
We are creating 8 native applications (iOS, Android, maybe Windows). All these native applications have a back-end API built using ASP.NET Web API. Now I am trying to build Single Sign On using IdentityServer3 (https://github.com/IdentityServer/IdentityServer3). My user data is saved in ASP.NET Identity 2. I just need to validate username/password (no external authentication). Now my confusion is:

  1. How many scopes/claims do I need, or do I need no scopes/claims? The web API just needs to know the user-id, user-roles and user-claims saved in the ASP.NET Identity tables.
  2. What scopes should my clients (native apps) request from the SSO server?
  3. Should they include the id_token or the access_token in the Authorization header when sending a request to my back-end ASP.NET Web API?
  4. Now which scopes should my back-end ASP.NET Web API include? I mean, what should I put here:

    app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
    {
        Authority = "https://localhost:44333/core",
        RequiredScopes = new[] { XXXXXX }
    });
    
  5. Is HTTPS required for the SSO server? And what is SigningCertificate? How is it related to the HTTPS certificate?

Simon Halsey
Imran Qadir Baksh - Baloch

1 Answer

  1. It depends on how you are going to partition your API space and what information your API needs to know about the user.
  2. Your clients should request the scopes they need to call the API and get the job done. E.g., say you have partitioned your API into two parts [read, write]. Then assume your client is only going to read data from the API; then you can register your client in Identity Server to have only the read scope, and you should request only the read scope from Identity Server for this client.
  3. Only the access_token should be included in the Authorization header.
  4. This is for validating the incoming token. It checks whether the incoming token contains the given scopes. You can skip the declaration here and use attributes on your API controller methods as well.
  5. HTTPS is a must for Identity Server. The signing certificate can be different from the HTTPS certificate. The signing certificate is used for token signing, while HTTPS is for transport security.
rawel
    To add to the above answer, SSO issues tokens in the form of JWTs. These are signed by the SSO server using the signing cert, and clients can validate that a token was issued by an SSO they trust by validating the token using the public key of the signing cert. – Simon Halsey Aug 14 '15 at 23:01