Wiring up episerver for sso with identity server 4

•Download as PPTX, PDF•

0 likes•769 views

A practical insight into setting up Episerver and IdentityServer 4 for OpenID. The same technology that enables federated login from external authentication providers like Microsoft, Google and Facebook.

Technology

WIRING UP EPISERVER FOR
SSO WITH IDENTITYSERVER
4
Eric Herlitz
@ericherlitz
herlitz.io

IDENTITYSERVER, STS – OR
IDENTITYWHATEVER
Auth server (STS)
Resource owner App / Web Resources
User repositories

THE SCENARIO
Login IdentityServerEpiserver
Protected
external
API
Resource owner Episerver
Already logged in
return token
WebsiteResource owner Website

TYPICAL PARTS OF
IDENTITYSERVER
Clients, registered applications that can request
tokens
User repositories, membership/identity/external
repositories
ApiResource, claims are included in TokenClient and
IntrospectClient requests
IdentityResource, claims are included in UserInfoClient
requests

ACCESS TOKENS -
BASICS
Access tokens come in two flavors - self-contained or
reference.

SELF-CONTAINED TOKEN (JWT)
Auth server (STS)
Resource owner App
User repositories
1
2
2 3
3
1. Action that needs permission /
login
2. Call the STS to validate the
credentials
3. Return JWT with claims

REFERENCE TOKEN (JWT
THROUGH INTROSPECT)
Auth server (STS)
Resource owner App
User repositories
1
2
2 3
3
1. Action that needs permission /
login
2. Call the STS to validate the
credentials
3. Return reference token
4. Introspect call with JWT in
return
4

WHERE DO
YOU GO
FROM HERE?
http://identityserver.io/
@ericherlitz, herlitz.io
All samples available at
https://github.com/Eric
Herlitz/Identityserver4-
Episerver-Demo

The document discusses OAuth2 and how it has helped address the "password anti-pattern" by enabling constrained delegation to apps. It describes the typical OAuth2 flow involving an authorization server, resource server, resource owner, and client. It warns that OAuth tokens should not be used for authentication, and discusses how Facebook's data breach occurred when an OAuth token was stolen and used to access private data under another user's identity. The document recommends doing OAuth2 securely by using ID tokens for user authentication rather than data access tokens, practicing data and privilege minimization, and using techniques like audience restrictions and PKCE.

OAuth Assisted Token Flow for Single Page Applications

Nordic APIs

In this talk, Daniel Lindau, Solution Architect at Curity, will show how OAuth can be integrated into Single Page Applications (SPAs) using the assisted token flow — a new OAuth message exchange pattern introduced at IETF 101. He will contrast it with implicit flow and show how framing, token storage, and other nuances are handled using this new alternative flow. He will highlight the use of the HTML postMessage interface for passing tokens (vis-a-vis redirects used by other flows). He will also demo how this protocol can be used with various JavaScript frameworks, like JQuery, in just a few lines of code. He will conclude by giving a state of the draft and its future.

Building an SSO platform in php (Zendcon 2010)

Ivo Jansch

WebBridgeLR

Emily Singley

The document discusses WebBridge, a service that allows libraries to display their holdings in databases and search results. It provides links from citations to full text. The document outlines how WebBridge works, requirements for implementation, benefits like displaying library holdings in Google Scholar, and limitations such as the time needed to customize coverage. Resources for learning more about WebBridge are also listed.

How to authenticate users in your apps using FI-WARE Account - Introduction

Javier Cerviño

Id fiware upm-dit

Joaquín Salvachúa

This document discusses securing access to applications and APIs using OAuth2 authentication via the FI-WARE Account service. It covers registering applications, authenticating users via username and password, and authorizing access to protected resources. The OAuth2 flows of authorization code, implicit, resource owner password credentials, and client credentials grants are described. Finally, it discusses using access tokens to access resources in FI-WARE generic enablers, third-party services, and cloud platforms.

Securing your APIs with OAuth, OpenID, and OpenID Connect

Manish Pandit

As products and companies move towards IoT model, users and machines alike need to interact with various APIs. Securing these APIs in a connected world can be a challenge faced by many. Fortunately, there are open standards addressing even the most complex of use cases - OAuth, OpenID and OpenID Connect happen to be widely adopted and have a growing support across many API and Identity Providers. In this session I'll talk about these standards, and walk through common use cases/flows from an API Provider as well as consumer's side. We will explore how these standards come together to not only secure the APIs, but also manage identity.

Mastering Modern Authentication and Authorization Techniques for SharePoint, ...

