OAuth2 and IdentityServer3
Integrating into your application
What we will and won’t cover
■ Will – What is Identity Server and why use it.
■ Will – How to start integrating into your app.
■ Will – Extension points, customisation points, token types.
■ Will – Nasty bits, hard stuff, pain points.
■ Won’t – Detail or explain all OAuth2 flows.
■ Won’t – Show every possible integration scenario and customisation point.
■ Take away
– Having a good idea on technical cost, difficulty and suitability for a given situation.
– How to begin and where to go from there.
It’s not you, it’s me
■ Paul Glavich
■ @glav, glav@theglavs.com
■ ASP.NET MVP, 12 years
■ Author 3 books, various articles, http://weblogs.asp.net/pglavich
■ International speaker (does NZ count?)
■ ASPInsider
■ CTO Saasu.com
What is Identity Server
■ Spec-compliant OAuth2 authorisation server (STS)
– (That means it’s big and complex)
■ OAuth2 flows and OpenID connect
■ Can integrate with external providers (Google etc.)
■ Open source, (Dominick Baier and Brock Allen)
– Identity Server 3 v2.5 (latest)
– Identity Server 4 (support for .NET Core/vNext) – in progress
■ Series of NuGet packages, OWIN-based implementation
Free accessories
■ Identity Manager
– In beta
– Tool to admin users, claims etc.
– Similar to website admin tool
■ Identity Model
– Helper classes
– Client code
■ https://identityserver.github.io/
Why bother?
■ You can develop your own, right . . . ?
Writing your own OAuth/Identity Server
■ It can be done…..
■ But often ends in tears.
Alternatives
■ Other alternatives
– Auth0 ( https://auth0.com/ )
■ Cloud based, good integration hooks, some cost
– Azure/AD (https://azure.microsoft.com/en-us/services/active-directory/ )
■ Cloud, multi-protocol, some cost
– WS02 ( http://wso2.com/ )
■ Java, multi-protocol (WS-*, OpenId, EIB) – open source and paid versions.
Getting started
■ Install the NuGet package "IdentityServer3"
■ Configure startup
■ Demo: Simplest setup
Logging
■ Supports a variety of pluggable log sources.
■ Get logging working first and worry about all the flows later.
■ Saves hours in debugging time.
■ Supports Serilog, NLog, log4net, Enterprise Library & Loupe.
– Install requisite nuget package
High level view
[Diagram: IdSrv Endpoints; Assets; External Integration; Application Services; Repository Stores. Annotations on the diagram: "Can customise" (three components), "Can configure", "Not applicable to all OAuth flows".]
Customising Assets
■ Stylesheets
■ HtmlViews/Templates
– Login/Logout form
– Consent form
– Permissions view
– Error form
■ Loaded via DefaultViewService (implements IViewService)
■ Customise loading via custom IViewService implementation
<Asset>
    <img src="funny-cat.gif" />
</Asset>
Configuring custom assets
■ Only the welcome page is not configurable (but is replaceable)
– Can disable
■ Setup loading of custom partial views
■ Demo
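Worked example for the "Getting started", "Logging" and "Customising Assets" slides (added here, not the talk's demo code): an OWIN Startup that configures Serilog logging before anything else, registers in-memory clients, scopes and users, and points DefaultViewService at custom partial views and a stylesheet. The namespace, certificate thumbprint, hostnames, client id, secret, scope and user values are hypothetical placeholders.

```csharp
// Added example (not the talk's demo code). Thumbprint, hostnames, client id, secret,
// scope and user values are hypothetical placeholders.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using IdentityServer3.Core;                        // Constants, HashExtensions.Sha256()
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.InMemory;
using Owin;
using Serilog;

namespace IdSrvHost
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // 1. Logging first. IdentityServer3 logs through LibLog, which picks up a configured
            //    Serilog logger on its own (Serilog + Serilog.Sinks.Trace packages installed).
            Log.Logger = new LoggerConfiguration().MinimumLevel.Debug().WriteTo.Trace().CreateLogger();

            // 2. Stores: in-memory is fine for a first run; swap in real stores once logging works.
            var factory = new IdentityServerServiceFactory()
                .UseInMemoryClients(Config.Clients())
                .UseInMemoryScopes(Config.Scopes())
                .UseInMemoryUsers(Config.Users());

            // 3. Assets: keep DefaultViewService, add a stylesheet, and let partial views such as
            //    ~/templates/_login.html override the embedded ones (the default custom view folder).
            var viewOptions = new DefaultViewServiceOptions();
            viewOptions.Stylesheets.Add("~/content/idsrv-branding.css");
            viewOptions.CacheViews = false;   // dev only: pick up template edits without a restart
            factory.ConfigureDefaultViewService(viewOptions);

            var options = new IdentityServerOptions
            {
                SiteName = "Demo IdentityServer",
                SigningCertificate = LoadSigningCertificate(),
                Factory = factory,
                RequireSsl = true,          // the default; do not relax it outside development
                EnableWelcomePage = false,  // the one page you cannot restyle, so switch it off
                LoggingOptions = new LoggingOptions
                {
                    EnableWebApiDiagnostics = true,
                    WebApiDiagnosticsIsVerbose = true,
                    EnableKatanaLogging = true,
                    EnableHttpLogging = true   // logs request/response bodies: development only
                }
            };
            app.Map("/identity", idsrv => idsrv.UseIdentityServer(options));
        }

        static X509Certificate2 LoadSigningCertificate()
        {
            // Machine store lookup, so the private key never sits in the web app's bin folder.
            var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, "PLACEHOLDER_THUMBPRINT", false);
            store.Close();
            if (found.Count == 0) throw new InvalidOperationException("Signing certificate not found");
            return found[0];
        }
    }

    static class Config
    {
        public static List<Client> Clients() => new List<Client>
        {
            new Client
            {
                ClientId = "mvc-demo", ClientName = "MVC demo site", Flow = Flows.Hybrid, RequireConsent = true,
                ClientSecrets = new List<Secret> { new Secret("demo-secret".Sha256()) },   // store the hash only
                RedirectUris = new List<string> { "https://localhost:44300/" },         // exact match enforced
                PostLogoutRedirectUris = new List<string> { "https://localhost:44300/" },
                AllowedScopes = new List<string> { Constants.StandardScopes.OpenId, Constants.StandardScopes.Profile, "invoices.read" }
            }
        };

        public static List<Scope> Scopes() => new List<Scope>
        {
            StandardScopes.OpenId, StandardScopes.Profile,
            new Scope { Name = "invoices.read", DisplayName = "Read your invoices", Type = ScopeType.Resource }
        };

        // Plaintext passwords are tolerable only in this in-memory development store.
        public static List<InMemoryUser> Users() => new List<InMemoryUser>
        {
            new InMemoryUser { Subject = "1", Username = "alice", Password = "password",
                               Claims = new[] { new Claim(Constants.ClaimTypes.Name, "Alice Example") } }
        };
    }
}
```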
What about the data store?
■ EntityFramework 6 Nuget package
■ Fully customisable storage engine via custom interface implementation
– TokenHandleStore, ConsentStore, ClientStore, etc…
– TokenHandleService, ConsentService, ClientService
■ Should at least configure IUserStore, IClientStore, IScopeStore (mandatory).
– AuthorizationCodeStore, TokenHandleStore, RefreshTokenStore, ConsentStore (mandatory for prod)
■ Demo with Dapper
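Worked example for the data store slide (added here, not the talk's Dapper demo): a Dapper-backed IClientStore and a local-login user service, plus their registration on the factory. The Clients and Users tables, their columns, the password hashing layout and the connection string are hypothetical; IScopeStore and the grant stores would be plugged in the same way.

```csharp
// Added example; the Clients/Users tables, their columns and the connection string are hypothetical.
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Linq;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Dapper;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services;
using IdentityServer3.Core.Services.Default;

namespace IdSrvHost.Stores
{
    // Row shapes Dapper maps query results onto (hypothetical schema).
    class ClientRow
    {
        public string ClientId { get; set; } public string SecretSha256 { get; set; }
        public int Flow { get; set; } public string RedirectUris { get; set; }
        public string AllowedScopes { get; set; } public bool Enabled { get; set; }
    }
    class UserRow
    {
        public string Subject { get; set; } public string Username { get; set; }
        public byte[] Salt { get; set; } public byte[] Hash { get; set; } public int Iterations { get; set; }
    }
    // IClientStore has one method; returning null means "unknown client" and the request fails.
    public class DapperClientStore : IClientStore
    {
        readonly string _cs;
        public DapperClientStore(string connectionString) { _cs = connectionString; }
        public async Task<Client> FindClientByIdAsync(string clientId)
        {
            using (var db = new SqlConnection(_cs))
            {
                // clientId arrives from the wire: bind it as a parameter, never concatenate.
                var row = (await db.QueryAsync<ClientRow>(
                    "SELECT ClientId, SecretSha256, Flow, RedirectUris, AllowedScopes, Enabled " +
                    "FROM Clients WHERE ClientId = @clientId", new { clientId })).FirstOrDefault();
                if (row == null) return null;
                return new Client
                {
                    ClientId = row.ClientId, Enabled = row.Enabled, Flow = (Flows)row.Flow,
                    // Only the SHA-256 of the secret is persisted; IdentityServer's default
                    // secret validator hashes the presented secret and compares the hashes.
                    ClientSecrets = new List<Secret> { new Secret(row.SecretSha256) },
                    RedirectUris = row.RedirectUris.Split(';').ToList(),
                    AllowedScopes = row.AllowedScopes.Split(';').ToList()
                };
            }
        }
    }
    // Local username/password login; UserServiceBase supplies defaults for the other members.
    public class DapperUserService : UserServiceBase
    {
        readonly string _cs;
        public DapperUserService(string connectionString) { _cs = connectionString; }
        public override async Task AuthenticateLocalAsync(LocalAuthenticationContext context)
        {
            UserRow user;
            using (var db = new SqlConnection(_cs))
            {
                user = (await db.QueryAsync<UserRow>(
                    "SELECT Subject, Username, Salt, Hash, Iterations FROM Users WHERE Username = @name",
                    new { name = context.UserName })).FirstOrDefault();
            }
            // One generic failure message for both "no such user" and "wrong password".
            if (user == null || !VerifyPassword(context.Password, user))
            {
                context.AuthenticateResult = new AuthenticateResult("Invalid username or password");
                return;
            }
            context.AuthenticateResult = new AuthenticateResult(user.Subject, user.Username);
        }

        static bool VerifyPassword(string password, UserRow user)
        {
            // PBKDF2 with the per-user salt and iteration count stored beside the hash.
            using (var kdf = new Rfc2898DeriveBytes(password, user.Salt, user.Iterations))
            {
                var computed = kdf.GetBytes(user.Hash.Length);
                var diff = 0;   // constant-time compare: no early exit on the first mismatch
                for (var i = 0; i < computed.Length; i++) diff |= computed[i] ^ user.Hash[i];
                return diff == 0;
            }
        }
    }
    public static class DapperStoreRegistration
    {
        public static IdentityServerServiceFactory UseDapperStores(this IdentityServerServiceFactory f, string cs)
        {
            f.ClientStore = new Registration<IClientStore>(r => new DapperClientStore(cs));
            f.UserService = new Registration<IUserService>(r => new DapperUserService(cs));
            return f;   // IScopeStore and the grant stores (mandatory for prod) follow the same pattern
        }
    }
}
```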
Embedded IdentityServer with OpenId
■ IdentityServer to manage the authentication of users and token/cookies.
■ [Authorize] – just works
[Authorize]
public ActionResult Index()
{
    ViewBag.Title = "Secured Page";
    return View();
}
■ [ResourceAuthorize("action", "resource")] – based on resource and action
– Requires NuGet package IdentityModel.Owin.ResourceAuthorization.Mvc
■ Demo
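Worked example for the "Embedded IdentityServer with OpenId" slide (added here, not the talk's demo code): the client side of the same MVC site, signing in against the embedded IdentityServer with the Katana OpenID Connect middleware, then authorising by resource and action through a ResourceAuthorizationManager behind [ResourceAuthorize]. Hostnames, the client id, the "Invoice" resource, the action names and the role claim values are hypothetical.

```csharp
// Added example for the "Embedded IdentityServer with OpenId" slide; not the talk's demo code.
// Hostnames, client id, the "Invoice" resource and the role claim values are hypothetical.
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Mvc;
using IdentityModel.Owin.ResourceAuthorization;
using IdentityModel.Owin.ResourceAuthorization.Mvc;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

namespace MvcClient
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Keep the short JWT claim names ("sub", "name", "role") instead of the long WS-* URIs.
            JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();

            app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationType = "Cookies" });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                Authority = "https://localhost:44300/identity",   // IdentityServer mapped under /identity
                ClientId = "mvc-demo",
                RedirectUri = "https://localhost:44300/",
                PostLogoutRedirectUri = "https://localhost:44300/",
                ResponseType = "id_token",      // implicit flow: the id_token comes straight back
                Scope = "openid profile",
                SignInAsAuthenticationType = "Cookies",
                Notifications = new OpenIdConnectAuthenticationNotifications
                {
                    // Keep only the claims the app needs; drop the protocol noise before it hits the cookie.
                    SecurityTokenValidated = n =>
                    {
                        var id = n.AuthenticationTicket.Identity;
                        var keep = id.Claims.Where(c => c.Type == "sub" || c.Type == "name" || c.Type == "role");
                        var slim = new ClaimsIdentity(keep, id.AuthenticationType, "name", "role");
                        n.AuthenticationTicket = new AuthenticationTicket(slim, n.AuthenticationTicket.Properties);
                        return Task.FromResult(0);
                    }
                }
            });

            // Central policy behind [ResourceAuthorize]: the attribute asks, this class decides.
            app.UseResourceAuthorization(new InvoiceAuthorizationManager());
        }
    }

    public class InvoiceAuthorizationManager : ResourceAuthorizationManager
    {
        public override Task<bool> CheckAccessAsync(ResourceAuthorizationContext context)
        {
            if (context.Principal == null || !context.Principal.Identity.IsAuthenticated) return Nok();

            var resource = context.Resource.First().Value;
            var action = context.Action.First().Value;
            if (resource == "Invoice")
            {
                switch (action)
                {
                    case "Read":  return Ok();                                              // any signed-in user
                    case "Write": return Eval(context.Principal.HasClaim("role", "accounts"));
                    case "Void":  return Eval(context.Principal.HasClaim("role", "admin"));
                }
            }
            return Nok();   // default deny for any resource/action pair not listed above
        }
    }

    public class InvoiceController : Controller
    {
        [Authorize]                                   // authentication only: just works
        public ActionResult Index() { ViewBag.Title = "Invoices"; return View(); }

        [ResourceAuthorize("Write", "Invoice")]       // authorisation by resource and action
        public ActionResult Edit(int id) { return View(); }

        [HttpPost, ValidateAntiForgeryToken]
        [ResourceAuthorize("Void", "Invoice")]
        public ActionResult Void(int id) { return RedirectToAction("Index"); }
    }
}
```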
It is not all unicorns and rainbows…
■ Integrating IdentityServer is far from simple.
– In reality, it will take some time
■ Errors are not always obvious
■ Look to the samples. There are many.
■ Get used to reading the issue register and following threads.
■ Testing, particularly the Authorization Code and Hybrid flows, can be tricky
– Utilise this test harness/console app or write your own
Takeaways and items to remember
■ Get logging working first. It will save you hours of debugging.
■ Download all the samples, and familiarise yourself with your specific scenarios.
– Looking at alternate samples may only serve to confuse initially.
– Lots of different ways to get going.
■ When looking at documentation, ensure you are looking at the latest.
– Can easily be looking at older versions inadvertently. Much confusion.
■ Create a test harness, callback site, or something to assist testing and verifications
Links and resources
■ Identity Server: https://identityserver.github.io/
■ Demo code, DB scripts: https://github.com/glav/DDDSyd2016
■ OAuth2: http://oauth.net/2/
■ Auth0: https://auth0.com/
■ WS02: http://wso2.com/
■ Me: glav@theglavs.com and @glav
1-5 August
DDD Sydney thanks our sponsors

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 

OAuth2 and IdentityServer3

2. What we will and won't cover
■ Will – What is Identity Server and why use it.
■ Will – How to start integrating into your app.
■ Will – Extension points, customisation points, token types.
■ Will – Nasty bits, hard stuff, pain points.
■ Won't – Detail or explain all OAuth2 flows.
■ Won't – Show every possible integration scenario and customisation point.
■ Take away
– Having a good idea of technical cost, difficulty and suitability for a given situation.
– How to begin and where to go from there.
3. It's not you, it's me
■ Paul Glavich
■ @glav, glav@theglavs.com
■ ASP.Net MVP 12 years
■ Author of 3 books, various articles, http://weblogs.asp.net/pglavich
■ International speaker (does NZ count?)
■ ASPInsider
■ CTO Saasu.com
4. What is Identity Server
■ Spec compliant OAuth2 Authorisation server (STS)
– (That means it's big and complex)
■ OAuth2 flows and OpenID Connect
■ Can integrate with external providers (Google etc.)
■ Open source (Dominick Baier and Brock Allen)
– Identity Server 3 v2.5 (latest)
– Identity Server 4 (support for .Net Core/vNext) – In progress
■ Series of NuGet packages, OWIN based implementation
5. Free accessories
■ Identity Manager
– In beta
– Tool to admin users, claims etc.
– Similar to the website admin tool
■ Identity Model
– Helper classes
– Client code
■ https://identityserver.github.io/
6. Why bother?
■ Can develop your own, right . . . . .?
7. Writing your own OAuth/Identity Server
■ It can be done…..
■ But often ends in tears.
8. Alternatives
■ Other alternatives
– Auth0 ( https://auth0.com/ )
■ Cloud based, good integration hooks, some cost
– Azure/AD ( https://azure.microsoft.com/en-us/services/active-directory/ )
■ Cloud, multi-protocol, some cost
– WS02 ( http://wso2.com/ )
■ Java, multi-protocol (WS-*, OpenId, EIB) – open source and paid versions.
9. Getting started
■ Install NuGet package "IdentityServer3"
■ Configure startup
■ Demo: Simplest setup
10. Logging
■ Supports a variety of pluggable log sources.
■ Get logging working first and worry about all the flows later.
■ Saves hours of debugging time.
■ Supports Serilog, NLog, Log4Net, Enterprise Library & Loupe.
– Install the requisite NuGet package
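The "simplest setup" from slide 9 with logging wired up first, as slide 10 advises, as an added example (not code from the deck or from the IdentityServer project). It assumes the IdentityServer3, Microsoft.Owin.Host.SystemWeb, Serilog and Serilog.Sinks.Trace packages; the client, scope, user, certificate path and placeholder secrets are constructed values.

```csharp
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using IdentityServer3.Core;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.InMemory;
using Owin;
using Serilog;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Logging first (slide 10): IdentityServer3 logs through LibLog, which picks up
        // Serilog automatically once Log.Logger is set. Trace sink comes from Serilog.Sinks.Trace.
        Log.Logger = new LoggerConfiguration().MinimumLevel.Debug().WriteTo.Trace().CreateLogger();

        var factory = new IdentityServerServiceFactory();
        factory.UseInMemoryClients(new List<Client>
        {
            new Client
            {
                ClientId = "demo-api-client",            // constructed demo value
                ClientName = "Demo API client",
                Flow = Flows.ResourceOwner,
                // Only the SHA-256 hash of the secret is kept in configuration.
                ClientSecrets = new List<Secret> { new Secret("CLIENT_SECRET_PLACEHOLDER".Sha256()) },
                AllowedScopes = new List<string> { Constants.StandardScopes.OpenId, "api1" },
                AccessTokenLifetime = 600                // seconds; keep access tokens short-lived
            }
        });
        factory.UseInMemoryScopes(new List<Scope>
        {
            StandardScopes.OpenId,
            new Scope { Name = "api1", DisplayName = "Demo API", Type = ScopeType.Resource }
        });
        factory.UseInMemoryUsers(new List<InMemoryUser>
        {
            // Demo-only user; a real deployment plugs in its own user service (slide 14).
            new InMemoryUser { Subject = "1", Username = "alice", Password = "DEMO_PASSWORD_PLACEHOLDER" }
        });

        app.UseIdentityServer(new IdentityServerOptions
        {
            SiteName = "Demo IdentityServer",
            SigningCertificate = new X509Certificate2(@"C:\certs\idsrv.pfx", "PFX_PASSWORD_PLACEHOLDER"),
            RequireSsl = true,    // the default; leave it on so tokens never cross plain HTTP
            Factory = factory
        });
    }
}
```

With this in place the token endpoint is at /connect/token under the path the middleware is mounted on, and every failed request is explained in the Serilog output before you touch any of the flows.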
11. High level view
[Diagram: IdSrv high-level view with boxes for Endpoints, Assets, External Integration, Application Services and Repository Stores. Annotations: * Can customise (three boxes), * Can configure, * Not applicable to all OAuth flows.]
12. Customising Assets
■ Stylesheets
■ HTML Views/Templates
– Login/Logout form
– Consent form
– Permissions view
– Error form
■ Loaded via DefaultViewService (implements IViewService)
■ Customise loading via a custom IViewService implementation
    <Asset> <img src="funny-cat.gif" /> </Asset>
13. Configuring custom assets
■ Only the welcome page is not configurable (but it is replaceable)
– Can disable
■ Set up loading of custom partial views
■ Demo
14. What about the data store?
■ EntityFramework 6 NuGet package
■ Fully customisable storage engine via custom interface implementation
– TokenHandleStore, ConsentStore, ClientStore, etc…
– TokenHandleService, ConsentService, ClientService
■ Should at least configure IUserStore, IClientStore, IScopeStore (mandatory).
– AuthorizationCodeStore, TokenHandleStore, RefreshTokenStore, ConsentStore (mandatory for prod)
■ Demo with Dapper
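A Dapper-backed client store and user service of the kind the "Demo with Dapper" bullet refers to, as an added example (not the deck's demo code and not part of IdentityServer3). The Clients and Users tables, their columns and the PasswordHasher helper are assumptions; the IdentityServer3 interfaces and base class are real.

```csharp
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Threading.Tasks;
using Dapper;
using IdentityServer3.Core;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services;
using IdentityServer3.Core.Services.Default;
// IClientStore backed by a Clients table (constructed schema); parameterised SQL only.
public class DapperClientStore : IClientStore
{
    readonly string _cs;
    public DapperClientStore(string cs) { _cs = cs; }
    public async Task<Client> FindClientByIdAsync(string clientId)
    {
        using (var db = new SqlConnection(_cs))
        {
            var row = await db.QueryFirstOrDefaultAsync(
                "SELECT ClientId, ClientName, SecretHash FROM Clients WHERE ClientId = @clientId AND Enabled = 1",
                new { clientId });
            if (row == null) return null;   // unknown or disabled client: the token endpoint answers invalid_client
            return new Client
            {
                ClientId = row.ClientId, ClientName = row.ClientName, Flow = Flows.ResourceOwner,
                // The table holds the SHA-256 hash of the secret, never the secret itself.
                ClientSecrets = new List<Secret> { new Secret((string)row.SecretHash) },
                AllowedScopes = new List<string> { Constants.StandardScopes.OpenId, "api1" }
            };
        }
    }
}
// User service: only the credential check and the subject come from the Users table (constructed schema).
public class DapperUserService : UserServiceBase
{
    readonly string _cs;
    public DapperUserService(string cs) { _cs = cs; }
    public override async Task AuthenticateLocalAsync(LocalAuthenticationContext context)
    {
        using (var db = new SqlConnection(_cs))
        {
            var user = await db.QueryFirstOrDefaultAsync(
                "SELECT Subject, Username, PasswordHash FROM Users WHERE Username = @name",
                new { name = context.UserName });
            // PasswordHasher.Verify is an assumed helper (PBKDF2 or similar); never compare plaintext.
            if (user != null && PasswordHasher.Verify(context.Password, (string)user.PasswordHash))
                context.AuthenticateResult = new AuthenticateResult((string)user.Subject, (string)user.Username);
            // Leaving AuthenticateResult null gives the same generic error for a bad user and a bad password.
        }
    }
}
```

Register them on the factory with `factory.ClientStore = new Registration<IClientStore>(r => new DapperClientStore(cs))` and `factory.UserService = new Registration<IUserService>(r => new DapperUserService(cs))`; an IScopeStore and, for production, the token and consent stores still need their own implementations.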
15. Embedded IdentityServer with OpenId
■ IdentityServer to manage the authentication of users and tokens/cookies.
■ [Authorise] – just works
    [Authorize]
    public ActionResult Index()
    {
        ViewBag.Title = "Secured Page";
        return View();
    }
■ [ResourceAuthorize("action", "resource")] – based on resource and action
– Requires NuGet package IdentityModel.Owin.ResourceAuthorization.Mvc
■ Demo
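The resource/action model behind [ResourceAuthorize], as an added example (not the deck's demo): a manager that decides access from the caller's claims, and the MVC actions that ask it. The Invoice resource, the Read/Write actions, the role claim values and the exact namespaces of the IdentityModel.Owin.ResourceAuthorization packages are assumptions here.

```csharp
using System.Linq;
using System.Threading.Tasks;
using System.Web.Mvc;
using Owin;
using IdentityModel.Owin.ResourceAuthorization;        // assumed namespace for the core package
using IdentityModel.Owin.ResourceAuthorization.Mvc;    // assumed namespace for the MVC attribute

// Central policy: every [ResourceAuthorize] check lands here, so the rules live in one place.
public class InvoiceAuthorizationManager : ResourceAuthorizationManager
{
    public override Task<bool> CheckAccessAsync(ResourceAuthorizationContext context)
    {
        var action = context.Action.First().Value;
        var resource = context.Resource.First().Value;
        if (resource != "Invoice") return Eval(false);   // deny by default for anything not listed

        switch (action)
        {
            case "Read":
                return Eval(context.Principal.HasClaim("role", "Viewer") ||
                            context.Principal.HasClaim("role", "Accountant"));
            case "Write":
                return Eval(context.Principal.HasClaim("role", "Accountant"));
            default:
                return Eval(false);
        }
    }
}

public class InvoiceController : Controller
{
    [ResourceAuthorize("Read", "Invoice")]      // action, resource
    public ActionResult Index() { return View(); }

    [ResourceAuthorize("Write", "Invoice")]
    public ActionResult Edit(int id) { return View(); }
}

public partial class Startup
{
    // Must run in the OWIN pipeline after the authentication middleware, or Principal is empty.
    public void ConfigureAuthorization(IAppBuilder app)
    {
        app.UseResourceAuthorization(new InvoiceAuthorizationManager());
    }
}
```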
16. It is not all unicorns and rainbows…
■ Integrating IdentityServer is far from simple.
– In reality, it will take some time
■ Errors are not always obvious
■ Look to the samples. There are many.
■ Get used to reading the issue register and following threads.
■ Testing, particularly Authorization Code and hybrid flow, can be tricky
– Utilise this test harness/console app or write your own
17. Takeaways and items to remember
■ Get logging working first. It will save you hours of debugging.
■ Download all the samples, and familiarise yourself with your specific scenarios.
– Looking at alternate samples may only serve to confuse initially.
– Lots of different ways to get going.
■ When looking at documentation, ensure you are looking at the latest.
– Can easily be looking at older versions inadvertently. Much confusion.
■ Create a test harness, callback site, or something to assist testing and verification
18. Links and resources
■ Identity Server: https://identityserver.github.io/
■ Demo code, DB scripts: https://github.com/glav/DDDSyd2016
■ OAuth2: http://oauth.net/2/
■ Auth0: https://auth0.com/
■ WS02: http://wso2.com/
■ Me: glav@theglavs.com and @glav
19. 1-5 August DDD Sydney thanks our sponsors

Editor's Notes

  1. Mention Auth0 is a viable alternative; however it may not be as customisable as you want, or you may want all assets to remain in-house/on-prem. Talk about the Saasu dev story: from WcfWebApi and writing our own, to now with IdentityServer.
  2. Show resource owner password grant via POSTMAN. Also utilise the refresh token via POSTMAN. Ensure the use of the 'Authorization: Basic …..' header is shown. Get access/refresh token, then just access token, use refresh token; also show JWT vs reference tokens.
  3. Mention you can go from simple CSS changes, to custom template loading in a static template dir, to asset loading in a custom dir, to a complete implementation of the view loading service to do anything.
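The POSTMAN walk-through in editor's note 2 (resource owner password grant with a Basic header, then a refresh) done in code with the IdentityModel client library from slide 5, as an added example that is not part of the deck. It assumes the IdentityModel package's TokenClient, a token endpoint URL, client id, secret and user that are all constructed values, and a client allowed the offline_access scope, which is what makes IdentityServer3 issue a refresh token.

```csharp
using System;
using System.Threading.Tasks;
using IdentityModel.Client;

public static class TokenFlowDemo
{
    // Constructed endpoint; IdentityServer3 exposes the token endpoint at <base>/connect/token.
    const string TokenEndpoint = "https://localhost:44333/core/connect/token";

    public static async Task RunAsync()
    {
        // TokenClient sends client_id:client_secret as 'Authorization: Basic ...' by default,
        // which is the header the POSTMAN demo shows.
        var client = new TokenClient(TokenEndpoint, "demo-api-client", "CLIENT_SECRET_PLACEHOLDER");

        // Resource owner password grant: the user's password goes straight to the token endpoint,
        // so this flow only belongs in first-party clients you trust with that password.
        var response = await client.RequestResourceOwnerPasswordAsync(
            "alice", "DEMO_PASSWORD_PLACEHOLDER", "openid api1 offline_access");
        if (response.IsError)
        {
            Console.WriteLine("token request failed: " + response.Error);   // e.g. invalid_client, invalid_grant
            return;
        }

        // Access token is a JWT unless the client is configured for reference tokens;
        // the refresh token is only present because offline_access was requested and allowed.
        Console.WriteLine("access token expires in {0}s", response.ExpiresIn);
        Console.WriteLine("refresh token issued: {0}", response.RefreshToken != null);

        // Later, swap the refresh token for a new access token without the password.
        var refreshed = await client.RequestRefreshTokenAsync(response.RefreshToken);
        if (refreshed.IsError)
        {
            Console.WriteLine("refresh failed: " + refreshed.Error);   // expired, revoked or already used
            return;
        }
        Console.WriteLine("new access token expires in {0}s", refreshed.ExpiresIn);
    }
}
```

The same two requests are what the console test harness from slides 16 and 17 boils down to; each one shows up in the IdentityServer log with the client id and grant type, which is where to look when IsError comes back true.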