12

I have a Web API 2.2 project which uses the .NET 4.5.2 framework and is being used by an Angular 2 application, and there is an existing IdentityServer4 implementation. I want to protect my Web API using IdentityServer4. My question is: can I protect Web API 2.2 using IdentityServer4? If yes, then I have two follow-up questions:

  1. Should I use the IdentityServer3.AccessTokenValidation NuGet package, or will I have to use IdentityServer4.AccessTokenValidation? (I tried using the IdentityServer4.AccessTokenValidation package, however it's adding many dependencies related to ASP.NET Core.)
  2. What should be the value of the Authority URL I will have to use?

I could find many examples where IdentityServer4 is being used to protect ASP.NET Core Web APIs. However, I couldn't find a good example where Web API 2.2 is protected using IdentityServer4. If possible, please point me to a good example of the IdentityServer configuration that is required on the Web API side.

Sanket
Pankaj Kapare
  • Are you using ASP.NET 4.5? If so, I would think it would be safer to stick with IdentityServer3. IdentityServer4 is a rewrite to include the modularity of ASP.NET Core (including but not limited to Dependency Injection) – DOMZE Dec 07 '16 at 17:56
  • Pankaj, did you ever get this working? I'm facing the same project and I'm curious. Any helpful tips would be greatly appreciated! – Post Impatica Sep 12 '17 at 16:12
  • I am looking for the same sort of solution. Were you able to deploy successfully? Can you share some good reference link? Thanks. – Kishan Gajjar Jul 12 '18 at 12:47

2 Answers

9

To answer your questions:

1) Your WebApi 2.2 project is undoubtedly using OWIN/Katana from ASP.NET 4.x, which means you should use IdentityServer3.AccessTokenValidation. IdentityServer4.AccessTokenValidation is compatible with the new ASP.NET MVC Core pipeline.

2) You can get your authority by going to your identity provider's discovery document at {IdentityUrl}/.well-known/openid-configuration. The authority should be the same one as the "issuer" value in the discovery document. You can also get the authority by looking at a JWT issued by your identity provider and checking the "iss" claim.

Lutando
  • Will the IdentityServer3.AccessTokenValidation library be able to validate tokens from IdentityServer4? – Pankaj Kapare Dec 07 '16 at 18:49
  • Yes, both IDS3 and IDS4 are authorization servers that serve JWT tokens which conform to OAuth 2.0/OpenID Connect standards. Inasmuch as any client that implements an OAuth flow can interact with an OAuth authorization server, a JWT token issued by an OAuth authorization server can be validated using standardized means. In short: IDS3 and IDS4 are different implementations of the same set of standards. – Lutando Dec 07 '16 at 19:41
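
A Web API-side configuration of the kind the question asks for, as an added example that is not part of the original answer or comments: an OWIN `Startup` class using IdentityServer3.AccessTokenValidation to validate JWTs issued by IdentityServer4. The authority URL `https://identity.example.com`, the scope name `api1` and the namespace `SampleApi` are placeholder assumptions; replace them with the `issuer` value from your discovery document and a scope defined on your IdentityServer.

```csharp
// Assumed NuGet packages: IdentityServer3.AccessTokenValidation,
// Microsoft.Owin.Host.SystemWeb, Microsoft.AspNet.WebApi.Owin
using System.Web.Http;
using IdentityServer3.AccessTokenValidation;
using Microsoft.Owin;
using Owin;

[assembly: OwinStartup(typeof(SampleApi.Startup))]

namespace SampleApi // hypothetical namespace
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Register token validation before Web API so every request
            // passes through the bearer middleware first.
            app.UseIdentityServerBearerTokenAuthentication(
                new IdentityServerBearerTokenAuthenticationOptions
                {
                    // Placeholder: must equal the "issuer" value published at
                    // {IdentityUrl}/.well-known/openid-configuration and the
                    // "iss" claim of issued tokens.
                    Authority = "https://identity.example.com",

                    // Validate JWTs locally against the signing keys that the
                    // discovery document points to.
                    ValidationMode = ValidationMode.Local,

                    // Placeholder scope: tokens that do not carry it are rejected.
                    RequiredScopes = new[] { "api1" }
                });

            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();

            // Deny anonymous callers by default; opt out per action
            // with [AllowAnonymous] where that is intended.
            config.Filters.Add(new AuthorizeAttribute());

            app.UseWebApi(config);
        }
    }
}
```

A request without a valid bearer token then receives 401 from any controller action not marked `[AllowAnonymous]`.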
5

After 2017, IdentityServer3.AccessTokenValidation stayed frozen while Microsoft refactored their OWIN and Identity libs, so the preferred solution for ASP.NET 4.6+ became IdentityServer3.Contrib.AccessTokenValidation -- a fork, refactored according to the recent framework changes.

d_f