Protecting Web API 2.2 with IdentityServer4

11
votes

I have Web API 2.2 which uses .Net 4.5.2 framework which is being used by angular2 application and there is existing IdentityServer4 implementation. I want to protect my Web API using IdentityServer4. My question is can I protect Web API 2.2 using IdentityServer4? If yes then I have two follow up questions

  1. Should I use IdentityServer3.AccessTokenValidation nuget package or I will have to use IdentityServer4.AccessTokenValidation? (I tried using IdentityServer4.AccessTokenValidation package however its adding many dependencies related to ASP.Net Core)
  2. What should be value of Authority URL I will have to use?

I could find many examples where IdentityServer4 is being used to protect ASP.Net Core Web APIs. However couldn't find good example where Web API 2.2 protected using IdentityServer4. If possible please point me to good example of identityserver configuration that is required on Web API side.

2
.netasp.net-web-apiidentityserver4
Are you using ASP.NET 4.5? If so, I would think it would be safer to stick with IdentityServer3. IdentityServer4 is a rewrite to include the modularity of ASP.NET Core (including but not limited to Dependency Injection) - DOMZE
Pankaj, did you ever get this working? I'm facing the same project and I'm curious. Any helpful tips would be greatly appreciated! - Post Impatica
I am looking for same sort of solution. were you able to deploy successfully ? can you share some good reference link ? Thanks. - Kishan Gajjar

2 Answers

9
votes

To answer your questions:

1) Your WebApi 2.2 project is undoubtedly using OWIN/Katana from ASP.NET 4.x which means you should to use IdentityServer3.AccessTokenValidation. IdentityServer4.AccessTokenValidation is compatible with the new ASP.NET MVC Core pipeline.

2) You can get your authority by going to your identity providers discovery document at {IdentityUrl}/.well-known/openid-configuration. The authority should be the same one as the "issuer" value in the discovery document. You can also get the authority by looking at a JWT issued by your identity provider by looking at the "iss" claim.

4
votes

After 2017 IdentityServer3.AccessTokenValidation stays frozen while Microsoft refactored their Owin and Identity libs, so the preferred solution for ASP.NET 4.6+ becomes IdentityServer3.Contrib.AccessTokenValidation -- a fork, refactored according to the recent framework changes.