Eric Shupps

In the cloud-first era, application development for SharePoint, Office 365 and Azure AD requires strong working knowledge of modern authentication and authorization techniques across multiple platforms. in this deep-dive session, developers will learn how to create secure, cloud-ready applications using OAuth, ADAL, and Azure AD to communication with the Microsoft Graph, SharePoint and other cloud-connected services.

This document discusses identity federation and claims-based authentication. It explains that identity federation allows decoupling authentication from applications/services and enables single sign-on. Claims contain information about a subject issued by an identity provider. Security token services issue and sign tokens containing claims. Common token types are SAML, JWT, and SWT. Claims-based identity provides applications with any user information needed from the identity provider via claims in tokens.

I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop

Apigee | Google Cloud

Y U No OAuth, Using Common Patterns to Secure Your Web Applications

Jason Robert

Identity is one of the most critical components in all web applications. When not designed correctly, it can lead to security holes, code duplication, and maintenance nightmares. By leveraging technologies like OAuth 2.0, OpenID Connect, and JSON Web Tokens, you can build a robust security model that is scalable across all of your projects. In this session, we will take a dive into the most popular identity solutions that are available today and discuss how they can be utilized by your ASP.NET Core web applications.

CIS 2012 - Going Mobile with PingFederate and OAuth 2

scotttomilson

Scott Tomilson discusses integrating mobile applications with PingFederate using OAuth 2. He covers OAuth 2 terminology, common grant types for mobile including authorization code, implicit, and resource owner password credentials. The presentation includes demonstrations of obtaining authorization codes and access tokens on mobile devices. Topics like secure token handling, single sign-on approaches, and challenges of combining native apps with browsers are also covered.

Oauth Nightmares Abstract OAuth Nightmares

Nino Ho

https://www.hackmiami.com/hmc5-speakers-day-2 OAuth is one of the most popular authorization frameworks in use today. All major platforms such as Google, Facebook, Box etc support it and you are probably thinking of implementi ng OAuth for your product/platform.We are not debating the popularity of the protocol or the limitations that come with it. We are here to help you implement it securely. When you use OAuth, there are three pieces - The Platform , the Application (using the platform) and the User (of the application). We will go over the common flaws we have seen in applications built on a OAuth platform which can lead to complete account takeover, how they can be a security engineer's nightmare, and how to fix them. We will go over security controls that the platform can put in place to help mitigate security vulnerabilities. We will also cover how bad design decisions, if chained with otherwise lower risk vulnerabilities can result in gaping holes in your OAuth implementation. You will leave this session with a deep understanding of how OAuth implementation should be secured both for a platform and in an application and things to test for during a security evaluation of OAuth implementations.

Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...

Lviv Startup Club

Stateless Auth using OAuth2 & JWT

Gaurav Roy

The document discusses stateless authorization using OAuth2 and JSON Web Tokens (JWT). It begins with an introduction to authentication, authorization, and single sign-on (SSO). It then provides an in-depth explanation of OAuth2 actors, flows, and grant types. The Authorization Code Grant flow and Implicit Grant flow are explained in detail. Finally, it introduces JWT and why it is a suitable standard for representing OAuth2 access tokens since it meets the requirements and libraries are available.

Rest API Security - A quick understanding of Rest API Security

Mohammed Fazuluddin

This document discusses REST API security methods. It provides an overview of authentication and authorization and describes common security methods like cookie-based authentication, token-based authentication, OAuth, OpenID, and SAML. It then compares OAuth2, OpenID, and SAML and discusses best practices for securing REST APIs like protecting HTTP methods, validating URLs, using security headers, and encoding JSON input.

OAuth Linking-Social Networks

G Jayendra Kartheek

The document discusses the steps for implementing OAuth authentication with Facebook. It involves: 1. Sending an OAuth request to Facebook with the application ID. 2. Requesting required permissions/scopes to access the user's account. 3. Receiving an access token and access verifier from Facebook. 4. Storing the token in a database to reuse it for making API calls to get/post user status updates or other information.

Securing SharePoint Apps with OAuth

Kashif Imran

This document discusses securing SharePoint apps using OAuth authentication. It provides an overview of app authentication in SharePoint 2013, including the use of OAuth and app principals. The key points covered are: - SharePoint 2013 supports app authentication using OAuth or on-premise using security token service. - Apps are assigned a principal that is used to manage app permissions separately from user permissions. - The OAuth workflow involves apps obtaining access tokens from Azure Access Control Service to make calls to SharePoint on behalf of users. - App principals must be registered both with SharePoint and ACS, and include a client ID, client secret, and redirect URL.

