Let’s imagine you have a web application built as a monolith and you want to introduce microservices. Or you may have several clients connected to your backend: a mobile app, an SPA, devices, etc. One of the first tasks you have to solve is integrating authentication and authorization. In my opinion, one of the simplest ways is integrating SSO (single sign-on) into your application.
There is an open-source, ready-to-use product, IdentityServer4, which implements the OpenID Connect and OAuth 2.0 frameworks. The solution is built with .NET Core 3.1 and is easy to modify according to your business rules. It is also an out-of-the-box solution ready to deploy, so you don’t have to develop and set up a custom authentication system.
Versions of IdentityServer
There are two versions of the IS application: the free, open-source IS4 and the commercial IdentityServer5. According to the documentation, IS5 is free for development and testing, but you have to pay to use it in production. IS4 is declared a legacy system, but it is free to use in production.
Even though all new features are being developed in the commercial IS5, you may go live with the free IS4. The IS4 system contains everything required by the OpenID Connect and OAuth 2.0 frameworks.
How to integrate the IS4
Downloading the IS4 solution from GitHub
To integrate IS4 into your system, you just need to download it from the samples. I’d suggest you choose my extended solution, but you may still choose one of the original ones.
My version contains the following:
- The IS4 solution without any storage. You are free to integrate your favorite one.
- Several sample clients, including the OAuth 2.0 debugger
- A custom profile service where you can write your code related to issuing claims
Feel free to consider my repository as instructions for integrating IS4 from the original repository.
Set up your IS4
- Add your own scope to restrict access to different APIs (like here). If your application has no domain segregation with different scopes, you may skip the custom scope or just use a single one. Here I use “core.api” as the name of the scope, but you may choose any other name.
- Add clients to IS4 (like here). To prove the concept, I am adding a web-browser debug client like this. The client lets me see the claims contained in the JWT token. Also, don’t forget to include your own scope in the clients’ allowed scopes property (like here).
- (Optional) Add external login providers such as Google authentication if necessary. Here I have sample code that integrates Google. Facebook, GitHub, Active Directory and other providers are also available.
- (Optional) In this custom profile service you may change the claims that will be used to prepare the JWT token for clients.
Set up your Web API application
Here I will give you an example using an ASP.NET Core Web API. I believe it is easy to find tutorials on integrating OAuth 2.0 authentication for other web frameworks and programming languages.
- Add JWT bearer authentication with the IS4 URL address (like this).
- (Optional) Add scope authorization to restrict access (like this).
If you do step 2 and a client without the scope makes a web request, it will get a 403 error.
Set up a debug client such as the OAuth 2.0 debugger
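The Web API side of steps 1 and 2, as an added example rather than code from the linked repository: an ASP.NET Core 3.1 Startup that validates bearer tokens against the IS4 at https://localhost:6001 and answers callers without the “core.api” scope with 403. It assumes IS4 v4 (access tokens carry typ “at+jwt” and the scope claim as a JSON array), no ApiResource/audience configured, and a hypothetical /api/ping endpoint and policy name “CoreApi”.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Step 1: validate bearer tokens against IS4. The handler fetches the
        // discovery document and signing keys from Authority, so issuer,
        // signature and lifetime are checked automatically.
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "https://localhost:6001";
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // IS4 v4 marks access tokens with typ "at+jwt"; rejecting other
                    // types stops an id_token being presented as an access token.
                    ValidTypes = new[] { "at+jwt" },
                    // No ApiResource (audience) is configured in this example;
                    // access is restricted by scope below instead.
                    ValidateAudience = false
                };
            });

        // Step 2: require the "core.api" scope. IS4 emits "scope" as a JSON array,
        // which the JWT handler turns into one "scope" claim per value.
        services.AddAuthorization(options =>
            options.AddPolicy("CoreApi", policy =>
                policy.RequireAuthenticatedUser().RequireClaim("scope", "core.api")));
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication(); // populates HttpContext.User from the bearer token
        app.UseAuthorization();  // enforces the policies attached to endpoints
        app.UseEndpoints(endpoints =>
        {
            // Protected endpoint (assumed for illustration): a valid token without
            // "core.api" is authenticated but not authorized, so the answer is 403.
            endpoints.MapGet("/api/ping", ctx => ctx.Response.WriteAsync("pong"))
                     .RequireAuthorization("CoreApi");
        });
    }
}
```

A request with no token at all gets 401 from the bearer handler; only a valid token that lacks the scope produces the 403 described above.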
- Add the client like this.
- Go to the URL below:
https://localhost:6001/connect/authorize?response_type=id_token&client_id=client&client_secret=secret&redirect_uri=https%3A%2F%2Foauthdebugger.com%2Fdebug&scope=openid%20email%20profile&nonce=wnpup8t4v2b