wwwlicious / servicestack-authentication-identityserver

A plugin for ServiceStack and IdentityServer that provides OpenIDConnect / OAuth 2.0 Single Sign-On Authentication

Plugin extensibility? #3

Closed murraywsmith closed 7 years ago

murraywsmith commented 7 years ago

I have an IdentityServer4 implementation that stores the id tokens and access tokens it creates in a nosql database.

I would like my WebApps and WebApis to validate the id tokens and access tokens they receive from calling clients directly against the tokens stored in the nosql database, rather than making the extra hop of going to IdentityServer, which will then go to the nosql database to validate the token.

To accomplish this I see a couple of options: 1) implement my own ServiceStack.Auth.AuthProvider, or 2) override the behavior of the ServiceStack.Authentication.IdentityServer plugin.

If I want to pursue option 2, is there an existing way to do that? I've been looking at implementing my own IIdentityServerIdTokenValidator. But then I need some way to plug it into the UserAuthProvider class, and I don't see any existing way to do that. A number of methods and attributes are marked internal or private, making it difficult to create a new class derived from UserAuthProvider that could use my IIdentityServerIdTokenValidator instance. And then I will have the difficulty of getting my derived UserAuthProvider instantiated by the IdentityServerAuthFeature instance. So I'm not sure if this is the right approach.

I wonder if I would be better off to simply implement my own ServiceStack.Auth.Provider to handle the token validation. But the part I'm uncertain about is how to reproduce the automatic redirection to the IdentityServer login page when there is no identity token or if the id token is invalid. That all works quite nicely in the ServiceStack.Authentication.IdentityServer plugin and I'm not sure how difficult it would be to reproduce it in my own ServiceStack.Auth.AuthProvider plugin.

Any suggestions or advice are welcome.

stuartbfs commented 7 years ago

Hi there,

I can accept a pull request to make private/internal properties public / protected.

I'm not sure on the rationale for accessing the nosql database directly in your web app / services. At that point, your apps wouldn't really be using the OAuth 2 protocol, which is one of the fundamental reasons for using Identity Server.