Stateless Auth using OAUTH2 & JWT

Mobiliya

OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...

Brian Campbell

This document provides an overview of OAuth 2.0 and how it can be used to securely authorize access to APIs from mobile applications. It begins with an introduction to OAuth and discusses how it addresses issues with directly sharing passwords between applications. The document then outlines the basic OAuth flow, including key concepts like access tokens, authorization codes, and refresh tokens. It provides code snippets demonstrating an example OAuth flow for both Android and iOS, showing the HTTP requests and responses at each step.

OAuth2 primer

Manish Pandit

SPS Belgium 2015 - High-trust Apps for On-Premises Development

Edin Kapic

This document summarizes the high-trust app model for on-premises SharePoint development. It discusses the differences between low-trust and high-trust app authentication, how high-trust apps use certificates instead of OAuth, and the prerequisites and mechanism for high-trust app authentication. It also covers some gotchas, using other authentication methods, technology stacks, extending the TokenHelper code, and provides examples of high-trust app projects and information sources.

Spsbe15 high-trust apps for on-premises development

BIWUG

Extend Your Use of JIRA by Solving Your Unique Concerns: An Exposé of the New...

Atlassian

The existence of an API allows developers to extend software so as to cater for unique use cases beyond the software's original scope. Administrators and end users of JIRA 5 can expect its REST API to enable the creation of integrated applications to solve their unique concerns. This presentation aims to describe ways in which the JIRA 5 REST API can be used to make a tangible impact for the end user. Several use cases will be discussed, ranging from running simple command line apps, through to creating web applications that integrate with the JIRA 5 REST API.

Extend Your Use of JIRA by Solving Your Unique Concerns: An Exposé of the New...

Atlassian

FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...

FIWARE

APIs_ An Introduction.pptx

AkashThorat25

This document provides an introduction to APIs, including an overview of REST, authentication, authorization, and OpenAPI specifications. It discusses how REST uses HTTP verbs like GET, POST, PUT, and DELETE to represent actions on resources. URLs represent endpoints and collections in a hierarchical structure. JSON is commonly used as the data format. Authentication uses access tokens obtained from API keys or credentials. Authorization verifies access to resources using scopes and user levels. OpenAPI documentation specifies how to interact with an API.

Claims-Based Identity in SharePoint 2010

Danny Jessee

UI5 Controls simplified - UI5con2024 presentation

Wouter Lemaire

Taking AI to the Next Level in Manufacturing.pdf

ssuserfac0301

Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as: 1. How quickly AI is being implemented in manufacturing. 2. Which barriers stand in the way of AI adoption. 3. How data quality and governance form the backbone of AI. 4. Organizational processes and structures that may inhibit effective AI adoption. 6. Ideas and approaches to help build your organization's AI strategy.

Similar to Wiring up episerver for sso with identity server 4

Single SignOn with Federation using Claims

Volkan Uzun

I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop

Apigee | Google Cloud

Y U No OAuth, Using Common Patterns to Secure Your Web Applications

Jason Robert

CIS 2012 - Going Mobile with PingFederate and OAuth 2

scotttomilson

Oauth Nightmares Abstract OAuth Nightmares

Nino Ho

Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...

Lviv Startup Club

Stateless Auth using OAuth2 & JWT

Gaurav Roy

Rest API Security - A quick understanding of Rest API Security

Mohammed Fazuluddin

OAuth Linking-Social Networks

G Jayendra Kartheek

Securing SharePoint Apps with OAuth

Kashif Imran

Stateless Auth using OAUTH2 & JWT

Mobiliya

OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...

Brian Campbell

OAuth2 primer

Manish Pandit

SPS Belgium 2015 - High-trust Apps for On-Premises Development

Edin Kapic

Spsbe15 high-trust apps for on-premises development

BIWUG

Extend Your Use of JIRA by Solving Your Unique Concerns: An Exposé of the New...

Atlassian

Extend Your Use of JIRA by Solving Your Unique Concerns: An Exposé of the New...

Atlassian

FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...

FIWARE

APIs_ An Introduction.pptx

AkashThorat25

Claims-Based Identity in SharePoint 2010

Danny Jessee

Similar to Wiring up episerver for sso with identity server 4 (20)

Single SignOn with Federation using Claims

I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop

Y U No OAuth, Using Common Patterns to Secure Your Web Applications

CIS 2012 - Going Mobile with PingFederate and OAuth 2

Oauth Nightmares Abstract OAuth Nightmares

Леонід Кузьмін “Сам собі паблішер. Від сайту ігрової студії до універсального...

