IdentityServer / IdentityServer3

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana
https://identityserver.github.io/Documentation/
Apache License 2.0

Newbie Questions #3416

Closed tristansehgal closed 7 years ago

tristansehgal commented 7 years ago

Hi,

Appreciate these are very newbie questions but I am completely new to IdentityServer.

My target scenario is:

User authenticates with a number of different clients (either through AD or by providing username and password to the client).

Client sends the user name only to the STS (Identity Server).

STS validates the user name against a database, if valid it issues a token to the client.

Client sends encrypted token containing the user name to the API that needs protecting, the API needs to know what the user name is.

My questions are:

Principally, is my target scenario achievable in IdentityServer?

Can trust be established between client and Identity Server to ensure Identity Server is protected from malicious callers sending a user name? I believe this could be achieved with client certificates but how does IdentityServer verify that it trusts the certificate that the client passes to it?

How would the API know how to decrypt the token that originated from IdentityServer? Would it need to have a copy of the server certificate that Identity Server used to create the token?

What method should I be calling on the TokenClient class when passing simply a user name on from the client?

Appreciate these are very basic newbie / abstract questions here but any bits of guidance would be much appreciated.

Thanks

Tristan.

brockallen commented 7 years ago

This seems to be a general question about IdentityServer - not a bug report or an issue.

Please use StackOverflow for that. This has the advantage that questions and answers can be easily found by search engines, and that there are more people answering questions than just us.

For IdentityServer3 https://stackoverflow.com/questions/tagged/?tagnames=identityserver3&sort=newest

For IdentityServer4 https://stackoverflow.com/questions/tagged/?tagnames=identityserver4&sort=newest

For commercial support https://identityserver.io/