Mixing IdentityServer4 and WebAPI .net 4.5.2
I'm new to IdentityServer. I have followed the IdentityServer4 tutorial here
But this tutorial only shows how to secure a .net core API. I cannot find any tutorials using IdentityServer4 which also shows how to secure a .net 4.# WebAPI. I have found a post on StackOverflow here which suggests to use Microsoft Katana JWT middleware, but I have no idea how this would be implemented as I'm new to this.
Can anyone point me to a tutorial (or combination if needed) which will point me in the right direction. Thanks in advance.
UPDATE:
I am attempting to use IdentityServer3 for the API and IdentityServer4 for the Authorisation server.
I have created an IdentityServer4 authorisation server, this seems to be working fine.
I have created a WebAPI (using full .Net framework - in this case 4.7.1). I have followed the instructions on how to incorporate IdentityServer into the API from the IdentityServer3 documentation. So as expected, I now get a 401 Unauthorised Access when I try to navigate directly to the controller via a browser, so this is secure.
I have created a console client. I have configured this to point at the IdentityServer4 Auth Server and now get an access token back.
Only now when I SetBearerToken with this access token on the client, I still get a 401 Unauthorised. I have used both http and https for the authorisation server... I'm now scratching my head again!
The question is similar, but I want to secure a WebAPI, not Webforms and the client will be a mobile phone application, but that bit isn't important right now, I'm using a console app as a test client at the moment. I am struggling with the middleware required on the WebAPI side. I am looking right now at attempting to set up the API from an IdentityServer3 perspective (using the IS3 documentation), but keeping the server as IdentityServer4... I'll post back what I find.
– Craig
Aug 25 at 11:07
I think you can follow the IdentityServer4 documentation, but instead of using IdentityServer4 packages, you should use IdentityServer3 packages, as either version supports the same specification.
– Ruard van Elburg
Aug 25 at 12:43
1 Answer
1
Here is the complete example. As described in the brief guide you found yourself,
all you need (after adding all the necessary packages) is to add the following to your Startup.cs:
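    app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
    {
        // Base URL of the token service that issued the access token
        Authority = "https://identity.identityserver.io",
        // The token must carry at least one of these scopes
        RequiredScopes = new[] { "api1", "api2" }
    });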
Turned out that when used with the ValidationMode = ValidationMode.ValidationEndpoint option, IdentityServerBearerTokenAuthentication from IdentityServer 3 is not compatible with IdentityServer 4. Switching to ValidationMode.Local solves the situation.
Thanks, but I already have this. Here is a copy of my startup in the API project:
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
            {
                Authority = "https://localhost:5001",
                ValidationMode = ValidationMode.ValidationEndpoint,
                RequiredScopes = new[] { "MyApi" }
            });

            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();
            config.Filters.Add(new AuthorizeAttribute());
            app.UseWebApi(config);
        }
    }
– Craig
Aug 25 at 14:48
Sorry, that looks a little messy!
– Craig
Aug 25 at 14:56
By the way, why do you use ValidationMode.ValidationEndpoint? Is that intentional? Have you checked your token with jwt.io? Does it really have MyApi scope inside?
– d_f
Aug 25 at 15:22
I guess, if you switch ValidationEndpoint to Local, it has a chance to work with IdSrv4. The difference is that in Local mode the middleware validates the token locally, according to spec, while in ValidationEndpoint mode it uses IdSrv for validation. That's too internal and might be version specific. Try to switch!
– d_f
Aug 25 at 17:14
HAAA!!! That's worked! Changing ValidationEndpoint to Local has worked! Thank you very much! I am so relieved :o) I will research if it is OK to leave as Local when releasing to a Live environment... Thanks again!
– Craig
Aug 25 at 17:20
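The token check suggested in the comments above (is the token a JWT, does it really carry the MyApi scope, does its issuer match the Authority), as an added example that is not part of the original thread. It is written in Python so it runs offline instead of pasting a token into a website; it decodes the payload without verifying the signature, and the function names and the sample token are constructed for illustration.

```python
import base64
import json
import time


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: an opaque reference token cannot be validated locally")
    return json.loads(b64url_decode(parts[1]))


def diagnose(token: str, authority: str, required_scope: str, now: float = None) -> list:
    """List reasons an API configured with this Authority and scope would reject the token."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    # Approximation: the middleware takes the expected issuer from the discovery
    # document; here it is compared with the configured Authority instead.
    if claims.get("iss", "").rstrip("/") != authority.rstrip("/"):
        problems.append("iss %r does not match Authority %r" % (claims.get("iss"), authority))
    scopes = claims.get("scope", [])
    if isinstance(scopes, str):  # scope may be a space-delimited string or a JSON array
        scopes = scopes.split()
    if required_scope not in scopes:
        problems.append("scope %r missing, token has %r" % (required_scope, scopes))
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token; the signature segment is a dummy."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])


if __name__ == "__main__":
    sample = make_sample_token({"iss": "https://localhost:5001", "exp": 2000000000, "scope": ["OtherApi"]})
    for problem in diagnose(sample, "https://localhost:5001", "MyApi", now=1700000000):
        print(problem)
```

ValidationMode.Local only applies to JWT access tokens; if the authorisation server is later switched to issue reference tokens, the API has to call back to the token service to validate them.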
Possible duplicate of IdentityServer4 + Legacy .Net WebForms Application
– Ruard van Elburg
Aug 25 at 10:25