In the current setup of an Asp.Net Core 2.1 web app and web api, I'm using IdentityServer4 as identity provider and I'm using IdentityServer4.AccessTokenValidation for protecting the web api (https://github.com/merijndejonge/OidcTemplate).
I'm using the following configuration in the api:
services.AddAuthentication("Bearer")
.AddIdentityServerAuthentication(options =>
{
options.Authority = domainSettings.Auth.Url;
options.RequireHttpsMetadata = false;
options.ApiName = domainSettings.Api.Id;
options.ApiSecret = domainSettings.Api.Secret;
});
While I'm perfectly happy with using IdentityServer4 as identity provider, I'm wondering if and how I can drop the dependency on IdentityServer in the web api, and use only functionality from Asp.Net Core itself. After all, I'm using OIDC, which should enable me to use different implementations at the identity provider and the web api side.
Can someone explain me how I have to change my web api setup, such that I connect with the IdentityServer identity provider without introducing a dependency on IdentityServer in my web api?
Related
I have an application stack with a React SPA frontend and an Asp.net core web-api backend. Both resources had been successfully registered in AzureAD each with its own app and the authentication and authorization processes are working fine. However, would it be possible to use the same registration for both the front and backend in AD?
When using the AD Application ID from the backend in React:
auth: {
clientId: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
authority: "https://login.microsoftonline.com/<tenantId>",
redirectUri: "http://localhost:3000"
}
I get the following error:
ServerError: invalid_request: AADSTS90009: Application 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'(api://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier.
I am using the MSAL library for the frontend.
Both the applications (front end and back end) need to be registered for sure in Azure AD.
As you are using client id of backend which is api to be secured , the Error is occurring.
Update client-id, tenant-id, redirect URI of front end application not backend api in configuration file based on application registration in Azure AD.
Then make sure to expose an API and grant admin consent to the API with required permissions.
Yes, this is possible. Your provider configuration looks correct, so check to make you app registration is setup properly. You will need the following things:
An SPA platform configuration with a redirect URI of http://localhost:3000
Add a scope (under 'Expose an API') and make sure your Application ID URI is created
Use the new scope in your MSAL authentication template
I have an asp.net web api and angularjs(1.4.x) app and planning to use Azure AD for authentication and single sign on feature. Most of the examples are using ADAL, which is deprecated as per Microsoft. Can anyone share some examples of what changes need to be done in Web api and AngularJS app?
Migrate ADAL.js to MSAL.js for Azure AD Authentication for AngularJS+ASP.NET Core application.
You could try #azure/msal-angularjs for AngularJS SPA
When migrating ADAL.js to MSAL.js, you need to use #azure/msal-angular that is based on Microsoft identity platform v2.0.
Below is the example using MSAL Angular and call a .NET Core web API.
Example : https://github.com/Azure-Samples/ms-identity-javascript-angular-tutorial/tree/main/3-Authorization-II/1-call-api
Reference Guide Based on SO Thread: https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-compare-msal-js-and-adal-js
https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-net-migration
I have created 2 projects a Blazor WebAssembly and Blazor Server API using .NET 5. I am able to login successfully to both applications independently using Azure AD with single sign on. Both apps are currently deployed on prem.
Now I want to secure the Server API but am having trouble configuring the Blazor Webassembly to authenticate with the server api using httpClient. I am getting confused with what to set the scope to in web assembly as most examples use Graph or Identity Server. Anyone have a working example or can lead me in the right direction? Thanks
public class ServerAuthorizationMessageHandler : AuthorizationMessageHandler
{
public ServerAuthorizationMessageHandler(IAccessTokenProvider provider, IConfiguration configuration,
NavigationManager navigationManager)
: base(provider, navigationManager)
{
var serverUrl = configuration["AppSettings:ServerUrl"];
ConfigureHandler(
authorizedUrls: new[] { serverUrl },
scopes: new[] { "api://lkjlkj/ReadAccess" }
);
}
}
Program.cs
builder.Services.AddHttpClient("Server", client => client.BaseAddress = new Uri(serverUrl))
.AddHttpMessageHandler<ServerAuthorizationMessageHandler>();
builder.Services.AddMsalAuthentication(options =>
{
builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
options.ProviderOptions.DefaultAccessTokenScopes.Add("???????");
Doh! Visual Studio 2019 has a Blazor template built in with this exact scenario!!
