20

We have an internal application for internal users which I need to protect using OAuth2/OIDC and thinking of using IdentityServer4. The end users will not be authorizing any applications so there shouldn't be any consent page. I couldn't find any suitable samples, they either are MVC client samples with consent pages or console application clients for Resource Owner Password flows.

Only thing I got is that I need to implement IResourceOwnerPasswordValidator in IDSRV application. That part is I'm OK with. But I couldn't figure out how to setup IDSRV app and MVC app in their Startups.

What do I need to do to protect an .NET Core ASP.NET MVC app with IdentityServer4 using Resource Owner Password flow?

I'd appreciate any help.

Solution:

I've ended up using Hybrid flow with manuel user login instead of Resource Owner Password flow. Here's the working solution I've created:

https://github.com/deastr/IdentityServer4.HybridFlow.NoConsent

dstr
  • 8,362
  • 12
  • 66
  • 106

1 Answers1

26

In the Client definition add the following

RequireConsent = false,
GlennSills
  • 3,977
  • 26
  • 28
  • I've tried AllowedGrantTypes = GrantTypes.ResourceOwnerPassword and RequireConsent = false but instead of redirect I'm just getting unauthorized_client error. Changing grant type to Implicit works but then I get redirected to consent page even with RequireConsent = false.. – dstr Dec 02 '16 at 07:30
  • 1
    Have you tried turning on logging? In my experience with IdentityServer3, enabling logging is the easiest way to solve this sort of _getting started_ problem. You can make Identity Server log a very verbose trace of what is going on - it generally explains these problems for me. – GlennSills Dec 02 '16 at 13:25
  • 1
    Yes running IdentityServer4 host as console application displays all kind of logs, which helped alot. I've managed to do what I want using Hybrid flow and RequireConsent=false. Thank you. – dstr Dec 02 '16 at 14:22
  • @YahyaHussein I remember having the same reaction as you :-) – GlennSills Apr 13 '20 at 17:40