Null meet
API Security - Null meetAPI Security - Null meet
API Security - Null meetvinoth kumar
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
Stateless authentication for microservices
Stateless authentication for microservicesStateless authentication for microservices
Stateless authentication for microservicesAlvaro Sanchez-Mariscal
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Hermann Burgmeier
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuAntonio Sanso
 
How secure are webinar platforms?
How secure are webinar platforms?How secure are webinar platforms?
How secure are webinar platforms?SecuRing
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldVMware Tanzu
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
4Developers 2018: Real-time capabilities in ASP.NET Core web applications (To...
4Developers 2018: Real-time capabilities in ASP.NET Core web applications (To...4Developers 2018: Real-time capabilities in ASP.NET Core web applications (To...
4Developers 2018: Real-time capabilities in ASP.NET Core web applications (To...PROIDEA
 
Rest Security with JAX-RS
Rest Security with JAX-RSRest Security with JAX-RS
Rest Security with JAX-RSFrank Kim
 
Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Abhishek Koserwal
 
Windows Azure: Connecting the Dots for a Mobile Workforce
Windows Azure: Connecting the Dots for a Mobile WorkforceWindows Azure: Connecting the Dots for a Mobile Workforce
Windows Azure: Connecting the Dots for a Mobile WorkforceTechWell
 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0robwinch
 
How LinkedIn changed its security model in order to offer an API
How LinkedIn changed its security model in order to offer an APIHow LinkedIn changed its security model in order to offer an API
How LinkedIn changed its security model in order to offer an APILinkedIn
 
Design Summit - Security Roadmap - Keenan Brock, Alberto Bellotti
Design Summit - Security Roadmap - Keenan Brock, Alberto BellottiDesign Summit - Security Roadmap - Keenan Brock, Alberto Bellotti
Design Summit - Security Roadmap - Keenan Brock, Alberto BellottiManageIQ
 
ng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applicationsng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS ApplicationsKevin Hakanson
 

What's hot (20)

Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibility
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
API Security - Null meet
API Security - Null meetAPI Security - Null meet
API Security - Null meet
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
Stateless authentication for microservices
Stateless authentication for microservicesStateless authentication for microservices
Stateless authentication for microservices
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuOAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
 
How secure are webinar platforms?
How secure are webinar platforms?How secure are webinar platforms?
How secure are webinar platforms?
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices World
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
 
4Developers 2018: Real-time capabilities in ASP.NET Core web applications (To...
4Developers 2018: Real-time capabilities in ASP.NET Core web applications (To...4Developers 2018: Real-time capabilities in ASP.NET Core web applications (To...
4Developers 2018: Real-time capabilities in ASP.NET Core web applications (To...
 
Rest Security with JAX-RS
Rest Security with JAX-RSRest Security with JAX-RS
Rest Security with JAX-RS
 
Intro to Apache Shiro
Intro to Apache ShiroIntro to Apache Shiro
Intro to Apache Shiro
 
Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)Draft: building secure applications with keycloak (oidc/jwt)
Draft: building secure applications with keycloak (oidc/jwt)
 
Windows Azure: Connecting the Dots for a Mobile Workforce
Windows Azure: Connecting the Dots for a Mobile WorkforceWindows Azure: Connecting the Dots for a Mobile Workforce
Windows Azure: Connecting the Dots for a Mobile Workforce
 
From 0 to Spring Security 4.0
From 0 to Spring Security 4.0From 0 to Spring Security 4.0
From 0 to Spring Security 4.0
 
How LinkedIn changed its security model in order to offer an API
How LinkedIn changed its security model in order to offer an APIHow LinkedIn changed its security model in order to offer an API
How LinkedIn changed its security model in order to offer an API
 
Design Summit - Security Roadmap - Keenan Brock, Alberto Bellotti
Design Summit - Security Roadmap - Keenan Brock, Alberto BellottiDesign Summit - Security Roadmap - Keenan Brock, Alberto Bellotti
Design Summit - Security Roadmap - Keenan Brock, Alberto Bellotti
 
Javacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 SpeechJavacro 2014 Spring Security 3 Speech
Javacro 2014 Spring Security 3 Speech
 
ng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applicationsng-owasp: OWASP Top 10 for AngularJS Applications
ng-owasp: OWASP Top 10 for AngularJS Applications
 

