Discussion for API authentication and Identity Server #5833

Closed
blowdart opened this issue Nov 1, 2018 · 18 comments
Labels
area-identity Includes: Identity and providers feature-identity-service

@blowdart
Contributor

blowdart commented Nov 1, 2018

Some of you may have noticed that the Identity Server integration is now in the master branch along with a sample on how it all hangs together.

This issue is meant to centralize feedback as much as possible, so let's first discuss what this feature is aimed at and its limits.

  • The feature will appear as an authorization option for API and SPA templates where you require Individual Authentication with a local database.
  • This will not appear as an option for MVC or Razor Pages applications; those will continue as is for now.
  • It is meant as a simple starting point, supporting APIs and first party clients.
  • It uses conventions to register the clients and APIs without the need for configuring Identity Server beyond the helper methods in ConfigureServices():

    ```csharp
    // EF Core context that backs the local user database.
    services.AddDbContext<ApplicationDbContext>(options =>
        options.UseSqlite(Configuration.GetConnectionString("DefaultConnection")));

    // ASP.NET Core Identity, stored through EF.
    services.AddDefaultIdentity<ApplicationUser>()
        .AddEntityFrameworkStores<ApplicationDbContext>();

    // Identity Server with the convention-based client and API registration.
    services.AddIdentityServer()
        .AddApiAuthorization<ApplicationUser, ApplicationDbContext>();

    // JWT handler for tokens issued by the embedded Identity Server.
    services.AddAuthentication()
        .AddIdentityServerJwt();
    ```

  • It still uses ASPNET Identity for the user database, and thus requires EF.
  • It will not support any advanced usage of Identity Server, like federation, WS-Fed, client certificates, etc., although nothing will stop you migrating to those should you require them; you just have to abandon the helper functions and go full throttle with Identity Server's configuration system.
  • We'll be examining service to service authentication at some point.

So, have at it.

@blowdart blowdart self-assigned this Nov 1, 2018
@LindaLawton

> We'll be examining service to service authentication at some point.

Please do

@Praveen-Rai

@blowdart Please update the Repository and Sample links, as we know that the repository has been merged to aspnet/AspNetCore

Sample : https://github.com/aspnet/AspNetCore/tree/master/src/Identity/samples/ApiAuthSample
Source : https://github.com/aspnet/AspNetCore/tree/master/src/Identity

@gingters

I wanted to have a look at the sample, checked out the current master of this repo, but the ApiAuthSample project does not compile (using the 3.0.100-preview-009812 of the .NET Core SDK).
First of all, the compiler can't find the .AddDefaultIdentity<TUserModel>() extension, and if I change that to .AddIdentity<ApplicationUser, IdentityRole>() it still won't compile, as the compiler says:

```
Build FAILED.

C:\Program Files\dotnet\sdk\3.0.100-preview-009812\Sdks\Microsoft.NET.Sdk\targets\Microsoft.NET.Sdk.targets(125,5): error NETSDK1007: Cannot find project info for 'D:\Dev\sg\AspNetCore\src\Identity\src\Identity\Microsoft.AspNetCore.Identity.csproj'. This can indicate a missing project reference. [D:\Dev\sg\AspNetCore\src\Identity\samples\ApiAuthSample\ApiAuthSample.csproj]
    0 Warning(s)
    1 Error(s)
```

Which is strange, as the Microsoft.AspNetCore.Identity project is available at this path, and restores and builds just fine.

Any hints on what I need to do to get the sample running?

@blowdart
Contributor Author

blowdart commented Jan 3, 2019

@javiercn ?

@gingters

I updated to the latest state of master branch yesterday, and the sample project still does not compile. The error changed to not being able to find the project info for Microsoft.AspNetCore.Antiforgery.csproj now:

```
Build FAILED.

C:\Program Files\dotnet\sdk\3.0.100-preview-009812\Sdks\Microsoft.NET.Sdk\targets\Microsoft.NET.Sdk.targets(125,5): error NETSDK1007: Cannot find project info for 'C:\Dev\sg\AspNetCore\src\Antiforgery\src\Microsoft.AspNetCore.Antiforgery.csproj'. This can indicate a missing project reference. [C:\Dev\sg\AspNetCore\src\Identity\ApiAuthorization.IdentityServer\samples\ApiAuthSample\ApiAuthSample.csproj]
    0 Warning(s)
    1 Error(s)
```

The ASP.NET repo by itself compiles without errors, when I run the restore.cmd or build.cmd in the root directory.
I then went into the \src\Identity\ApiAuthorization.IdentityServer\samples\ApiAuthSample directory, ran dotnet restore and dotnet build, and then I ran into this problem.

Thing is, I should hand in a magazine article about that in 3 days, and I'd love to see that running before I hand in some stuff that maybe won't work for the readers :) Any ideas?

@javiercn
Member

@gingters I've been able to build and run the app without problems. There was a small issue due to us not updating the sample after some MVC change, but that's it.

#6805

I recommend you run .\build.cmd /t:Restore from the repo root and then dotnet build from the project folder and that should get you on your way.

@gingters

I updated the repo again, followed your steps, and I still have the issue that the build can't find the project info for the Microsoft.AspNetCore.Antiforgery project and errors out. Another clean checkout ran into the very same issue.
Did you try it on a clean checkout too, or in an already working copy, where you maybe have some old artifacts around?

@brockallen

It's working for me on the rel/2.2 branch. Clean checkout, run the build.cmd, then I run startvs.cmd identity.sln to open the solution.

@gingters

Then there must be some undocumented dependencies, or something else I can't find out. 🤔

Also on the rel/2.2 branch, the build of the sample project fails with the same error.
When I open the Identity.sln, VS shows me about 280 build errors, all related to project information for referenced projects that somehow can't be found.

I have the .NET Core SDK 3.0.100-preview-009812 installed, VS 2017, 2017 Preview and 2019 Preview. I used the eng\scripts\InstallVisualStudio.ps1 script to install all required workloads of VS 2017 for that.

@Ibro

Ibro commented Feb 9, 2019

It seems the sample has been moved to this location - ApiAuthSample

@andresrsanchez

andresrsanchez commented Mar 13, 2019

Hi!

One question: why is everything related to SPA in https://github.com/aspnet/AspNetCore/blob/master/src/Identity/ApiAuthorization.IdentityServer/src/Options/ClientBuilder.cs using the Implicit Grant Type?

Since December of last year I think it's not recommended: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-12#section-3.1.2

Thanks for all!

@blowdart
Contributor Author

blowdart commented Apr 4, 2019

The opinions of the OAuth folks are still in draft, and are the subject of some contention. While arguably same-site cookies might provide the same protections, we have problems with the implementation being different on Safari, because Apple reads the spec a different way. Furthermore, by sticking to JWT and the implicit flows we're opening up support for other applications by embedding Identity Server. It will be revisited again, but for now we're staying where we are.

@leastprivilege
Contributor

I think this is more about "implicit vs code + PKCE". IIRC we already discussed moving to code in a later preview.

@reiniellematt

The links included in the issue above are invalid (404 pages).

@Rick-Anderson
Contributor

Rick-Anderson commented Sep 11, 2019

> The links included in the issue above are invalid (404 pages).

sample
Source

@Pete-PlaytimeSolutions

I have a project, configured using IdentityServerSPA, where everything works fine on a local dev machine, but there seem to be issues when validating tokens when deployed to a Linux-based App Service on ASP.NET Core 3.1.

It looks like, when hosted on Linux, the internal IdentityServerJwtBearerOptionsConfiguration.ResolveAuthorityAndKeysAsync method sets the Authority and ValidIssuer to the internal Docker IP as the host (127.0.0.1), obtained using the IdentityServer4.Extensions.GetIdentityServerIssuerUri, instead of the actual host name of the App Service.

Is there a solution or workaround for this?

@javiercn
Member

@Pete-PlaytimeSolutions thanks for contacting us. This is a general discussion issue not meant for specific problems.

I would check if you are forwarding the headers to the host appropriately or check how to configure that.

If you still have issues afterwards, please file a separate issue (if you haven’t done so) so that we can follow up there.

We won’t be updating this thread further for this topic.
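
One way to do the header forwarding suggested in the reply above, as an added example that is not part of the thread or of the ASP.NET Core sample. It assumes an ASP.NET Core 3.1 `Startup` that uses the template registrations from the first post; the proxy address `10.0.0.1` and the host name `myapp.example.com` are placeholders.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Let the proxy's X-Forwarded-* values replace the scheme, host and
            // client IP that the container itself sees (e.g. http://127.0.0.1).
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                                     | ForwardedHeaders.XForwardedProto
                                     | ForwardedHeaders.XForwardedHost;

            // Accept the headers only from the front end the app runs behind.
            // Placeholder address (assumption): use your proxy or its network
            // (options.KnownNetworks) instead.
            options.KnownProxies.Add(IPAddress.Parse("10.0.0.1"));

            // The forwarded host becomes part of the token issuer, so restrict
            // it to the public name. Placeholder host name (assumption).
            options.AllowedHosts.Add("myapp.example.com");

            // Honour one proxy hop only (this is also the default).
            options.ForwardLimit = 1;
        });

        // The AddDbContext / AddDefaultIdentity / AddIdentityServer /
        // AddAuthentication registrations from the template stay unchanged.
    }

    public void Configure(IApplicationBuilder app)
    {
        // Must run before any middleware that reads Request.Scheme or
        // Request.Host, including Identity Server's issuer resolution.
        app.UseForwardedHeaders();

        app.UseRouting();
        app.UseAuthentication();
        app.UseIdentityServer();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

Headers from a sender that is not listed in `KnownProxies` or `KnownNetworks` are ignored, which is a common reason forwarding appears to have no effect inside a container. Clearing both lists makes the app accept `X-Forwarded-Host` from any client, so keep `AllowedHosts` populated if you do that.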

@ghost

ghost commented Dec 2, 2020

Thank you for contacting us. Due to a lack of activity on this discussion issue we're closing it in an effort to keep our backlog clean. If you believe there is a concern related to the ASP.NET Core framework, which hasn't been addressed yet, please file a new issue.

This issue will be locked after 30 more days of inactivity. If you still wish to discuss this subject after then, please create a new issue!

@ghost ghost closed this as completed Dec 2, 2020
@ghost ghost locked as resolved and limited conversation to collaborators Jan 1, 2021
This issue was closed.