In an attempt to understand what I may use for OpenId Connect Server implementation, I have looked into what each of them is:
IdentityServer4:
an OpenID Connect and OAuth 2.0 framework for ASP.NET Core 2.
AspNet.Security.OpenIdConnect.Server:
is an advanced OAuth2/OpenID Connect server framework for both ASP.NET Core 1.x/2.x and OWIN/Katana 3.x/4.x, designed to offer a low-level, protocol-first approach.
OpenIddict:
OpenIddict aims at providing a simple and easy-to-use solution to implement an OpenID Connect server in any ASP.NET Core 1.x or 2.x application.
OpenIddict is based on AspNet.Security.OpenIdConnect.Server to control the OpenID Connect authentication flow and can be used with any membership stack, including ASP.NET Core Identity.
Also have checked that all of them use well the ASP.NET Core Identity as a membership system.
And so my current understanding is that IdentityServer4 and OpenIdConnect.Server are two alternative frameworks that solve the same problem. The main difference is the list of supported ASP.NET Core versions.
Regarding Openiddict - it is a kind of extension to simplify server creation based on AspNet.Security.OpenIdConnect.Server.
Have I missed something, or this is how things in general are?
EDIT (01/28/2021): as part of the 3.0 update, AspNet.Security.OpenIdConnect.Server and OpenIddict were merged to form a single/unified codebase under the OpenIddict umbrella, which should offer the best of both worlds: you still have the same experience as before, but can now opt in for the degraded mode, giving advanced users the same lower-level approach as AspNet.Security.OpenIdConnect.Server.
And so my current understanding is that IdentityServer4 and OpenIdConnect.Server are two alternative frameworks that solve the same problem. The main difference is the list of supported ASP.NET Core versions.
Actually, I believe the most important difference is that these two libs don't share the same objective. ASOS' only mission is to help you deal with the raw OAuth 2.0/OIDC protocol details: everything else is totally out of scope. Concretely, this means that concepts like users, applications or stores - that you can find in OpenIddict and IdentityServer - are completely inexistant in ASOS (which means you're free to bring your own implementation... and your own abstraction).
While IdentityServer will expose many abstractions and services allowing to configure specific features, ASOS - that was forked from Katana's OAuthAuthorizationServerMiddleware - has a centralized low-level events-based API (named OpenIdConnectServerProvider) that behaves exactly the same way as the ASP.NET Core security middleware developed by MSFT.
When working with ASOS, you have to deal with raw OpenID Connect requests and implement potentially sensitive things like client authentication (e.g using a database containing the client credentials) and that's why ASOS' core target is people who understand how the OAuth2/OIDC protocol work. OpenIddict and IdentityServer, on the other hand, will implement these things for you.
Regarding Openiddict - it is a kind of extension to simplify server creation based on AspNet.Security.OpenIdConnect.Server.
Initially, that's indeed how I was asked to design it. OpenIddict was created for non-experts who don't feel super comfortable with the protocol details of OAuth 2.0 and OpenID Connect.
While it will give you full flexibility to implement the user authentication part (e.g in your own authorization controller, using ASP.NET Core Identity or your own authentication method), it will handle the complex request validation process and make it transparent for your app, without drowning you with tons of configuration options.
Unlike ASOS (that tries to be as flexible and as close to the specifications as possible), OpenIddict generally comes with more restrictive validation routines that I personally consider as best practices. For instance, it will automatically reject authorization requests that contain response_type=token if the client is a confidential application, even if that's not prohibited by the OpenID Connect specification.
Related
I have been working on authentication methods for my blazor app for some time now. I am currently developing as a standalone protected WebApi + Blazor Server, but will ultimately migrate to standalone protected WebApi + Hosted Blazor WASM so I need to be mindful of both server and client side authentication. The WebAPI will also serve an external OData feed and API for end users that also needs to be protected using the central authentication mechanism.
I would like to be able to sign on with Microsoft (ie. Microsoft.Identity.Web / MSAL), but want to configure some fairly complex roles and behaviours at the database level
(ie. ASP.NET Core Identity). To hopefully help someone else understand the different documentation sets, following are links to MS docs for the 2 options.
Introduction to Identity on ASP.NET Core
Microsoft Identity Platform Documentation
Don’t know about anyone else, but I have found it very difficult to navigate through the different documentation sets and tutorials to firstly understand how they work and secondly determine if it is best for me.
My question is, does anyone have any documentation on how they have integrated Microsoft.Identity.Web with the individual user accounts available in ASP.NET Core Identity for Blazor Server and/or WASM apps?, .
The following link shows how to do it all within ASP.NET Core Identity.
