OWIN Authentication Server for Multiple Applications

I am in the process of implementing a solution with an MVC client (let's call this CLIENT, on localhost:4077/) using a WebAPI service (called the API, on localhost:4078/).

I have implemented OWIN OAuth in the API, but wanted to know if OWIN could be implemented in a separate solution (let's call it AUTH, on localhost:4079/token) to generate a token for CLIENT, which CLIENT then passes to the API (as a bearer authorization token).

The reason I am asking this question is that there will probably be additional WebAPI services that the CLIENT will access, and I would like to use OWIN between the client and all the API services.

The problem is that I'm not sure if the token generated by the AUTH service can be used to authorize all requests to CLIENT and all API services.

Has anyone implemented something like this? If you could provide an example, that would be great. I am fairly new to OWIN and OAuth, so any help would be greatly appreciated.

+3

1 answer


Decoupling the authorization server from the resource server is extremely easy: it will work without any additional code if you are using IIS and if you have configured the same machine keys on both applications/servers.

Supporting multiple resource servers is a little more difficult to implement with an OWIN OAuth2 server if you need to choose which endpoints the access token can access. If you don't care, just configure all resource servers with the same machine keys and you can access all of your APIs with the same tokens.

To have more control over the endpoints that can be used with an access token, you should take a look at AspNet.Security.OpenIdConnect.Server - a fork of the OAuth2 server that ships with OWIN/Katana - which supports this scenario: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server

It is relatively easy to set up:

Add a new middleware that issues tokens in your authorization server application (in Startup.cs):

app.UseOpenIdConnectServer(new OpenIdConnectServerOptions
{
    Provider = new AuthorizationProvider()
});

Add a new middleware that validates access tokens in each of your API servers (in Startup.cs):

app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
{
    // AllowedAudiences MUST contain the absolute URL of your API.
    AllowedAudiences = new[] { "http://localhost:11111/" },

    // X509CertificateSecurityTokenProvider MUST be initialized with an issuer corresponding to the absolute URL of the authorization server.
    IssuerSecurityTokenProviders = new[] { new X509CertificateSecurityTokenProvider("http://localhost:50000/", certificate) }
});

app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
{
    // AllowedAudiences MUST contain the absolute URL of your API.
    AllowedAudiences = new[] { "http://localhost:22222/" },

    // X509CertificateSecurityTokenProvider MUST be initialized with an issuer corresponding to the absolute URL of the authorization server.
    IssuerSecurityTokenProviders = new[] { new X509CertificateSecurityTokenProvider("http://localhost:50000/", certificate) }
});

Finally, add the OpenID Connect client middleware to your client application (in Startup.cs):

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    // Some essential parameters have been omitted for brevity.
    // See https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/blob/dev/samples/Mvc/Mvc.Client/Startup.cs for more information

    // Authority MUST correspond to the absolute URL of the authorization server.
    Authority = "http://localhost:50000/",

    // Resource represents the different endpoints the
    // access token should be issued for (values must be space-delimited).
    // In this case, the access token will be requested for both APIs.
    Resource = "http://localhost:11111/ http://localhost:22222/",
});

You can look at this sample for more information: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/blob/dev/samples/Mvc/

It does not use multiple resource servers, but it should not be difficult to adapt using the steps I mentioned. Feel free to ping me if you need help.

+5
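To make the audience/issuer logic behind the answer's AllowedAudiences and Resource settings concrete, here is an added example (not code from the answer or from AspNet.Security.OpenIdConnect.Server): one access token is issued with every space-delimited Resource entry as an audience, and each API accepts it only if its own URL is among those audiences and the issuer is the authorization server. It uses HS256 with a constructed shared secret purely so it runs with the standard library; the answer's setup signs with an X.509 certificate instead.

```python
# Added example: minimal JWT issue/validate pair for the multi-API scenario.
# HS256 with a shared secret is an assumption made so this runs stand-alone;
# the answer's configuration uses an X.509 certificate (asymmetric signing).
import base64, hashlib, hmac, json
from typing import Optional

SECRET = b"constructed-demo-secret"        # constructed placeholder key
AUTH_SERVER = "http://localhost:50000/"    # issuer URL, as in the answer
API_A = "http://localhost:11111/"
API_B = "http://localhost:22222/"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(resource: str, subject: str, now: int, ttl: int = 3600) -> str:
    """Authorization server side: 'resource' is the space-delimited list the
    client requested; every entry becomes an audience of one access token."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": AUTH_SERVER, "sub": subject, "aud": resource.split(),
              "iat": now, "exp": now + ttl}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def validate_token(token: str, my_audience: str, now: int) -> Optional[dict]:
    """Resource server side: the equivalent of AllowedAudiences plus the
    issuer check. Returns the claims on success, None on any failure."""
    try:
        head, body, sig = token.split(".")
    except ValueError:
        return None                       # malformed token
    expected = hmac.new(SECRET, (head + "." + body).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None                       # verify the signature before trusting any claim
    claims = json.loads(_unb64(body))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if claims.get("iss") != AUTH_SERVER:  # issued by a different authority
        return None
    if my_audience not in aud:            # issued for another API only
        return None
    if now >= claims.get("exp", 0):       # expired
        return None
    return claims
```

A token requested with Resource = "http://localhost:11111/ http://localhost:22222/" is accepted by both APIs, while one requested for a single API is rejected by the other.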