23

I've been studying ASP.NET 5 for some time now and there is something I'm yet confused. To implement authentication in Web API 2 what I used to do was basically use the OWIN OAuth Authentication Server Middleware. It was simple to use, I could configure just what I needed and there wasn't a bunch of stuff I needed to put on the app without need for it.

Now, at first I didn't find this in ASP.NET 5 and I thought it was a matter of time to wait the middleware to show up. But yesterday, reading on the issues on the Security repo I found out that apparently there is no intention to port this middleware to the new version of the framework.

Instead, it seems people are encouraged to use Identity Server 3. I took a look on the project and although it is nice and has many usages I really prefer to configure just the minimum I need sometimes. Also, another drawback is that Identity Server 3 needs the full CLR, so if I need to use it in order to provide authentication on my application I would need to stop using Core CLR, which for me is a huge disadvantage since Core CLR is a lot more lightweight.

So, if I don't want to use the Identity Server 3 on ASP.NET 5, how can I implement authentication for Web API if the OAuth Authentication Server middleware is gone? Has anyone been through that and found a way to deal with it?

How to deal with authentication on ASP.NET 5 Web API without using Identity Server 3?

Improve this question
3
  • you don't necessarily have to use the Identity Server3 and instead build your own Authentication server which would return token on authentication Commented May 10, 2015 at 9:14
  • So I would need to implement one OAuth authentication server myself? Commented May 10, 2015 at 16:59
  • Identity server 4 targets core now: leastprivilege.com/2016/01/11/… Commented Mar 23, 2016 at 17:09

2 Answers 2

Reset to default
11

Indeed, there'll be no OAuthAuthorizationServerMiddleware in ASP.NET 5.

If you're looking for the same low-level approach, you should take a look at AspNet.Security.OpenIdConnect.Server: it's an advanced fork of the OAuth2 authorization server middleware that comes with Katana 3 but that targets OpenID Connect, as you already figured out ( OAuth Authorization Service in ASP.NET Core).

https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server

OpenID Connect is itself based on OAuth2 and is basically a superset offering standardized authentication features. Don't worry: you can, of course, use ANY OAuth2 client with ANY OpenID Connect server, including AspNet.Security.OpenIdConnect.Server.

Don't miss the MVC 6 sample: https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server/tree/dev/samples/Mvc

app.UseJwtBearerAuthentication(new JwtBearerOptions
{
    AutomaticAuthenticate = true,
    AutomaticChallenge = true,
    Audience = "http://localhost:54540/",
    Authority = "http://localhost:54540/"
});

app.UseOpenIdConnectServer(options =>
{
    options.Provider = new AuthorizationProvider();
});

Good luck, and don't hesitate to ping me if you need help.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Hi, I have the same setup and it works on my dev machine. I have tried publishing it to server (test environment) and there I get an error "InvalidOperationException: IDX10803: Unable to obtain configuration from: 'localhost:5000/.well-known/openid-configuration'". I have installed HttpPlatformHandler and set my application pool to "No managed code". My site is bound to port 8890. Navigating to "localhost:8890" throws the error in Chrome and IE. When I run web.cmd from approot folder and navigate to "localhost:5000" it works but only in Chrome. IE gives the same error. Any help, plz?
0

I ran into the exact same issue when trying to use the OWIN OAuth Authorization Server middleware in ASP.NET 5, so I decided to port the code myself. You can find the source at this GitHub repo https://github.com/XacronDevelopment/oauth-aspnet or just use the NuGet packages OAuth.AspNet.AuthServer and OAuth.AspNet.Tokens. Check out the source code to see how things are wired up; the samples in the source are the same samples Microsoft created here http://bit.ly/1MOGDEJ except with ASP.NET 5 examples added.

Improve this answer

1 Comment

Katana's authorization server had many unsolved bugs, still listed on the Codeplex tracker. I took a brief look at your fork and it seems that you've fixed none of them. If you're still looking for the "original authorization server", take a look at AspNet.Security.OpenIdConnect.Server, it offers the same experience but fixes all the known bugs Katana's server had.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.