Viewers also liked

Devops - Bringing real benefits to the business.
Devops - Bringing real benefits to the business.Devops - Bringing real benefits to the business.
Devops - Bringing real benefits to the business.Paul Glavich
 
Building APIs with MVC 6 and OAuth
Building APIs with MVC 6 and OAuthBuilding APIs with MVC 6 and OAuth
Building APIs with MVC 6 and OAuthFilip Ekberg
 
Single Sign On con IdentityServer
Single Sign On con IdentityServerSingle Sign On con IdentityServer
Single Sign On con IdentityServerMauro Servienti
 
Auth done right - OpenID Connect with IdentityServer @ DotNetCrowd, Vilnius
Auth done right - OpenID Connect with IdentityServer @ DotNetCrowd, VilniusAuth done right - OpenID Connect with IdentityServer @ DotNetCrowd, Vilnius
Auth done right - OpenID Connect with IdentityServer @ DotNetCrowd, VilniusTomas Urbonaitis
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?Oliver Pfaff
 
TDC2016SP - Unificando a autenticação e controlando acesso a API com Identity...
TDC2016SP - Unificando a autenticação e controlando acesso a API com Identity...TDC2016SP - Unificando a autenticação e controlando acesso a API com Identity...
TDC2016SP - Unificando a autenticação e controlando acesso a API com Identity...tdc-globalcode
 
ASP.NET Identity - O Novo componente de Membership do ASP.NET
ASP.NET Identity - O Novo componente de Membership do ASP.NETASP.NET Identity - O Novo componente de Membership do ASP.NET
ASP.NET Identity - O Novo componente de Membership do ASP.NETEduardo Pires
 
Oauth2 & OpenID Connect
Oauth2 & OpenID ConnectOauth2 & OpenID Connect
Oauth2 & OpenID ConnectPascal Flamand
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectSaran Doraiswamy
 
Solution Architecture Patterns for Digital Transformation
Solution Architecture Patterns for Digital TransformationSolution Architecture Patterns for Digital Transformation
Solution Architecture Patterns for Digital TransformationWSO2
 
Identity Management for Web Application Developers
Identity Management for Web Application DevelopersIdentity Management for Web Application Developers
Identity Management for Web Application DevelopersWSO2
 
The 10 Best Copywriting Formulas for Social Media Headlines
The 10 Best Copywriting Formulas for Social Media HeadlinesThe 10 Best Copywriting Formulas for Social Media Headlines
The 10 Best Copywriting Formulas for Social Media HeadlinesBuffer
 

Viewers also liked (14)

IdentityServer 4
IdentityServer 4IdentityServer 4
IdentityServer 4
 
Devops - Bringing real benefits to the business.
Devops - Bringing real benefits to the business.Devops - Bringing real benefits to the business.
Devops - Bringing real benefits to the business.
 
Building APIs with MVC 6 and OAuth
Building APIs with MVC 6 and OAuthBuilding APIs with MVC 6 and OAuth
Building APIs with MVC 6 and OAuth
 
Single Sign On con IdentityServer
Single Sign On con IdentityServerSingle Sign On con IdentityServer
Single Sign On con IdentityServer
 
Auth done right - OpenID Connect with IdentityServer @ DotNetCrowd, Vilnius
Auth done right - OpenID Connect with IdentityServer @ DotNetCrowd, VilniusAuth done right - OpenID Connect with IdentityServer @ DotNetCrowd, Vilnius
Auth done right - OpenID Connect with IdentityServer @ DotNetCrowd, Vilnius
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
 
TDC2016SP - Unificando a autenticação e controlando acesso a API com Identity...
TDC2016SP - Unificando a autenticação e controlando acesso a API com Identity...TDC2016SP - Unificando a autenticação e controlando acesso a API com Identity...
TDC2016SP - Unificando a autenticação e controlando acesso a API com Identity...
 
