IdentityServer4 without UI using Asp Core Identity Scaffolded - asp.net-core

I really need your help. I am trying to implement IdentityServer4to generate tokens for authenticated users giving them access to the web application. However, I have set my IdentityServer Project in its own solution. Then I have a web application that runs. What I need to implement is:
1.Using Identity user signs in.
2. if successful redirect to identity server4 to generate token
3. Redirect back to application with genrated tok

You will have to add in IdentityServer configuration web application as a client with scopes. Please see here:
http://docs.identityserver.io/en/latest/topics/clients.html
https://github.com/IdentityServer/IdentityServer4/tree/main/samples/Quickstarts/2_InteractiveAspNetCore/src

Related

ASP.NET Core Identity, SSO with WSFederation

I need to make my new ASP.NET Core Blazor WASM application authenticate with our on-prem ADFS/WSFederation servers. Specifically, it needs to automatically log-in users that are already logged into our AD domain, without making them go to a login page. Basic single sign on behavior. (This is how ASP.NET worked by default with ADFS/WSFederation)
I can get SSO to work without using Identity, and I get get Identity to use a log-in screen that will allow you to choose a WSFederation server as an external log-in provider, but that still begins at a log-in screen.
Can ASP.NET Core Identity work in an SSO configuration (no login screens appear for domain users), or is Identity built on the assumption that Log-in screens will be used? If it can be done, how is that set up? If I can't use Identity, can I still use other middleware like Authorization?

Changing ASP.NET Identity service to use WS-Federation

I am working on a new ASP.NET Core Blazor application that I am basing on the BlazorHero clean architecture template.
The major modification that I need to make is the switch from its ASP.NET Core Identity based system to relying on WS-Federation SSO authentication.
My initial goal is to get the app to stop using the login screen. (Which is caused by the
App.razor in the Blazor Client sending unauthorized users to login) What do I need to modify for the app to go to the home page rather than the login screen?
My second goal is to get the user service to return the current user information from our Ws-Federation server. I can write the code that will populate the current user from Ws-Federation. How/where do I tell the Identity service what I want it to return for the current user?
My assumption is that I will need to re-write (at minimum) the IdentityService.cs, the UserService.cs and the RoleService.cs files.

How to edit login page in WebAssembly project with Individual User Accounts?

I have selected Individual User Accounts while creating Blazor application. I have no idea where I can modify the Login page that was created, the file with source dode is not available anywhere.
How to modify Login page in that scenario?
When choosing your configuration the created template gets delivered with IdentityServer and ASP.NET Core Identity. IdentityServer makes the Endpoint OpenID/OAuth compatible. This is needed for the Blazor WebAssembly app to streamline the process of getting a token, validating it etc. ASP.NET Core Identity is used to save and retrieve the users from the database, loging them in by setting a Cookie and checking the correctness of provided passwords, hashing them etc. This link answers how you can modify the default Razor Pages delivered when an app with ASP.NET Core Identity is created.
Where are the Login and Register pages in an AspNet Core scaffolded app?

Understanding asp.net core identity template login

In Visual Studio 2017, create a new ASP.NET Core Web Application (.NET Core) project, changing authentication to Individual User Accounts (so using ASP.NET Core Identity).
In the created project, there is an AccountController. In the [HttpGet] Login method, there is the following:
// Clear the existing external cookie to ensure a clean login process
await HttpContext.Authentication.SignOutAsync(_externalCookieScheme);
I'm just trying to understand the authentication process a bit better. So my questions are:
What does this code do?
Why is it included in this method?
If I do not include this in my own login method, under what circumstances will I encounter a problem, and what will the problem be?
In identity you can use external login like Microsoft, Google or Facebook and this method insures that you are not logged in with these services before authenticating user.
just if you use external login, include this line in your Login action otherwise you don't need it.

asp.net 5 and IdentityServer4

I am working on a prototype for a site re-architecture using ASP.NET 5 and I am debating using IdentityServer4 for my Authentication and Authorization. I have reviewed a lot of samples and articles about setting up IdentityServer3 and 4 and I am trying to wrap my head around if it can handle my client’s requirements in a proper way. Here are my requirements.
I have 3 sites that need authorization. Site 1 (abc.com) will require windows authentication and will be a combination of mvc and webapi calls using roles (or roles converted to claims) for authorization. Site 2 (def.com) is a trusted site that wants a login widget with a username/password/rememberme text box on their site that when submitted will authenticate the user and redirect them to site 3 (xyz.com). Site 3 will also have its own login page and will be a combination of mvc and webapi calls using claims. Site 2 and 3 will not be using windows authentication and the client does not want them redirecting to the identity server login screen, but rather having their own login screen and calling the identity server from code with the credentials to login.
Here are my questions regarding this scenario and IdentityServer4.
Can Idsvr4 handle one client using windows authentication and
another using username/password authentication?
If so, is there a
reason to have windows auth in idsvr4 or should it just use standard
windows auth within the webapp?
Can idsvr4 be setup to have the client collect the username/password/rememberme values and pass them through code to
get the proper jwt tokens for both mvc and webapi?
If so, can it
log them into both the mvc and webapi applications on another site?
If so, is this circumventing the real purpose of identityserver4
and therefor is a bad idea?
If it can handle this scenario and is a good idea, how would I setup the client, scopes and code to handle the login through code and redirect?
Examples are great and very welcome, but I am not even sure what verbiage to use to search for this scenario so even pointing me in the right direction would be of great help.
Not sure if this question is still active. But yes, i believe you can do all that.
1) You can setup which ldp is available for each client by setting IdentityProviderRestrictions on the client (docs)
1.1) - Not sure what you mean, i believe one of the points of having idsrv is to sentralize you authentication, and it makes it easier for future websites to integrate with the same service.
2) When logging in using a client (application), you also specify which apiResource the client has access to - and the application needs to add this to the requested scopes when signing in. So if your client is the mvc application, you just add the ApiResource in the AllowedScopes - and set the request_type to id_token code - this would then give the user a access_token that is passed with each request to the backend api. (docs)
2.1) - This would basically log the user in on both sites - using an access token that says that the user is authorized to use the backend api.
2.2) - In my opinion this flow is one of the things that makes idsrv great - and they even mention this as a great feature of idsrv themself. You just need 1 trip to the authserver to gain access to all systems.
as for pt. 3 - Take an extra look at the docs, try to setup a blank project following the quickstarts.
For logging in from your own login page, you need to use the grant type Resource Owner password - Altough they dont recommend doing this for security issues (transmitting passwords over the wire) - it is supported.