
I'm responsible for implementing a solution for allowing a mobile app to connect to a web API. I found IdentityServer3 and have started working with it. I'm still very new to this and am having trouble understanding a few things:

  1. How do you allow a user to sign in to the server? What is the process? I found the following article, which discusses the endpoints for performing authorization and the various parameters that can be used, but I'm not really sure how to authenticate users. My goal is to have IdentityServer3 do the authentication, return a token, and allow a mobile application client to use that token to access a web API.

https://identityserver.github.io/Documentation/docsv2/endpoints/authorization.html

GET /connect/authorize?client_id=client1&scope=openid email api1&response_type=id_token token&redirect_uri=https://myapp/callback&state=abc&nonce=xyz
  2. I've noticed that there are a few examples of how to actually set up the identity server. I've gone through the walk-through for each one, and am having trouble understanding various OAuth 2.0 ideas:

  a.) Should I allow my users to use the Resource Owner flow if they are a mobile app?
  b.) Should I allow my users to use other flows if all I want them to be able to do is log in with a username and password?

  3. How do I accomplish 2.a?

Thanks.

EDIT:

I've scoured Stack Overflow and Identity Server 3, and I wasn't sure how OAuth 2.0 flows are supposed to work... Truthfully, I've researched textbooks and was originally just going to do the above without IdentityServer3 at all, but after more research I found that the correct approach to securing a web API is using OpenID Connect to properly perform Authentication, as OAuth 2.0 only performs Authorization, which is why I chose IdentityServer3 in the first place. I don't completely understand OAuth 2.0 and Identity Server 3 (and am still new to SO, so please bear with me), so if my question is missing information or it looks like I was just lazy, feel free to post it in the comments and I'll provide you with some of my work in this regard.

cr1pto

1 Answer


1.

To use Identity Server as your Identity Provider (IP), first you need to host it as a service. Once hosted, you have to register your mobile app as a client on this service. When the user accesses your web API, he will be redirected to the IP to authenticate. Once the user is authenticated, the IP will issue an Identity Token representing the user. This token will be posted to your web API to prove the authentication. In a nutshell, this is what should happen.

There are multiple steps involved when you have to authenticate a user for your web API. Here is a video on how to use Identity Server with an MVC client. Except for the MVC client, the rest of the process is the same.

2

a:

The Authorization code flow would be a good choice and Implicit flow is the best choice for mobile application (depending on the requirements).

Authorization Code Flow (from OAuth 2.0 spec):

The authorization code is obtained by using an **authorization server (Identity server)** as an intermediary between the client (mobile app) and resource owner (user of your app). Instead of requesting authorization directly from the resource owner, the client directs the resource owner to an authorization server via its user-agent (browser), which in turn directs the resource owner back to the client with the authorization code.

Before directing the resource owner back to the client with the authorization code, the authorization server authenticates the resource owner (by presenting a login screen) and obtains authorization. Because the resource owner only authenticates with the authorization server, the resource owner’s credentials are never shared with the client.

The authorization code provides a few important security benefits, such as the ability to authenticate the client, as well as the transmission of the access token directly to the client without passing it through the resource owner’s user-agent and potentially exposing it to others, including the resource owner.

Most of these steps are implemented by Identity Server; all you need to figure out is how to host it, how to register a client and how to authenticate the user. Even a simple login screen is provided by Identity Server.

Please let me know if you have any questions.

Thank you, Soma.

Soma Yarlagadda
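The code flow the answer quotes, carried through as an added example (not from the answer or the IdentityServer3 samples): it builds the `/connect/authorize` request with a fresh `state` and `nonce`, rejects a callback whose `state` does not match, shapes the back-channel `/connect/token` body, and checks the id_token claims. The host name, client id, secret and the sample callback/claims are constructed test values; `/connect/authorize` and `/connect/token` are IdentityServer3's standard endpoints.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed IdentityServer3 host (constructed value); the two /connect/*
# paths below are the server's standard OpenID Connect endpoints.
AUTHORITY = "https://idsrv.example/identity"
AUTHORIZE_ENDPOINT = AUTHORITY + "/connect/authorize"


def build_authorize_url(client_id, redirect_uri, scopes):
    """Step 1: redirect the user-agent to the authorization server.
    state ties the callback to this session (CSRF defence); nonce is
    echoed back inside the id_token so a replayed token is detectable."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "response_type": "code",  # code flow: no tokens in the redirect URL
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state, nonce


def handle_callback(callback_url, expected_state):
    """Step 2: the server sends the browser back with ?code=...&state=...
    Refuse the code unless state matches what this session generated."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not issued for this session")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    return query["code"][0]


def token_request_body(code, client_id, client_secret, redirect_uri):
    """Step 3: form body POSTed server-to-server to /connect/token; the
    client secret never travels through the user-agent."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": client_id,
            "client_secret": client_secret}


def id_token_claims_ok(claims, expected_nonce, client_id):
    """Step 4: after the JWT signature is verified (use a JWT library),
    the claims must carry this session's nonce and name us as audience."""
    return (claims.get("iss") == AUTHORITY and claims.get("aud") == client_id
            and claims.get("nonce") == expected_nonce)
```

For a native mobile client that cannot hold a secret (the point raised in the comments), the same steps apply with the secret omitted and the token exchange hardened with PKCE instead.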
  • Aside from registering a user with the identity server as a valid client, what is the signin endpoint to receive a token from the server? I have it running and hosted in IIS already, but I don't know how to actually get tokens from the server like from fiddler, for example. Thanks for answering this so quickly! – cr1pto May 06 '16 at 00:48
  • 1
    @Soma, you said that "The Authorization code flow would be a good choice for mobile application." but I know that the flow is suitable for server side applications like MVC because this flow requires a client secret to obtain tokens from the `Token Endpoint`. For mobile and web browser clients, `Implicit Flow` is recommended. You can look at https://gist.github.com/jawadatgithub/638c11f08ecc0d76b05c – adem caglin May 06 '16 at 10:44
  • 1
    I appreciate the feedback @ademcaglin, but can you guys advise how to reach the endpoint for authorization? I know the authorization endpoint is /identity/connect/authorize, but how do I get tokens from the server? I want users to be able to pass their user name and password to the server and receive a token back. Is this possible? I want this to be done in something like fiddler. – cr1pto May 06 '16 at 15:37
  • @ademcaglin, you are right, Implicit Flow is the best option as you have to deal with the client secret in Code flow. But Code flow can be a good option as the client secret is not readily visible/available like in JavaScript applications. I mentioned code flow as that validates the client (in his case the mobile app) too. But an upvote for you for mentioning what I missed. Thank you, Soma. – Soma Yarlagadda May 06 '16 at 15:42
  • @Richard_D, if Identity Server is already hosted, your client is registered and logic is in place to authenticate a user, all you have to do is redirect a user to the login page in identity server. [Link](https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/Clients) to client samples on how to use/ post requests to Identity Server for tokens. Please choose the client close to your requirements and follow the path. Thank you. – Soma Yarlagadda May 06 '16 at 15:57
  • I'm having trouble finding the login page in the first place...what is the default URL? I noticed that users are redirected to /identity/signin?{identityserverid? not sure what this is}. How would a mobile user login? Would I have to redirect them to the login page? Again, where is that if it's hosted already? Thanks Soma. – cr1pto May 06 '16 at 16:41
  • @FedericoDipuma gave a really great answer to my question here: http://stackoverflow.com/questions/36383294/asp-net-oauth-authorization-difference-between-using-clientid-and-secret-and-u/36385278#36385278 and here: http://stackoverflow.com/questions/37076449/how-to-perform-sign-in-with-identityserver3 Thanks again for all of your help everyone. – cr1pto May 06 '16 at 17:11
  • You are right, FedericoDipuma's answer has much more detail. I'm glad you found what you were looking for. Please let me know if you still have any questions. Thank you. – Soma Yarlagadda May 06 '16 at 17:19