IdentityServer / IdentityServer3

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana
https://identityserver.github.io/Documentation/
Apache License 2.0

Calling secured Webapi from secured Webapi including User credentials #3847

Closed steffler412 closed 7 years ago

steffler412 commented 7 years ago

Hello,

we use IdentityServer3 for Authentication and Authorization in our company. Resource Owner, Implicit and Hybrid Flows are present in our client applications. Behind the scenes there is a complex architecture including secured web APIs using UseIdentityServerBearerTokenAuthentication.

But I am getting confused at the point where a secured API calls another secured API and the second API needs the information about the user who called the first API with his client. All I can find is that you recommend the client credentials flow in this case, but in this flow no user is included. Is there any recommended way to reuse the access token in API1 to call API2? There is an "ugly" way to get the access token from the request header, but this solution seems not to be the way you should do it...

In other words I want to request an access token including scopes for api1 and api2 for the user's client. Then request api1 to fetch some data. In api1 there is some business logic that needs to call api2 with the user's identity included.

Am I getting something wrong here?

brockallen commented 7 years ago

You want an extension grant: https://identityserver4.readthedocs.io/en/release/topics/extension_grants.html

steffler412 commented 7 years ago

Thanks for the quick response. Do you recommend the implementation of an extension grant rather than requesting an access token with all relevant API scopes included and reusing the token on the API side? The last solution seems like the simplest way...

brockallen commented 7 years ago

That requires your client to know internal implementation details of your API. That's leaky.

steffler412 commented 7 years ago

Seems legit. I have implemented the extension grant like above for simple delegation to exchange the token for another one with the api2 scope. Everything works fine, but this custom grant flow lasts about 600 to 1000 ms for every request from api1 to api2 (because IdentityServer creates a new access token and loads the user info again). That duration is too long, especially when there is an api3, 4, 5, 6... like in a microservice architecture.

Do you recommend caching exchanged long-lived tokens on the API side? Is there an existing .NET library for that? The other way is to cache the user information on the IdentityServer, but if something changes you have old claims in the cache... Maybe there is a different quick solution to get the user's identity and the calling clientId from the token on the backend APIs?

brockallen commented 7 years ago

Yes, caching is the solution.
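Added example (not code from the thread or from the IdentityServer3 project) of what the API-side caching suggested above can look like in api1: the caller's token is exchanged once through the delegation extension grant and the result is cached per incoming token. It assumes IdentityServer3 exposes a custom grant named "delegation" that takes the caller's token in a "token" parameter (as in the docs sample), that api1 is registered as client "api1" with secret "secret", and that the token endpoint URL is a placeholder. The cache entry is bounded by the caller's own "exp" claim, so a user token that has expired cannot keep acting on api2 through api1's cache.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Runtime.Caching;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

// Assumed: custom grant "delegation" on IdentityServer3; client "api1"/"secret"; placeholder URL.
public static class DelegatedTokenProvider
{
    private static readonly HttpClient Http = new HttpClient();
    private static readonly MemoryCache Cache = MemoryCache.Default;
    private const string TokenEndpoint = "https://IDSRV_HOST/core/connect/token"; // placeholder

    // Exchange the caller's access token for an api2 token, cached per incoming token.
    public static async Task<string> GetApi2TokenAsync(ClaimsPrincipal caller, string callerToken)
    {
        var key = "api2:" + Sha256(callerToken);   // hash: never use the raw token as a cache key
        var cached = Cache.Get(key) as string;
        if (cached != null) return cached;

        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "delegation", ["scope"] = "api2", ["token"] = callerToken,
            ["client_id"] = "api1", ["client_secret"] = "secret"
        });
        var resp = await Http.PostAsync(TokenEndpoint, form);
        resp.EnsureSuccessStatusCode();
        var json = JObject.Parse(await resp.Content.ReadAsStringAsync());
        var token = (string)json["access_token"];
        var lifetime = TimeSpan.FromSeconds((int)json["expires_in"] - 30); // refresh a bit early

        // Never cache longer than the caller's own token stays valid ("exp" = seconds since epoch).
        var exp = caller.FindFirst("exp");
        if (exp != null)
        {
            var remaining = DateTimeOffset.FromUnixTimeSeconds(long.Parse(exp.Value)) - DateTimeOffset.UtcNow;
            if (remaining < lifetime) lifetime = remaining;
        }
        if (lifetime > TimeSpan.Zero) Cache.Set(key, token, DateTimeOffset.UtcNow.Add(lifetime));
        return token;
    }

    private static string Sha256(string s)
    {
        using (var sha = SHA256.Create()) return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(s)));
    }
}
```

Inside an api1 controller this is called as `await DelegatedTokenProvider.GetApi2TokenAsync(User as ClaimsPrincipal, incomingBearerToken)`; replace MemoryCache with a distributed cache if api1 runs on several nodes.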