A suitable case for IdentityServer?

[feina]

I want to add authentication to a group of websites. I would like to add traditional authentication (user and password) and social login (Facebook & Google+).

I would like to delegate all authentication related tasks to IdentityServer. Is IdentityServer suitable for this use case? Which authentication flow would be the best in order to deliver the best user experience?

Thanks

[leastprivilege]

Absolutely. Check the samples repo (especially the clients sample).

[feina]

Thanks. I checked the samples repo but I didn't find a sample matching my use case.

In my case, I would like to integrate a login form requiring user and password in some place of my webapp main page. Logins performed using this form would neither cause the redirect of the main page nor opening a new window. I would also like to show social login buttons, which would inevitably open a new window to the corresponding social provider, but still without causing a redirection in my main page.

Can I get all this functionality using IdentityServer?

[leastprivilege]

Well - the whole point of identity server is encapsulate and separate the functionality from the actual business application. If you want everything "inside" your application I don't see the point.

That said - you could "remote control" idsrv using the acr_values authorize request parameter (check the docs). Not sure that's what you are really looking for.

[feina]

The idea of having identity functionality encapsulated in a service certainly appeals to me: this is the main reason I am considering Identity Server. I would like to use Identity Server as a service for authenticating users in websites, mobile apps, APIs and desktop applications.

In the case of our website authentication however, a seamless user experience is a must. Users should be able to authenticate (local login: user & password) at any point with an integrated experience: without seeing redirects or new browser windows appear. So the login form should be embedded in the website page.

I was wondering how to deal with this case since (with my limited knowledge) I have not found any authentication flow that does not perform a redirection at some point. Maybe using the JavascriptImplicitClient sample or some sort of resource owner password credential flow?

[leastprivilege]

You can use resource owner flow from your server side code - but you will not get SSO.

You can use acr_values to send username/password from a local form to idsrv (with redirect). There is no way to do google etc auth without redirect.

[feina]

From your answers I come to the conclusion that the best solution for my case is using an iframe to get the login page from IdentityServer. I think commercial identity providers like LoginRadius and Janrain use this technique, don't they?.

What do you think of this solution? Does it have any security issues (like clickjacking)?

[leastprivilege]

Many issues. We don't allow that.

Sent from my iPhone

On 25.03.2015, at 22:47, feina notifications@github.com wrote:

From your answers I come to the conclusion that the best solution for my case is using an iframe to get the login page from IdentityServer. I think commercial identity providers like LoginRadius and Janrain use this technique, don't they?.

What do you think of this solution? Does it have any security issues (like clickjacking)?

— Reply to this email directly or view it on GitHub.

[joukeatze]

I think I read a thread that stated that the consent option of the user would allow an iframe, although the SAMEORIGIN is set in the X-Frame-Options header....???

[brockallen]

The iframe only works for authorization requests to renew tokens where the user has already given consent. In that scenario, there is no HTML being displayed (thus no need for XFO).