23

I've been studying ASP.NET 5 for some time now and there is something I'm yet confused. To implement authentication in Web API 2 what I used to do was basically use the OWIN OAuth Authentication Server Middleware. It was simple to use, I could configure just what I needed and there wasn't a bunch of stuff I needed to put on the app without need for it.

Now, at first I didn't find this in ASP.NET 5 and I thought it was a matter of time to wait the middleware to show up. But yesterday, reading on the issues on the Security repo I found out that apparently there is no intention to port this middleware to the new version of the framework.

Instead, it seems people are encouraged to use Identity Server 3. I took a look on the project and although it is nice and has many usages I really prefer to configure just the minimum I need sometimes. Also, another drawback is that Identity Server 3 needs the full CLR, so if I need to use it in order to provide authentication on my application I would need to stop using Core CLR, which for me is a huge disadvantage since Core CLR is a lot more lightweight.

So, if I don't want to use the Identity Server 3 on ASP.NET 5, how can I implement authentication for Web API if the OAuth Authentication Server middleware is gone? Has anyone been through that and found a way to deal with it?

How to deal with authentication on ASP.NET 5 Web API without using Identity Server 3?

user1620696
  • 10,825
  • 13
  • 60
  • 81
  • you don't necessarily have to use the Identity Server3 and instead build your own Authentication server which would return token on authentication – Mahesh Kava May 10 '15 at 09:14
  • So I would need to implement one OAuth authentication server myself? – user1620696 May 10 '15 at 16:59
  • Identity server 4 targets core now: http://leastprivilege.com/2016/01/11/announcing-identityserver-for-asp-net-5-and-net-core/ – Matt Roberts Mar 23 '16 at 17:09

2 Answers2

11

Indeed, there'll be no OAuthAuthorizationServerMiddleware in ASP.NET 5.

If you're looking for the same low-level approach, you should take a look at AspNet.Security.OpenIdConnect.Server: it's an advanced fork of the OAuth2 authorization server middleware that comes with Katana 3 but that targets OpenID Connect, as you already figured out ( OAuth Authorization Service in ASP.NET Core).

https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server

OpenID Connect is itself based on OAuth2 and is basically a superset offering standardized authentication features. Don't worry: you can, of course, use ANY OAuth2 client with ANY OpenID Connect server, including AspNet.Security.OpenIdConnect.Server.

Don't miss the MVC 6 sample: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/tree/dev/samples/Mvc

app.UseJwtBearerAuthentication(new JwtBearerOptions
{
    AutomaticAuthenticate = true,
    AutomaticChallenge = true,
    Audience = "http://localhost:54540/",
    Authority = "http://localhost:54540/"
});

app.UseOpenIdConnectServer(options =>
{
    options.Provider = new AuthorizationProvider();
});

Good luck, and don't hesitate to ping me if you need help.

Community
  • 1
  • 1
Kévin Chalet
  • 39,509
  • 7
  • 121
  • 131
  • Hi, I have the same setup and it works on my dev machine. I have tried publishing it to server (test environment) and there I get an error "InvalidOperationException: IDX10803: Unable to obtain configuration from: 'http://localhost:5000/.well-known/openid-configuration'". I have installed HttpPlatformHandler and set my application pool to "No managed code". My site is bound to port 8890. Navigating to "localhost:8890" throws the error in Chrome and IE. When I run web.cmd from approot folder and navigate to "localhost:5000" it works but only in Chrome. IE gives the same error. Any help, plz? – partyelite Mar 31 '16 at 06:19
0

I ran into the exact same issue when trying to use the OWIN OAuth Authorization Server middleware in ASP.NET 5, so I decided to port the code myself. You can find the source at this GitHub repo https://github.com/XacronDevelopment/oauth-aspnet or just use the NuGet packages OAuth.AspNet.AuthServer and OAuth.AspNet.Tokens. Check out the source code to see how things are wired up; the samples in the source are the same samples Microsoft created here http://bit.ly/1MOGDEJ except with ASP.NET 5 examples added.

Xacron
  • 341
  • 4
  • 11
  • 1
    Katana's authorization server had many unsolved bugs, still listed on the Codeplex tracker. I took a brief look at your fork and it seems that you've fixed none of them. If you're still looking for the "original authorization server", take a look at `AspNet.Security.OpenIdConnect.Server`, it offers the same experience but fixes all the known bugs Katana's server had. – Kévin Chalet Sep 30 '15 at 18:07