Monday, November 09, 2015

IdentityServer : IdentityServer 3

There's not a lot of documentation on this.

If you come from a background of IdentityServer 2, which is a normal ASP.NET MVC web site with web.config and heaps of admin screens, you are in for a bit of a culture shock (as I was).

First off, idsrv3 has no admin screens. Yup - everything is done in code.

It's based on the OWIN concept of plug-ins.

The easiest way to get started is to go to the Samples directory, i.e. IdentityServer3 Samples.

Then build the "Self-Host with WS-Federation" sample in VS. I used VS 2013.

You'll notice that idsrv3 is concentrated on OpenID Connect and OAuth. WS-Fed and SAML are very much add-ons.

Then right-click the project and choose Debug.

You'll see this in the command prompt:

[WRN] (IdentityServer3.Core.Configuration.IdentityServerServiceFactory)
 AuthorizationCodeStore not configured - falling back to InMemory
[WRN] (IdentityServer3.Core.Configuration.IdentityServerServiceFactory)
 TokenHandleStore not configured - falling back to InMemory
[WRN] (IdentityServer3.Core.Configuration.IdentityServerServiceFactory)
 ConsentStore not configured - falling back to InMemory
[WRN] (IdentityServer3.Core.Configuration.IdentityServerServiceFactory)
 RefreshTokenStore not configured - falling back to InMemory

Server listening at https://localhost:44333/core. Press enter to stop

The "self-host" means no IIS. It has a "built-in" web server. This is part of OWIN, where the idea was to abstract away from the ASP.NET reliance on IIS.

Also, you have to plug in your own identity store. If you don't (as in this example), it falls back to InMemory.

So now if you navigate to https://localhost:44333/core, you'll get the Welcome screen.

If you click the "discovery document" link, you'll see the OpenID Connect "metadata" in JSON format. This is part of the OpenID Connect standard.

If you click the "application permissions" link, you get a login screen.

Now if you have a look through the actual idsrv3 project, you'll see that there are two canned users, viz. alice and bob, with the passwords alice and bob respectively. And there are some canned claims.

So what about WS-Fed?

The metadata address is: https://localhost:44333/core/wsfed/metadata.

Going to https://localhost:44333/core/wsfed gives:

{
  "Message": "Invalid WS-Federation request"
}

much as going to "adfs/ls" in ADFS would.
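As an added example (not the sample's or the IdentityServer3 project's own code), here is what the "everything in code" style described above looks like for a self-hosted idsrv3 with the WS-Fed plug-in: users, clients, scopes and relying parties are all supplied through a factory, and the operational stores are left unset exactly as in the warnings earlier. It assumes the IdentityServer3 and IdentityServer3.WsFederation NuGet packages; the certificate path, PFX password, RP realm and reply URL are placeholders.

```csharp
// Added example, not the sample's code. Assumes the IdentityServer3 + IdentityServer3.WsFederation packages.
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services.InMemory;
using IdentityServer3.WsFederation.Configuration;
using IdentityServer3.WsFederation.Models;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Map under /core so the discovery document and WS-Fed endpoints appear at https://localhost:44333/core/...
        app.Map("/core", core =>
        {
            var factory = new IdentityServerServiceFactory()
                .UseInMemoryUsers(new List<InMemoryUser>
                {   // Canned test users (as in the sample); swap in a real user service for production.
                    new InMemoryUser { Subject = "1", Username = "alice", Password = "alice",
                                       Claims = new[] { new Claim("name", "Alice") } },
                    new InMemoryUser { Subject = "2", Username = "bob", Password = "bob",
                                       Claims = new[] { new Claim("name", "Bob") } }
                })
                .UseInMemoryClients(new List<Client>())       // no OIDC/OAuth clients needed for WS-Fed alone
                .UseInMemoryScopes(StandardScopes.All);
            // Leaving factory.AuthorizationCodeStore / TokenHandleStore / ConsentStore / RefreshTokenStore
            // unset is what causes the "falling back to InMemory" warnings; register persistent stores there.
            core.UseIdentityServer(new IdentityServerOptions
            {
                SiteName = "IdentityServer3 WS-Fed demo",
                // Signs every token issued; use a dedicated, protected key, never a shared dev cert.
                SigningCertificate = new X509Certificate2(@"<PATH-TO-CERT>.pfx", "<PFX-PASSWORD>"),
                Factory = factory,
                PluginConfiguration = ConfigureWsFed   // WS-Fed is an add-on plug-in, not part of core
            });
        });
    }

    private static void ConfigureWsFed(IAppBuilder pluginApp, IdentityServerOptions options)
    {
        var wsFedFactory = new WsFederationServiceFactory(options.Factory);
        wsFedFactory.UseInMemoryRelyingParties(new List<RelyingParty> { new RelyingParty {
            Realm = "urn:example-rp", Enabled = true, ReplyUrl = "https://<RP-HOST>/",   // placeholder RP
            TokenType = TokenTypes.Saml2TokenProfile11, TokenLifeTime = 60 } });
        pluginApp.UseWsFederationPlugin(new WsFederationPluginOptions { IdentityServerOptions = options, Factory = wsFedFactory });
    }
}
```

Self-host it with Microsoft.Owin.Hosting's WebApp.Start&lt;Startup&gt;("https://localhost:44333") and the WS-Fed metadata then appears at /core/wsfed/metadata as described above.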

Enjoy!
