Remember:
- ASP.NET MVC 5 Web API ~ IdentityServer3, OWIN
- ASP.NET MVC 6 Web API ~ IdentityServer4
Database samples
Chinook is a good name choice for a database that intents to be an alternative to Northwind
Sample database for SQL Server, Oracle, MySQL, PostgreSQL, SQLite, DB2
See also Chinook Database Schema
https://archive.codeplex.com/?p=chinookdatabase
Code Samples
https://www.codeproject.com/Articles/1163131/IdentityServer-WebAPI-MVC-ASP-NET-Identity-Specflo
Security for ASP.NET MVC 5, WebForms and Web API 2.2
https://identityserver.github.io/Documentation/docsv2/overview/mvcGettingStarted.html
https://github.com/IdentityServer/IdentityServer3.Samples
https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/Clients
https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/MVC%20Authentication
Protecting Web API 2.2 with IdentityServer4
https://stackoverflow.com/questions/41024075/protecting-web-api-2-2-with-identityserver4
I have Web API 2.2 which uses .Net 4.5.2 framework which is being used by angular2 application and there is existing IdentityServer4 implementation. I want to protect my Web API using IdentityServer4. My question is can I protect Web API 2.2 using IdentityServer4? If yes then I have two follow up questions
- Should I use IdentityServer3.AccessTokenValidation nuget package or I will have to use IdentityServer4.AccessTokenValidation? (I tried using IdentityServer4.AccessTokenValidation package however its adding many dependencies related to ASP.Net Core)
- What should be value of Authority URL I will have to use?
I could find many examples where IdentityServer4 is being used to protect ASP.Net Core Web APIs. However couldn't find good example where Web API 2.2 protected using IdentityServer4. If possible please point me to good example of identityserver configuration that is required on Web API side.
To answer your questions:
1) Your WebApi 2.2 project is undoubtedly using OWIN/Katana from ASP.NET 4.x which means you should to use IdentityServer3.AccessTokenValidation. IdentityServer4.AccessTokenValidation is compatible with the new ASP.NET MVC Core pipeline.
2) You can get your authority by going to your identity providers discovery document at {IdentityUrl}/.well-known/openid-configuration. The authority should be the same one as the "issuer" value in the discovery document. You can also get the authority by looking at a JWT issued by your identity provider by looking at the "iss" claim.