ServiceStack with IdentityServer4 integration - servicestack

I couldn't find answers about using both frameworks working together.
We are planning to build an identity provider service (like Google Account) which is used to authenticate a user and provide the OpenID Connect protocol to a Relying Party app. We have existing projects built in ServiceStack which all work fine. However, ServiceStack seems not to be compatible with IdentityServer4 in regards to authenticating a user. ServiceStack has its own authentication mechanism and IdentityServer4 relies on the ASP.NET Identity model. If I sign in via the ASP.NET Identity model, ServiceStack APIs may not recognize that the user has signed in, and vice versa.
Is there any suggestion on whether this is a dead end, or some solution that may make them work together?

The mvcidentityserver Project Template contains a pre-configured ServiceStack + IdentityServer4 starting project template:
$ dotnet tool install -g x
$ x new mvcidentityserver ProjectName
See the Using IdentityServer4 Auth in ServiceStack docs for more info on ServiceStack + IdentityServer4 integration.
In addition there are a couple of options available from the ServiceStack community:
Using IdentityServer 4 with ServiceStack and Angular
servicestack-authentication-identityserver
JwtAuthProviderReaderPatchedForIdentityServer4.cs - description

Related

Does ServiceStack Integration With IdentityServer Require A Web Api Project?

I'm testing out ServiceStack to see how much faster the development is with this product rather than with Asp.Net Core's Web API or similar products.
I have successfully set up Service Stack with my own configuration of IdentityServer4 and everything runs fine.
My confusion is whether working with IdentityServer4 means I am required to now maintain a Web Api project along with ServiceStack? What's the reason the API is there?
I can see that I can make direct calls to the endpoints (requiring Authentication, roles, etc.) and that works in conjunction with IdentityServer4.
Would love some insight on why the Web Api project is needed and whether I can just completely get rid of it, as I was under the impression ServiceStack was a replacement for WCF/Web Api?
ServiceStack's mvcidentityserver project template that's used in the documentation of ServiceStack's integration with IdentityServer4 was an enhanced version of Identity Server's "OpenID Connect Hybrid Flow Authentication and API Access Tokens" example project that used to be maintained at https://github.com/IdentityServer/IdentityServer4.Samples/
The project template contains Auth integration examples with ServiceStack, MVC & Web API. The Web API examples were inherited from the existing IdentityServer's example project, which is optional and can be completely removed.

How to authenticate to a ServiceStack API which is part of a .Net 5 Identity MVC Website

I have a test project based on the .Net 5 ServiceStack mvcidentity sample. For web-based access, the authentication works as expected.
Accessing the API directly from another app for the hello sample works as no authentication is required. However, if I try to connect to one of the API Methods that requires Authentication, I receive an error message that no auth providers are defined.
Based on this sample, what is the correct way to access one of the authentication required methods from an application on another computer, where there would not be a user to login? I presume we would need to add a basic authentication or something similar in the authentication pipeline?
If you're using the mvcidentity project template you're using ASP.NET Core Identity for authentication (as opposed to ServiceStack Auth), which you'll need to use for any authorization, e.g. you can use an IAuthorizationFilter to implement HTTP Basic Auth.
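One way to implement the HTTP Basic Auth filter the answer suggests, as an added example that is not part of the original post or of the mvcidentity template. It uses the asynchronous variant of the same hook (IAsyncAuthorizationFilter, because the Identity APIs are async), checks the supplied credentials against ASP.NET Core Identity's UserManager/SignInManager with lockout counting enabled, refuses plain HTTP (Basic sends the password base64-encoded, not encrypted), and attaches the resulting ClaimsPrincipal to HttpContext.User. The class name BasicAuthFilter, the realm string and the use of IdentityUser as the user type are assumptions.

```csharp
using System;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

// Hypothetical filter (not from the template): HTTP Basic credentials validated against ASP.NET Core Identity.
public class BasicAuthFilter : IAsyncAuthorizationFilter
{
    private readonly UserManager<IdentityUser> _users;
    private readonly SignInManager<IdentityUser> _signIn;

    public BasicAuthFilter(UserManager<IdentityUser> users, SignInManager<IdentityUser> signIn)
    {
        _users = users;
        _signIn = signIn;
    }

    public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        var http = context.HttpContext;

        // Basic auth is only as private as the transport: reject credentials sent over plain HTTP.
        if (!http.Request.IsHttps)
        {
            context.Result = new StatusCodeResult(StatusCodes.Status403Forbidden);
            return;
        }

        if (!TryParseBasicHeader(http.Request.Headers["Authorization"], out var userName, out var password))
        {
            Challenge(context);
            return;
        }

        var user = await _users.FindByNameAsync(userName);
        if (user == null)
        {
            Challenge(context);
            return;
        }

        // lockoutOnFailure: true makes repeated bad passwords count towards Identity's lockout policy,
        // so a client hammering the API with guesses is locked out like a browser login would be.
        var result = await _signIn.CheckPasswordSignInAsync(user, password, lockoutOnFailure: true);
        if (!result.Succeeded)
        {
            Challenge(context);
            return;
        }

        // Attach the principal so role/claim checks further down the MVC pipeline see the caller.
        http.User = await _signIn.CreateUserPrincipalAsync(user);
    }

    private static void Challenge(AuthorizationFilterContext context)
    {
        // Same response for unknown user and wrong password: no account enumeration via status codes.
        context.HttpContext.Response.Headers["WWW-Authenticate"] = "Basic realm=\"api\", charset=\"UTF-8\"";
        context.Result = new UnauthorizedResult();
    }

    // Parses "Authorization: Basic base64(user:password)"; returns false on any malformed input.
    internal static bool TryParseBasicHeader(string header, out string userName, out string password)
    {
        userName = password = null;
        if (string.IsNullOrEmpty(header) || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;

        string decoded;
        try
        {
            decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim()));
        }
        catch (FormatException)
        {
            return false;
        }

        // RFC 7617: the user-id cannot contain ':'; everything after the first ':' is the password.
        var idx = decoded.IndexOf(':');
        if (idx <= 0) return false;
        userName = decoded.Substring(0, idx);
        password = decoded.Substring(idx + 1);
        return true;
    }
}
```

Register it with `services.AddScoped<BasicAuthFilter>();` and apply it to a controller or action with `[ServiceFilter(typeof(BasicAuthFilter))]` (ServiceFilter is needed because the filter takes constructor dependencies). MVC filters only run for MVC endpoints; a request handled by ServiceStack's own handler passes through the ASP.NET Core middleware pipeline instead, so for those services the same credential check would have to run as middleware registered ahead of ServiceStack so that HttpContext.User is populated before ServiceStack reads it.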

Authenticate an ASP.NET MVC 5 app (targets .net 4.5) with an ASP.NET CORE 3 auth server that runs Identity Server 4

I'm currently building an auth server using Identity Server 4 with a spa (react) application that authenticates against it. I would now like to also take another application that is in current existence (this is ASP.NET MVC 5, targets .NET 4.5, currently uses ASP.NET Identity 2 management classes for managing users and signout/sign in using cookie authentication) and update it so that it can log in externally with this new auth server (so a user can log in using the existing authentication, but also use this auth server now - so that a user session could be shared between this existing app and this other spa app). The problem is as I understand it, that we need to use PKCE to authenticate with the auth server, but there doesn't appear to be a way to do this with the MVC 5 app - I can install the Microsoft.Owin.Security.OpenIdConnect package, but it doesn't allow for using PKCE since this is a newer thing (apparently if you target .net 4.6.1 there is a way to make that work with that version of the OpenIdConnect package). I can't change our target, it needs to stay .NET 4.5 (to upgrade to 4.6.1 or higher would cause all kinds of problems with the build and current packages, it would be a larger undertaking than my organization is willing to take on at this time). Is there a way that anyone knows of to make this work using an ASP.NET MVC 5 app that targets .NET 4.5 and an auth server that uses Identity Server 4? Would the only way be to use a GrantType.Implicit flow instead of requiring PKCE with a GrantType.Code, and would that even be advised now?
Thanks!
In this case you are dealing with 2 clients, the spa app and the ASP.NET MVC app, and each client can have its own flow (grant type). We can use authorization code flow with PKCE for the spa app, and implicit flow for the ASP.NET MVC app.
PKCE is suggested for interactive applications:
1. a front-channel step via the browser where all "interactive" things happen, e.g. login page, consent etc. This step results in an authorization code that represents the outcome of the front-channel operation.
2. a back-channel step where the authorization code from step 1 gets exchanged for the requested tokens. Confidential clients need to authenticate at this point.
The MVC app you described is just doing authentication, so no worries, it's fine to use implicit.
I have a post for implementing it here
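The two-client setup described in this answer, as an added IdentityServer4 client configuration that is not part of the original post or of the linked write-up: the SPA gets authorization code flow with PKCE and no client secret, the legacy MVC 5 app gets implicit flow restricted to identity scopes so that no API access token ever travels through the browser. The client ids, scope name "api1" and the example.test URLs are placeholders to be replaced with the real values.

```csharp
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

// Hypothetical client registrations for the two apps discussed above (example, not the post's code).
public static class Clients
{
    // Placeholder origins; substitute the real SPA and MVC hosts.
    private const string SpaOrigin = "https://spa.example.test";
    private const string MvcOrigin = "https://mvc.example.test";

    public static IEnumerable<Client> Get() => new[]
    {
        // React SPA: a public client, so it cannot hold a secret; PKCE binds the code to the requester.
        new Client
        {
            ClientId = "spa",
            ClientName = "React SPA",
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,           // code_challenge on /authorize, code_verifier on /token
            RequireClientSecret = false,  // browser apps authenticate with PKCE, not a secret
            RedirectUris = { $"{SpaOrigin}/callback" },
            PostLogoutRedirectUris = { $"{SpaOrigin}/" },
            AllowedCorsOrigins = { SpaOrigin },
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "api1"   // placeholder API scope; the SPA obtains its access token via the back channel
            },
            AllowAccessTokensViaBrowser = false,
        },

        // Legacy ASP.NET MVC 5 app (.NET 4.5): implicit flow, used for sign-in only.
        new Client
        {
            ClientId = "mvc-legacy",
            ClientName = "ASP.NET MVC 5 (.NET 4.5)",
            AllowedGrantTypes = GrantTypes.Implicit,
            RedirectUris = { $"{MvcOrigin}/signin-oidc" },
            PostLogoutRedirectUris = { $"{MvcOrigin}/signout-callback-oidc" },
            // Identity scopes only: the app asks for response_type=id_token and never receives
            // an access token, which is what keeps implicit acceptable for a pure-authentication client.
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile
            },
            AllowAccessTokensViaBrowser = false,
        },
    };
}
```

Pass `Clients.Get()` to `AddInMemoryClients` when registering IdentityServer. Keeping `AllowAccessTokensViaBrowser` false and omitting API scopes on the implicit client means the only artifact the MVC app ever receives on the front channel is an id_token, which the OWIN OpenIdConnect middleware validates by signature, issuer, audience and nonce.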

ADFS + ThinkTecture IdentityServer v2 for Web API's

Within our organization, our applications are registered as RP’s to our organizational ADFS server, which is v2. Traditionally, apps in the org have been built as single, monolithic apps using WS-Federation (passive authentication). Web API’s, also hosted within each app, are secured simply by the fact that the same FedAuth cookie is being sent over the wire when making the ajax calls from the app’s client-side code in the browser.
We are moving towards building a set of backend Web API’s, which we want to secure so that these are callable by any client, not just a web browser and not just by the hosting application itself. As such, we want to move towards using JWT tokens for these Web API’s. We've also started using ThinkTecture's IdentityServer (v2) to help in this regard.
We have just a few questions which I'm hoping the community can help provide us with some answers/pointers:
1. How should we configure IdentityServer and apps so that the apps use the existing organizational ADFS login page?
2. How can we configure/integrate ThinkTecture IdentityServer v2 with the organizational ADFS so that our APIs can be secured using JWT tokens but without forcing the user to provide their credentials again (once they have a SAML token via WS-Federation)?
3. Are there any features in IdentityServer v3 which are compelling enough to upgrade from IdentityServer v2 to v3?
1 & 2 - You might want to check out how to establish Relying Parties. Here's a whole article from BrockAllen (the genius behind IdentityServer) that walks you through the ADFS/IdentityServer2 integration.
http://brockallen.com/2013/04/14/getting-json-web-tokens-jwts-from-adfs-via-thinktecture-identityservers-adfs-integration/
3 - As far as I know, IdentityServer3 (IS3) was written to support newer authorization frameworks such as OpenID for the modern stack better than IS2 (which doesn't support OpenID). Either is fine for use. I personally started with IS3, mainly because of the support and documentation involved. It also integrates very well with OWIN/Katana, so it can self host reasonably well with no hiccups during implementation and deployment. One advantage IS2 has over IS3 is that IS2 has an admin UI you can use to configure and register sites; IS3 doesn't. More info about this along with the thought process behind IS3 can be found here:
http://leastprivilege.com/2015/01/25/identityserver3-1-0-0/

Service stack support for WIF

I need to connect servicestack to ADFS, as well as the usual social id providers. I know there are apps that could do this for me, authbridge, thinktecture, etc, but would really like to have everything within one app.
Is anybody working on adding a WIF authentication provider to servicestack?
ServiceStack hasn't added any specific support for WIF, but it looks like it may be provided by a 3rd party (Auth10) in their ServiceStack Auth NuGet package:
https://nuget.org/packages/Auth10.ServiceStack