Stateless Auth using OAuth2 & JWT

Rest API Security - A quick understanding of Rest API Security

OAuth Linking-Social Networks

Securing SharePoint Apps with OAuth

Stateless Auth using OAUTH2 & JWT

OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...

OAuth2 primer

SPS Belgium 2015 - High-trust Apps for On-Premises Development

Spsbe15 high-trust apps for on-premises development

Extend Your Use of JIRA by Solving Your Unique Concerns: An Exposé of the New...

FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...

APIs_ An Introduction.pptx

Claims-Based Identity in SharePoint 2010

Recently uploaded

UI5 Controls simplified - UI5con2024 presentation

Wouter Lemaire

Taking AI to the Next Level in Manufacturing.pdf

ssuserfac0301

GraphRAG for Life Science to increase LLM accuracy

Tomaz Bratanic

Fueling AI with Great Data with Airbyte Webinar

Zilliz

National Security Agency - NSA mobile device best practices

Quotidiano Piemontese

Building Production Ready Search Pipelines with Spark and Milvus

Zilliz

Generating privacy-protected synthetic data using Secludy and Milvus

Zilliz

During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.

Introduction of Cybersecurity with OSS at Code Europe 2024

Hiroshi SHIBATA

I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems. The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS. Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application. I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf

Chart Kalyan

Mariano G Tinti - Decoding SpaceX

Mariano Tinti

HCL Notes and Domino License Cost Reduction in the World of DLAU

panagenda

Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/ The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this! We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model. Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward. These topics will be covered - Reducing license cost by finding and fixing misconfigurations and superfluous accounts - How do CCB and CCX licenses really work? - Understanding the DLAU tool and how to best utilize it - Tips for common problem areas, like team mailboxes, functional/test users, etc - Practical examples and best practices to implement right away

20240607 QFM018 Elixir Reading List May 2024

Matthew Sinclair

Choosing The Best AWS Service For Your Website + API.pptx

Brandon Minnick, MBA

Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API? Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose? Which one is cheapest? Which one is fastest? Which one will scale to meet our needs? Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!

Ocean lotus Threat actors project by John Sitima 2024 (1).pptx

SitimaJohn

Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.

OpenID AuthZEN Interop Read Out - Authorization

David Brossard

Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack

shyamraj55

Digital Marketing Trends in 2024 | Guide for Staying Ahead

Wask

https://www.wask.co/ebooks/digital-marketing-trends-in-2024 Feeling lost in the digital marketing whirlwind of 2024? Technology is changing, consumer habits are evolving, and staying ahead of the curve feels like a never-ending pursuit. This e-book is your compass. Dive into actionable insights to handle the complexities of modern marketing. From hyper-personalization to the power of user-generated content, learn how to build long-term relationships with your audience and unlock the secrets to success in the ever-shifting digital landscape.

Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...

Jeffrey Haguewood

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on integration of Salesforce with Bonterra Impact Management. Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Artificial Intelligence for XMLDevelopment

Octavian Nadolu

In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject. We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup. Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved. The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring. The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise. By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.

Project Management Semester Long Project - Acuity

jpupo2018

Acuity is an innovative learning app designed to transform the way you engage with knowledge. Powered by AI technology, Acuity takes complex topics and distills them into concise, interactive summaries that are easy to read & understand. Whether you're exploring the depths of quantum mechanics or seeking insight into historical events, Acuity provides the key information you need without the burden of lengthy texts.

Recently uploaded (20)

UI5 Controls simplified - UI5con2024 presentation

Taking AI to the Next Level in Manufacturing.pdf

GraphRAG for Life Science to increase LLM accuracy

Fueling AI with Great Data with Airbyte Webinar

National Security Agency - NSA mobile device best practices

Building Production Ready Search Pipelines with Spark and Milvus

Generating privacy-protected synthetic data using Secludy and Milvus

Introduction of Cybersecurity with OSS at Code Europe 2024

How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf

Mariano G Tinti - Decoding SpaceX

HCL Notes and Domino License Cost Reduction in the World of DLAU

20240607 QFM018 Elixir Reading List May 2024

Choosing The Best AWS Service For Your Website + API.pptx

Ocean lotus Threat actors project by John Sitima 2024 (1).pptx

OpenID AuthZEN Interop Read Out - Authorization

Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack

Digital Marketing Trends in 2024 | Guide for Staying Ahead

Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...

