
I am building an API driven application that will have a native login with username and password, and will also need to grant 3rd party access via OAuth/OpenID Connect in the near future.

A pattern I have used in the past is this (below), and I just added an Auth Controller to my application.

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {

And used the Auth controller to manually build a JWT token and return it to the JavaScript client:

var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(ConfigurationFacade.GetValue<string>("SigningKey")));
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
var token = new JwtSecurityToken(...

which is then just passed in every request with "Bearer " in the headers... I liked this as it was pretty simple, and I had full control over it. I just added the checks in Startup.cs to handle validation, but this wasn't 'proper' OAuth or anything.

options.TokenValidationParameters = new TokenValidationParameters
{
    ValidateIssuer = true,
    ValidateAudience = true,
    ValidateLifetime = true,
    ValidateIssuerSigningKey = true,
    ValidIssuer = $"https://{Configuration.GetValue<string>("AppServiceNameOutput")}",
    ValidAudience = $"https://{Configuration.GetValue<string>("AppServiceNameOutput")}",
    IssuerSigningKey = new SymmetricSecurityKey(
        Encoding.UTF8.GetBytes(Configuration.GetValue<string>("SigningKey"))),
};

I've recently done a course on OAuth 2.0/OpenID Connect, which seems like a much better standard, and which involved creating a separate Identity Provider API.

However, when logging in with Hybrid flow all the claims were explicitly requested and the user had to check them and hit 'allow'... which is fine (in fact, it's what we want for the third party provider), but it would look a bit stupid logging into your own profile from Company A at companyA.com and it asks for access to your Company A account details. It was set up like this:

services.AddMvc();
services.AddIdentityServer()

...

app.UseIdentityServer();

What I really want to know is how should I architect this?

1) Can I use OpenID Connect for both? (Normal 'login' box on our website with no more steps. Claims Request/Challenge for external apps)

2) Should I stick to my current pattern for our own web, and then add something like OpenID Connect on top for third party clients?

3) Are there any examples of this that you know of that I could see?

I essentially want something like Facebook, where you log in once with a username and password and it just keeps you logged in until you log out. But when I access it via a third party it will ask for permissions. Both scenarios will need to use refresh tokens to avoid typing info in frequently.

0 Answers
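One way to get both behaviours from a single OpenID Connect provider, as an added example that is not the questioner's code and not an IdentityServer sample: both clients are registered on the same IdentityServer4 instance, and the difference is per-client configuration (RequireConsent off for the first-party site, on for the partner; AllowOfflineAccess on both so refresh tokens are issued). The resource API then validates tokens against the provider's discovery document and published public keys instead of the shared symmetric "SigningKey" from the question, so no API host has to hold the signing secret. It assumes IdentityServer4 v4 (ApiScope/ApiResource split); the client ids, URLs, scope name and secret are placeholders.

```csharp
// Added example; not the question's code. Assumes IdentityServer4 v4.
// Client ids, URLs, scope names and the secret are hypothetical placeholders.
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;

public static class IdentityConfig
{
    // One scope for the application's own API. The ApiResource that carries the scope
    // makes access tokens issued for it contain aud = "companya.api".
    public static IEnumerable<ApiScope> ApiScopes =>
        new[] { new ApiScope("companya.api", "Company A API") };

    public static IEnumerable<ApiResource> ApiResources =>
        new[] { new ApiResource("companya.api", "Company A API") { Scopes = { "companya.api" } } };

    public static IEnumerable<IdentityResource> IdentityResources =>
        new IdentityResource[] { new IdentityResources.OpenId(), new IdentityResources.Profile() };

    public static IEnumerable<Client> Clients =>
        new[]
        {
            // First-party website: trusted by the provider, so no consent screen.
            // Still code flow + PKCE, short-lived access tokens and rotating refresh tokens.
            new Client
            {
                ClientId = "companya-web",
                ClientName = "Company A website",
                AllowedGrantTypes = GrantTypes.Code,
                RequirePkce = true,
                RequireClientSecret = false,              // browser client: nothing to keep secret
                RequireConsent = false,                   // first-party: skip the 'allow' step
                AllowOfflineAccess = true,                // issue refresh tokens
                RefreshTokenUsage = TokenUsage.OneTimeOnly,
                RefreshTokenExpiration = TokenExpiration.Sliding,
                SlidingRefreshTokenLifetime = 60 * 60 * 24 * 14, // stays logged in while active
                AccessTokenLifetime = 60 * 15,
                RedirectUris = { "https://companya.example/signin-oidc" },
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    IdentityServerConstants.StandardScopes.OfflineAccess,
                    "companya.api",
                },
            },
            // Third party: confidential client registered by the partner. The user must
            // consent (and may remember it), and the refresh token has a hard expiry.
            new Client
            {
                ClientId = "partner-app",
                ClientName = "Partner application",
                ClientSecrets = { new Secret("REPLACE-WITH-A-RANDOM-SECRET".Sha256()) },
                AllowedGrantTypes = GrantTypes.Code,
                RequirePkce = true,
                RequireConsent = true,                    // third-party: show the 'allow' screen
                AllowRememberConsent = true,
                AllowOfflineAccess = true,
                RefreshTokenUsage = TokenUsage.OneTimeOnly,
                RefreshTokenExpiration = TokenExpiration.Absolute,
                AbsoluteRefreshTokenLifetime = 60 * 60 * 24 * 30,
                AccessTokenLifetime = 60 * 15,
                RedirectUris = { "https://partner.example/oauth/callback" },
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    IdentityServerConstants.StandardScopes.OfflineAccess,
                    "companya.api",
                },
            },
        };
}

public static class AuthSetup
{
    // Identity provider host: registers the resources and clients above.
    public static void ConfigureProvider(IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddInMemoryIdentityResources(IdentityConfig.IdentityResources)
            .AddInMemoryApiScopes(IdentityConfig.ApiScopes)
            .AddInMemoryApiResources(IdentityConfig.ApiResources)
            .AddInMemoryClients(IdentityConfig.Clients)
            // Development only; production uses a persisted asymmetric key via AddSigningCredential.
            .AddDeveloperSigningCredential();
    }

    // Resource API host: issuer, lifetime, signature and audience are all validated using
    // the provider's discovery document, so the API never holds a shared HMAC secret.
    public static void ConfigureApi(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "https://login.companya.example"; // placeholder issuer URL
                options.Audience = "companya.api";                   // keeps ValidateAudience on
            });
    }
}
```

With this layout the website and the partner app both sign in through the same provider and both get refresh tokens; only the consent screen differs, which answers question 1 without keeping the hand-rolled JWT path from question 2. The first-party client uses authorization code with PKCE rather than Hybrid flow because a browser client cannot protect a secret, and refresh tokens are one-time-use so a replayed token is detectable.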