IdentityServer / IdentityServer4.AccessTokenValidation

IdentityServer Access Token Validation for ASP.NET Core
Apache License 2.0

Enhanced AddIdentityServerAuthentication extension method to accept J… #102

Closed mortezaalizadeh closed 6 years ago

mortezaalizadeh commented 6 years ago

Enhanced AddIdentityServerAuthentication extension method to accept JWT and OAuth2 Introspection configuration options as input parameters

leastprivilege commented 6 years ago

What exactly is enhanced here?

mortezaalizadeh commented 6 years ago

My requirement is to have both JWT and Reference token configured in my APIs. The client request will include a bearer token and the API service will authorize the request by going to the Identity Server to validate that. I'd also like to secure the request messages between different API servers without the need to go to the Identity Server again. This is where I need the self-contained token support in my APIs. There is no easy way to configure an ASP.NET application to have both JWT and Reference token configured in the IdentityServerAuthenticationExtensions class. The enhancement will let the user pass down the JWT configuration option while calling the AddIdentityServerAuthentication method to configure the reference token.

leastprivilege commented 6 years ago

Aren't we doing that already here:

https://github.com/IdentityServer/IdentityServer4.AccessTokenValidation/blob/dev/src/IdentityServer4.AccessTokenValidation/IdentityServerAuthenticationExtensions.cs#L79

DavidLievrouw commented 6 years ago

No, this is not the same, imho.

Use case: I want to set introspectionOptions.DiscoveryPolicy.ValidateIssuerName to false. There is no overload of the extension method that allows you to do that.

The overload you are pointing to requires me to duplicate the code in the "IdentityServerAuthenticationOptions.ConfigureJwtBearer" and "IdentityServerAuthenticationOptions.ConfigureIntrospection" internal methods.

For my issue, you could also add another property to IdentityServerAuthenticationOptions called "ValidateIssuerName", like you have "RequireHttpsMetadata", or make the "DiscoveryPolicy" configurable in IdentityServerAuthenticationOptions. But I think this pull request provides a more flexible solution.
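For reference, an added example (not part of the thread or the project's own code) of what using the existing two-delegate overload looks like when the goal is to reach `DiscoveryPolicy.ValidateIssuerName` on the introspection handler. The authority URL, API name and secret are placeholders; every setting the single-options overload would have derived has to be repeated by hand in both delegates.

```csharp
using IdentityServer4.AccessTokenValidation;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Placeholder values, assumed for this example only.
    private const string Authority = "https://sts.example.test";
    private const string ApiName = "api1";

    public void ConfigureServices(IServiceCollection services)
    {
        services
            .AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
            .AddIdentityServerAuthentication(
                IdentityServerAuthenticationDefaults.AuthenticationScheme,
                jwt =>
                {
                    // Self-contained (JWT) tokens: validated locally against
                    // the signing keys published by the authority.
                    jwt.Authority = Authority;
                    jwt.Audience = ApiName;
                    jwt.RequireHttpsMetadata = true;
                },
                introspection =>
                {
                    // Reference tokens: validated by calling the authority's
                    // introspection endpoint with the API's own credentials.
                    introspection.Authority = Authority;
                    introspection.ClientId = ApiName;
                    introspection.ClientSecret = "<api-secret-from-configuration>";

                    // The setting from the use case above. It relaxes the check
                    // of the issuer name in the discovery document, so leave it
                    // at its default unless the deployment requires otherwise.
                    introspection.DiscoveryPolicy.ValidateIssuerName = false;
                });
    }
}
```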

mortezaalizadeh commented 6 years ago

Sorry guys for the delay in response, it's been a very busy two to three weeks for me. If I can recall my actual requirement, I wanted to have both self-contained and reference token support configured and that was not possible through the available APIs. That's why I created this pull request. We had to put that work on hold for a while, but I need to come back to it soon again. If you still need the detail, I can get back to the code, re-implement the use case again and attach the code snippets here. Cheers

leastprivilege commented 6 years ago

@mortezaalizadeh I am looking into it now. Is this still an issue / would you still implement it like that?

mortezaalizadeh commented 6 years ago

Hi @leastprivilege, I left the company where I had the use case, and where I work now does not use IdentityServer, so it is not a priority for me, but if you think the changes make sense to you and are worth merging, please go ahead. Thank you

leastprivilege commented 6 years ago

OK - I put the DiscoveryPolicy on the top level options.