Artificial Intelligence for XMLDevelopment

Project Management Semester Long Project - Acuity

Wiring up episerver for sso with identity server 4

1. WIRING UP EPISERVER FOR SSO WITH IDENTITYSERVER 4 Eric Herlitz @ericherlitz herlitz.io

2. IDENTITYSERVER, STS – OR IDENTITYWHATEVER Auth server (STS) Resource owner App / Web Resources User repositories

3. DEMO SSO for Episerver

4. THE SCENARIO Login IdentityServerEpiserver Protected external API Resource owner Episerver Already logged in return token WebsiteResource owner Website

5. TYPICAL PARTS OF IDENTITYSERVER Clients, registered applications that can request tokens User repositories, membership/identity/external repositories ApiResource, claims are included in TokenClient and IntrospectClient requests IdentityResource, claims are included in UserInfoClient requests

6. DEMO The code

7. ACCESS TOKENS - BASICS Access tokens come in two flavors - self-contained or reference.

8. SELF-CONTAINED TOKEN (JWT) Auth server (STS) Resource owner App User repositories 1 2 2 3 3 1. Action that needs permission / login 2. Call the STS to validate the credentials 3. Return JWT with claims

9. REFERENCE TOKEN (JWT THROUGH INTROSPECT) Auth server (STS) Resource owner App User repositories 1 2 2 3 3 1. Action that needs permission / login 2. Call the STS to validate the credentials 3. Return reference token 4. Introspect call with JWT in return 4

10. DEMO Tokens

11. WHERE DO YOU GO FROM HERE? http://identityserver.io/ @ericherlitz, herlitz.io All samples available at https://github.com/Eric Herlitz/Identityserver4- Episerver-Demo

Editor's Notes

Whos using IdentityServer of any version today?And IdentityServer4? So this is going to be a very brief walkthrough of the involved technologies, the basic goal is to give you an idea of what this is. The solution I'm showing is already available for download at my github repository.
Alright, so this is the typical diagram you'll see on this. Seems easy enough right but what does it mean. First of all the user repositories can be pretty much anything when using IdentityServer. It can be ADFS, ASP.NET Identity or Membership or any other member provider that allow integrations. What is the goal with all of this? Now what we are trying to do is to centralize sign in or authentication having authentication as a service with federation gateway possibilities to connect external identity providers. Does that make sence? Next up is a demo where we will show SSO between Episerver, a .net core web site and a web api.
So what we just witnessed was a resource owner logging on to Episerver through IdentityServer, we got a token and used that to be authenticated and also used the same token to authenticate an external web api. The same login session was used to authenticate another web application that also could communicate with the secured api.
Clients, registered applications that can request tokens User repositories, membership/identity/external repositories as already mentioned ApiResource, so when performing a TokenClient request the claims is returned in accordance with the settings of the ApiResource IdentityResource, claims are included in UserInfoClient requests. When you need more information from a user. Applications, the resources using the above. I.e. the implementations we do
Why use reference tokens? They are small and fast Resources can individually cache them A JWT token would be a self-contained access token - it’s a protected data structure with claims and an expiration. Once an API has learned about the key material, it can validate self-contained tokens without needing to communicate with the issuer. This makes JWTs hard to revoke. They will stay valid until they expire. When using reference tokens - IdentityServer will store the contents of the token in a data store and will only issue a unique identifier for this token back to the client. The API receiving this reference must then open a back-channel communication to IdentityServer to validate the token. http://docs.identityserver.io/en/release/topics/reference_tokens.html
A JWT token would be a self-contained access token - it’s a protected data structure with claims and an expiration. Once an API has learned about the key material, it can validate self-contained tokens without needing to communicate with the issuer. This makes JWTs hard to revoke. They will stay valid until they expire.
When using reference tokens - IdentityServer will store the contents of the token in a data store and will only issue a unique identifier for this token back to the client. The API receiving this reference must then open a back-channel communication to IdentityServer to validate the token. IdentityServer provides an implementation of the OAuth 2.0 introspection specification which allows APIs to dereference the tokens.
This is a very lightweight application for demonstration purposes I threw together. There are a few useful functions and we don't want to open a browser to login so we will login directly through the TokenClient.

Wiring up episerver for sso with identity server 4

Recommended

Recommended

More Related Content

Similar to Wiring up episerver for sso with identity server 4

Similar to Wiring up episerver for sso with identity server 4 (20)

Recently uploaded

Recently uploaded (20)

Wiring up episerver for sso with identity server 4

Editor's Notes