2. What we will and won’t cover
■ Will – What IdentityServer is and why use it.
■ Will – How to start integrating it into your app.
■ Will – Extension points, customisation points, token types.
■ Will – Nasty bits, hard stuff, pain points.
■ Won't – Detail or explain all OAuth2 flows.
■ Won't – Show every possible integration scenario and customisation point.
■ Takeaways
– A good idea of the technical cost, difficulty and suitability of IdentityServer for a given situation.
– How to begin and where to go from there.
3. It's not you, it's me
■ Paul Glavich
■ @glav, glav@theglavs.com
■ ASP.Net MVP 12 years
■ Author 3 books, various articles, http://weblogs.asp.net/pglavich
■ International speaker (does NZ count?)
■ ASPInsider
■ CTO Saasu.com
4. What is Identity Server
■ Spec-compliant OAuth2 authorisation server / security token service (STS)
– (That means it is big and complex)
■ OAuth2 flows and OpenID connect
■ Can integrate with external providers (google etc)
■ Open source (Dominick Baier and Brock Allen)
– Identity Server 3 v2.5 (latest)
– Identity Server 4 (support for .Net core/vNext) – In progress
■ Series of NuGet packages, OWIN-based implementation
5. Free accessories
■ Identity Manager
– In beta
– Tool to admin users, claims etc.
– Similar to website admin tool
■ Identity Model
– Helper classes
– Client code
■ https://identityserver.github.io/
10. Logging
■ Supports a variety of pluggable log sources.
■ Get logging working first and worry about all the flows later.
■ Saves hours in debugging time.
■ Supports Serilog, NLog, Log4Net, Enterprise Library & Loupe.
– Install the requisite NuGet package and configure that logger; IdentityServer3 detects which one is present (via LibLog) and writes to it.
– Run at Debug level while integrating: every rejected token or authorize request is logged with the reason.
12. Customising Assets
■ Stylesheets
■ HtmlViews/Templates
– Login/Logout form
– Consent form
– Permissions view
– Error form
■ Loaded via DefaultViewService (implements IViewService)
■ Customise loading via custom IViewService implementation
<Asset>
<img src="funny-cat.gif" />
</Asset>
13. Configuring custom assets
■ Only the welcome page is not configurable (but is replaceable)
– Can disable
■ Setup loading of custom partial views
■ Demo
14. What about the data store?
■ EntityFramework 6 Nuget package
■ Fully customisable storage engine via custom interface implementations
– Stores hold persisted data: ITokenHandleStore, IConsentStore, IClientStore, etc.
– Matching services (e.g. IConsentService) layer logic over the stores
■ Must at least register IUserService, IClientStore and IScopeStore (mandatory).
– IAuthorizationCodeStore, ITokenHandleStore, IRefreshTokenStore, IConsentStore
(mandatory for production: if you do not register them the in-memory defaults are used silently, so codes, tokens and consent vanish on restart and are not shared across a web farm)
■ Demo with dapper
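The following OWIN Startup ties slides 10, 12/13 and 14 together. It is an example added for this page, not the talk's demo code: Serilog is wired up before anything else, the stock DefaultViewService is pointed at a custom view directory and stylesheet, the three mandatory registrations are made, and the client store is a Dapper-backed IClientStore. The Clients/ClientScopes table layout, the connection string, the certificate thumbprint placeholder and the in-memory user are all assumptions made up for the example.

```csharp
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Dapper;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services;
using IdentityServer3.Core.Services.InMemory;
using Owin;
using Serilog;

// Hypothetical client store backed by Dapper. Assumed tables (not from the talk):
//   Clients(ClientId, ClientName, SecretSha256, Flow, Enabled)
//   ClientScopes(ClientId, Scope)
// SecretSha256 holds what "secret".Sha256() produces, so the plaintext secret is never stored.
public class DapperClientStore : IClientStore
{
    private readonly string _connectionString;
    public DapperClientStore(string connectionString) { _connectionString = connectionString; }

    private class ClientRow
    {
        public string ClientId { get; set; }
        public string ClientName { get; set; }
        public string SecretSha256 { get; set; }
        public int Flow { get; set; }
        public bool Enabled { get; set; }
    }

    public async Task<Client> FindClientByIdAsync(string clientId)
    {
        using (var conn = new SqlConnection(_connectionString))
        {
            // clientId comes straight off the wire: always a parameter, never string concatenation.
            var row = (await conn.QueryAsync<ClientRow>(
                "SELECT ClientId, ClientName, SecretSha256, Flow, Enabled FROM Clients WHERE ClientId = @clientId",
                new { clientId })).FirstOrDefault();
            if (row == null) return null; // unknown client: IdentityServer answers invalid_client

            var scopes = await conn.QueryAsync<string>(
                "SELECT Scope FROM ClientScopes WHERE ClientId = @clientId", new { clientId });

            return new Client
            {
                ClientId = row.ClientId,
                ClientName = row.ClientName,
                Enabled = row.Enabled,
                Flow = (Flows)row.Flow,
                // Stored value is already hashed; IdentityServer hashes the presented secret and compares.
                ClientSecrets = new List<Secret> { new Secret(row.SecretSha256) },
                AllowedScopes = scopes.ToList()
            };
        }
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Slide 10: logging first. IdentityServer3 finds Serilog through LibLog; Debug level
        // shows every token/authorize request and why a failing one was rejected.
        Log.Logger = new LoggerConfiguration()
            .MinimumLevel.Debug()
            .WriteTo.Trace()   // Serilog.Sinks.Trace; any Serilog sink works
            .CreateLogger();

        var factory = new IdentityServerServiceFactory();

        // Slide 14: the three mandatory registrations (user service in memory for the demo only).
        factory.UserService = new Registration<IUserService>(new InMemoryUserService(new List<InMemoryUser>
        {
            new InMemoryUser { Subject = "1", Username = "alice", Password = "dev-only-password" }
        }));
        factory.ScopeStore = new Registration<IScopeStore>(new InMemoryScopeStore(new List<Scope>
        {
            StandardScopes.OpenId, StandardScopes.OfflineAccess, new Scope { Name = "api" }
        }));
        factory.ClientStore = new Registration<IClientStore>(
            resolver => new DapperClientStore("Server=.;Database=IdSrv;Integrated Security=true"));

        // Mandatory for production: register persistent IAuthorizationCodeStore, ITokenHandleStore,
        // IRefreshTokenStore and IConsentStore here the same way; otherwise the in-memory
        // defaults are used silently and codes/tokens/consent are lost on every restart.

        // Slides 12/13: customise the stock views without replacing IViewService.
        var viewOptions = new DefaultViewServiceOptions();
        viewOptions.Stylesheets.Add("/content/site.css"); // same host, so the default CSP allows it
        viewOptions.CustomViewDirectory = System.Web.Hosting.HostingEnvironment.MapPath("~/templates");
        factory.ConfigureDefaultViewService(viewOptions);

        app.UseIdentityServer(new IdentityServerOptions
        {
            SiteName = "Demo STS",
            SigningCertificate = LoadSigningCertificate("<thumbprint of your signing cert>"),
            Factory = factory,
            EnableWelcomePage = false // slide 13: the welcome page cannot be themed, so disable it
        });
    }

    // Loads the signing cert from the machine store. Never ship the samples' idsrv3test.pfx.
    private static X509Certificate2 LoadSigningCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0) throw new System.InvalidOperationException("Signing certificate not found");
            return found[0];
        }
        finally { store.Close(); }
    }
}
```

The order matters: the logger is configured before the factory so that a misconfigured store or a missing scope shows up in the log on the first request rather than as a bare error page. The client secret comparison is left to IdentityServer's default secret validator; the store's only job is to hand back the hashed value.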
15. Embedded IdentityServer with OpenId
■ IdentityServer manages authentication of users and the resulting tokens/cookies.
■ [Authorize] – just works
    [Authorize]
    public ActionResult Index()
    {
        ViewBag.Title = "Secured Page";
        return View();
    }
■ [ResourceAuthorize("action", "resource")] – based on resource and action
– Requires the NuGet package IdentityModel.Owin.ResourceAuthorization.Mvc
■ Demo
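What [ResourceAuthorize] looks like end to end, as an added example that is not part of the talk: a single authorization manager that turns the attribute's action/resource pair plus the claims in the IdentityServer token into an allow/deny decision, its OWIN registration, and a controller using it. The "Invoice" resource, the "api" scope and the "accountant" role are invented for the example, and the namespaces are assumed for the package version named on the slide (older releases carried a Thinktecture.IdentityModel prefix).

```csharp
using System.Linq;
using System.Threading.Tasks;
using System.Web.Mvc;
using Owin;
using IdentityModel.Owin.ResourceAuthorization;       // assumed namespace: ResourceAuthorizationManager
using IdentityModel.Owin.ResourceAuthorization.Mvc;   // assumed namespace: ResourceAuthorizeAttribute

// One place for the whole authorisation policy. The attribute arguments arrive as claims in
// context.Action / context.Resource; context.Principal is the user from the IdentityServer token.
public class InvoiceAuthorizationManager : ResourceAuthorizationManager
{
    public override Task<bool> CheckAccessAsync(ResourceAuthorizationContext context)
    {
        var action = context.Action.First().Value;
        var resource = context.Resource.First().Value;

        // Deny by default: an attribute naming a resource this manager does not know is a bug, not an allow.
        if (resource != "Invoice") return Eval(false);

        // Every action needs the "api" scope, so a token issued for a different API cannot be used here.
        var hasApiScope = context.Principal.HasClaim("scope", "api");

        switch (action)
        {
            case "Read":
                return Eval(hasApiScope);
            case "Write":
                // Writing additionally needs a role claim that IdentityServer placed in the token.
                return Eval(hasApiScope && context.Principal.HasClaim("role", "accountant"));
            default:
                return Eval(false);
        }
    }
}

public static class ResourceAuthorizationConfig
{
    public static void Configure(IAppBuilder app)
    {
        // Register after the authentication middleware (cookie or bearer); before it, Principal is anonymous.
        app.UseResourceAuthorization(new InvoiceAuthorizationManager());
    }
}

public class InvoiceController : Controller
{
    [ResourceAuthorize("Read", "Invoice")]
    public ActionResult Index() { return View(); }

    [HttpPost, ValidateAntiForgeryToken]
    [ResourceAuthorize("Write", "Invoice")]
    public ActionResult Save(int id) { return RedirectToAction("Index"); }
}
```

The point of routing every decision through the manager is that the controllers never inspect claims themselves, so changing who may write an invoice is a one-line change in one class rather than an audit of every action method.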
16. It is not all unicorns and rainbows…
■ Integrating IdentityServer is far from simple.
– In reality it will take some time.
■ Errors are not always obvious.
■ Look to the samples. There are many.
■ Get used to reading the issue register and following threads.
■ Testing, particularly the Authorization Code and hybrid flows, can be tricky.
– Use the talk's test harness/console app or write your own.
17. Takeaways and items to remember
■ Get logging working first. It will save you hours of debugging.
■ Download all the samples, and familiarise yourself with your specific scenarios.
– Looking at alternate samples may only serve to confuse initially.
– Lots of different ways to get going.
■ When looking at documentation, ensure you are looking at the latest.
– Can easily be looking at older versions inadvertently. Much confusion.
■ Create a test harness, callback site, or something to assist testing and verifications
18. Links and resources
■ Identity Server: https://identityserver.github.io/
■ Demo code, DB scripts: https://github.com/glav/DDDSyd2016
■ OAuth2: http://oauth.net/2/
■ Auth0: https://auth0.com/
■ WSO2: http://wso2.com/
■ Me: glav@theglavs.com and @glav
Speaker notes:
Mention Auth0 is a viable alternative; however it may not be as customisable as you want, or you may want all assets to remain in-house / on-prem.
Talk about the Saasu dev story: from WcfWebApi and writing our own, to now with IdentityServer.
Show the resource owner password grant via Postman.
Also use the refresh token via Postman.
Ensure the use of the 'Authorization: Basic ...' header (client id and secret) is shown.
Get access + refresh token, then just an access token, use the refresh token; also show JWT vs reference tokens.
Mention the customisation progression: simple CSS changes, then custom templates loaded from a static template dir, then asset loading from a custom dir, then a complete implementation of the view loading service to do anything.
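The Postman sequence from the notes above, done in code with the IdentityModel client library mentioned on slide 5. This is an added example, not the talk's demo: a resource owner password grant with the client credentials sent as an Authorization: Basic header, the refresh token exchanged for a new access token, and a check that tells a self-contained JWT apart from an opaque reference token. The endpoint URL, client id, secret and user credentials are placeholders; the client must be registered with Flows.ResourceOwner and allowed the "api" and "offline_access" scopes.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;   // System.IdentityModel.Tokens.Jwt NuGet package
using System.Linq;
using System.Threading.Tasks;
using IdentityModel.Client;              // IdentityModel NuGet package

public static class TokenDemo
{
    // Assumed values for the example.
    const string TokenEndpoint = "https://localhost:44333/core/connect/token";
    const string ClientId = "ro.client";
    const string ClientSecret = "dev-only-secret";

    public static async Task RunAsync()
    {
        // TokenClient sends "Authorization: Basic base64(client_id:client_secret)" by default,
        // which is the header the Postman demo builds by hand.
        var client = new TokenClient(TokenEndpoint, ClientId, ClientSecret);

        // 1. Resource owner password grant: the user's credentials go straight to the token endpoint,
        //    so only use it for first-party clients you fully trust. "offline_access" asks for a refresh token.
        var response = await client.RequestResourceOwnerPasswordAsync("alice", "dev-only-password", "api offline_access");
        if (response.IsError)
        {
            Console.WriteLine("Token request failed: " + response.Error);
            return;
        }
        Console.WriteLine(Describe(response.AccessToken));
        var refreshToken = response.RefreshToken;

        // 2. Later: trade the refresh token for a new access token, no user credentials involved.
        var refreshed = await client.RequestRefreshTokenAsync(refreshToken);
        if (refreshed.IsError)
        {
            Console.WriteLine("Refresh failed: " + refreshed.Error); // e.g. expired or revoked refresh token
            return;
        }
        Console.WriteLine(Describe(refreshed.AccessToken));

        // If the client is configured with RefreshTokenUsage.OneTimeOnly the old refresh token is now dead;
        // always persist the newest one.
        refreshToken = refreshed.RefreshToken ?? refreshToken;
    }

    // Distinguishes a JWT (Client.AccessTokenType = Jwt: self-contained, validated by signature) from a
    // reference token (AccessTokenType = Reference: an opaque handle the API resolves at the STS).
    public static string Describe(string accessToken)
    {
        var handler = new JwtSecurityTokenHandler();
        if (!handler.CanReadToken(accessToken))
        {
            return "Reference token (opaque handle), length " + accessToken.Length;
        }

        // Inspection only: this does NOT verify the signature. The resource server must validate the
        // token (UseIdentityServerBearerTokenAuthentication) before trusting any claim in it.
        var jwt = new JwtSecurityToken(accessToken);
        var scopes = string.Join(" ", jwt.Claims.Where(c => c.Type == "scope").Select(c => c.Value));
        return string.Format("JWT from {0}, subject {1}, scopes [{2}], expires {3:u}",
            jwt.Issuer,
            jwt.Claims.FirstOrDefault(c => c.Type == "sub")?.Value,
            scopes,
            jwt.ValidTo);
    }
}
```

Two things the Postman demo makes easy to miss: a failed refresh is a normal outcome (the token expired, was revoked, or was already used under one-time-only rotation) and the client must fall back to re-authenticating rather than retrying; and reading a JWT's claims client-side is fine for debugging but proves nothing, since only the API's signature check does.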