1
votes

I am developing a new solution composed of an ASP.NET Core server, an Angular SPA and a remote OpenID Connect server (IdentityServer4). I would like to allow users to connect using their local Identity user account when the remote OpenID Connect server is not reachable, for example when internet connection is lost.

By default, local accounts, when using Asp.Net CORE Identity, are relying on cookies, which is obviously bad, because I want the Angular SPA to use ONLY OpenID Connect, instead of developing several providers/flows.

Is it possible to develop an authorize endpoint (I'm using ONLY the 'implicit' grant type) on my ASP.NET Core server app which would redirect to my OpenID Connect server's authorize endpoint when it is reachable, and that would return a locally computed token when the OpenID Connect server is unavailable? This way, my Angular SPA would only know the authorize endpoint of my ASP.NET Core server, and the latter would be able to switch from local to remote accounts depending on needs.

Thanks in advance


2 Answers

2
votes

I will compose an answer on my understanding regarding your questions.

First implement JWT bearer authentication in your .Net Core application. Implement another endpoint, let's say Login, which accepts a user name and a password. These usernames and passwords are kept locally in the database. Login should be implemented in a way that it returns a JWT bearer token upon successful credential validation against the database.

Now your SPA should first send the authorization request to Identity server. If it is successful then there is no problem as per your question. But if it is some other error code related to unavailability, upon that response you must prompt another login screen for the user to provide local credentials. Then a request will be sent to the Login endpoint we implemented earlier, where the credentials passed would be validated against the database, and the SPA receives a JWT bearer token if the credentials are valid.

1
votes

So, in the end, I've chosen to turn my Asp.Net Core into an IdentityServer so that the SPA only requests that server, without knowledge of my remote IdentityServer, and add the latter as an external provider (with AddOpenIDConnect service collection extension method).

In the Login action of my Asp.Net Core server, I check if the remote IdentityServer is available.

If it is, I challenge it with the 'idsrv.external' scheme, thus seamlessly redirecting the user to the external IdentityServer.

If it is not, I proceed with the normal login process as described in the IdentityServer4 docs.

This way, my SPA only needs to know my server's url, and the latter seamlessly provides the token, whether it produces it itself or delegates it to the external IdentityServer x)
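The Login action described in this answer, as an added illustration that is not the answerer's code: the local IdentityServer4 host probes the remote server's OIDC discovery document with a short timeout, challenges the `idsrv.external` scheme when it answers, and otherwise falls back to the ASP.NET Core Identity password sign-in. The scheme registration via `AddOpenIdConnect("idsrv.external", ...)`, the `ExternalCallback` action, the `RemoteAuthority` URL and the `LoginViewModel` type are assumptions.

```csharp
using System;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

public class LoginViewModel { public string Username; public string Password; public string ReturnUrl; }

public class AccountController : Controller
{
    private const string ExternalScheme = "idsrv.external";          // assumed: registered with AddOpenIdConnect
    private const string RemoteAuthority = "https://remote-idsrv.example"; // placeholder, not a real host
    private readonly IHttpClientFactory _http;
    private readonly SignInManager<IdentityUser> _signIn;

    public AccountController(IHttpClientFactory http, SignInManager<IdentityUser> signIn)
    { _http = http; _signIn = signIn; }

    // Bounded probe of the remote discovery document; any error or timeout means "use local accounts".
    private async Task<bool> RemoteIdpAvailableAsync()
    {
        try
        {
            using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(2));
            var resp = await _http.CreateClient().GetAsync(RemoteAuthority + "/.well-known/openid-configuration", cts.Token);
            return resp.IsSuccessStatusCode;
        }
        catch (Exception) { return false; }
    }

    [HttpGet]
    public async Task<IActionResult> Login(string returnUrl)
    {
        if (await RemoteIdpAvailableAsync())
        {
            // Remote reachable: delegate to the external provider; its callback (assumed
            // ExternalCallback action) completes the local sign-in and honours returnUrl.
            var props = new AuthenticationProperties { RedirectUri = Url.Action("ExternalCallback", new { returnUrl }) };
            return Challenge(props, ExternalScheme);
        }
        return View(new LoginViewModel { ReturnUrl = returnUrl }); // remote down: show the local credential form
    }

    [HttpPost]
    public async Task<IActionResult> Login(LoginViewModel m)
    {
        // Local fallback: ASP.NET Core Identity password check with lockout on repeated failures.
        var result = await _signIn.PasswordSignInAsync(m.Username, m.Password, false, lockoutOnFailure: true);
        return result.Succeeded ? LocalRedirect(m.ReturnUrl ?? "/") : View(m); // LocalRedirect rejects non-local URLs
    }
}
```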