Generally speaking, web security is a basic requirement for any user-facing application today. It is no longer enough to protect an application with simple password authentication and a cookie/session for user state; we need stronger, standards-based authentication using protocols such as OAuth 2.0, OpenID Connect, SAML 2.0 and WS-Federation.
Here I am going to demonstrate IdentityServer4, an open-source OpenID Connect and OAuth 2.0 framework for ASP.NET Core.
Nowadays we rarely have a simple server-client application in real-world scenarios; instead we have more complex call chains such as Web Application -> Web API, Web API -> Web API, Native App -> Web API and Client App -> API, as shown in the image below.
In such a system it is better to use a central token-based authentication mechanism: every application trusts one issuer and validates its tokens the same way, which gives a consistent security model and avoids duplicating authentication logic across applications.
IdentityServer4 provides the authentication options to cover all of these scenarios.
Let's start the Identity Server journey as a novice:
What is Identity Server?
- It is an authentication server that authenticates client applications and their users and provides their identity to the client applications.
- It also provides single sign-on across various applications.
- It can also authenticate users via third-party identity providers such as Facebook and Google.
- In short, it is the framework that manages and authenticates clients, issues identity and access tokens to them, protects resources and validates tokens.
How does it help in securing applications?
- It is middleware that adds OpenID Connect and OAuth 2.0 compliant endpoints (discovery, authorize, token, userinfo, end session, and so on) to an ASP.NET Core application.
- You only need to build the login/logout pages (and a consent page, if you need one); IdentityServer adds the protocol endpoints so that client applications can talk to it.
Now let's understand the terms used during Identity Server integration:
Identity Server / Identity Provider:
It is the authentication server that authenticates users and provides their identity to client applications.
Clients:
These are the applications that use the identity server for user authentication. Each one is registered in the identity server's client list, with its ID, secret (where applicable), allowed grant types, redirect URIs and allowed scopes.
Users:
These are the people who use the client applications and sign in through the identity server.
Resources:
These are the things you want to protect with the identity server, whether user data (identity resources) or APIs (API scopes/resources).
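The following is an added example, not code from the original post or from the IdentityServer4 project itself. It wires the pieces defined above (identity provider, clients, users, resources) into one IdentityServer4 4.x Startup using the in-memory configuration stores. The client IDs, secrets, redirect URIs and the test user are made-up sample values, and the developer signing credential is for local development only.

```csharp
// Startup.cs of the identity provider (ASP.NET Core 3.1 / IdentityServer4 4.x).
// Added example; client IDs, secrets, scopes and the test user are made-up sample values.
using System.Collections.Generic;
using System.Security.Claims;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Test;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();   // hosts the login/logout pages you write yourself

        services.AddIdentityServer()
            // Dev-only key material: in production load a real RSA/ECDSA key
            // (e.g. AddSigningCredential with an X509Certificate2 from a key vault).
            .AddDeveloperSigningCredential()
            // Identity resources = user claims that end up in the identity token.
            .AddInMemoryIdentityResources(new List<IdentityResource>
            {
                new IdentityResources.OpenId(),   // "sub" claim; mandatory for OpenID Connect
                new IdentityResources.Profile(),  // name, given_name, family_name, ...
            })
            // API scopes = what an access token can be issued for.
            .AddInMemoryApiScopes(new List<ApiScope>
            {
                new ApiScope("api1", "Sample API"),
            })
            // Clients = the applications registered at the identity server.
            .AddInMemoryClients(new List<Client>
            {
                // Machine-to-machine (Web API -> Web API): no user involved, only an access token is issued.
                new Client
                {
                    ClientId = "api-caller",
                    ClientSecrets = { new Secret("change-me".Sha256()) },
                    AllowedGrantTypes = GrantTypes.ClientCredentials,
                    AllowedScopes = { "api1" },
                },
                // Interactive web application: the user signs in; the client gets an identity token
                // plus an access token for api1. Authorization code flow with PKCE.
                new Client
                {
                    ClientId = "web-app",
                    ClientSecrets = { new Secret("change-me-too".Sha256()) },
                    AllowedGrantTypes = GrantTypes.Code,
                    RequirePkce = true,
                    RedirectUris = { "https://localhost:5002/signin-oidc" },
                    PostLogoutRedirectUris = { "https://localhost:5002/signout-callback-oidc" },
                    AllowedScopes =
                    {
                        IdentityServerConstants.StandardScopes.OpenId,
                        IdentityServerConstants.StandardScopes.Profile,
                        "api1",
                    },
                },
            })
            // Users = the people who sign in through the client applications.
            // In-memory test users only; a real deployment uses ASP.NET Core Identity or another user store.
            .AddTestUsers(new List<TestUser>
            {
                new TestUser
                {
                    SubjectId = "1",
                    Username = "alice",
                    Password = "alice",
                    Claims = { new Claim("name", "Alice Example") },
                },
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseStaticFiles();
        app.UseRouting();
        // Adds /.well-known/openid-configuration, /connect/authorize, /connect/token,
        // /connect/userinfo, /connect/endsession and the other protocol endpoints.
        app.UseIdentityServer();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

Two settings in this block deserve a second look before anything goes live: `AddDeveloperSigningCredential()` generates and persists a throwaway key on first start and must be replaced by a managed signing key, and every redirect URI should be an exact HTTPS match, since IdentityServer compares them strictly to prevent tokens being sent to an attacker-controlled page.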
Two types of tokens are used in the various authentication flows.
1) Identity token:
It is issued once the user is authenticated and contains basic identity data about the user; it can also carry additional user claims that the client requested. It is an OpenID Connect ID token addressed to the client application (its audience is the client ID), so the client uses it to establish the user's session and does not forward it to APIs.
2) Access token:
It is issued when the client alone, or the client and the user together, have been authenticated and authorized to use a resource such as an API. The client sends it as a bearer token on its API calls, and the API must validate it (signature against the issuer's published keys, issuer, expiry and the scopes it was issued for) before serving the request.
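To show the access token in use, here is an added example (not from the original post or the IdentityServer4 project) covering a Web API -> Web API call: the protected API validates the bearer token and requires the "api1" scope, and the caller obtains that token with the client credentials grant. It assumes the identity server from this post runs at https://localhost:5001, the protected API at https://localhost:6001, and a registered client "api-caller" with the secret shown; the NuGet packages Microsoft.AspNetCore.Authentication.JwtBearer and IdentityModel are assumed to be referenced.

```csharp
// Added example. (1) Protected API validating the access token; (2) caller acquiring and using it.
// Assumed values: identity server https://localhost:5001, API https://localhost:6001,
// client "api-caller" with secret "change-me" allowed the scope "api1".
using System;
using System.Linq;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// ---- (1) Protected API: Startup.cs ----
public class ApiStartup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // The handler downloads the discovery document and signing keys from the issuer
                // and checks signature, issuer and expiry of every incoming token.
                options.Authority = "https://localhost:5001";
                // With IdentityServer4 4.x in-memory ApiScopes (no ApiResource), access tokens
                // carry no "aud" claim, so audience is enforced through the "scope" claim below.
                options.TokenValidationParameters.ValidateAudience = false;
            });

        services.AddAuthorization(options =>
        {
            options.AddPolicy("ApiScope", policy =>
            {
                policy.RequireAuthenticatedUser();
                policy.RequireClaim("scope", "api1");   // token must have been issued for this API
            });
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // validates the bearer token on every request
        app.UseAuthorization();    // applies the ApiScope policy
        app.UseEndpoints(endpoints => endpoints.MapControllers().RequireAuthorization("ApiScope"));
    }
}

[ApiController, Route("identity")]
public class IdentityController : ControllerBase
{
    // Echoes the claims the API saw in the validated access token (client_id, scope, iss, exp, ...).
    [HttpGet]
    public IActionResult Get() => new JsonResult(User.Claims.Select(c => new { c.Type, c.Value }));
}

// ---- (2) Caller (another Web API or a daemon): obtain an access token and use it ----
public static class ApiCaller
{
    public static async Task<string> CallIdentityEndpointAsync()
    {
        using var client = new HttpClient();

        // Discovery: read the token endpoint from the issuer's metadata instead of hard-coding it.
        var disco = await client.GetDiscoveryDocumentAsync("https://localhost:5001");
        if (disco.IsError) throw new InvalidOperationException(disco.Error);

        // Client credentials: only the client is authenticated, no user is involved,
        // so an access token is issued but no identity token.
        var tokenResponse = await client.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
        {
            Address = disco.TokenEndpoint,
            ClientId = "api-caller",
            ClientSecret = "change-me",
            Scope = "api1",
        });
        if (tokenResponse.IsError) throw new InvalidOperationException(tokenResponse.Error);

        // The access token travels in the Authorization: Bearer header of the API call.
        client.SetBearerToken(tokenResponse.AccessToken);
        var response = await client.GetAsync("https://localhost:6001/identity");
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}
```

Note that the API never contacts the identity server per request: it caches the issuer's signing keys from the discovery document and validates the JWT locally, which is what makes the central token-based approach scale. A token issued for a different scope, or by a different issuer, fails the policy or the signature check and the API returns 401/403 without any application code being involved.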
Thanks are definitely due to Dominick Baier and Brock Allen for this awesome framework.
To summarize, I have introduced Identity Server here. You can explore the various authentication flows and code samples to understand more about Identity Server. In the next post I will explain single sign-out among IdentityServer4 clients using the OpenID Connect Back-Channel Logout specification.