IdentityServer4 from the scratch - Part 1

dev365


Posted on January 26, 2021


Why IdentityServer

If you have a number of applications but need centralized login logic and workflow for all of them (web, native, mobile, services), IdentityServer might be your solution. It also enables single sign-on. IdentityServer4 is an officially certified implementation of OpenID Connect.

Creating IdentityServer4 project

The simplest way to create an IdentityServer instance is to use the dotnet template, which can be installed as below:

dotnet new -i IdentityServer4.Templates

But in this IdentityServer4 post series, let's start from scratch.

Create an empty web project based on .NET Core using the command prompt:

dotnet new web

This project is nothing more than a Program.cs file and a Startup.cs file, and it will run on port 5443 for HTTPS and 5000 for HTTP.

The IdentityServer4 NuGet package can be added to this project using the following command:

dotnet add package IdentityServer4 --version 4.1.1

Go into Startup.cs to configure IdentityServer and its services in ConfigureServices.
It has been configured with empty lists of Clients, IdentityResources, ApiScopes, ApiResources and Users for now.

AddDeveloperSigningCredential() is added here (dev mode only) because the tokens IdentityServer issues for us need to be signed, and the developer signing credential provides that signing material.

Add IdentityServer into the pipeline in Configure.
Remember that IdentityServer is a piece of middleware.
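The Startup.cs that the steps above describe, written out as an added example (it is not the original post's file, which was only shown as a screenshot); it assumes the IdentityServer4 4.1.1 package added above on ASP.NET Core 3.1, and the class name Startup from the empty web template:

```csharp
using System.Collections.Generic;
using IdentityServer4.Models;
using IdentityServer4.Test;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Startup for the empty "dotnet new web" project with IdentityServer4 wired in.
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Empty in-memory stores for now; later posts in the series fill them in.
        services.AddIdentityServer()
            .AddInMemoryClients(new List<Client>())
            .AddInMemoryIdentityResources(new List<IdentityResource>())
            .AddInMemoryApiScopes(new List<ApiScope>())
            .AddInMemoryApiResources(new List<ApiResource>())
            .AddTestUsers(new List<TestUser>())
            // Dev mode only: creates a temporary RSA key on first run so tokens can be
            // signed. Production should load a managed key with AddSigningCredential(...)
            // so the key survives restarts and can be rotated deliberately.
            .AddDeveloperSigningCredential();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();

        // IdentityServer is middleware: this exposes /connect/* and
        // /.well-known/openid-configuration (and calls UseAuthentication internally).
        app.UseIdentityServer();

        // No controllers or views yet, so the root simply prints Hello World.
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapGet("/", async context =>
            {
                await context.Response.WriteAsync("Hello World!");
            });
        });
    }
}
```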

We're now ready to go. At the moment we have no APIs, no clients and no users defined, but we can still run this.
The application runs, and since we have no controllers or views it simply prints out hello world. 👋

If you run

dotnet run

our IdentityServer will run on https://localhost:5001

The OpenID Connect discovery document can also be found here:

https://localhost:5001/.well-known/openid-configuration

{
  "issuer": "https://localhost:5001",
  "jwks_uri": "https://localhost:5001/.well-known/openid-configuration/jwks",
  "authorization_endpoint": "https://localhost:5001/connect/authorize",
  "token_endpoint": "https://localhost:5001/connect/token",
  "userinfo_endpoint": "https://localhost:5001/connect/userinfo",
  "end_session_endpoint": "https://localhost:5001/connect/endsession",
  "check_session_iframe": "https://localhost:5001/connect/checksession",
  "revocation_endpoint": "https://localhost:5001/connect/revocation",
  "introspection_endpoint": "https://localhost:5001/connect/introspect",
  "device_authorization_endpoint": "https://localhost:5001/connect/deviceauthorization",
  "frontchannel_logout_supported": true,
  "frontchannel_logout_session_supported": true,
  "backchannel_logout_supported": true,
  "backchannel_logout_session_supported": true,
  "scopes_supported": [
    "offline_access"
  ],
  "claims_supported": [],
  "grant_types_supported": [
    "authorization_code",
    "client_credentials",
    "refresh_token",
    "implicit",
    "password",
    "urn:ietf:params:oauth:grant-type:device_code"
  ],
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "response_modes_supported": [
    "form_post",
    "query",
    "fragment"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "subject_types_supported": [
    "public"
  ],
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ],
  "request_parameter_supported": true
}

If you look carefully at the discovery endpoint, there are default values for grant types and response types, but notice that there are no claims here yet and the only supported scope is offline_access.

In the next post, we will see how our scopes, claims, resources and clients change.
