CHAPTER 8 | Make secure .NET Microservices and Web Applications
Issue security tokens from an ASP.NET Core service
If you prefer to issue security tokens for local ASP.NET Core Identity users rather than using an external identity provider, you can take advantage of some good third-party libraries. IdentityServer4 and OpenIddict are OpenID Connect providers that integrate easily with ASP.NET Core Identity to let you issue security tokens from an ASP.NET Core service. (Note that IdentityServer4 itself is no longer maintained; its successor is the commercially licensed Duende IdentityServer, and OpenIddict remains open source.) The IdentityServer4 documentation has in-depth instructions for using the library. However, the basic steps to using IdentityServer4 to issue tokens are as follows.
1. You configure IdentityServer4 in Program.cs by making a call to builder.Services.AddIdentityServer.
2. You call app.UseIdentityServer in Program.cs to add IdentityServer4 to the application's HTTP request processing pipeline. This lets the library serve requests to OpenID Connect and OAuth2 endpoints like /connect/token.
3. You configure identity server by setting the following data:
   – The credentials to use for signing.
   – The Identity and API resources that users might request access to:
     • API resources represent protected data or functionality that a user can access with an access token. An example of an API resource would be a web API (or set of APIs) that requires authorization.
     • Identity resources represent information (claims) that are given to a client to identify a user. The claims might include the user name, email address, and so on.
   – The clients that will be connecting in order to request tokens.
   – The storage mechanism for user information, such as ASP.NET Core Identity or an alternative.
When you specify clients and resources for IdentityServer4 to use, you can pass an IEnumerable collection of the appropriate type to methods that take in-memory client or resource stores. Or for more complex scenarios, you can provide client or resource provider types via Dependency Injection.

A sample configuration for IdentityServer4 to use in-memory resources and clients provided by a custom IClientStore type might look like the following example:
// Program.cs
builder.Services.AddSingleton<IClientStore, CustomClientStore>();   // CustomClientStore: your own IClientStore implementation
builder.Services.AddIdentityServer()
    .AddSigningCredential("CN=sts")                                  // X.509 certificate looked up in the machine store by subject name
    .AddInMemoryApiResources(MyApiResourceProvider.GetAllResources())
    .AddAspNetIdentity<ApplicationUser>();                           // ApplicationUser: your IdentityUser-derived user class
//...
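The fragment above only shows the registration calls. The following Program.cs is an added example, not code from the book or from the IdentityServer4 project, that carries all three steps through in one file: Identity as the user store, identity resources, API scopes and API resources, a custom IClientStore that reads client secrets from configuration, a signing certificate that is a throw-away developer key only in Development, and app.UseIdentityServer in the pipeline. It assumes a .NET 6+ project with implicit usings and the IdentityServer4, IdentityServer4.AspNetIdentity, Microsoft.AspNetCore.Identity.EntityFrameworkCore and Microsoft.EntityFrameworkCore.InMemory packages; the type names ApplicationUser, ApplicationDbContext, Config and ConfigClientStore, the client IDs, scope names, redirect URI and configuration keys are all hypothetical.

```csharp
// Program.cs: added example; every name below that is not an IdentityServer4 or ASP.NET Core API is an assumption.
using System.Security.Cryptography.X509Certificates;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Stores;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;
var builder = WebApplication.CreateBuilder(args);

// Step 3, user storage: ASP.NET Core Identity. The in-memory EF provider only keeps the sample free of a database server.
builder.Services.AddDbContext<ApplicationDbContext>(o => o.UseInMemoryDatabase("users"));
builder.Services.AddIdentity<ApplicationUser, IdentityRole>()
    .AddEntityFrameworkStores<ApplicationDbContext>();
// Step 1: AddIdentityServer, wired to the resources, a client store and the Identity user store.
var ids = builder.Services.AddIdentityServer(o => o.EmitStaticAudienceClaim = true)
    .AddInMemoryIdentityResources(Config.Identity)
    .AddInMemoryApiScopes(Config.ApiScopes)
    .AddInMemoryApiResources(Config.Apis)
    .AddClientStore<ConfigClientStore>()   // IdentityServer4 wraps it in ValidatingClientStore, so bad client configs are rejected
    .AddAspNetIdentity<ApplicationUser>();
// Step 3, signing credentials: a throw-away key only in Development; otherwise a real
// certificate whose path and password come from configuration, never from source.
if (builder.Environment.IsDevelopment())
    ids.AddDeveloperSigningCredential();
else
    ids.AddSigningCredential(new X509Certificate2(
        builder.Configuration["Signing:PfxPath"] ?? throw new InvalidOperationException("Signing:PfxPath missing"),
        builder.Configuration["Signing:PfxPassword"]));

var app = builder.Build();
app.UseHttpsRedirection();
app.UseRouting();
app.UseIdentityServer();   // Step 2: serves /.well-known/openid-configuration, /connect/authorize, /connect/token, ...
app.UseAuthorization();
app.Run();

public class ApplicationUser : IdentityUser { }   // assumed name for the Identity user type

public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
{
    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options) : base(options) { }
}

// Step 3, identity and API resources: what a token may say about the user, and what it may grant.
public static class Config
{
    public static IEnumerable<IdentityResource> Identity => new IdentityResource[]
    {
        new IdentityResources.OpenId(),    // "sub" claim; mandatory for OpenID Connect
        new IdentityResources.Profile(),   // name, given_name, ...
        new IdentityResources.Email(),
    };
    public static IEnumerable<ApiScope> ApiScopes => new[]
    {
        new ApiScope("orders.read", "Read orders"),
        new ApiScope("orders.write", "Create and change orders"),
    };
    // An access token carrying either scope gets "ordering-api" in its "aud" claim.
    public static IEnumerable<ApiResource> Apis => new[]
    {
        new ApiResource("ordering-api", "Ordering API") { Scopes = { "orders.read", "orders.write" } },
    };
}

// Step 3, clients: a custom IClientStore. Secrets are read from configuration and held only as SHA-256 hashes.
public sealed class ConfigClientStore : IClientStore
{
    private readonly IReadOnlyDictionary<string, Client> _clients;

    public ConfigClientStore(IConfiguration config)
    {
        string SecretFor(string name) => config[$"Clients:{name}:Secret"]
            ?? throw new InvalidOperationException($"Clients:{name}:Secret missing");
        _clients = new Dictionary<string, Client>
        {
            ["webmvc"] = new Client
            {
                ClientId = "webmvc",
                AllowedGrantTypes = GrantTypes.Code,
                RequirePkce = true,                       // authorization code + PKCE; no implicit flow
                ClientSecrets = { new Secret(SecretFor("WebMvc").Sha256()) },
                RedirectUris = { "https://webmvc.example.local/signin-oidc" },   // matched exactly, no wildcards
                AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId,
                                  IdentityServerConstants.StandardScopes.Profile, "orders.read", "orders.write" },
                AllowOfflineAccess = true,                // may request refresh tokens
            },
            ["basket-api"] = new Client
            {
                ClientId = "basket-api",
                AllowedGrantTypes = GrantTypes.ClientCredentials,   // machine-to-machine, no user involved
                ClientSecrets = { new Secret(SecretFor("BasketApi").Sha256()) },
                AllowedScopes = { "orders.read" },        // least privilege: read only
            },
        };
    }

    public Task<Client> FindClientByIdAsync(string clientId) =>
        Task.FromResult(_clients.TryGetValue(clientId, out var client) ? client : null!);
}
```

Put the secrets in user-secrets or environment variables (Clients__WebMvc__Secret, Clients__BasketApi__Secret, Signing__PfxPath, Signing__PfxPassword); the store throws at startup if one is missing rather than silently registering a client with no secret. The basket-api client works end to end as written: a POST to /connect/token with grant_type=client_credentials, client_id=basket-api, the secret and scope=orders.read returns an access token whose aud is ordering-api. The webmvc client additionally needs a login UI (the Razor pages or MVC views from the IdentityServer4 quickstart UI), which this file omits. app.UseIdentityServer also registers the authentication middleware, so it must come after app.UseRouting and before app.UseAuthorization.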