OpenIddict

The OpenID Connect server you'll be addicted to.

What's OpenIddict?

OpenIddict aims at providing a simple and easy-to-use solution to implement an OpenID Connect server in any ASP.NET Core application.

OpenIddict is based on AspNet.Security.OpenIdConnect.Server (codenamed ASOS) to control the OpenID Connect authentication flow and can be used with any membership stack, including ASP.NET Core Identity.

OpenIddict fully supports the code/implicit/hybrid flows and the client credentials/resource owner password grants. You can also create your own custom grant types.

Note: OpenIddict uses Entity Framework Core by default, but you can also provide your own store.

Why an OpenID Connect server?

Adding an OpenID Connect server to your application allows you to support token authentication. It also allows you to manage all your users using local password or an external identity provider (e.g. Facebook or Google) for all your applications in one central place, with the power to control who can access your API and the information that is exposed to each client.

---

Getting started

To use OpenIddict, you need to:

• Install the latest .NET Core tooling and update your packages to reference the ASP.NET Core RTM packages.

• Have an existing project or create a new one: when creating a new project using Visual Studio's default ASP.NET Core template, using individual user accounts authentication is strongly recommended. When updating an existing project, you must provide your own AccountController to handle the registration process and the authentication flow.

• Add the appropriate MyGet repositories to your NuGet sources. This can be done by adding a new NuGet.Config file at the root of your solution:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <add key="NuGet" value="https://api.nuget.org/v3/index.json" />
    <add key="aspnet-contrib" value="https://www.myget.org/F/aspnet-contrib/api/v3/index.json" />
  </packageSources>
</configuration>

• Update your project.json to reference AspNet.Security.OAuth.Validation and OpenIddict:

"dependencies": {
  "AspNet.Security.OAuth.Validation": "1.0.0-alpha2-final",
  "OpenIddict": "1.0.0-*"
}

• Configure the OpenIddict services in Startup.ConfigureServices:

public void ConfigureServices(IServiceCollection services) {
    services.AddMvc();

    services.AddDbContext<ApplicationDbContext>(options =>
        options.UseSqlServer(Configuration["Data:DefaultConnection:ConnectionString"]));       

    // Register the Identity services.
	services.AddIdentity<ApplicationUser, IdentityRole>()
	    .AddEntityFrameworkStores<ApplicationDbContext>()
	    .AddDefaultTokenProviders();

	// Register the OpenIddict services, including the default Entity Framework stores.
	services.AddOpenIddict<ApplicationDbContext>()
        // Enable the token endpoint (required to use the password flow).
        .EnableTokenEndpoint("/connect/token")

        // Allow client applications to use the grant_type=password flow.
        .AllowPasswordFlow()

	    // During development, you can disable the HTTPS requirement.
	    .DisableHttpsRequirement()

        // Register a new ephemeral key, that is discarded when the application
        // shuts down. Tokens signed using this key are automatically invalidated.
        // This method should only be used during development.
        .AddEphemeralSigningKey();
}

Note: for more information about the different options and configurations available, check out Configuration and options in the project wiki.

• Add OpenIddict and the OAuth2 token validation middleware in your ASP.NET Core pipeline by calling app.UseOAuthValidation() and app.UseOpenIddict() after app.UseIdentity() and before app.UseMvc():

public void Configure(IApplicationBuilder app) {
    app.UseIdentity();

    app.UseOAuthValidation();

    app.UseOpenIddict();

    app.UseMvc();
}

Note: UseOpenIddict() must be registered after app.UseIdentity() and the external social providers.

• Update your Entity Framework context to inherit from OpenIddictDbContext:

public class ApplicationDbContext : OpenIddictDbContext<ApplicationUser> {
    public ApplicationDbContext(DbContextOptions options)
        : base(options) {
    }
}

Note: if you change the default entity primary key (e.g. to int or Guid instead of string), make sure to register your Entity Framework context using the overload accepting a TKey generic argument:

services.AddOpenIddict<ApplicationDbContext, long>()

• Create your own authorization controller:

To support the password or the client credentials flow, you must provide your own token endpoint action. To enable authorization code/implicit flows support, you'll similarly have to create your own authorization endpoint action and your own views/view models.

The Mvc.Server sample comes with an AuthorizationController that supports both the password flow and the authorization code flow and that you can easily reuse in your application.

• Enable the corresponding flows in the OpenIddict options:

public void ConfigureServices(IServiceCollection services) {
	// Register the OpenIddict services, including the default Entity Framework stores.
	services.AddOpenIddict<ApplicationDbContext>()
        // Enable the authorization and token endpoints (required to use the code flow).
        .EnableAuthorizationEndpoint("/connect/authorize")
        .EnableTokenEndpoint("/connect/token")

        // Allow client applications to use the code flow.
        .AllowAuthorizationCodeFlow()

	    // During development, you can disable the HTTPS requirement.
	    .DisableHttpsRequirement()

        // Register a new ephemeral key, that is discarded when the application
        // shuts down. Tokens signed using this key are automatically invalidated.
        // This method should only be used during development.
        .AddEphemeralSigningKey();
}

• Register your client application:

using (var context = new ApplicationDbContext(
    app.ApplicationServices.GetRequiredService<DbContextOptions<ApplicationDbContext>>())) {
    context.Database.EnsureCreated();

    if (!context.Applications.Any()) {
        context.Applications.Add(new OpenIddictApplication {
            // Assign a unique identifier to your client app:
            Id = "48BF1BC3-CE01-4787-BBF2-0426EAD21342",

            // Assign a display named used in the consent form page:
            DisplayName = "MVC Core client application",

            // Register the appropriate redirect_uri and post_logout_redirect_uri:
            RedirectUri = "http://localhost:53507/signin-oidc",
            LogoutRedirectUri = "http://localhost:53507/",

            // Generate a new derived key from the client secret:
            Secret = Crypto.HashPassword("secret_secret_secret"),

            // Note: use "public" for JS/mobile/desktop applications
            // and "confidential" for server-side applications.
            Type = OpenIddictConstants.ClientTypes.Confidential
        });

        context.SaveChanges();
    }
}

Resources

Looking for additional resources to help you get started? Don't miss these interesting blog posts:

• Setting up ASP.NET v5 (vNext) to use JWT tokens (using OpenIddict) by Sean Walsh
• Using OpenIddict to easily add token authentication to your .NET web apps by Josh Comley
• Authorizing your .NET Core MVC6 API requests with OpenIddict and Identity by Kerry Ritter
• Creating your own OpenID Connect server with ASOS by Kévin Chalet

Support

Need help or wanna share your thoughts? Don't hesitate to join us on Gitter or ask your question on StackOverflow:

• Gitter: https://gitter.im/openiddict/openiddict-core
• StackOverflow: https://stackoverflow.com/questions/tagged/openiddict

Contributors

OpenIddict is actively maintained by Kévin Chalet. Contributions are welcome and can be submitted using pull requests.

Special thanks to Christopher McCrum and Data Citadel for their incredible support.

License

This project is licensed under the Apache License. This means that you can use, modify and distribute it freely. See http://www.apache.org/licenses/LICENSE-2.0.html for more details.