2
votes

My organization uses IdentityServer4 for bearer authentication as a single sign-on provider.

We also have a number of services written in .NET Framework 4.6 and OWIN. What would be the "correct" way to validate tokens from IdentityServer4 in an OWIN Web API?

I found the NuGet package IdentityServer3.AccessTokenValidation, which works with OWIN. But the package IdentityServer4.AccessTokenValidation seems to work only with ASP.NET Core, as far as I understand it.

Do I have to configure validation manually via the IdentityServerBearerTokenValidationMiddleware class? Or is there a better solution?

1 Answer

5
votes

You can use IdentityServer 3 packages for .NET Framework 4.6 applications while IdentityServer 4 runs on .NET Core.

They should be compatible and I know this is true for .NET Core 1.1. I haven't tried for .NET Core 2.0. There are lots of breaking changes, but I assume it is still possible.

From the updated article from Scott Brady:

When we integrate a client application with IdentityServer, we are not integrating to an implementation. Instead we are integrating using the OpenID Connect or OAuth specifications. This means any application that currently works with IdentityServer 3 will work with IdentityServer 4.

As a side note: IdentityServer 3 isn't maintained anymore. But this shouldn't matter for the current packages.
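
The approach from the answer above as an OWIN `Startup` class, given here as an added example that is not part of the original post: the IdentityServer3.AccessTokenValidation middleware is pointed at the IdentityServer4 instance. The authority URL, the scope name `api1` and the namespace `SampleApi` are placeholders, and the sketch assumes the Microsoft.AspNet.WebApi.Owin package is installed for `UseWebApi`.

```csharp
using System.Web.Http;
using IdentityServer3.AccessTokenValidation;
using Microsoft.Owin;
using Owin;

[assembly: OwinStartup(typeof(SampleApi.Startup))]

namespace SampleApi
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Register the bearer token middleware before Web API so that
            // every request is authenticated before it reaches a controller.
            app.UseIdentityServerBearerTokenAuthentication(
                new IdentityServerBearerTokenAuthenticationOptions
                {
                    // Base URL of the IdentityServer4 instance (placeholder).
                    // The middleware reads the discovery document from here.
                    Authority = "https://sso.example.com",

                    // Validate JWT access tokens locally against the signing
                    // keys published in the discovery document.
                    ValidationMode = ValidationMode.Local,

                    // Reject tokens that do not carry this API's scope
                    // (placeholder scope name).
                    RequiredScopes = new[] { "api1" }
                });

            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();

            // Require an authenticated caller on every controller by default;
            // opt out per action with [AllowAnonymous] where needed.
            config.Filters.Add(new AuthorizeAttribute());

            app.UseWebApi(config);
        }
    }
}
```

Setting `RequiredScopes` and the global `AuthorizeAttribute` matters here: without them, any validly signed token from the same issuer, including one issued for a different API, would be accepted.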