4

Consider the following scenario. You have an application that implements an api with asp.net webapi.

You are setting up a new Identity Server 4 to use with your infrastructure. You need your api to work with the Identity server.

If it was IdentityServer 3, you would use IdentityServer3.AccessTokenValidation.

If your api was on .net core you would use IdentityServer4.AccessTokenValidation.

But given that your api uses old style asp.net webapi, not even owin, and your Identity Server is .net core based, do you have an option of making them work together?

Andrew Savinykh

1 Answer

6

Yes this works fine. IdentityServer3 and IdentityServer4 are just implementations that conform to the same protocol. Same applies for those TokenValidation middlewares.

You can have an AspNetCore API that uses IdentityServer4.AccessTokenValidation to validate tokens that come from an IdentityServer3 WebApi project. Conversely, you can have an Asp.Net 4.x WebApi that uses IdentityServer3.AccessTokenValidation to validate tokens that come from an IdentityServer4 AspNetCore project. In practice, it's possible to use almost any OpenIDConnect provider against any API you may build in any language/framework, as long as the provider implements OpenIDConnect as per spec.

Lutando
  • Thank you. Are you saying that it's "in theory should" or that you tried that and it's working? A little bit more practical detail would help. Such as which library to use where, how to make sure that reference tokens (as opposed to self-contained tokens) can get validated on the incompatible version of Identity Server, etc. The spec does not cover a lot of implementation details, in particular how access/refresh tokens are encoded - those are implementation specific. – Andrew Savinykh Feb 02 '17 at 08:26
  • 1
    If your client application uses ASP.NET Core, use IdentityServer4.AccessTokenValidation. If your client application uses ASP.NET 4.x use IdentityServer3.AccessTokenValidation. Both talk to IdentityServer 3 or 4 in the same way. There are no incompatibilities. There's a repo that tests this: https://github.com/IdentityServer/CrossVersionIntegrationTests – Scott Brady Feb 02 '17 at 08:54
  • @ScottBrady, that's very helpful, thanks a lot! I'll try that. – Andrew Savinykh Feb 02 '17 at 09:32
  • @ScottBrady There is an [IDS3 integration package for asp.net core](https://github.com/IdentityServer/IdentityServer3.AccessTokenValidation.Integration.AspNetCore) but there is no IDS4 integration package for old .net framework, do you happen to know why? – Andrew Savinykh Feb 02 '17 at 23:27
  • My guess would be that this package is needed because otherwise (using the normal `IdentityServer4.AccessTokenValidation`) it does not work because of some incompatibility, and this package takes care of it, is this wrong? – Andrew Savinykh Feb 02 '17 at 23:32
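
The combination discussed in the answer and comments (an ASP.NET 4.x Web API validating tokens issued by IdentityServer4 through IdentityServer3.AccessTokenValidation), as an added example that is not code from the thread or from the IdentityServer project. It assumes the API can host OWIN middleware (for example via Microsoft.Owin.Host.SystemWeb); the authority URL, the `SampleApi` namespace, the `api1` scope and the secret are placeholders.

```csharp
using System.Web.Http;
using IdentityServer3.AccessTokenValidation;
using Microsoft.Owin;
using Owin;

[assembly: OwinStartup(typeof(SampleApi.Startup))]

namespace SampleApi // hypothetical project name
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.UseIdentityServerBearerTokenAuthentication(
                new IdentityServerBearerTokenAuthenticationOptions
                {
                    // Placeholder: base URL of the IdentityServer4 instance.
                    // Signing keys and endpoints are read from its discovery document.
                    Authority = "https://identity.example.test",

                    // Both: self-contained JWTs are validated locally,
                    // reference tokens are sent to the server for validation.
                    ValidationMode = ValidationMode.Both,

                    // Credentials the middleware presents to the introspection
                    // endpoint. In IdentityServer4 these are the API resource
                    // name and one of its secrets (placeholders here).
                    ClientId = "api1",
                    ClientSecret = "api1-secret",

                    // Reject tokens that do not carry this scope.
                    RequiredScopes = new[] { "api1" }
                });

            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();
            // Require an authenticated caller on every controller by default.
            config.Filters.Add(new AuthorizeAttribute());
            app.UseWebApi(config);
        }
    }
}
```

Keep the real secret out of source control and serve the authority over HTTPS, since the middleware trusts whatever keys the discovery document at that URL returns.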