The slides from my talk at DDDSydney 2016 around Integrating IdentityServer into your applications.

1. OAUTH2 AND
IDENTITYSERVER3
Integrating into your application

2. What we will and won’t cover
■ Will –What is Identity Server and why use it.
■ Will – How to start integrating into your app.
■ Will – Extension points, customisation points, token types.
■ Will – Nasty bits, hard stuff, pain points.
■ Won’t – Detail or explain all OAuth2 flows.
■ Won’t – Show every possible integration scenario and customisation point
■ Take away
– Having a good idea on technical cost, difficulty and suitability for a given situation.
– How to begin and where to go from there.

3. Its not you, It’s me
■ Paul Glavich
■ @glav, glav@theglavs.com
■ ASP.Net MVP 12 years
■ Author 3 books, various articles, http://weblogs.asp.net/pglavich
■ International speaker (does NZ count?)
■ ASPInsider
■ CTO Saasu.com

4. What is Identity Server
■ Spec compliantOAuth2 Authorisation server (STS)
– (That means it’s big and complex)
■ OAuth2 flows and OpenID connect
■ Can integrate with external providers (google etc)
■ Open source, (Dominick Baier and Brock Allen)
– Identity Server 3 v2.5 (latest)
– Identity Server 4 (support for .Net core/vNext) – In progress
■ Series of Nuget packages,Owin based implementation

5. Free accessories
■ Identity Manager
– In beta
– Tool to admin users, claims etc.
– Similar to website admin tool
■ Identity Model
– Helper classes
– Client code
■ https://identityserver.github.io/

6. Why bother?
■ Can develop your own right . . . . .?

7. Writing your own OAuth/Identity Server
■ It can be done…..
■ But often ends in tears.

8. Alternatives
■ Other alternatives
– Auth0 ( https://auth0.com/ )
■ Cloud based, good integration hooks, some cost
– Azure/AD (https://azure.microsoft.com/en-us/services/active-directory/ )
■ Cloud, multi-protocol, some cost
– WS02 ( http://wso2.com/ )
■ Java, multi-protocol (WS-*, OpenId, EIB) – open source and paid versions.

9. Getting started
■ Install nuget package “IdentityServer3”
■ Configure startup
■ Demo: Simplest setup

10. Logging
■ Supports a variety of pluggable log sources.
■ Get logging working first and worry about all the flows later.
■ Saves hours in debugging time.
■ Supports Serilog, Nlog, Log4Net, Enterprise Library & Loupe.
– Install requisite nuget package

11. High levelView
IdSrv Endpoints
AssetsExternal
Integration
Application
Services
Repository
Stores
* Can customise
* Can customise
* Can customise
* Can configure
* Not applicable
to all OAuth flows

12. Customising Assets
■ Stylesheets
■ HtmlViews/Templates
– Login/Logout form
– Consent form
– Permissions view
– Error form
■ Loaded via DefaultViewService (implements IViewService)
■ Customise loading via custom IViewService implementation
<Asset>
<img src=“funny-cat.gif” />
</Asset>

13. Configuring custom assets
■ Only the welcome page is not configurable (but is replaceable)
– Can disable
■ Setup loading of custom partial views
■ Demo

14. What about the data store?
■ EntityFramework 6 Nuget package
■ Fully customisable storage engine via custom interface implementation
– TokenHandleStore, ConsentStore, ClientStore, etc…
– TokenHandleService, ConsentService, ClientService
■ Should at least configure IUserStore, IClientStore, IScopeStore (mandatory).
– AuthorizationCodeStore,TokenHandleStore, RefreshTokenStore, ConsentStore
(mandatory for prod)
■ Demo with dapper

15. Embedded IdentityServer with OpenId
■ IdentityServer to manage the authentication of users and token/cookies.
■ [Authorise] – just works
[Authorize]
public ActionResult Index()
{
ViewBag.Title = "Secured Page";
return View();
}
■ [ResourceAuthorize(“action”,”resource”)] – based on resource and action
– Requires nuget package IdentityModel.Owin.ResourceAuthorization.Mvc
■ Demo

16. It is not all unicorns and rainbows…
■ Integrating IdentityServer is far from simple.
– In reality, it will take some time
■ Errors are not always obvious
■ Look to the samples.There are many.
■ Get used to reading the issue register and following threads.
■ Testing, particularlyAuthorization Code and hybrid flow can be tricky
– Utilise this test harness/console app or write your own

17. Takeaways and items to remember
■ Get logging working first. It will save you hours of debugging.
■ Download all the samples, and familiarise yourself with your specific scenarios.
– Looking at alternate samples may only serve to confuse initially.
– Lots of different ways to get going.
■ When looking at documentation, ensure you are looking at the latest.
– Can easily be looking at older versions inadvertently. Much confusion.
■ Create a test harness, callback site, or something to assist testing and verifications

18. Links and resources
■ Identity Server: https://identityserver.github.io/
■ Demo code, DB scripts: https://github.com/glav/DDDSyd2016
■ OAuth2: http://oauth.net/2/
■ Auth0: https://auth0.com/
■ WS02: http://wso2.com/
■ Me: glav@theglavs.com and @glav

19. 1-5 August
DDD Sydney thanks our sponsors