
OAuth2 and IdentityServer3

Jan 12, 2017

Paul Glavich
Page 1: OAuth2 and IdentityServer3

OAUTH2 AND IDENTITYSERVER3

Integrating into your application

Page 2: OAuth2 and IdentityServer3

What we will and won’t cover

■ Will – What is Identity Server and why use it.
■ Will – How to start integrating into your app.
■ Will – Extension points, customisation points, token types.
■ Will – Nasty bits, hard stuff, pain points.
■ Won’t – Detail or explain all OAuth2 flows.
■ Won’t – Show every possible integration scenario and customisation point.
■ Take away
  – Having a good idea of the technical cost, difficulty and suitability for a given situation.
  – How to begin and where to go from there.

Page 3: OAuth2 and IdentityServer3

It’s not you, it’s me

■ Paul Glavich
■ @glav, [email protected]
■ ASP.Net MVP 12 years
■ Author of 3 books, various articles, http://weblogs.asp.net/pglavich
■ International speaker (does NZ count?)
■ ASPInsider
■ CTO Saasu.com

Page 4: OAuth2 and IdentityServer3

What is Identity Server

■ Spec compliant OAuth2 Authorisation server (STS)
  – (That means it’s big and complex)
■ OAuth2 flows and OpenID Connect
■ Can integrate with external providers (Google etc.)
■ Open source (Dominick Baier and Brock Allen)
  – Identity Server 3 v2.5 (latest)
  – Identity Server 4 (support for .Net Core/vNext) – in progress
■ Series of NuGet packages, OWIN based implementation

Page 5: OAuth2 and IdentityServer3

Free accessories

■ Identity Manager
  – In beta
  – Tool to admin users, claims etc.
  – Similar to the website admin tool
■ Identity Model
  – Helper classes
  – Client code
■ https://identityserver.github.io/

Page 6: OAuth2 and IdentityServer3

Why bother?

■ Can develop your own, right…?

Page 7: OAuth2 and IdentityServer3

Writing your own OAuth/Identity Server

■ It can be done…
■ But often ends in tears.

Page 8: OAuth2 and IdentityServer3

Alternatives

■ Other alternatives
  – Auth0 ( https://auth0.com/ )
    ■ Cloud based, good integration hooks, some cost
  – Azure/AD ( https://azure.microsoft.com/en-us/services/active-directory/ )
    ■ Cloud, multi-protocol, some cost
  – WSO2 ( http://wso2.com/ )
    ■ Java, multi-protocol (WS-*, OpenId, EIB) – open source and paid versions.

Page 9: OAuth2 and IdentityServer3

Getting started

■ Install NuGet package “IdentityServer3”
■ Configure startup

■ Demo: Simplest setup

Page 10: OAuth2 and IdentityServer3

Logging

■ Supports a variety of pluggable log sources.
■ Get logging working first and worry about all the flows later.
■ Saves hours of debugging time.
■ Supports Serilog, NLog, Log4Net, Enterprise Library & Loupe.
  – Install the requisite NuGet package
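The "simplest setup" from the Getting started slide together with the logging advice from this one, as an added example (not the talk's demo code): an OWIN Startup that wires Serilog before anything else, then hosts IdentityServer3 under /identity with in-memory clients, scopes and users. It assumes the IdentityServer3, Serilog and Serilog.Sinks.Trace packages; the client id, redirect URI, test user and certificate path are constructed values.

```csharp
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.InMemory;
using Owin;
using Serilog;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Logging first: IdentityServer3 picks Serilog up automatically once Log.Logger is set,
        // so bad client ids, scopes and redirect URIs are explained in the trace output.
        Log.Logger = new LoggerConfiguration()
            .MinimumLevel.Debug()
            .WriteTo.Trace()
            .CreateLogger();
        // Constructed demo registrations: one implicit-flow client and one test user.
        var clients = new List<Client>
        {
            new Client
            {
                ClientId = "mvc-demo",
                ClientName = "Demo MVC application",
                Flow = Flows.Implicit,
                // Redirect URIs are matched exactly; list every one the client uses.
                RedirectUris = new List<string> { "https://localhost:44300/" },
                AllowedScopes = new List<string> { "openid", "profile" }
            }
        };
        var users = new List<InMemoryUser>
        {
            new InMemoryUser { Username = "alice", Password = "demo-password", Subject = "1" }
        };
        var factory = new IdentityServerServiceFactory()
            .UseInMemoryClients(clients)
            .UseInMemoryScopes(new[] { StandardScopes.OpenId, StandardScopes.Profile })
            .UseInMemoryUsers(users);
        // Host IdentityServer under /identity of the same site (the "embedded" setup).
        app.Map("/identity", idsrv => idsrv.UseIdentityServer(new IdentityServerOptions
        {
            SiteName = "Demo IdentityServer",
            // Token-signing certificate; in production load it from a certificate store.
            SigningCertificate = new X509Certificate2("idsrv.pfx", "placeholder-password"),
            Factory = factory,
            RequireSsl = true
        }));
    }
}
```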

Page 11: OAuth2 and IdentityServer3

High level view

(Diagram; only its labels survive: IdSrv Endpoints, Assets, External Integration, Application, Services, Repository Stores. Footnotes on the diagram: “Can customise” on three of the boxes, “Can configure” on one, and “Not applicable to all OAuth flows”.)

Page 12: OAuth2 and IdentityServer3

Customising Assets

■ Stylesheets
■ Html Views/Templates
  – Login/Logout form
  – Consent form
  – Permissions view
  – Error form
■ Loaded via DefaultViewService (implements IViewService)
■ Customise loading via a custom IViewService implementation

<Asset> <img src="funny-cat.gif" /></Asset>

Page 13: OAuth2 and IdentityServer3

Configuring custom assets

■ Only the welcome page is not configurable (but is replaceable)
  – Can disable
■ Setup loading of custom partial views

■ Demo
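The asset customisation from the previous two slides (extra stylesheet, partial views loaded from disk, welcome page switched off), as an added example rather than the talk's demo: it configures IdentityServer3's DefaultViewService through DefaultViewServiceOptions. The ViewConfig class name, the stylesheet path and the template folder contents are assumptions for this example.

```csharp
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Services;
using IdentityServer3.Core.Services.Default;

public static class ViewConfig
{
    // Returns the same factory with the DefaultViewService configured for branded views.
    public static IdentityServerServiceFactory ConfigureViews(IdentityServerServiceFactory factory)
    {
        var viewOptions = new DefaultViewServiceOptions();
        // Extra stylesheet served by the host site (constructed path for this example).
        viewOptions.Stylesheets.Add("/Content/idsrv-branding.css");
        // Load partial views (_login.html, _consent.html, _permissions.html, _error.html, ...)
        // from the site's templates folder and fall back to the embedded defaults for the rest.
        viewOptions.ViewLoader = new Registration<IViewLoader>(new FileSystemWithEmbeddedFallbackViewLoader());
        // Turn caching off only while editing templates; leave it on in production.
        viewOptions.CacheViews = false;
        factory.ConfigureDefaultViewService(viewOptions);
        return factory;
    }

    public static IdentityServerOptions WithoutWelcomePage(IdentityServerOptions options)
    {
        // The welcome page is the one built-in page that cannot be restyled, only disabled.
        options.EnableWelcomePage = false;
        return options;
    }
}
```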

Page 14: OAuth2 and IdentityServer3

What about the data store?

■ EntityFramework 6 NuGet package
■ Fully customisable storage engine via custom interface implementation
  – TokenHandleStore, ConsentStore, ClientStore, etc.
  – TokenHandleService, ConsentService, ClientService
■ Should at least configure IUserStore, IClientStore, IScopeStore (mandatory).
  – AuthorizationCodeStore, TokenHandleStore, RefreshTokenStore, ConsentStore (mandatory for prod)
■ Demo with Dapper
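A custom store of the kind this slide describes, as an added example and not the talk's Dapper demo: an IClientStore that reads clients from SQL via Dapper, with the registration line for the service factory. It assumes the Dapper and IdentityServer3 packages and a constructed Clients table with columns ClientId, ClientName, Enabled and SecretHash.

```csharp
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Threading.Tasks;
using Dapper;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services;

public class DapperClientStore : IClientStore
{
    private readonly string _connectionString;
    public DapperClientStore(string connectionString)
    {
        _connectionString = connectionString;
    }
    // Called on every authorize/token request. Returning null for an unknown id lets
    // IdentityServer reject the request cleanly instead of surfacing an exception.
    public async Task<Client> FindClientByIdAsync(string clientId)
    {
        using (var conn = new SqlConnection(_connectionString))
        {
            // Parameterised query: the client id arrives straight off the wire.
            var row = await conn.QuerySingleOrDefaultAsync<ClientRow>(
                "SELECT ClientId, ClientName, Enabled, SecretHash FROM Clients WHERE ClientId = @clientId",
                new { clientId });
            if (row == null) return null;
            return new Client
            {
                ClientId = row.ClientId,
                ClientName = row.ClientName,
                Enabled = row.Enabled,
                Flow = Flows.ClientCredentials,
                // SecretHash holds the value produced by "plaintext".Sha256(), which is what the
                // default hashed-secret validator compares against; the plaintext is never stored.
                ClientSecrets = new List<Secret> { new Secret(row.SecretHash) },
                AllowedScopes = new List<string> { "api" }
            };
        }
    }
    private class ClientRow
    {
        public string ClientId { get; set; }
        public string ClientName { get; set; }
        public bool Enabled { get; set; }
        public string SecretHash { get; set; }
    }
}
// Registration in Startup, alongside the other stores:
// factory.ClientStore = new Registration<IClientStore>(new DapperClientStore(connectionString));
```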

Page 15: OAuth2 and IdentityServer3

Embedded IdentityServer with OpenId

■ IdentityServer to manage the authentication of users and tokens/cookies.
■ [Authorize] – just works

    [Authorize]
    public ActionResult Index()
    {
        ViewBag.Title = "Secured Page";
        return View();
    }

■ [ResourceAuthorize("action", "resource")] – based on resource and action
  – Requires NuGet package IdentityModel.Owin.ResourceAuthorization.Mvc
■ Demo
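What sits behind [ResourceAuthorize], as an added example (not the talk's demo): a ResourceAuthorizationManager that decides action/resource checks from the signed-in user's claims, the MVC controller that uses the attribute, and the OWIN registration. It assumes the IdentityModel.Owin.ResourceAuthorization.Mvc package; the Invoice resource, the Read/Approve actions and the role claim values are constructed for the example.

```csharp
using System.Linq;
using System.Threading.Tasks;
using System.Web.Mvc;
using IdentityModel.Owin.ResourceAuthorization;
using IdentityModel.Owin.ResourceAuthorization.Mvc;
using Owin;

// Central policy: every action/resource check raised by the attributes ends up here.
public class InvoiceAuthorizationManager : ResourceAuthorizationManager
{
    public override Task<bool> CheckAccessAsync(ResourceAuthorizationContext context)
    {
        // Deny by default: only the resource/action pairs listed below are ever granted.
        if (context.Resource.First().Value != "Invoice") return Nok();
        var user = context.Principal;
        switch (context.Action.First().Value)
        {
            case "Read":
                return Eval(user.HasClaim("role", "Accounting") || user.HasClaim("role", "Manager"));
            case "Approve":
                return Eval(user.HasClaim("role", "Manager"));
            default:
                return Nok();
        }
    }
}

public class InvoiceController : Controller
{
    [ResourceAuthorize("Read", "Invoice")]
    public ActionResult Index()
    {
        return View();
    }

    [ResourceAuthorize("Approve", "Invoice")]
    public ActionResult Approve(int id)
    {
        return RedirectToAction("Index");
    }
}

public static class AuthorizationConfig
{
    // Register the manager in the OWIN pipeline after the authentication middleware.
    public static void Configure(IAppBuilder app)
    {
        app.UseResourceAuthorization(new InvoiceAuthorizationManager());
    }
}
```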

Page 16: OAuth2 and IdentityServer3

It is not all unicorns and rainbows…

■ Integrating IdentityServer is far from simple.
  – In reality, it will take some time
■ Errors are not always obvious
■ Look to the samples. There are many.
■ Get used to reading the issue register and following threads.
■ Testing, particularly the Authorization Code and hybrid flows, can be tricky
  – Utilise this test harness/console app or write your own

Page 17: OAuth2 and IdentityServer3

Takeaways and items to remember

■ Get logging working first. It will save you hours of debugging.
■ Download all the samples, and familiarise yourself with your specific scenarios.
  – Looking at alternate samples may only serve to confuse initially.
  – Lots of different ways to get going.
■ When looking at documentation, ensure you are looking at the latest.
  – Can easily be looking at older versions inadvertently. Much confusion.
■ Create a test harness, callback site, or something to assist testing and verification

Page 18: OAuth2 and IdentityServer3

Links and resources

■ Identity Server: https://identityserver.github.io/
■ Demo code, DB scripts: https://github.com/glav/DDDSyd2016
■ OAuth2: http://oauth.net/2/
■ Auth0: https://auth0.com/
■ WSO2: http://wso2.com/
■ Me: [email protected] and @glav

Page 19: OAuth2 and IdentityServer3

1-5 August

DDD Sydney thanks our sponsors