ASP.NET Identity - O Novo componente de Membership do ASP.NET
ASP.NET Identity - O Novo componente de Membership do ASP.NETASP.NET Identity - O Novo componente de Membership do ASP.NET
ASP.NET Identity - O Novo componente de Membership do ASP.NET
 
Oauth2 & OpenID Connect
Oauth2 & OpenID ConnectOauth2 & OpenID Connect
Oauth2 & OpenID Connect
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
 
Solution Architecture Patterns for Digital Transformation
Solution Architecture Patterns for Digital TransformationSolution Architecture Patterns for Digital Transformation
Solution Architecture Patterns for Digital Transformation
 
Identity Management for Web Application Developers
Identity Management for Web Application DevelopersIdentity Management for Web Application Developers
Identity Management for Web Application Developers
 
The 10 Best Copywriting Formulas for Social Media Headlines
The 10 Best Copywriting Formulas for Social Media HeadlinesThe 10 Best Copywriting Formulas for Social Media Headlines
The 10 Best Copywriting Formulas for Social Media Headlines
 
Culture
CultureCulture
Culture
 

Similar to OAuth2 and IdentityServer3

The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil FrameworkVeilFramework
 
Tech io nodejs_20130531_v0.6
Tech io nodejs_20130531_v0.6Tech io nodejs_20130531_v0.6
Tech io nodejs_20130531_v0.6Ganesh Kondal
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Barry Dorrans
 
AWS DevOps - Terraform, Docker, HashiCorp Vault
AWS DevOps - Terraform, Docker, HashiCorp VaultAWS DevOps - Terraform, Docker, HashiCorp Vault
AWS DevOps - Terraform, Docker, HashiCorp VaultGrzegorz Adamowicz
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsAnthony D Hendricks
 
The Importance Things of Full Stack Development
The Importance Things of Full Stack DevelopmentThe Importance Things of Full Stack Development
The Importance Things of Full Stack DevelopmentMike Taylor
 
Rapid app building with loopback framework
Rapid app building with loopback frameworkRapid app building with loopback framework
Rapid app building with loopback frameworkThomas Papaspiros
 
DevOps Tooling - Pop-up Loft TLV 2017
DevOps Tooling - Pop-up Loft TLV 2017DevOps Tooling - Pop-up Loft TLV 2017
DevOps Tooling - Pop-up Loft TLV 2017Amazon Web Services
 
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsCloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsYevgeniy Brikman
 
Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]
Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]
Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]Websec México, S.C.
 
DEF CON 23 - BRENT - white hacking web apps wp
DEF CON 23 - BRENT - white hacking web apps wpDEF CON 23 - BRENT - white hacking web apps wp
DEF CON 23 - BRENT - white hacking web apps wpFelipe Prado
 
AWS Meet-up: Logging At Scale on AWS
AWS Meet-up: Logging At Scale on AWSAWS Meet-up: Logging At Scale on AWS
AWS Meet-up: Logging At Scale on AWSChris Riddell
 
Bootstrapping - Session 1 - Your First Week with Amazon EC2
Bootstrapping - Session 1 - Your First Week with Amazon EC2Bootstrapping - Session 1 - Your First Week with Amazon EC2
Bootstrapping - Session 1 - Your First Week with Amazon EC2Amazon Web Services
 
004 - Logging in the Cloud -- hide01.ir.pptx
004 - Logging in the Cloud -- hide01.ir.pptx004 - Logging in the Cloud -- hide01.ir.pptx
004 - Logging in the Cloud -- hide01.ir.pptxnitinscribd
 
Deploy Mediawiki Using FIWARE Lab Facilities
Deploy Mediawiki Using FIWARE Lab FacilitiesDeploy Mediawiki Using FIWARE Lab Facilities
Deploy Mediawiki Using FIWARE Lab FacilitiesFIWARE
 
Coding for production
Coding for productionCoding for production
Coding for productionjehiah
 

Similar to OAuth2 and IdentityServer3 (20)

Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil Framework
 
I hunt sys admins 2.0
I hunt sys admins 2.0I hunt sys admins 2.0
I hunt sys admins 2.0
 
Tech io nodejs_20130531_v0.6
Tech io nodejs_20130531_v0.6Tech io nodejs_20130531_v0.6
Tech io nodejs_20130531_v0.6
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10
 
AWS DevOps - Terraform, Docker, HashiCorp Vault
AWS DevOps - Terraform, Docker, HashiCorp VaultAWS DevOps - Terraform, Docker, HashiCorp Vault
AWS DevOps - Terraform, Docker, HashiCorp Vault
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shells
 
