IdentityServer / IdentityServer4.AccessTokenValidation

IdentityServer Access Token Validation for ASP.NET Core
Apache License 2.0

Manually configure endpoints when discovery mechanism not supported? #88

Closed eldiosyeldiablo closed 7 years ago

eldiosyeldiablo commented 7 years ago

We are unfortunately using IdentityServer2 which did not implement the discovery mechanism as that was not in the specification back then.

How can I turn off the discovery mechanism and manually define the endpoints in dotnet core 2.0?

I used https://github.com/IdentityServer/IdentityServer4.Samples/blob/dev/Quickstarts/1_ClientCredentials/src/Api/Startup.cs as a starting point then attempted to define my own BackchannelHttpHandler but it is never invoked.

services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
    .AddIdentityServerAuthentication(options =>
    {
        options.RequireHttpsMetadata = false;

        options.ApiName = "foobar";
        //options.ApiSecret = "secret";

        // Endpoints of the IdentityServer2 instance, supplied by hand because it publishes no discovery document.
        var foobarClientConfig = new FoobarClientConfig()
        {
            OAuth = new OAuthConfig()
            {
                EndPoints = new EndPoints()
                {
                    OAuth = new OAuthEndPoints()
                    {
                        Authorize = "https://auth.example.com/IdSvr/issue/oauth2/authorize",
                        Home = "https://auth.example.com/IdSvr/",
                        Token = "https://auth.example.com/IdSvr/issue/oauth2/token"
                    }
                }
            }
        };

        FoobarCertificateService certificateService = new FoobarCertificateService(foobarClientConfig);

        options.ConfigureJwtBearer(new JwtBearerOptions()
        {
            // Custom back-channel handler; the question reports it is never invoked.
            BackchannelHttpHandler = new FoobarConfigHttpPipeline(certificateService, foobarClientConfig),
            RefreshOnIssuerKeyNotFound = true,
            // Static configuration handed to the handler instead of a discovery document.
            Configuration = new Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfiguration()
            {
                AuthorizationEndpoint = foobarClientConfig.OAuth.EndPoints.OAuth.Authorize,
                Issuer = foobarClientConfig.OAuth.IssuerName,
                TokenEndpoint = foobarClientConfig.OAuth.EndPoints.OAuth.Token,
            },

            IncludeErrorDetails = true,
            // Every check is switched off here (signature, issuer, lifetime, audience),
            // so the handler accepts any well-formed token: debugging settings only.
            TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters()
            {
                ValidateIssuerSigningKey = false,
                ValidateIssuer = false,
                ValidateLifetime = false,
                ValidateAudience = false,
                RequireSignedTokens = false,
                ValidIssuer = "http://auth.example.com",
                AuthenticationType = "OAuth2",
                //ValidAudiences = new List<string>() { "urn:foobar" },
                ValidAudience = "urn:foobar"
            }
        });

        options.Validate();
    });

The application is a 2.0 Web API project using these NuGet packages:

<ItemGroup>
    <PackageReference Include="IdentityServer4.AccessTokenValidation" Version="2.0.0-rc2" />
    <PackageReference Include="Microsoft.AspNetCore.All" Version="2.0.0" />
    <PackageReference Include="Microsoft.AspNetCore.Authentication" Version="2.0.0" />
    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="2.0.0" />
    <PackageReference Include="Microsoft.AspNetCore.Mvc.Core" Version="2.0.0" />
</ItemGroup>

leastprivilege commented 7 years ago

I would recommend you use the Microsoft JWT handler. They allow setting the endpoints on the Configuration property IIRC.

...or upgrade to a version of IdentityServer from this century ;)
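The setup leastprivilege points at, written out as an added example (this is not code from the issue or from the IdentityServer4.AccessTokenValidation project): the Microsoft JwtBearer handler given a hand-built `OpenIdConnectConfiguration`, which it uses instead of fetching a discovery document. The issuer string, the endpoints, the audience `urn:foobar` and the `LoadSigningCertificate` helper are assumed values; `ValidIssuer` has to match the `iss` claim the old server really puts into its tokens. Unlike the settings in the question, every validation check stays on: with no discovery there is also no JWKS download, so the signing key is supplied directly, and `RequireSignedTokens` is kept true so the API does not accept an arbitrary bearer string.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class StaticJwtBearerSetup
{
    // Assumed values: replace with what the IdentityServer2 instance actually emits.
    private const string Issuer = "https://auth.example.com/IdSvr"; // must equal the token's "iss" claim
    private const string AuthorizeEndpoint = "https://auth.example.com/IdSvr/issue/oauth2/authorize";
    private const string TokenEndpoint = "https://auth.example.com/IdSvr/issue/oauth2/token";
    private const string Audience = "urn:foobar";

    // Registers the Microsoft JWT bearer handler with a configuration built by hand,
    // so no discovery document is ever requested. signingCertificate is the public
    // token-signing certificate of the old server, obtained out of band.
    public static IServiceCollection AddStaticJwtBearer(this IServiceCollection services,
                                                        X509Certificate2 signingCertificate)
    {
        if (signingCertificate == null) throw new ArgumentNullException(nameof(signingCertificate));

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                var configuration = new OpenIdConnectConfiguration
                {
                    Issuer = Issuer,
                    AuthorizationEndpoint = AuthorizeEndpoint,
                    TokenEndpoint = TokenEndpoint,
                };
                // No discovery means no JWKS download, so the signing key is added directly.
                configuration.SigningKeys.Add(new X509SecurityKey(signingCertificate));

                // When Configuration is set, MetadataAddress, Authority and the back channel are not used.
                options.Configuration = configuration;
                options.Audience = Audience;

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuerSigningKey = true,
                    RequireSignedTokens = true,
                    ValidateIssuer = true,
                    ValidIssuer = Issuer,
                    ValidateAudience = true,
                    ValidAudience = Audience,
                    ValidateLifetime = true,
                    RequireExpirationTime = true,
                    ClockSkew = TimeSpan.FromMinutes(2),
                };
            });

        return services;
    }

    // Assumed helper: loads the signing certificate by thumbprint from the machine store.
    public static X509Certificate2 LoadSigningCertificate(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Signing certificate not found: " + thumbprint);
            return matches[0];
        }
    }
}
```

In `Startup.ConfigureServices` this is wired up as `services.AddStaticJwtBearer(StaticJwtBearerSetup.LoadSigningCertificate("<thumbprint placeholder>"));`, followed by `app.UseAuthentication()` in `Configure`. Because the configuration is static, `RefreshOnIssuerKeyNotFound` has nothing to refresh against: when the old server rotates its signing certificate, the API has to be redeployed with the new one, which is the operational price of doing without discovery.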