Select Blazor Web Assembly and select the option to host in ASP .NET core
My customer insists that IdentityServer4 should not be hosted entirely in DMZ for security reasons, especially considering that it has direct access to the database server.
From IdentityServer4 documentation and some other posts, it seems it should be possible to host MVC login pages in DMZ and leave IdentityServer4 API behind a firewall. If I understand correctly, I can achieve this using LoginUrl, LogoutUrl, ConsentUrl, ErrorUrl, DeviceVerificationUrl settings.
However, I'm not sure about the OpenID API. My SPA applications will need not only the login pages but also access to OpenID endpoints (connect/authorize, connect/userinfo, connect/checksession .well-known/openid-configuration).
How do I expose those IdentityServer4 endpoints in DMZ securely?
Currently I have no idea how those OpenID endpoints are created by IdentityServer4. In my app startup code, I just call AddIdentityServer and UseIdentityServer, and it does it's magic, registering the endpoints with my MVC app and then processing all the auth logic somewhere deep inside IdentityServer4.
Obviously, if I want to separate IdentityServer4 backend, I should call AddIdentityServer and UseIdentityServer in my backend API web service code, right? I can't use these method calls in my front-end website in DMZ because then IdentityServer4 will attempt to connect to the database for OpenID data, but the database is behind the firewall and unavailable directly from the DMZ.
I have the following typical code for IdentityServer4 initialization:
services.AddIdentityServer(
options =>
{
...
})
.AddConfigurationStore(options =>
{
options.ConfigureDbContext = b => b.UseSqlServer(Configuration.GetConnectionString("IdsvConnection"));
...
})
// this adds the operational data from DB (codes, tokens, consents)
.AddOperationalStore(options =>
{
options.ConfigureDbContext = b => b.UseSqlServer(Configuration.GetConnectionString("IdsvConnection"));
...
})
.AddAspNetIdentity<ApplicationUser>();
But if I leave this code in front-end, IdentityServer4 will not work. Is there some way to configure some other kind of operational and configuration store database access through backend API?
My current IdentityServer4 infrastructure looks like this:
SPA APP,
mobile apps
|
|
MVC app
with login pages
and IdentityServer4 OpenID endpoint
|
|
SQL server
with IdentityServer4 config
and operational stores
but I need it like this:
SPA APP,
mobile apps
|
|
--- DMZ ---
MVC app
with login pages
and IdentityServer4 OpenID endpoint
|
|
--- firewall ---
API web service
|
|
SQL server
with IdentityServer4 config
and operational stores
A common requirement actually and not about coding. It is about ensuring that if DMZ is compromised the other layers are not. Standard solution is to use a reverse proxy in front of the Authorization Server (IdentityServer in your case). It ensures that UIs can still reach OAuth endpoints - but that if the DMZ infra is compromised the attacker cannot get their hands on the actual Authorixation Server and its database connections.
we developed applications with custom STS as identity provider. Now we planning to use thinktecture identity server (Idsrv) as primary and ADFS as secondary to replace our custom STS. I enabled WS-Federation protocol in Idsrv and added Idsrv and ADFS as identity providers. we developed web application that trusts Idsrv. I also used HRD url to show the list of identity providers whenever user access the web application. It works fine for both identity providers.
Flows :
Idsrv provider web app-->HRD-->Idsrv-->HRD--->Web app
ADFS web app-->HRD-->ADFS-->HRD--->Web app
I also specify the home realm in web application to use the identity provider as default without showing HRD. It works good.
I want to develop a wcf service that trusts Idsrv. I want to utilise the wcf service from wpf client. Based on the user's domain, I need to specify the identity provider as default.
How can I specify the identity provider in wpf client?
my requirement is same as
https://github.com/thinktecture/Thinktecture.IdentityServer.v2/issues/198
The HRD concept does not exist in WCF / SOAP. You would need to go to the idp first and then exchange that token with a token from IdSrv.
Unfortunately, we haven't implemented those endpoint in idsrv. There is a PR on github with an implementation, maybe you wanna give that a try.