This document discusses integrating IdentityServer3, an open source OAuth2 and OpenID Connect authorization server, into applications. It will cover what IdentityServer is, how to get started integrating it, extension and customization points, and challenges. It recommends getting logging working first, using samples for guidance, ensuring the latest documentation is referenced, and creating test harnesses to assist with integration testing.

1. OAUTH2 AND
IDENTITYSERVER3
Integrating into your application

2. What we will and won’t cover
■ Will –What is Identity Server and why use it.
■ Will – How to start integrating into your app.
■ Will – Extension points, customisation points, token types.
■ Will – Nasty bits, hard stuff, pain points.
■ Won’t – Detail or explain all OAuth2 flows.
■ Won’t – Show every possible integration scenario and customisation point
■ Take away
– Having a good idea on technical cost, difficulty and suitability for a given situation.
– How to begin and where to go from there.

3. Its not you, It’s me
■ Paul Glavich
■ @glav, glav@theglavs.com
■ ASP.Net MVP 12 years
■ Author 3 books, various articles, http://weblogs.asp.net/pglavich
■ International speaker (does NZ count?)
■ ASPInsider
■ CTO Saasu.com

4. What is Identity Server
■ Spec compliantOAuth2 Authorisation server (STS)
– (That means it’s big and complex)
■ OAuth2 flows and OpenID connect
■ Can integrate with external providers (google etc)
■ Open source, (Dominick Baier and Brock Allen)
– Identity Server 3 v2.5 (latest)
– Identity Server 4 (support for .Net core/vNext) – In progress
■ Series of Nuget packages,Owin based implementation

5. Free accessories
■ Identity Manager
– In beta
– Tool to admin users, claims etc.
– Similar to website admin tool
■ Identity Model
– Helper classes
– Client code
■ https://identityserver.github.io/

6. Why bother?
■ Can develop your own right . . . . .?

7. Writing your own OAuth/Identity Server
■ It can be done…..
■ But often ends in tears.

8. Alternatives
■ Other alternatives
– Auth0 ( https://auth0.com/ )
■ Cloud based, good integration hooks, some cost
– Azure/AD (https://azure.microsoft.com/en-us/services/active-directory/ )
■ Cloud, multi-protocol, some cost
– WS02 ( http://wso2.com/ )
■ Java, multi-protocol (WS-*, OpenId, EIB) – open source and paid versions.

9. Getting started
■ Install nuget package “IdentityServer3”
■ Configure startup
■ Demo: Simplest setup

10. Logging
■ Supports a variety of pluggable log sources.
■ Get logging working first and worry about all the flows later.
■ Saves hours in debugging time.
■ Supports Serilog, Nlog, Log4Net, Enterprise Library & Loupe.
– Install requisite nuget package

11. High levelView
IdSrv Endpoints
AssetsExternal
Integration
Application
Services
Repository
Stores
* Can customise
* Can customise
* Can customise
* Can configure
* Not applicable
to all OAuth flows

12. Customising Assets
■ Stylesheets
■ HtmlViews/Templates
– Login/Logout form
– Consent form
– Permissions view
– Error form
■ Loaded via DefaultViewService (implements IViewService)
■ Customise loading via custom IViewService implementation
<Asset>
<img src=“funny-cat.gif” />
</Asset>

13. Configuring custom assets
■ Only the welcome page is not configurable (but is replaceable)
– Can disable
■ Setup loading of custom partial views
■ Demo

14. What about the data store?
■ EntityFramework 6 Nuget package
■ Fully customisable storage engine via custom interface implementation
– TokenHandleStore, ConsentStore, ClientStore, etc…
– TokenHandleService, ConsentService, ClientService
■ Should at least configure IUserStore, IClientStore, IScopeStore (mandatory).
– AuthorizationCodeStore,TokenHandleStore, RefreshTokenStore, ConsentStore
(mandatory for prod)
■ Demo with dapper

15. Embedded IdentityServer with OpenId
■ IdentityServer to manage the authentication of users and token/cookies.
■ [Authorise] – just works
[Authorize]
public ActionResult Index()
{
ViewBag.Title = "Secured Page";
return View();
}
■ [ResourceAuthorize(“action”,”resource”)] – based on resource and action
– Requires nuget package IdentityModel.Owin.ResourceAuthorization.Mvc
■ Demo

16. It is not all unicorns and rainbows…
■ Integrating IdentityServer is far from simple.
– In reality, it will take some time
■ Errors are not always obvious
■ Look to the samples.There are many.
■ Get used to reading the issue register and following threads.
■ Testing, particularlyAuthorization Code and hybrid flow can be tricky
– Utilise this test harness/console app or write your own

17. Takeaways and items to remember
■ Get logging working first. It will save you hours of debugging.
■ Download all the samples, and familiarise yourself with your specific scenarios.
– Looking at alternate samples may only serve to confuse initially.
– Lots of different ways to get going.
■ When looking at documentation, ensure you are looking at the latest.
– Can easily be looking at older versions inadvertently. Much confusion.
■ Create a test harness, callback site, or something to assist testing and verifications

18. Links and resources
■ Identity Server: https://identityserver.github.io/
■ Demo code, DB scripts: https://github.com/glav/DDDSyd2016
■ OAuth2: http://oauth.net/2/
■ Auth0: https://auth0.com/
■ WS02: http://wso2.com/
■ Me: glav@theglavs.com and @glav

19. 1-5 August
DDD Sydney thanks our sponsors