
I'm trying to get my head around how to implement security in a microservices environment and am currently toying with the idea of using .NET Core Identity for user access management (usernames, passwords, hashing, etc.) and IdentityServer4 for token-based authentication and management.

This is because I want a variety of clients to authenticate: a Blazor web site that will use usernames and passwords; other internal APIs which may use tokens; and a mobile app which will also use OAuth token/refresh token logic.

I am trying to implement all this in one microservice so there is just one place all clients go to authenticate - a gatekeeper of sorts.

My question is: is this a good idea or should I be splitting the services?

Secondly: when I'm testing my Login API call from Postman I'm getting a 404 as the API is trying to redirect me to a login page. I would expect a 401 here instead, as I've defined the authentication scheme to be Bearer.

Here is my code:

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers().AddNewtonsoftJson();
        var connectionString = Configuration.GetConnectionString("DefaultConnection");

        // add Users and Role system
        services.AddDbContext<ApplicationDbContext>(options =>
            options.UseSqlServer(connectionString));

        // this configures the dependency injection for the UserManager in the Identity controller constructor.
        services.AddIdentity<IdentityUser, IdentityRole>()
            .AddEntityFrameworkStores<ApplicationDbContext>()
            .AddDefaultTokenProviders();

        // add Client tokens system
        var migrationsAssembly = typeof(Startup).GetTypeInfo().Assembly.GetName().Name;
        services.AddIdentityServer()
            .AddConfigurationStore(options =>
            {
                options.ConfigureDbContext = builder =>
                    builder.UseSqlServer(connectionString,
                        sql => sql.MigrationsAssembly(migrationsAssembly));
            })
            .AddOperationalStore(options =>
            {
                options.ConfigureDbContext = b => b.UseSqlServer(connectionString,
                    sql => sql.MigrationsAssembly(migrationsAssembly));
            })
            .AddAspNetIdentity<IdentityUser>(); // required for Identity and IdentityServer4 to play nice together.

        // add authentication for this service
        services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "http://localhost:5001"; // this service
                options.RequireHttpsMetadata = false;
                options.ApiName = "Identity";
            });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        // InitializeIdentityServerDatabase(app);

        app.UseHttpsRedirection();

        app.UseRouting();

        app.UseIdentityServer();

        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
    }

  • What does your Startup.Configure method look like? Commented Aug 27, 2020 at 6:42
  • You should read up on developing an IDP. With an IDP you want to redirect clients to your login page or a 3rd party login page instead of having the login page as part of the app trying to authenticate. Commented Aug 27, 2020 at 7:06
  • @GuyLowe did you ever resolve this? I've been struggling with identity/identityserver4 for a loooooong time now, and I think I got it; would love to chat. Commented Sep 6, 2020 at 8:43
  • No, not yet Aviad P. We have put that development on hold for now, but I would love to find out how you have gone with this. Can you add an answer here? Commented Sep 7, 2020 at 0:05

1 Answer 1


The AddIdentityServerAuthentication will only kick in if you get a challenge back from the Authorization middleware, i.e. there is an Authorize attribute on the controllers/actions.

In general I also always recommend that you separate IdentityServer from your clients and APIs to get a better separation of concerns.


7 Comments

Right, so I should have a separate microservice for IdentityServer and another that handles the Identity layer? I thought by combining them I could share 1 resource and 1 database, as it made sense to have them all together. I guess not?
How have you added authorization to the API endpoints (controllers?) Without that you would get a 404, I guess. By placing IdentityServer in its own service (perhaps with ASP.NET Identity for user management), you can more easily add more services in the future that share the same IdentityServer. The hardest part with IdentityServer is how to administrate the users.
I removed some parts from my answer because it might be correct. I think the issue with 404 and 401 is due to authorization, not the pipeline setup. But I might be wrong.
If you were to have a pure API with just AddIdentityServerAuthentication, then you should not see any 404's from your API for pages that are found and protected with the Authorize attribute. You have, as I said before, many services in the same pot, so it can because of that be hard to reason about who is doing what.
Good idea! For sanity, keeping them apart will make your life much easier! I think it's important to understand what you build, and having it in the same app makes it hard to reason about it.
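The point made in the answer and its comments (the bearer handler only runs when the authorization middleware issues a challenge, and an API is easier to reason about when it is a separate service from IdentityServer) can be shown as a minimal protected API. This is an added example, not code from the question, the answer, or the IdentityServer4 project. It assumes ASP.NET Core 3.x with the IdentityServer4.AccessTokenValidation package, an API resource named "Identity" as in the question, and a placeholder authority URL; the `ProfileController` and its routes are hypothetical. Unlike the question's Startup, this API does not call `AddIdentity()`, so the default challenge scheme is not the Identity application cookie (whose handler redirects to /Account/Login, which produces a 404 in an app that has no such page); the schemes are pinned to Bearer explicitly anyway so the challenge is a 401.

```csharp
using IdentityServer4.AccessTokenValidation;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();

        // Name every default scheme explicitly. With the challenge scheme pinned to
        // "Bearer", an unauthenticated request gets a 401 with a WWW-Authenticate
        // header rather than a cookie-style redirect to a login page.
        services.AddAuthentication(options =>
            {
                options.DefaultAuthenticateScheme = IdentityServerAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = IdentityServerAuthenticationDefaults.AuthenticationScheme;
            })
            .AddIdentityServerAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme, options =>
            {
                // Placeholder: the separate IdentityServer host, not this API.
                options.Authority = "https://identityserver.example.invalid";
                options.ApiName = "Identity"; // the audience this API expects in the token
            });

        // Fail closed: every endpoint requires an authenticated caller unless it opts
        // out with [AllowAnonymous]. This fallback policy is what raises the challenge
        // the answer refers to, even on actions that carry no [Authorize] attribute.
        services.AddAuthorization(options =>
        {
            options.FallbackPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // validates the bearer token; must precede UseAuthorization
        app.UseAuthorization();    // issues the challenge when the policy is not met
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

// Hypothetical controller used to observe the behaviour from Postman.
[ApiController]
[Route("api/[controller]")]
public class ProfileController : ControllerBase
{
    // Protected by the fallback policy: no valid bearer token -> 401, not a redirect.
    [HttpGet]
    public IActionResult Get() => Ok(new { name = User.Identity?.Name });

    // Explicitly public endpoint, e.g. for health checks.
    [HttpGet("health")]
    [AllowAnonymous]
    public IActionResult Health() => Ok("ok");
}
```

With this in place, `GET /api/profile` without an `Authorization: Bearer ...` header returns 401, `GET /api/profile/health` returns 200 without a token, and a token whose audience is not "Identity" is rejected with 401 as well. Keeping `AddIdentity()` and `AddIdentityServer()` in a separate host avoids the cookie challenge scheme that Identity registers, which is the separation the answer recommends.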