Integrate ASP.NET Core Identity with Microsoft account | BinaryIntellect Knowledge Base
If I was building an MVC web app, that’s what I would do. However, I really like the token handling capabilities of Microsoft.Identity.Web / MSAL (ie. ITokenAquisition etc.) for Blazor. It seems to be a real kludge to have to use the Razor pages for ASP.NET Core Identity and handling tokens securely becomes an issue – especially for Blazor WASM.
Chris Sainty has done some good work in porting some of the ASP.Net Razor pages to Blazor Components in the following link. However he does a lot of (very clever) manual processing of the token and I’m not sure I like the idea of storing the token in unprotected Local Storage of the blazor app. I haven’t gone into it in full detail yet, but I don’t think this method will be directly transferrable to Blazor WASM.
Authentication with client-side Blazor using WebAPI and ASP.NET Core Identity (chrissainty.com)
This SO post indicates that it is not possible to integrate Individual user accounts with Microsoft.Identity.Web.
c# - Microsoft Identity Plataform with asp.net Core Identity - Stack Overflow
I got a working solution going where I had both ASP.NET Core Identity and Microsoft.Identity.Web working side by side. However, I found this to be very difficult to implement and debug. Once you start mixing the various builder.Services.AddAuthetication(
) options (eg. .AddMicrosoftIdentityWebApp, . AddMicrosoftIdentityWebApi, .AddIdentityCore, .AddIdentity, .AddDefaultIdentity, .AddJWTBearer etc. etc.) I have found that you enter a world of pain and unpredictable behaviour. I basically had to go back to the source for each of them to work out what they were actually doing under the covers and work out how to blend them. I ended up going back to the raw OAuth / OpenId specifications and implementing everything manually – which is very unsatisfactory and I was unhappy with the risk I was taking in potentially introducing a security flaw – even though I got it to “work”.
EDIT: This SO post is similar to what I implemented. Microsoft Identity Local User Accounts and MSAL
I can’t believe how hard it has been to just get to this level of understanding, and still not have a solid working concept that does what I want it to do that is supported by documented acceptable techniques and not just my kludge at implementing everything manually.
Right now it appears to me that if I want to use as much out of the box / documented functionality as possible, I suspect that I should use ASP.NET Core Identity and work out how to integrate the ASP.net razor pages into my Web Api, Blazor Server and and Blazor WASM apps. However, this appears to be a backward step since Microsoft.Identity.Web / MSAL seems to be so much better suited to Blazor and seems to be the direction that MS is going.
If anyone can point me to some current examples of how this can be done, I would be very thankful.
I think I have found at least a partial answer to my question. The key problem I faced was how to capture the callback event from Microsoft.Identity.Web so that I can persist / retrieve info to/from the database during the authentication event. I was hung up on the ASP.NET Core Identity method of doing that.
I found the following SO post that provides information on how to respond to the OnTokenValidated event using Microsoft.Identity.Web. Microsoft.Identity.Web: OnTokenValidated event not triggered
Having access to this event means that I will be able to implement what I need to do at the database level and move on.
I have been trying for weeks to implement JWT authorisation in my .NET Core web app and have found myself following a lot of guides that I don't think are relevant to my use case. These guides talk a lot about scopes etc, and I don't think I need that level of complexity for my use case.
A lot of the guides talk about using things like OpenIddict or Identity Server to setup and configure something that the user can authorise against, but in these settings it seems like a seperate project is required to house the identity provider, and then my new asp net core application has to somehow hook into that for use. I'm also trying to get things like refresh tokens to work so the user doesn't have to log in over and over again.
The "client side" of my app will be Xamarin (for mobile) and Angular (for web).
In a single web application (a single .net core application) how can I use .NET Core Identity with JWT or OAuth? What is the minimum level of configuration required to achieve this?
ThisSimple JWT project
This is not asp.net core .This is just asp.net mvc project but this really simple and basic one. by watching this code, you will be clear how to implement JWT. Thanks
I am in need of a solution for using ADFS 3.0 identities in a ASP.NET Core 2 Web Api application. The Windows Enterprise Support team at my organization has informed me that they are only familiar with SAML or WS-Fed based relying parties within ADFS, and are not interested in allowing me to help them configure OAuth, which I could consume directly within the application. As far as I am aware, neither SAML nor WS-Fed are compatible with anything currently available targeting netcore or netstandard.
I've been looking at Identity Server 4, and it's so-called "Federation Gateway" functionality, but I can't find much in the way of documentation. Is this something that could be useful for my use case? I'm guessing that it's only set up to interface via OAuth or OpenID, but I could be wrong.
I've also looked at using Amazon Cognito as the middleman to issue JWTs based on the SAML response, but after I got a proof of concept working with this configuration, I realized the cost at $0.45/MAU is prohibitively high, as the application will have around 10-15k regular users.
