How to implement Token token Authentication by IdentityServer4 in ASP.NET Core

2025-01-17 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

This article explains how to implement token-based identity authentication for a WebAPI with IdentityServer4. It goes into some detail, so readers working with ASP.NET Core can use it for reference; I hope it is helpful.

When you develop WebAPI services that serve data, the most important concern is the security of that data. The question is therefore how to protect the interfaces we expose from an ASP.NET Core WebAPI.

A widely used identity and access control solution for ASP.NET Core is IdentityServer4 (authentication and authorization). It helps companies on the .NET stack build identity and access control for modern applications: single sign-on, identity management, authorization and API security.

What is IdentityServer4

IdentityServer4 is a free, open source OpenID Connect and OAuth 2.0 authentication and authorization framework for the ASP.NET Core platform, created and maintained by Dominick Baier and Brock Allen. It lets you integrate token-based authentication, single sign-on and API access control into your applications, supports many protocol features and offers extensibility points. The implementation is certified by the OpenID Foundation, so it conforms to the specification and interoperates with other certified software. It is a .NET Foundation project and follows that foundation's code of conduct; it is not a Microsoft product. Note that free support for IdentityServer4 ended in November 2022; the same authors continue it as Duende IdentityServer under a commercial license, and the concepts and most of the configuration shown below carry over.

IdentityServer4 is the OpenID Connect and OAuth 2.0 framework for ASP.NET Core.

Deploying IdentityServer4 to your application has the following characteristics:

1) User authentication service

An independent authentication service based on OpenID Connect provides centralized authentication for multiple kinds of client (web, native, mobile, services).

2) API access authorization

Issues API access tokens to various kinds of client: server to server, web applications, SPAs and native/mobile apps.

3) Federated identity

Supports external identity providers such as Azure Active Directory, Google and Facebook.

4) Customization

Most parts of IdentityServer4 can be customized to your needs, because it is a framework rather than a SaaS product: you write code to adapt it to your scenario.

5) Familiar open source licensing

Licensed under Apache 2.0, which allows commercial products to be built on top of it, and supported as a .NET Foundation project (https://dotnetfoundation.org/projects?type=project&ps=10&pn=6)

6) Free and commercial support

Community support is free, and the authors also offer commercial support for building and running an identity platform.

OpenID Connect is used for authentication and OAuth 2.0 for authorization.

IdentityServer4 implements both: it is authentication and authorization middleware tailored for ASP.NET Core that implements the OpenID Connect and OAuth 2.0 protocols.

An analogy for authentication versus authorization:

To board a plane you show your ID card and your boarding pass. The ID card proves that you, Zhang San, really are Zhang San: that is authentication. The boarding pass proves that Zhang San really bought a ticket for this flight: that is authorization.


3. How token authentication based on IdentityServer4 works in ASP.NET Core WebAPI

As noted above, IdentityServer4 is authentication and authorization middleware for ASP.NET Core that implements OpenID Connect and OAuth 2.0; the OAuth 2.0 part is what issues the access tokens a WebAPI accepts.

OAuth 2.0 defines four grant types (modes):

1. Authorization code mode (authorization code): the standard OAuth 2.0 flow; supports refresh tokens.

2. Simplified mode (implicit): designed for browser applications; does not support refresh tokens. It is now deprecated in favour of authorization code with PKCE.

3. Password mode (resource owner password credentials): the client sends the user's username and password; supports refresh tokens. It was used for first-party single-page applications and is also deprecated for new systems.

4. Client mode (client credentials): designed for pure back-end API consumers with no user present; does not support refresh tokens.

Client mode obtains a token directly from the client's id and secret. No user takes part, which makes it suitable for consuming back-end APIs, for example pulling a batch of user records. It does not support refresh tokens, and it does not need them: a client that holds its own credentials can simply request a new access token.

Next we use client mode to implement authorization with IdentityServer4. The flow has two steps:

1. The client requests a token from the authorization server directly with its own credentials.

2. The authorization server verifies the credentials and returns a token.

IdentityServer4 also lets us implement custom grant types (extension grants) when none of the standard ones fits.
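The two steps above, end to end, as an added example that is not code from the article: an IdentityServer4 v4 host that registers an order service as a client credentials client, a logistics API that validates the bearer token and requires the scope, and the order service requesting a token with the IdentityModel client library. The client id, secret, scope, API names and URLs are hypothetical, and the three parts would normally live in three separate projects.

```csharp
// Added example (not from the article): client credentials flow with IdentityServer4 v4.
// The three parts normally live in three projects and are shown here in one file.
// Hypothetical: client/API names, scope names, secrets and URLs.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// ---- 1. IdentityServer host (https://localhost:5001) ----
public static class Config
{
    public static IEnumerable<ApiScope> ApiScopes =>
        new[] { new ApiScope("logistics.read", "Read logistics tracking data") };

    // Declaring the API as a resource puts "aud": "logistics-api" into the token,
    // so the API can reject tokens that were minted for a different API.
    public static IEnumerable<ApiResource> ApiResources =>
        new[] { new ApiResource("logistics-api") { Scopes = { "logistics.read" } } };

    public static IEnumerable<Client> Clients => new[]
    {
        new Client
        {
            ClientId = "order-service",
            // Only the SHA-256 of the secret is stored here; the caller keeps the
            // plaintext in a secret store, never in source control.
            ClientSecrets = { new Secret("order-service-secret".Sha256()) },
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            AllowedScopes = { "logistics.read" },
            // No refresh token in this grant, so keep the lifetime short and let
            // the caller fetch a new token when this one expires.
            AccessTokenLifetime = 300
        }
    };
}

public class IdentityServerStartup
{
    public void ConfigureServices(IServiceCollection services) =>
        services.AddIdentityServer()
            .AddDeveloperSigningCredential()   // dev only: persist a real signing key in production
            .AddInMemoryApiScopes(Config.ApiScopes)
            .AddInMemoryApiResources(Config.ApiResources)
            .AddInMemoryClients(Config.Clients);

    public void Configure(IApplicationBuilder app) => app.UseIdentityServer();
}

// ---- 2. Logistics API (https://localhost:6001) ----
public class LogisticsApiStartup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        services.AddAuthentication("Bearer").AddJwtBearer("Bearer", options =>
        {
            options.Authority = "https://localhost:5001"; // issuer and signing keys via discovery
            options.Audience = "logistics-api";           // reject tokens issued for other APIs
        });
        services.AddAuthorization(options =>
            options.AddPolicy("LogisticsRead", p => p.RequireClaim("scope", "logistics.read")));
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // must come before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(e => e.MapControllers());
    }
}

[ApiController, Route("tracking")]
public class TrackingController : ControllerBase
{
    // 401 without a valid token, 403 with a token that lacks the scope.
    [HttpGet("{orderNumber}"), Authorize(Policy = "LogisticsRead")]
    public IActionResult Get(string orderNumber) => Ok(new { orderNumber, status = "in transit" });
}

// ---- 3. Order service calling the logistics API ----
public static class LogisticsClient
{
    public static async Task<string> GetTrackingAsync(string orderNumber)
    {
        var http = new HttpClient();
        var disco = await http.GetDiscoveryDocumentAsync("https://localhost:5001");
        if (disco.IsError) throw new Exception(disco.Error);

        // Step 1: the client authenticates with its own id and secret; no user is involved.
        var token = await http.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
        {
            Address = disco.TokenEndpoint,
            ClientId = "order-service",
            ClientSecret = "order-service-secret",
            Scope = "logistics.read"
        });
        if (token.IsError) throw new Exception(token.Error);

        // Step 2: present the access token to the API as a Bearer header.
        var api = new HttpClient();
        api.SetBearerToken(token.AccessToken);
        return await api.GetStringAsync($"https://localhost:6001/tracking/{orderNumber}");
    }
}
```

Two checks on the API side carry the security weight: Audience ties the token to this API, so a token issued by the same IdentityServer for some other API is rejected, and the scope policy separates "any authenticated client" from "a client allowed to read tracking data". Storing only Sha256() of the client secret means a leaked client table does not directly expose the secrets, and the short AccessTokenLifetime is the substitute for the refresh token this grant does not have.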


4. Token authentication based on IdentityServer4 in ASP.NET Core [client mode]

Suitable scenario: a Web API communicating with another Web API.

Client credentials is the simplest grant type, because the authorization exchange happens only between the Client and Identity Server.

The typical use is server-to-server communication. Take an e-commerce site whose order system and logistics system are split into two separately deployed services. The order system needs to call the logistics system to track shipments, and the logistics system needs to read express waybill numbers from the order system to refresh tracking information periodically. Authorization between the two services can be handled with this mode.

(Figure: client mode (client credentials) flow)

5. Token authentication based on IdentityServer4 in ASP.NET Core [password mode]

Suitable scenario: a web application communicating with a Web API.

The Resource Owner is the user, so this is literally the username and password mode. It has one more participant than client credentials: the user. The client sends the user's username and password to Identity Server's token endpoint and receives an access token. Because the client handles the user's password directly, this grant is deprecated by the OAuth 2.0 Security Best Current Practice; for new applications prefer authorization code with PKCE, and use password mode only for trusted first-party clients.

(Figure: password mode (resource owner password credentials) flow)

6. Thinking and summary

1) Thinking

Question: how can the client credentials mode in IdentityServer4 obtain a refresh_token? It cannot: client credentials does not support refresh tokens.

The IdentityServer4 documentation states: "Refresh tokens are supported for the following flows: authorization code, hybrid and resource owner password credential flow. Clients need to be explicitly authorized to request refresh tokens by setting AllowOfflineAccess to true."

So refresh tokens really are unavailable here. When the token is about to expire, the client simply requests a new one.

Solution:

1. Either lengthen the token lifetime or, better, agree with the caller that it retrieves a new token regularly before expiry. A short lifetime is preferable: the client holds its credentials anyway, so a fresh token costs one request, and a leaked token is useful for less time.

2. The ResourceOwnerPassword (password) mode in IdentityServer4 does support refresh_token.
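Password mode (section 5) and the refresh-token question above, as an added example that is not code from the article: a client registered for the resource owner password grant with AllowOfflineAccess, a test user store, and a client-side session that logs in once and then exchanges the refresh token silently before the access token expires. The client id, secret, user, scope and URL are hypothetical. A client registered only for client credentials gets no refresh token even with AllowOfflineAccess set; the password grant is used here because it is the one on this page, with the caveat from section 5 that new applications should prefer authorization code with PKCE.

```csharp
// Added example (not from the article): resource owner password grant with refresh
// tokens in IdentityServer4 v4, and a client that refreshes before expiry.
// Hypothetical names: "web-app", its secret, user "alice", the scope and the URL.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;
using IdentityServer4.Models;
using IdentityServer4.Test;
using Microsoft.Extensions.DependencyInjection;

// ---- IdentityServer host configuration ----
public static class PasswordGrantConfig
{
    public static IEnumerable<ApiScope> ApiScopes => new[] { new ApiScope("logistics.read") };

    public static IEnumerable<Client> Clients => new[]
    {
        new Client
        {
            ClientId = "web-app",
            ClientSecrets = { new Secret("web-app-secret".Sha256()) },
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
            AllowedScopes = { "logistics.read" },
            // Without this, a request for "offline_access" is refused and no refresh token is issued.
            AllowOfflineAccess = true,
            AccessTokenLifetime = 300,
            // Each refresh token is valid once: a replayed (stolen) token is rejected,
            // and the caller receives a new refresh token with every refresh.
            RefreshTokenUsage = TokenUsage.OneTimeOnly,
            // Sliding window (default 15 days), capped by AbsoluteRefreshTokenLifetime (default 30 days).
            RefreshTokenExpiration = TokenExpiration.Sliding
        }
    };

    // Test users only; production validates against ASP.NET Identity or a custom
    // IResourceOwnerPasswordValidator.
    public static List<TestUser> Users => new List<TestUser>
    {
        new TestUser { SubjectId = "1", Username = "alice", Password = "Pass123$" }
    };

    public static void Register(IServiceCollection services) =>
        services.AddIdentityServer()
            .AddDeveloperSigningCredential()
            .AddInMemoryApiScopes(ApiScopes)
            .AddInMemoryClients(Clients)
            .AddTestUsers(Users);
}

// ---- Client side: log in once, then refresh silently ----
public sealed class TokenSession
{
    private const string Authority = "https://localhost:5001";
    private readonly HttpClient _http = new HttpClient();
    private string _tokenEndpoint;
    private DateTimeOffset _expiresAt;

    public string AccessToken { get; private set; }
    public string RefreshToken { get; private set; }

    // The client itself sees the user's password here, which is why this grant is deprecated.
    public async Task LoginAsync(string userName, string password)
    {
        var disco = await _http.GetDiscoveryDocumentAsync(Authority);
        if (disco.IsError) throw new Exception(disco.Error);
        _tokenEndpoint = disco.TokenEndpoint;

        Store(await _http.RequestPasswordTokenAsync(new PasswordTokenRequest
        {
            Address = _tokenEndpoint,
            ClientId = "web-app",
            ClientSecret = "web-app-secret",
            UserName = userName,
            Password = password,
            Scope = "logistics.read offline_access"   // offline_access asks for the refresh token
        }));
    }

    // Call before every API request; refreshes when under 30 s of lifetime remain.
    public async Task<string> GetValidAccessTokenAsync()
    {
        if (DateTimeOffset.UtcNow < _expiresAt.AddSeconds(-30)) return AccessToken;

        Store(await _http.RequestRefreshTokenAsync(new RefreshTokenRequest
        {
            Address = _tokenEndpoint,
            ClientId = "web-app",
            ClientSecret = "web-app-secret",
            RefreshToken = RefreshToken
        }));
        return AccessToken;
    }

    private void Store(TokenResponse response)
    {
        if (response.IsError) throw new Exception(response.Error);
        AccessToken = response.AccessToken;
        RefreshToken = response.RefreshToken;   // replaced on every refresh under OneTimeOnly
        _expiresAt = DateTimeOffset.UtcNow.AddSeconds(response.ExpiresIn);
    }
}
```

The refresh token is the long-lived credential in this design, so it gets the protections: one-time use so a copied token is caught on replay, a sliding lifetime so an idle session dies on its own, and storage on the client that is at least as careful as for the user's password. The access token stays short-lived because it is what the API sees and what leaks in logs and proxies.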

2) Summary

Password mode (resource owner password credentials): supports refresh tokens; used for front-end/back-end separated single-page applications, but deprecated for new designs.

Client mode (client credentials): does not support refresh tokens; designed for pure back-end API consumers.

A single client can also be allowed several grant types at once. See IdentityServer4.Models.GrantTypes for the predefined combinations.

That is how token authentication with IdentityServer4 is implemented in a WebAPI. I hope the above is of some help; if you found the article useful, share it so more people can read it.


© 2024 shulou.com SLNews company. All rights reserved.
