Web API + Identity + JWT + External OIDC providers





Migrating an SPA web app (Angular) and ASP Core Web API from Auth0 auth provider to Identity framework due to some requirements and limitations.

Until now everything was handled by Auth0 and I didn't give much thought to the whole process of authentication. I would simply redirect users to the Auth0 hosted login page where it'd handle everything, call back with an access token, and I would use it for calls to the API, where the API would just verify the JWT.

Now that I need to do this all manually, I am a bit confused. I want to have multiple authentication options: either Email/Password or OIDC auth providers like Google/GitHub.

I can get an access token from these OIDC providers without much problem. But what do I do exactly with it, or to be more precise, how do I configure Identity framework to handle the rest, without doing a lot of manual work? All users have quite a bit of additional data inside Identity framework user classes and I'm not fully sure how I connect that to OIDC tokens.

Sorry for a bit of an abstract question; I think I'm missing some small detail, but at the moment I'm just really confused.










asp.net asp.net-web-api identity






      asked Nov 23 '18 at 13:44









Edgar.A

          1 Answer
A lot of this is in place already, so to test the OIDC tokens, you just need them to be accepted by your consuming API.

To do so, you need to do some configuring, probably the same as you did for Auth0. Since there is a dependency here on the external providers, I'll post a link:

MSDN Google Auth

To accept them, you'll need the following steps:

• register your API with the external provider

• use the provider-dependent instructions to set it up in your API.

The providers are additional to the one you have in place and are referenced by Identity as ExternalProviders.

In general, it's pretty easy. Possibly some things are left out, since I don't know your exact use case.

So you are using an Identity Provider, previously Auth0, and now another (or custom) one.

Just for sanity, a recap of your use case:

• You trust the Identity Provider, so every token signed by this provider is valid.

• Your Identity Provider (and the external ones, e.g. Facebook, Google etc.) are responsible for their own user management.

• Your own Identity Provider needs to handle specific authentication methods, tested against a corporate UserStore. These need to be managed, possibly with AD, Identity username/password or something similar.

• Your Identity Provider provides authentication through JWTs.

• You also want to use external Identity Providers like Facebook etc.

So, as for the setup, you must do the following:

• Implement (or reuse, or use ActiveDirectory or any other) user management tools, if you need to perform some management on them. This means password recovery and all that stuff, which is available in a lot of standard libraries (I think it comes out of the box in Identity).

• Define clients, scopes and claims throughout your system(s). Possibly there is some effort to be made.

• Make sure the JWTs are accepted as authentication throughout your system (this was already in place) and the proper claims are assigned when called for the correct client.

• Register your API with the external providers.

• Set up your API to accept the external JWT tokens (needs some setup with secrets and API keys).

A lot of this is already in place in the Identity framework. There is an article about it here.

If you are willing to do a good exercise (and a lot of work), you could also try to implement things fully customized with IdentityServer4.






                edited Nov 23 '18 at 14:18

























                answered Nov 23 '18 at 14:02









Stefan
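A worked example of the wiring the answer describes (register the external provider, accept the JWT, and connect the external identity to the local Identity user that holds the extra data the question mentions). This is added example code, not code from the question, the answer or Microsoft; `ApplicationUser`, `AppDbContext`, `ExternalAuthController` and the `Jwt:*`/`Google:*` configuration keys are assumed names.

```csharp
// Added example (not from the original post): ASP.NET Core Identity accepting an external
// OIDC provider (Google) and linking that identity to a local user carrying extra profile data.
// ApplicationUser, AppDbContext, ExternalAuthController and the Jwt:*/Google:* keys are hypothetical.
using System.Security.Claims;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class ApplicationUser : IdentityUser { public string? DisplayName { get; set; } }
public class AppDbContext : IdentityDbContext<ApplicationUser>
{ public AppDbContext(DbContextOptions<AppDbContext> o) : base(o) { } }

public static class AuthSetup
{
    // Identity owns local users, JwtBearer protects API calls, Google is one ExternalProvider.
    public static void Configure(IServiceCollection services, IConfiguration cfg)
    {
        services.AddIdentity<ApplicationUser, IdentityRole>(o => o.User.RequireUniqueEmail = true)
                .AddEntityFrameworkStores<AppDbContext>();
        services.AddAuthentication()
            // Authority = issuer whose signing keys are trusted; Audience rejects tokens minted for other APIs
            .AddJwtBearer(o => { o.Authority = cfg["Jwt:Authority"]; o.Audience = cfg["Jwt:Audience"]; })
            .AddGoogle(o =>
            {
                o.ClientId = cfg["Google:ClientId"]!;         // secrets live in configuration,
                o.ClientSecret = cfg["Google:ClientSecret"]!; // never in source control
                o.SignInScheme = IdentityConstants.ExternalScheme; // hand the result to Identity
            });
    }
}

[ApiController, Route("auth")]
public class ExternalAuthController : ControllerBase
{
    private readonly SignInManager<ApplicationUser> _signIn;
    private readonly UserManager<ApplicationUser> _users;
    public ExternalAuthController(SignInManager<ApplicationUser> s, UserManager<ApplicationUser> u) { _signIn = s; _users = u; }

    // Step 1: the SPA opens this URL; Identity redirects the browser to the provider.
    [HttpGet("external/{provider}")]
    public IActionResult Start(string provider, string returnUrl = "/")
    {
        var redirect = Url.Action(nameof(Callback), "ExternalAuth", new { returnUrl });
        return Challenge(_signIn.ConfigureExternalAuthenticationProperties(provider, redirect), provider);
    }

    // Step 2: the provider's claims now sit in the external cookie; map them to a local user.
    [HttpGet("external-callback")]
    public async Task<IActionResult> Callback(string returnUrl = "/")
    {
        var info = await _signIn.GetExternalLoginInfoAsync();
        if (info is null) return Unauthorized();             // no valid external sign-in present
        // Fast path: this provider/key pair is already recorded in AspNetUserLogins.
        var result = await _signIn.ExternalLoginSignInAsync(info.LoginProvider, info.ProviderKey,
                                                             isPersistent: false, bypassTwoFactor: false);
        if (result.Succeeded) return LocalRedirect(returnUrl);
        var email = info.Principal.FindFirstValue(ClaimTypes.Email);
        if (email is null) return BadRequest("provider did not supply an email claim");
        // Unlinked local account with the same email: never link on an email claim alone
        // (account-takeover risk); require a password sign-in, then link from account settings.
        if (await _users.FindByEmailAsync(email) is not null)
            return Conflict("sign in with your password, then link this provider");
        // First visit: create the local user with its extra data and record the external login.
        var user = new ApplicationUser { UserName = email, Email = email,
                                         DisplayName = info.Principal.FindFirstValue(ClaimTypes.Name) };
        var create = await _users.CreateAsync(user);
        if (!create.Succeeded) return BadRequest(create.Errors);
        await _users.AddLoginAsync(user, info);
        await _signIn.SignInAsync(user, isPersistent: false, info.LoginProvider);
        return LocalRedirect(returnUrl);
    }
}
```

Because `AddIdentity` makes the application cookie the default scheme, API endpoints that must accept the bearer token should declare `[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]`.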
