I need quick help regarding Identity server.

There is a client requirement to not allow any publicly hosted application to talk directly to the database. In Identity Server's case, the Identity Server will be hosted publicly for the token endpoint, and it queries the database for operational data (went for the DB approach with reference tokens because IdSrv will be on an NLB). Is there any workaround for this, or is this standard practice?

Thanks

zeppelin

1 Answer

If you don't want IdentityServer to talk directly to the database, you will need to implement & register custom implementations of ICorsPolicyService, IAuthorizationCodeStore, IClientStore, IConsentStore, IRefreshTokenStore, IScopeStore, and ITokenHandleStore that call off to some external app that can talk to the database.

Normal operating procedure is to have IdentityServer talk directly to the database. I don't see much merit in separating the two.

FYI: You don't need to use reference tokens if you are using load balancing. Check out the deployment docs.

Scott Brady
  • Okay, thanks Scott. That means JWTs will work fine for different nodes of IdSrv on the NLB, just confirming. – zeppelin Jul 26 '17 at 18:12
  • Yes, as long as they all use the same token signing key. – Scott Brady Jul 26 '17 at 18:15
  • So there will be 2 certificates required for JWT (in-memory): one will be the SSL certificate (which will be a SAN certificate provided by the client for production), and the other would be the signing certificate (this I created through the IIS 'Create Self Signed Certificate' feature). Can I use this same self-signed cert for production as well? Is there a requirement that the SSL & signing certificate should be the same, or can I use a self-signed one for signing & the client-provided cert for the IIS SSL binding? Thanks – zeppelin Jul 27 '17 at 10:13
  • Token signing cert should not be the same as the TLS cert. So yes, 2 certificates. Typically you would make dev and prod certs different, to prevent tokens from dev working in prod. – Scott Brady Jul 27 '17 at 10:49
  • If we are using reference tokens with the DB approach on the NLB, does it require syncing signing certificates? Do reference tokens use signing certificates? The token is being returned on production on the login call, but the following WebApi call fails and the ajax call gets 401 Unauthorized. This did not happen on localhost (one node). – zeppelin Aug 01 '17 at 11:35
  • In fact it is happening on localhost https as well on the production server. Any direction you can point me to? – zeppelin Aug 01 '17 at 16:37
  • I have enabled logging on Identity Server, but the 401 error is not getting logged in the logfile. Maybe it is thrown from the WebApi; do I have to enable logging there as well? – zeppelin Aug 01 '17 at 17:09
  • Yeah, check out: https://identityserver.github.io/Documentation/docsv2/consuming/diagnostics.html – Scott Brady Aug 01 '17 at 18:02
  • I am getting "remote certificate is invalid according to validation procedure". Is this the signing certificate or the HTTPS SSL certificate? My application is running with an Application Pool Identity with a specific AD user. Could this be the problem? Do I have to mmc it? – zeppelin Aug 01 '17 at 21:09
  • It is already imported in the Personal store of the Computer account. Is there any other way as well? – zeppelin Aug 01 '17 at 21:23
  • I got it working on localhost https. Now on the public URL (NLB) the Katana log shows "remote name could not be resolved". This seems like a DNS issue. Can I do something with the PublicOrigin field, can I give IP addresses there or in place of the Authority field, and will the certificate authenticate the IP address as it is issued to the domain name and not the IP? Or is this plainly an NLB issue? WebApi & IdSrv are both deployed under the same domain name as child applications. Thanks for the help Scott. – zeppelin Aug 02 '17 at 06:47
  • The same Identity Server URL is accessible via the browser. – zeppelin Aug 02 '17 at 08:06
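One of the custom stores the answer lists, as an added example that is not from the original post or the IdentityServer project: an IdentityServer3 `IClientStore` that asks a hypothetical internal HTTP "client registry" service (its name, base address and record shape are assumptions) for client data instead of opening a database connection from the public IdentityServer nodes. The other stores listed (`IScopeStore`, `ITokenHandleStore`, ...) would be wrapped the same way.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services;
using Newtonsoft.Json;

// Assumed shape of the record returned by the hypothetical internal
// client-registry service that owns the database connection. The secret
// arrives already SHA-256 hashed (IdentityServer3's default hashed-secret
// validation), so the raw secret never crosses this hop.
public class ClientRecord
{
    public string ClientId { get; set; }
    public string ClientName { get; set; }
    public string SecretSha256 { get; set; }
    public List<string> AllowedScopes { get; set; }
    public List<string> RedirectUris { get; set; }
}

public class RemoteClientStore : IClientStore
{
    private readonly HttpClient _http;
    public RemoteClientStore(HttpClient http) { _http = http; }

    public async Task<Client> FindClientByIdAsync(string clientId)
    {
        var response = await _http.GetAsync("clients/" + Uri.EscapeDataString(clientId));
        if (response.StatusCode == HttpStatusCode.NotFound)
            return null; // unknown client: IdentityServer rejects the request
        response.EnsureSuccessStatusCode();

        var record = JsonConvert.DeserializeObject<ClientRecord>(await response.Content.ReadAsStringAsync());
        return new Client
        {
            ClientId = record.ClientId,
            ClientName = record.ClientName,
            Enabled = true,
            Flow = Flows.AuthorizationCode, // assumed here; a real registry would carry the flow too
            ClientSecrets = new List<Secret> { new Secret(record.SecretSha256) },
            AllowedScopes = record.AllowedScopes,
            RedirectUris = record.RedirectUris
        };
    }
}

// Wiring in Startup.cs; the base address is a placeholder for the internal service,
// which should be reachable only from the IdentityServer nodes:
// var http = new HttpClient { BaseAddress = new Uri("https://client-registry.internal/api/") };
// factory.ClientStore = new Registration<IClientStore>(r => new RemoteClientStore(http));
```

The hop to the registry adds latency to every token request, which is the practical cost the answer alludes to when it says there is little merit in the split.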