The Importance Things of Full Stack Development
The Importance Things of Full Stack DevelopmentThe Importance Things of Full Stack Development
The Importance Things of Full Stack Development
 
Rapid app building with loopback framework
Rapid app building with loopback frameworkRapid app building with loopback framework
Rapid app building with loopback framework
 
DevOps Tooling - Pop-up Loft TLV 2017
DevOps Tooling - Pop-up Loft TLV 2017DevOps Tooling - Pop-up Loft TLV 2017
DevOps Tooling - Pop-up Loft TLV 2017
 
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutionsCloud adoption fails - 5 ways deployments go wrong and 5 solutions
Cloud adoption fails - 5 ways deployments go wrong and 5 solutions
 
Deploy MediaWiki usgin Fiware Lab Facilities
Deploy MediaWiki usgin Fiware Lab FacilitiesDeploy MediaWiki usgin Fiware Lab Facilities
Deploy MediaWiki usgin Fiware Lab Facilities
 
Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]
Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]
Echidna, sistema de respuesta a incidentes open source [GuadalajaraCON 2013]
 
DEF CON 23 - BRENT - white hacking web apps wp
DEF CON 23 - BRENT - white hacking web apps wpDEF CON 23 - BRENT - white hacking web apps wp
DEF CON 23 - BRENT - white hacking web apps wp
 
Knolx session
Knolx sessionKnolx session
Knolx session
 
AWS Meet-up: Logging At Scale on AWS
AWS Meet-up: Logging At Scale on AWSAWS Meet-up: Logging At Scale on AWS
AWS Meet-up: Logging At Scale on AWS
 
Bootstrapping - Session 1 - Your First Week with Amazon EC2
Bootstrapping - Session 1 - Your First Week with Amazon EC2Bootstrapping - Session 1 - Your First Week with Amazon EC2
Bootstrapping - Session 1 - Your First Week with Amazon EC2
 
004 - Logging in the Cloud -- hide01.ir.pptx
004 - Logging in the Cloud -- hide01.ir.pptx004 - Logging in the Cloud -- hide01.ir.pptx
004 - Logging in the Cloud -- hide01.ir.pptx
 
Deploy Mediawiki Using FIWARE Lab Facilities
Deploy Mediawiki Using FIWARE Lab FacilitiesDeploy Mediawiki Using FIWARE Lab Facilities
Deploy Mediawiki Using FIWARE Lab Facilities
 
Coding for production
Coding for productionCoding for production
Coding for production
 

Recently uploaded

(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about usDynamic Netsoft
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendArshad QA
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 

Recently uploaded (20)

(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
DNT_Corporate presentation know about us
DNT_Corporate presentation know about usDNT_Corporate presentation know about us
DNT_Corporate presentation know about us
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Test Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and BackendTest Automation Strategy for Frontend and Backend
Test Automation Strategy for Frontend and Backend
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 

