Welcome to my blog!

SSO and Identity Server 4

July 26, 2021 22:00


Introduction to Identity on ASP.NET Core | Microsoft Docs

AspNetCore.Docs/aspnetcore/security/authentication/identity/sample at main · dotnet/AspNetCore.Docs (github.com)

+ OAuth is for Authorization, not authentication.

+ If you want to Authenticate, use OpenIdConnect (OIDC)

IdentityServer4: Building a Simple Token Server and Protecting Your ASP.NET Core APIs with JWT (vmsdurano.com) (HAY HAY HAY) (SOURCE CODE)

c# - IdentityServer4 Role Based Authorization for Web API with ASP.NET Core Identity - Stack Overflow (HAY)

c# - .NET Core Identity Server 4 Authentication VS Identity Authentication - Stack Overflow (HAY)

IdentityServer4 Integration with ASP.NET Core - Code Maze (code-maze.com)

Working with Identity Server 4 - Simple Talk (red-gate.com) (HAY HAY HAY) (SOURCE CODE)

ASP.NET Core Identity Series – OAuth 2.0, OpenID Connect & IdentityServer – chsakell's Blog

chsakell/aspnet-core-identity: ASP.NET Core Identity Series (github.com) (SOURCE CODE)

IdentityServer Single Sign-on Products & Services (IdentityServer.com)

Duende Software (IdentityServer4.io)

OAuth 2.0 & OpenID Connect to the rescue

Fortunately, the OAuth protocol was introduced and, along with OpenID Connect, provided a wide range of options for properly securing applications in the cloud. In the world of .NET applications this was quickly connected with an open source framework named IdentityServer which allows you to integrate all the protocol implementations in your apps. IdentityServer made token-based authentication, Single Sign-On, and centralized, restricted API access a matter of a few lines of code. What this post is all about is to learn the basic concepts of OAuth 2.0 & OpenID Connect so that when using IdentityServer in your .NET Core applications you are totally aware of what’s happening behind the scenes. The post is a continuation of the ASP.NET Core Identity Series where the main goal is to understand ASP.NET Core Identity in depth. More specifically, here’s what we’re going to cover:

  • Explain what OAuth 2.0 is and what problems it solves
  • Learn about OAuth 2.0 basic concepts such as Roles, Tokens and Grants
  • Introduce OpenID Connect and explain its relation with OAuth 2.0
  • Learn about OpenID Connect Flows
  • Understand how to choose the correct authorization/authentication flow for securing your apps
  • Learn how to integrate IdentityServer to your ASP.NET Core application

OpenID Connect

When describing OAuth 2.0 we said that its purpose is to issue access tokens in order to provide limited access to protected resources; in other words, OAuth 2.0 provides authorization but it doesn’t provide authentication. The actual user is never authenticated directly with the client application itself. Access tokens provide a level of pseudo-authentication with no identity implication at all. This pseudo-authentication doesn’t provide information about when, where or how the authentication occurred. This is where OpenID Connect enters and fills the authentication gap in OAuth 2.0.
OpenID Connect is a simple identity layer on top of the OAuth 2.0 protocol. It enables clients to verify the identity of the End-User based on the authentication performed by an authorization server. It obtains basic profile information about the End-User in an interoperable and REST-like manner (it introduces new REST endpoints). It uses Claims to communicate information about the End-User and extends OAuth in a way that cloud-based applications can:

  • Get identity information
  • Retrieve details about the authentication event
  • Allow federated Single Sign On

External provider authentication & registration strategy

React JS

React JWT Authentication (without Redux) example - BezKoder

Code: bezkoder/react-jwt-auth: React JWT Authentication & Authorization example - React.js Login and Registration example (github.com)

React Refresh Token with JWT and Axios Interceptors - BezKoder

Code: bezkoder/react-jwt-refresh-token: Buid React JWT Refresh Token example with Axios Interceptors - Refresh Token in React.js, Axios silent refresh JWT token example (github.com)

React Hooks: JWT Authentication (without Redux) example - BezKoder

bezkoder/react-hooks-jwt-auth: React Hooks JWT Auth using React Router, Axios, Bootstrap: Token based Authentication & Authorization (github.com)

In-depth Introduction to JWT-JSON Web Token - BezKoder

React Hooks File Upload example with Axios & Progress Bar - BezKoder

React Hooks CRUD example with Axios and Web API - BezKoder

React.js CRUD example to consume Web API - BezKoder

Cookie Authentication

External Login Providers in ASP.NET Core - The Blinking Caret