If Identity Server isn't the solution, are there any other similar "Federation Gateway" type solutions available as preferably open source/free software? Even if the solution wasn't .NET-based, I'd be interested in looking at it. I'm toying with the idea of building something like this in Java or Ruby as a last resort.
As of version 2.0, IDS4 can be a WS-Fed relying party. This would allow it to act as a middleman between ADFS and OIDC/OAuth RPs.
This vid from the IDS4 guys covers the available options: https://vimeo.com/254635632
It's also worth noting that you can run ADFS 2016 servers in a 2008R2 or higher domain and that natively supports OpenID Connect but given what you've said about your internal "support" team, deploying IDS4 may be a better option, although probably more work.
Just for completeness, the issue with WS-Fed was cyptographic support in .NET Core. This is now resolved so WS-Fed is supported.
SAML support is available via Sustainsys or Rock Solid Knowledge.
You can implement SAML 2.0 federation with AD FS 3.0 in ASP.NET Core 2.1 using the ITfoxtec Identity Saml2 package. NuGet package: https://www.nuget.org/packages/ITfoxtec.Identity.Saml2.MvcCore/
Project https://itfoxtec.com/IdentitySaml2 and code samples https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/tree/master/test
Windows Identity Foundation (WIF) is around for a while, may be 5 to 7 years or more!, now Microsoft made WIF part of .net framework (4.5) itself. As we know WIF is a middleware for building identity aware applications.
As the trend on the web technology is changing, we have now need to incorporate multiple other identity providers (Google, Facebook etc.), in our application.
Now the industry got other Middleware technologies like OWIN, ASP.NET Identity etc.,
My Question,
Is still the WIF relevant and do we need to consider using it for new projects?
Or
Do we need to implement OWIN as alternative middleware? (As I understand Microsoft is betting on OWIN / KATANA moving forward).
Please share your thoughts.
For new projects I highly recommend considering Katana and ASP.NET 5 OWIN middleware.
WIF remains supported as part of the .NET framework, however we stopped adding new features long ago - all the innovation has been poured in Katana and OWIN middleware in general. Also, we like to think that the OWIN middleware is significantly easier to use :) Again, if your project has legacy aspects that impose the use of WIF, you can go ahead knowing we'll support you: but if you have any chance of choosing, the OWIN middleware is the best path moving forward.
Totally agree with #vibronet but to answer the question - yes - still relevant.
There's a ton of WIF out there - I support lots of customers who still use it.
OWIN is easier to use but the nice thing about WIF is that everything is in the web.config so the details are more explicit and easier to change. However, that comes at the cost of a fairly steep learning curve.
Refer: OWIN : Differences with WIF and WIF : Wrappers around protocols.
As per the links:
"You can think of OWIN as MVC and WIF as Forms. Forms are still supported but all the new whizzy features and all the code samples relate to MVC.
It's important to note the neither OWIN nor WIF are protocols - they are the wrappers around the protocols. The protocols underneath both are identical."
Also consider we have moved some of the functionality of WIF into an open source project we refer to as Wilson. You can check it out here: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet
I am creating a distributed application which will use ASP.NET Web API to support a Single-Page web Application (SPA) and other potential native mobile app platforms. My current architecture uses Thinktecture Identity Server as a STS which will provide authorization tokens for my clients to use to access the WebAPI. In the backend I will have persistence and business logic which will be exposed by a WCF service in a separate app domain from my WebAPI. The WebAPI will call the service layer to access data and perform actions on the domain.
My question is around authorization. I will be using Claims Based Authorization and can augment the list of claims from domain data held about the user from my WCF exposed business layer. But where should I carry out the authorization? With .NET 4.5, ASP.NET now has an extensible model to enable me to separate out authorization logic from my controllers into a separate authorization module - using the ClaimsAuthorizationManager. Also, Thinktecture.IdentityModel does a really good job of providing all the plumbing to do this within my WebAPI application. However, I cannot help thinking that the authorization logic should be sitting in my business layer, behind the WCF service, and that the client-facing WebAPI should not be tasked with enforcing this. Should I require other client facing hosted apps to consume my WCF based business layer, then they would also need to implement security code. On the downside, it does mean that an unauthorized request gets quite far into the application before being rejected.
Question: should I use the Claims based authorization capabilities in ASP.NET or should I wrap authorization around my business layer behind the WCF service?
When possible, you should always try to use the authorization tools the framework you use gives you. In Microsoft's case, it's claims-based authorization. The benefit is that you're isolating your authorization logic in a layer of its own rather than within your business logic.
Claims-based authorization is one of many approaches to authorization. Another would be to use XACML. I recently gave a talk on XACML for developers (albeit Java developers). You can read more about it here. I also wrote an article on .NET and XACML which you can check out here.