Configure the authorization server endpoint

by

EDIT (01/28/2021): AspNet.Security.OpenIdConnect.Server has been merged into OpenIddict as part of the 3.0 update. To get started with OpenIddict, visit documentation.openiddict.com.

Okay, let’s recap the different OAuth2 middleware (and their respective IAppBuilder extensions) that were offered by OWIN/Katana 3 and the ones that will be ported to ASP.NET Core:

  • app.UseOAuthBearerAuthentication/OAuthBearerAuthenticationMiddleware: its name was not terribly obvious, but it was (and still is, as it has been ported to ASP.NET Core) responsible for validating access tokens issued by the OAuth2 server middleware. It’s basically the token counterpart of the cookies middleware and is used to protect your APIs. In ASP.NET Core, it has been enriched with optional OpenID Connect features (it is now able to automatically retrieve the signing certificate from the OpenID Connect server that issued the tokens).

Note: starting with ASP.NET Core beta8, it is now namedapp.UseJwtBearerAuthentication/JwtBearerAuthenticationMiddleware.

  • app.UseOAuthAuthorizationServer/OAuthAuthorizationServerMiddleware: as the name suggests, OAuthAuthorizationServerMiddleware was an OAuth2 authorization server middleware and was used to create and issue access tokens. This middleware won’t be ported to ASP.NET Core: OAuth Authorization Service in ASP.NET Core.

  • app.UseOAuthBearerTokens: this extension didn’t really correspond to a middleware and was simply a wrapper around app.UseOAuthAuthorizationServer and app.UseOAuthBearerAuthentication. It was part of the ASP.NET Identity package and was just a convenient way to configure both the OAuth2 authorization server and the OAuth2 bearer middleware used to validate access tokens in a single call. It won’t be ported to ASP.NET Core.

ASP.NET Core will offer a whole new middleware (and I’m proud to say I designed it):

  • app.UseOAuthAuthentication/OAuthAuthenticationMiddleware: this new middleware is a generic OAuth2 interactive client that behaves exactly like app.UseFacebookAuthentication or app.UseGoogleAuthentication but that supports virtually any standard OAuth2 provider, including yours. Google, Facebook and Microsoft providers have all been updated to inherit from this new base middleware.

So, the middleware you’re actually looking for is the OAuth2 authorization server middleware, aka OAuthAuthorizationServerMiddleware.

Though it is considered as an essential component by a large part of the community, it won’t be ported to ASP.NET Core.

Luckily, there’s already a direct replacement: AspNet.Security.OpenIdConnect.Server (https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server)

This middleware is an advanced fork of the OAuth2 authorization server middleware that comes with Katana 3 but that targets OpenID Connect (which is itself based on OAuth2). It uses the same low-level approach that offers a fine-grained control (via various notifications) and allows you to use your own framework (Nancy, ASP.NET Core MVC) to serve your authorization pages like you could with the OAuth2 server middleware. Configuring it is easy:

ASP.NET Core 1.x:

// Add a new middleware validating access tokens issued by the server.
app.UseOAuthValidation();

// Add a new middleware issuing tokens.
app.UseOpenIdConnectServer(options =>
{
    options.TokenEndpointPath = "/connect/token";

    // Create your own `OpenIdConnectServerProvider` and override
    // ValidateTokenRequest/HandleTokenRequest to support the resource
    // owner password flow exactly like you did with the OAuth2 middleware.
    options.Provider = new AuthorizationProvider();
});

ASP.NET Core 2.x:

// Add a new middleware validating access tokens issued by the server.
services.AddAuthentication()
    .AddOAuthValidation()

    // Add a new middleware issuing tokens.
    .AddOpenIdConnectServer(options =>
    {
        options.TokenEndpointPath = "/connect/token";

        // Create your own `OpenIdConnectServerProvider` and override
        // ValidateTokenRequest/HandleTokenRequest to support the resource
        // owner password flow exactly like you did with the OAuth2 middleware.
        options.Provider = new AuthorizationProvider();
    });

There’s an OWIN/Katana 3 version, and an ASP.NET Core version that supports both .NET Desktop and .NET Core.

Don’t hesitate to give the Postman sample a try to understand how it works. I’d recommend reading the associated blog post, that explains how you can implement the resource owner password flow.

Feel free to ping me if you still need help.
Good luck!

More Related Contents:

  1. IdentityServer4 Role Based Authorization for Web API with ASP.NET Core Identity
  2. How do I get the contents of a JSON file I added in the StartUp method to use it in one of my actions?
  3. Where did IMvcBuilder AddJsonOptions go in .Net Core 3.0?
  4. ASP.NET Identity’s default Password Hasher – How does it work and is it secure?
  5. Dynamically change connection string in Asp.Net Core
  6. Return View as String in .NET Core
  7. How to get current user, and how to use User class in MVC5?
  8. ASP.NET Core: Exclude or include files on publish
  9. How do I get the kestrel web server to listen to non-localhost requests?
  10. ASP.NET Core Identity – get current user
  11. How to make EF-Core use a Guid instead of String for its ID/Primary key
  12. Why is Asp.Net Identity IdentityDbContext a Black-Box?
  13. TempData null in asp.net core
  14. Convert IHtmlContent/TagBuilder to string in C#
  15. ASP.NET Identity – Multiple object sets per type are not supported
  16. ASP.Net Core MVC – Client-side validation for custom attribute
  17. Unable to edit db entries using EFCore, EntityState.Modified: “Database operation expected to affect 1 row(s) but actually affected 0 row(s).”
  18. Identity in ASP.Net Core 2.1< - Customize AccountController
  19. Simple JWT authentication in ASP.NET Core 1.0 Web API
  20. “Context cannot be used while the model is being created” exception with ASP.NET Identity
  21. How do I inject ASP.NET 5 (vNext) user-secrets into my own utility class?
  22. Tag helper not being processed in ASP.NET Core 2
  23. Bind Dictionary with list in viewmodel to checkboxes
  24. Get the current user, within an ApiController action, without passing the userID as a parameter
  25. The entity type ‘IdentityUserLogin’ requires a primary key to be defined [duplicate]
  26. Error 500.19 with 0x8007000d when running ASP.NET Core app in IIS despite AspNetCoreModule being installed
  27. Dealing with large file uploads on ASP.NET Core 1.0
  28. How can I ensure that appsettings.dev.json gets copied to the output folder?
  29. Can System.Web be used with ASP.Net Core with Full Framework
  30. An error occurred attempting to determine the process id of dotnet.exe which is hosting your application. One or more error occured

Leave a Comment