1 vote

I have a website in ASP.NET Core based on Identity, and I can't find how to interact with its services from a C# app. The website allows logging in via email+password or Facebook; I would like to do the same from the app, but of course via an API, not the mobile website.

I am a bit confused, I can find different solutions, such as:

OAuth2.0, OpenId Connect and IdentityServer or just OpenId Connect

The second link seems like what I am looking for, but I am a bit confused: what is the difference from the OpenIdDict-Core service that is mentioned in the description?

Which one would be the right solution? I just want to authenticate, using a password or an external login, and then consume APIs using a C# client (.NET Standard).

Thanks!

1
I posted a few details about ASOS/OpenIddict; I hope it will help. Note that I deliberately ignored your second question, as it's "primarily opinion-based" (and since I'm the main guy behind ASOS and OpenIddict, I'm not really objective). - Kévin Chalet
I guess OpenIddict is the right solution for me, then; I am going to investigate/test a bit more :) Thanks for the clarifications (including the fact that ASOS and OpenIddict are linked together by somebody)! - Jean

1 Answer

1 vote

The second link seems like what I am looking for, but I am a bit confused: what is the difference from the OpenIdDict-Core service that is mentioned in the description?

AspNet.Security.OpenIdConnect.Server (codenamed ASOS) is the equivalent of OWIN/Katana's OAuthAuthorizationServerMiddleware in the ASP.NET Core world: it's a low-level OpenID Connect framework that can be used to implement your own server, using the same events-based approach as the rest of the ASP.NET Core Security middleware.

ASOS provides all the primitives you need (e.g. OpenIdConnectRequest and OpenIdConnectResponse) and handles most of the protocol details for you (e.g. request validation or token generation), but it's up to you to implement things like client authentication or user authentication.

ASOS is not for everyone: it has been specifically designed to offer a low-level, protocol-first experience and to be as flexible as possible. If you're not comfortable at all with how OAuth2/OpenID Connect work in general, then it's likely not for you.

For more information about ASOS, you can read this blog post series: http://kevinchalet.com/2016/07/13/creating-your-own-openid-connect-server-with-asos-introduction.

OpenIddict is an OpenID Connect server library that is based on ASOS: it handles things like client authentication or token revocation for you and provides the interfaces you need for that (it also comes with default EF-based stores).

Unlike ASOS, it's an opinionated server whose main objective is to encourage you to do the right thing by rejecting everything that is not considered "safe" from a security perspective (e.g. it will reject authorization requests containing response_type=token if the client is a confidential client).

The idea behind OpenIddict is that all you have to implement is user authentication, which can be done using ASP.NET Core Identity in your own MVC controller. Everything else is considered dangerous and is deliberately hidden and handled by OpenIddict.

If you want to learn more about OpenIddict, I'd recommend reading this blog post: https://blogs.msdn.microsoft.com/webdev/2016/10/27/bearer-token-authentication-in-asp-net-core/
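Whichever of the two server libraries is chosen, the C# client the question asks about only ever talks to the standard OAuth2 endpoints the server exposes, so the client code does not depend on ASOS or OpenIddict at all. The following is an added example, not code from the answer above or from the ASOS/OpenIddict projects: a .NET Standard-style client that performs the resource owner password grant against the token endpoint, calls a bearer-protected API, and uses the refresh token when the access token is about to expire or the API answers 401. The token endpoint path /connect/token, the client id "mobile-app", the API path /api/profile and the fact that the server has the password grant enabled for that client are assumptions made for the example.

```csharp
// Added example (not from the original answer or the OpenIddict/ASOS projects):
// a client that authenticates against an OAuth2/OpenID Connect token endpoint
// such as the one OpenIddict exposes, then calls an API with the bearer token.
// Assumptions (not on the original page): the token endpoint is /connect/token,
// the public client "mobile-app" is allowed to use the password grant, and the
// API at /api/profile requires a bearer token.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;

public sealed class TokenSet
{
    public string AccessToken { get; set; }
    public string RefreshToken { get; set; }
    public DateTimeOffset ExpiresAt { get; set; }
}

public sealed class ApiClient
{
    private readonly HttpClient _http;
    private readonly Uri _tokenEndpoint;
    private readonly string _clientId;
    private TokenSet _token;

    public ApiClient(HttpClient http, Uri authority, string clientId)
    {
        _http = http;
        _tokenEndpoint = new Uri(authority, "connect/token");
        _clientId = clientId;
    }

    // Resource owner password credentials grant (RFC 6749 section 4.3). Only
    // suitable for a first-party app, and the server must enable it explicitly.
    public Task LoginAsync(string username, string password) =>
        RequestTokenAsync(new Dictionary<string, string>
        {
            ["grant_type"] = "password",
            ["username"] = username,
            ["password"] = password,
            ["scope"] = "openid offline_access", // offline_access asks for a refresh token
        });

    // Refresh token grant (RFC 6749 section 6): trade the refresh token for a new pair.
    private Task RefreshAsync() =>
        RequestTokenAsync(new Dictionary<string, string>
        {
            ["grant_type"] = "refresh_token",
            ["refresh_token"] = _token.RefreshToken,
        });

    private async Task RequestTokenAsync(Dictionary<string, string> form)
    {
        form["client_id"] = _clientId; // public client: no client secret is sent
        using (var response = await _http.PostAsync(_tokenEndpoint, new FormUrlEncodedContent(form)))
        {
            var body = await response.Content.ReadAsStringAsync();
            using (var json = JsonDocument.Parse(body))
            {
                var root = json.RootElement;
                if (!response.IsSuccessStatusCode)
                {
                    // The token endpoint reports failures as {"error": ..., "error_description": ...}
                    var error = root.TryGetProperty("error", out var err) ? err.GetString() : response.StatusCode.ToString();
                    throw new InvalidOperationException("Token request failed: " + error);
                }
                _token = new TokenSet
                {
                    AccessToken = root.GetProperty("access_token").GetString(),
                    RefreshToken = root.TryGetProperty("refresh_token", out var rt) ? rt.GetString() : null,
                    ExpiresAt = DateTimeOffset.UtcNow.AddSeconds(root.GetProperty("expires_in").GetInt32()),
                };
            }
        }
    }

    public async Task<string> GetAsync(Uri resource)
    {
        if (_token == null) throw new InvalidOperationException("Call LoginAsync first.");
        // Refresh slightly before expiry (30 s of clock skew), then retry once on 401.
        if (_token.RefreshToken != null && _token.ExpiresAt <= DateTimeOffset.UtcNow.AddSeconds(30))
            await RefreshAsync();

        var response = await SendWithBearerAsync(resource);
        if (response.StatusCode == HttpStatusCode.Unauthorized && _token.RefreshToken != null)
        {
            await RefreshAsync();
            response = await SendWithBearerAsync(resource);
        }
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }

    private Task<HttpResponseMessage> SendWithBearerAsync(Uri resource)
    {
        var request = new HttpRequestMessage(HttpMethod.Get, resource);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", _token.AccessToken);
        return _http.SendAsync(request);
    }
}

// Usage (hypothetical host and credentials):
// var client = new ApiClient(new HttpClient(), new Uri("https://localhost:5001/"), "mobile-app");
// await client.LoginAsync("alice@example.com", "P@ssw0rd");
// var profile = await client.GetAsync(new Uri("https://localhost:5001/api/profile"));
```

The password grant only covers the email+password case. An external login such as Facebook cannot be driven through it, because the user has to authenticate at Facebook in a browser: for that the app opens the server's authorization endpoint in a browser and receives an authorization code back (the authorization code flow), which is outside this example. Note also that the client sends no client secret; a mobile or desktop app cannot keep one, so it should be registered on the server as a public client.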