OAuth2 and IdentityServer3

  • 2. What we will and won’t cover ■ Will –What is Identity Server and why use it. ■ Will – How to start integrating into your app. ■ Will – Extension points, customisation points, token types. ■ Will – Nasty bits, hard stuff, pain points. ■ Won’t – Detail or explain all OAuth2 flows. ■ Won’t – Show every possible integration scenario and customisation point ■ Take away – Having a good idea on technical cost, difficulty and suitability for a given situation. – How to begin and where to go from there.
  • 3. Its not you, It’s me ■ Paul Glavich ■ @glav, glav@theglavs.com ■ ASP.Net MVP 12 years ■ Author 3 books, various articles, http://weblogs.asp.net/pglavich ■ International speaker (does NZ count?) ■ ASPInsider ■ CTO Saasu.com
  • 4. What is Identity Server ■ Spec compliantOAuth2 Authorisation server (STS) – (That means it’s big and complex) ■ OAuth2 flows and OpenID connect ■ Can integrate with external providers (google etc) ■ Open source, (Dominick Baier and Brock Allen) – Identity Server 3 v2.5 (latest) – Identity Server 4 (support for .Net core/vNext) – In progress ■ Series of Nuget packages,Owin based implementation
  • 5. Free accessories ■ Identity Manager – In beta – Tool to admin users, claims etc. – Similar to website admin tool ■ Identity Model – Helper classes – Client code ■ https://identityserver.github.io/
  • 6. Why bother? ■ Can develop your own right . . . . .?
  • 7. Writing your own OAuth/Identity Server ■ It can be done….. ■ But often ends in tears.
  • 8. Alternatives ■ Other alternatives – Auth0 ( https://auth0.com/ ) ■ Cloud based, good integration hooks, some cost – Azure/AD (https://azure.microsoft.com/en-us/services/active-directory/ ) ■ Cloud, multi-protocol, some cost – WS02 ( http://wso2.com/ ) ■ Java, multi-protocol (WS-*, OpenId, EIB) – open source and paid versions.
  • 9. Getting started ■ Install nuget package “IdentityServer3” ■ Configure startup ■ Demo: Simplest setup
  • 10. Logging ■ Supports a variety of pluggable log sources. ■ Get logging working first and worry about all the flows later. ■ Saves hours in debugging time. ■ Supports Serilog, Nlog, Log4Net, Enterprise Library & Loupe. – Install requisite nuget package
  • 11. High levelView IdSrv Endpoints AssetsExternal Integration Application Services Repository Stores * Can customise * Can customise * Can customise * Can configure * Not applicable to all OAuth flows
  • 12. Customising Assets ■ Stylesheets ■ HtmlViews/Templates – Login/Logout form – Consent form – Permissions view – Error form ■ Loaded via DefaultViewService (implements IViewService) ■ Customise loading via custom IViewService implementation <Asset> <img src=“funny-cat.gif” /> </Asset>
  • 13. Configuring custom assets ■ Only the welcome page is not configurable (but is replaceable) – Can disable ■ Setup loading of custom partial views ■ Demo
  • 14. What about the data store? ■ EntityFramework 6 Nuget package ■ Fully customisable storage engine via custom interface implementation – TokenHandleStore, ConsentStore, ClientStore, etc… – TokenHandleService, ConsentService, ClientService ■ Should at least configure IUserStore, IClientStore, IScopeStore (mandatory). – AuthorizationCodeStore,TokenHandleStore, RefreshTokenStore, ConsentStore (mandatory for prod) ■ Demo with dapper
  • 15. Embedded IdentityServer with OpenId ■ IdentityServer to manage the authentication of users and token/cookies. ■ [Authorise] – just works [Authorize] public ActionResult Index() { ViewBag.Title = "Secured Page"; return View(); } ■ [ResourceAuthorize(“action”,”resource”)] – based on resource and action – Requires nuget package IdentityModel.Owin.ResourceAuthorization.Mvc ■ Demo
  • 16. It is not all unicorns and rainbows… ■ Integrating IdentityServer is far from simple. – In reality, it will take some time ■ Errors are not always obvious ■ Look to the samples.There are many. ■ Get used to reading the issue register and following threads. ■ Testing, particularlyAuthorization Code and hybrid flow can be tricky – Utilise this test harness/console app or write your own
  • 17. Takeaways and items to remember ■ Get logging working first. It will save you hours of debugging. ■ Download all the samples, and familiarise yourself with your specific scenarios. – Looking at alternate samples may only serve to confuse initially. – Lots of different ways to get going. ■ When looking at documentation, ensure you are looking at the latest. – Can easily be looking at older versions inadvertently. Much confusion. ■ Create a test harness, callback site, or something to assist testing and verifications
  • 18. Links and resources ■ Identity Server: https://identityserver.github.io/ ■ Demo code, DB scripts: https://github.com/glav/DDDSyd2016 ■ OAuth2: http://oauth.net/2/ ■ Auth0: https://auth0.com/ ■ WS02: http://wso2.com/ ■ Me: glav@theglavs.com and @glav
  • 19. 1-5 August DDD Sydney thanks our sponsors

Editor's Notes

  1. Mention Auth0 is viable alternative – however may not be as customisable as you want or you want all assets to remain inhouse/in prem Talk about saasu dev story – form WcfWebApi write own, to now with IdentityServer
  2. Show resource owner password grant via POSTMAN Also utilise refresh token via POSTMAN Ensure show use of ‘Authorization: Basic …..’ header Get access/refresh token, then just access token, use refresh token, also show Jwt vs ref tokens
  3. Mention can go from simple CSS changes, to custom template loading in static template dir, to asset loading in custom dir, to complete implementation of view loading service to do anything