This video introduces the key terms and concepts of the IdentityServer framework, and how to get started with basic setup of a token service.
- [Instructor] To implement token authentication, we'll build a token service using an open source framework called IdentityServer. At the present time, IdentityServer4 is the latest recommended version for ASP.NET Core 1.1 applications. Let's review the key concepts and terms involved before we get into the code. The diagram shows the basic parts of our security system. A client is software that requests tokens from IdentityServer.
It can be a web or native mobile application, for example. IdentityServer needs to know what clients are allowed to use it, by registering them in a store or a collection of entities. This collection can be persisted in memory or in a database. Next are the end users that interact with client applications. They also have to be registered with IdentityServer. Users are defined by identity data, like a unique identifier, username, and password credentials.
They can also have one or more associated claims. Resources are items that we want to protect, and they're divided into two categories, identity and API. Identity resources are information about an identity, like user claims. API resources represent protected functionality like web APIs. Resources also have to be registered in an IdentityServer store. Along with the two resource types, there are two types of tokens that are generated.
When a user is authenticated by IdentityServer, information is returned with an identity token. When access is requested for an API resource, an access token is issued. The client forwards the access token to the API, which grants access to data or protected functionality. IdentityServer uses industry standard JWT tokens. At its core, IdentityServer is middleware that implements two standard protocols.
OpenID Connect and OAuth 2. OpenID Connect is an authentication protocol, and an extension on top of OAuth 2. OAuth 2 is an open standard for authorization. It ensures that a user has permission to access a protected resource. Using OAuth 2, a client can request access tokens from a security token service. Those tokens are then used to communicate with APIs.
Through its implementation of these two standards, IdentityServer is able to handle the security requirements of authentication and authorization. Now that we've gone over the concepts, let's get started with basic setup. We'll start by adding a new project to the solution. Go ahead and select the ASP.NET Core web application.
And we'll name this Tutorial.AspNetSecurity.TokenService. On this screen, select the empty option. Next, we'll be adding the IdentityServer4 NuGet package to our new project. Select manage NuGet packages and in the browse window, type in IdentityServer4.
And go ahead and install the package. We're now ready to start registering our dependencies. Open the Startup class, and find the ConfigureServices method. We'll be registering IdentityServer by adding a call to AddIdentityServer. Next, add a call to AddTemporarySigningCredential.
AddTemporarySigningCredential creates temporary keys for signing tokens, and uses an in-memory certificate. This is only meant for development and demo purposes when you don't have a certificate to use. In a production environment, IdentityServer needs a public/private key pair to sign and verify your JWT tokens. Now we'll go to the Configure method. And we can remove this boilerplate code that was added with our project template.
Let's go ahead and add IdentityServer to the pipeline. It's recommended to run IdentityServer in the console host instead of a web browser so we can see real-time logging output. We can do this by modifying the launch profile in Visual Studio. Go to project properties of the token service, and click on the Debug tab. Change the profile drop-down to this project, and the launch drop-down is also changed to Project.
Since we switched to self-hosting, we also need to change the application URL to port 5000. One thing to keep in mind is when we move to a production environment we need to make sure our token service runs over a secure HTTPS connection. We're not yet ready to launch our token service. We'll need to first configure IdentityServer to support authentication.
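The Startup class that the steps above describe, written out as an added example (not the course's own code) for IdentityServer4 1.x on ASP.NET Core 1.1: the temporary signing credential is limited to the Development environment, and for any other environment a certificate-backed signing credential is assumed instead, since tokens signed with the in-memory key cannot be verified after a restart. The `signing.pfx` file name and the `SIGNING_CERT_PASSWORD` environment variable are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;

namespace Tutorial.AspNetSecurity.TokenService
{
    public class Startup
    {
        private readonly IHostingEnvironment _env;

        public Startup(IHostingEnvironment env)
        {
            _env = env;
        }

        public void ConfigureServices(IServiceCollection services)
        {
            var builder = services.AddIdentityServer();

            if (_env.IsDevelopment())
            {
                // Temporary in-memory key pair: a new key on every start, so issued
                // tokens cannot be verified across restarts or instances. Dev/demo only.
                builder.AddTemporarySigningCredential();
            }
            else
            {
                // Production: a persistent public/private key pair signs the JWTs.
                // File name and environment variable are assumed placeholders;
                // the password must never be checked into source control.
                var cert = new X509Certificate2(
                    Path.Combine(_env.ContentRootPath, "signing.pfx"),
                    Environment.GetEnvironmentVariable("SIGNING_CERT_PASSWORD"));
                builder.AddSigningCredential(cert);
            }
        }

        public void Configure(IApplicationBuilder app)
        {
            // The template's boilerplate (app.Run writing "Hello World") is removed;
            // IdentityServer's endpoints are added to the pipeline instead.
            app.UseIdentityServer();
        }
    }
}
```

Without registered clients and resources the service will not yet issue tokens; that configuration is the next step the video refers to.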