I have a IdentityServer4 project that protects a Web API. I am using ASP.Net CORE identity with local SQL Server. The authorization works fine when using [Authorize] in API controllers. When I use [Authorize(Roles = "QLTester")], however, I always gets 403 forbidden. I have a feeling that I may not have the correct configuration in the identity database. But should I configure the users and roles so they can be picked up by the system correctly?
Here is the cross reference record from the AspNetUserRole table
and here is the Role defined in AspNetRoles table
What else do I need besides these? or maybe I am doing it completely wrong.
Related
I have several client applications I want to put under Identity Server Authentication for which I'm using Duende IdentityServer. So, my Identity Server Project consists of the following.
Code blocks to configure the Identity Server
An ASP.NET MVC UI for Login, Error etc.
I want to keep the Identity Server and the Login application in separate projects. Here's what I'm trying to implement.
Identity Server Project : To have the Code blocks to check for the token and validate if it's a valid token.
If the token is invalid redirect to the Login Page in Login Application.
After a valid user log in success come back to the Identity Server, generate the token and maintain the token same as how the usual Identity Server works.
And with every request response the token will be validated by the Identity Server.
But I'm not sure whether it's possible or how to implement it.
Is there a way to separate the Identity Server and the Login Application in separate projects?
We are also evaluating the feasibility of having separate applications for UIs and for the rest of IdentityServer. Unfortunately, our conclusion so far is that IdentityServer doesn't support this scenario naturally. For example, the existence of IIdentityServerInteractionService suggests that interaction is designed to be used within the same application via dependency injection and a diagram on the documentation also suggest there is a single application - see link below.
I wouldn't say it unfeasible but we found few resources backing or supporting this scenario. Let us know if you find gold...
https://identityserver4.readthedocs.io/en/latest/topics/signin.html#login-workflow
I have a requirement to create an admin UI where I need to list all users registered on IdentityServer to start assigning permissions and roles. This application internally uses PolicyServer, but as a superadmin user, I would need to see all users registered on IdentityServer. Here IdentityServer is responsible for authentication and the other application that uses PolicyServer is responsible for the authorization.
Which is the correct way to proceed:
1- This admin UI application should be connected to the same database that IdentityServer uses to get all the users?
2 Or should I need to extend IdentityServer on this way?:
http://docs.identityserver.io/en/latest/topics/add_apis.html
I followed this issue here:
IdentityServer/IdentityServer3#2607
but still, it is not clear for me how to proceed on the question above.
Well, the users database is usually provided by ASP.NET Identity, not so Identity Server.
I had the same issue and I went on to develop the admin Web app in the same host as Identity Server, thus using the database connection to get to the users (and the API resources, clients, etc.).
I argue that this is the simplest way to achieve what you want. And still allows you to provide a complete API on your Identity Server for external apps. I also did that (for scenarios where client apps are allowed to view/edit the user profile, for example). The API was built using plain ASP.NET Core MVC.
I'm working on setting up a new SSO application. I would like to use ASP.NET Identity as a database to store the users data. I have a ReactJs application hosted on Node.JS and a .Net Web Api2 application. I want to protect thsi Web Api 2 using Identity Server with users from its database. In further development I'm going to create a mobile application.
I'm able to create an asp.net identity database with some users and use Resource Owner credentials, but I have couple of questions if anyone could help:
Why is Resource Owner Credentials not recommended? My current workflow is to hit the api with client&user&password and obtain a token which I store in web layer and use in Web Api requests. Web Api validates the tokens and identify the user. I read on IS page that's not recommended then what's the recommended scenario to authenticate the user?
How can I create an authenticator for mobile? Should I create my own certificate issue, store it in database as a thumbprint and use access token for that?
Thanks
In short, Resource Owner requires the credentials to be passed through the application itself, also RO doesn't give you SSO. Here's a longer answer. The recommended scenario is to use hybrid flow with PKCE enabled.
Look up TOTP. I believe it is implemented in AspNetCore.Identity with some examples.
I'd like to use IdentityServer4 for authentication in my ASP.NET Core MVC web application, but the user registration process seems awkward. Most web sites that require user registration don't redirect you do a separate site (e.g. Facebook, Twitter, etc.) to sign up if you're using local user accounts.
One solution is to host IdentityServer4 in the same process as my MVC client, but that is discouraged.
Are there any good real world examples of local user registration with IdentityServer4?
IdentityServer is for authenticating existing users, not really creating new users.
In our use-case, we have 3 projects playing a part:
The identity server
A protected API
An identity provider (aspnet core identity) project
Users are created by a call to the API, which creates the appropriate structures in the identity provider.
Our identity server makes calls to the identity provider when validating requests for tokens.
Our API uses identity server to protect the resources, and our identity provider to retrieve information we may need about that user that aren't contained as claims (permissions, for example).
In this way our identity provider can be shared across projects (one user base with different roles), and the Identity Server is purely for authenticating users. All user management functions belong elsewhere.
EDIT:
#peyman We're not doing anything particular ground-breaking: just using the aspnet core identity framework (http://odetocode.com/blogs/scott/archive/2013/11/25/asp-net-core-identity.aspx).
The IUserStore and UserManager are the main drivers of this. When a user is created they are assigned a role, which for us is based on which application requested the creation of that user. Our implementation of IUserStore is what will ultimately be called by IdentityServer when verifying identity, and the data provided is used by IdentityServer to build up claims. Our resource API is relatively simply protected using Policies for claim based authorisation (https://learn.microsoft.com/en-us/aspnet/core/security/authorization/claims)
We are planning to integrate Identity Server3 in SPA page application using AngularJS with .Net Web API.
1) Need to create identity token and oAuth token for the application and store identity token in browser cookie. So taking Hybrid approach and need to map the identity to create oauth token, so both users and api are protected. Able to create oauth token, but struggling how to do authenticate using custom login page (not using identityserver3 login page) where userid and password validated from Angularjs page and create identity token and store it in browser cookie.
Any one have implemented custom login approach with identity token creating using identityserver3?
2) How to integrate identity Server3 with Active Directory as user data store?
Please provide comments.
Thanks
Regards
Ramkumar.C
For Active Directory(AD) user store, implement Identity Server as a Relying Party to your AD implementation. You can then simply integrate it within Identity Server as an external Identity Provider. Details on how to do this are in the official documentation: https://identityserver.github.io/Documentation/docsv2/configuration/identityProviders.html.
I assume you'll be doing this over WS-Federation, so you'll need to use the Microsoft.Owin.Security.WsFederation package.
If you want to use just AD as your user store, you can disable local logins in the IdentityServerOptions, set AD as the only Identity Provider for your Client using the IdentityProviderRestrictions property or use the acr_values property of idp when using the Authorization endpoint.
Regarding custom log in page external to Identity Server, many people have asked about this on the Identity Server issue tracker. Some have made implementations, but FYI: the team behind Identity Server do not recommend this approach.