Can we use Identity Server 4 as an API - asp.net-core

I am new to Identity Server. I have a doubt. Can we use Identity Server as API? My idea is to give Identity Server the responsibility of Authentication too. So that I can pass the username and password entered by user from my Presentation layer to Identity Server. If the credentials are valid, Identity Server will return the user's details back to my MVC Controller.
Thanks!

Related

Do users of a third party app accessing our APIs have to log in with us even if they've already authenticated with their system?

We have a third party company developing a mobile app and they want to call our APIs. Our API is protected with Identity Server 4, which uses OpenID Connect and OAuth2. In order to access our APIs, would their app have to pop open a mobile browser so the user can log into our system? What if users have already authenticated with the third party's identity provider? Seems like that would create a negative user experience to authenticate two different times while using the app.
My understanding is we would add their app as a client in Identity Server using the authorization code grant. Would we add their identity provider as an identity provider that our Identity Server can call?
Any help on this would be greatly appreciated. I've researched myself into a hole.
would their app have to pop open a mobile browser so the user can log into our system?
You are pretty much right in your assumptions that their app would have to somehow initiate an OIDC flow to allow the users of the mobile app to authenticate with the authority of your API (identity provider).
Seems like that would create a negative user experience to authenticate two different times while using the app.
It seems that this is what's holding you back. Firstly, that mobile app's identity provider is separate from your API's authority, and it is important to understand that the "user" authenticated with the other identity provider means close to nothing to your API, because the token has been issued by a different authority and it's not even a "user" from your user base.
My understanding is we would add their app as a client in Identity Server using the authorization code grant.
Yes, but also check the Authorization Code grant with PKCE, which adds extra security measures.
Would we add their identity provider as an identity provider that our Identity Server can call?
Yes, you will need to do that, but this is just the start of the things you would need to do to achieve what you are looking for. Because you already have Identity Server 4 in place, I assume your systems already have an established user base; therefore, if you just redirect to the external identity provider, once a user authenticates there and the token is issued back, that kinda means nothing because you don't have any kind of mapping from the user of the third party system to the user of your system.
There is pretty much nothing out of the box in Identity Server 4 that will help you with this, but one way to tackle it is to implement some sort of account linking mechanism, where the users would first have to "link" their account in your system with the account in the third party system. With the account linked, you would have the means to issue claims related to your system.
Identity Server 4 absolutely has out of the box solutions for this. If it didn't, what would be the point of calling itself an OAuth 2.0 framework?
You do not need to initiate an OIDC flow like stated. What does that even mean anyway? OIDC is a connection protocol, not a flow. Flows include hybrid, implicit, client credential, etc.
You could obtain an access token for your 3rd party app in a number of ways; all of them use the token endpoint built into Identity Server 4 specifically for creating access tokens. The most common is using the ClientCredential flow, where you gain a bearer token by hitting the Identity Server 4 token endpoint, passing the client_credentials grant type with the ClientId of the client they want to access, a shared secret supplied by you, and the API scope they are attempting to access.
Another option is that you could create a user for this client on Identity Server 4, then gain an access token using the ResourceOwnerPassword flow by hitting the token endpoint, passing the password grant type, clientId, username, and password, again along with the API scope they want to access.
For information on how to do all of the above, check out this link. It will help you on your way.
http://docs.identityserver.io/en/latest/endpoints/token.html
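Putting the two answers together, the following is an added example (not code from the thread or from IdentityServer4 itself): it builds the client_credentials and password grant request bodies described above and derives the PKCE code_verifier/code_challenge pair for the authorization code grant, with the server-side check that goes with it. The issuer URL, client ids, secret and scope are constructed placeholders; nothing is sent over the network.

```python
# Added example (not from the thread or IdentityServer4): builds the token-endpoint
# requests the answers above describe and the PKCE values for the authorization-code
# grant (RFC 7636, S256). All ids, secrets and URLs are constructed placeholders.
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import urlencode

# Assumed issuer; /connect/token is IdentityServer4's default token endpoint path.
TOKEN_ENDPOINT = "https://idsrv.example.test/connect/token"

def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge); a fresh 43-char verifier if none given."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge

def verify_pkce(verifier: str, challenge: str) -> bool:
    """The check the token endpoint performs when the authorization code is redeemed."""
    return secrets.compare_digest(make_pkce_pair(verifier)[1], challenge)

def client_credentials_body(client_id: str, client_secret: str, scope: str) -> str:
    """Machine-to-machine token request: no user involved, so no user claims in the token."""
    return urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": scope})

def password_grant_body(client_id: str, username: str, password: str, scope: str) -> str:
    """Resource-owner password grant: note the client itself handles the user's password."""
    return urlencode({"grant_type": "password", "client_id": client_id,
                      "username": username, "password": password, "scope": scope})

def auth_code_body(client_id: str, code: str, redirect_uri: str, verifier: str) -> str:
    """Redeems an authorization code together with the PKCE verifier it was bound to."""
    return urlencode({"grant_type": "authorization_code", "client_id": client_id,
                      "code": code, "redirect_uri": redirect_uri, "code_verifier": verifier})

if __name__ == "__main__":
    v, c = make_pkce_pair()
    print("code_challenge for the authorize request:", c)
    print("POST", TOKEN_ENDPOINT, auth_code_body("mobile-app", "<code>", "app://cb", v))
    print("POST", TOKEN_ENDPOINT, client_credentials_body("partner-api", "<secret>", "api1"))
```

The PKCE functions reproduce the RFC 7636 Appendix B test vector, so they can be checked offline before wiring them to a real client.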

Silent SAML authentication?

I'm trying to authenticate users with the SAML protocol.
So far I have two applications in two different identity providers (Auth0 and OneLogin) to test. I also have my service provider.
What I'm trying to do is authenticate users without redirecting them to any Identity Provider login form.
Something like this:
- The user tries to log in to my application (made in React).
- My service provider receives the request made by the user and sends the credentials (username and password) to an identity provider using the SAML protocol.
- The identity provider validates the credentials; if they are correct, it returns a SAML assertion to my service provider; otherwise, it will return an error.
- Depending on the identity provider's response, the content is sent to the user or not.
I know that it is not the intended use of SAML, but I want to know if there is a way to do it and how it will be possible.
Any help or advice will be well received, thank you.
That's not how SAML works and I'm not aware of any SAML identity providers that accept the user's name and password.
It is possible to include the user's name in the SAML authn request sent to the identity provider but there's no provision for including a password.
I think there are a number of security considerations if you were to prompt a user for their credentials for one web site (i.e. the identity provider) at a different web site (i.e. the service provider).
Using SAML SSO, if the user isn't already authenticated at the identity provider, it will prompt the user to log in.

Two .net core API and identity

I have two Web APIs, one for each of my two applications. I need my users to be able to log into either. Do I need to add ASP.NET Identity to both API projects? I will use a third party identity provider to authenticate the users.
If you are using an identity provider like Identity Server, you can store users in a database and use ASP.NET Identity in the identity provider's application to manage users.
When you want to authenticate a user in your client application, it will redirect the user to the identity provider application's login page to let the user enter their credentials; then the identity provider application will validate the user's credentials in the database and issue an ID token, and an access token if you want to access a protected resource.
You don't need to add ASP.NET Identity to your client (web app/API) applications unless you want to map/save the users to your local user database. Adding ASP.NET Identity to the identity provider application to help manage users is always a good choice.

authentication using identity server with existing database of membershipreboot

I have a Web application where I am using MembershipReboot to implement authentication. Now I want to use Identity Server 4 (with MVC Core) to secure this application and an API. I found that we can customize the IResourceOwnerPasswordValidator and IProfileService classes to use an existing database with Identity Server. I also see there is a MembershipReboot sample with Identity Server 3 but not with Identity Server 4.
Please suggest which method I need to use for user authentication using Identity Server with an existing MembershipReboot database.

Getting verification from LDAP through WSO2 Identity Server

I am only getting started with WSO2 Identity Server.
What do I need?
- getting verification from an LDAP server, through WSO2 Identity Server, that a user (entry) exists there.
Is it possible? Can I do this by adding a new Identity Provider in https://localhost:9444/carbon/?
Any ideas or help.
Sorry, if my question is dumb.
Identity Server comes with an embedded LDAP server as its primary userstore. But you can change the userstore configuration so that IS works with your LDAP too. You can also add your LDAP as a secondary userstore.
After that, if you go to the Users and Roles section in the UI, you should see the Users and Roles existing in your LDAP.