-
Notifications
You must be signed in to change notification settings - Fork 599
Port the OAuth middleware from Katana #39
Comments
Identity Server 3 (made with love by guys from Thinktecture, not Thinktexture 😄) is a great product... but you can't compare it with the OAuth2 authorization server middleware shipped with Katana. While The downside of this approach is that IdSrv3 is less customizable and rather feels like an autonomous identity server than an opt-in middleware you can add in your pipeline and fully integrate in your existing application. Using IdSrv3, you can't, for instance, rely on ASP.NET MVC or Nancy to render the authorization/consent form. With Even if I'd love to see On a side note, I started working with @manfredsteyer on an OWIN/Katana OpenID connect server directly based on |
I would consider not porting OAuthAuthorizationServerMiddleware as a huge affront to all asp.net-devs, cause it has been introduced just some months ago. Makeing it legacy after that short period would really harm the confidence, all asp.net-devs have in the asp.net-team. |
+1 for PinpointTownes: It's a product and not a middleware. |
It is not a product - it is an open source project. It is also middleware - just at an higher abstraction level. |
@leastprivilege AFAIK, we never pretended it was not an open source project nor a middleware. And we never said that IdSrv was an awful commercial product aiming at promoting your company either. We're just saying that IdSrv is a high-level/turnkey solution - that you can integrate with the other products you're offering and thus be part of a broader ecosystem BTW - that cannot be compared with the low-level |
Well - then search for the word "product" and "not a middleware" on this page ;) But good - then we agree. We respect your work - and expect the same from you. I am sure that's the case. |
"product" doesn't necessarily mean "commercial" 😄 Don't worry, we respect your work. I'm even the first one saying on #owin that IdSrv is a great product. |
I would also like to see the OAuthAuthorizationServerMiddleware ported to vNext, since it's very powerful while abstracting away the details of the OAuth protocol. Since it does not bring much ballast it's also easily integrateable. I just finished building my companies central authorization provider based on the OAuthAuthorizationServerMiddleware, it would be pitty to see it only lasting a single version and also hurt my confidence on how future prove my investions in code relying on relatively newly introduced default components are. +1 for PinpointTownes |
OAuthAuthorizationServerMiddleware is a good starting point. |
Which external dependencies are you talking about? ...and Microsoft actually asked us to test drive the OAuth2 AS middleware before they released it. It was limited in its functionality and no further development was planned. That's why we decided to start IdSrv3. |
@leastprivilege ah ah, ILMerge FTW! 😄 (https://github.com/thinktecture/Thinktecture.IdentityServer.v3/blob/master/source/Core/packages.config) @ycrumeyrolle IMHO, having dependencies on multiple projects is not really an issue. The main problem I have with |
My main concern is Autofac and Thinktecture.IdentityModel. I am not confortable to use two differents IoC framework. So if I use IdSrv3, I am feeling forced to use it for any extension. And for Thinktecture.IdentityModel, even if it is the prefered default implementation, it should be possible to switch to another.(maybe it is already possible?) The OAuth middleware seems to give an higher level of abstraction, but I see that IdSrv3 is still evolving. |
@ycrumeyrolle -- when you use IdentityServer you are not using Autofac or WebAPI. Those libraries are an implementation detail. |
Side note about packaging. We used MS.A.Sec.OAuth for the base OAuth2 middleware. Do we put the OAuth bearer token middleware in there as well, or in a separate package? The only reason to separate them would be that the new package has a Newtonsoft.Json dependency. The old package didn't, but it was almost always used together with the JWT package which pulled in Newtonsoft.Json anyways. |
If you want to keep the AS middleware - I would put it into a separate package so it can have a life of its own. |
Cross referencing posts: http://katanaproject.codeplex.com/workitem/209 A small handful of us have implemented our own JwtFormat.Protect to get what should have been out-of-the-box support for JWTs in the OAuth2 middleware. I am definitely keeping my eye on IdSrv v3 (currently slated to release at the end of the year: Milestones) and will seriously consider switching once it's RTM. Having said that, as many have pointed out, they really are apples to oranges. I don't see how multiple options are a bad thing. |
+1 for keeping |
Just for the record: IdSvr is a great product and dominick is one of the best guys in the area of security. In Addition to that, the SelfHost-(minimal)-sample seems to be really cool and lightweight. But, as mentioned, I do believe that not porting the existing middleware-components would really be a bad decision. |
The Bearer token middleware has been ported. I recommend opening a separate bug specific to the OAuth server discussion. |
For anyone still looking for the original OAuth Authorization Server in ASP.NET 5, I have ported the code and the original sample here: The port includes backwards compatibility to allow ASP.NET 4.x resource servers to read the access tokens created by the authorization server. The nuget packages are here: |
Do not port the OAuth authorization server, @blowdart says we should use the Thinktexture server instead.
The text was updated successfully, but these errors were encountered: