Quantcast
Channel: IdentityModel – leastprivilege.com
Viewing all articles
Browse latest Browse all 204

Authentication in AuthorizationServer

$
0
0

AS does not do its own authentication – that’s by design. When you download from the repo, AS is set up to be a WS-Federation relying party. In the configuration folder of the WebHost project you’ll find two config files: identity.config and identityservices.config that wire up AS to an IdP.

<system.identityModel.services>

  <federationConfiguration>

   

    <wsFederation passiveRedirectEnabled=true

                  issuer=https://idsrv.local/issue/wsfed

                  realm=urn:authorizationserver />

 

  </federationConfiguration>

</system.identityModel.services>

 

You can change these settings to connect to your own IdP, e.g. IdentityServer, ADFS, ACS or WAAD. The “Identity & Access” VS plugin makes it even easier to “auto-configure” AS (just don’t forget to remove the pesky authorization elements from web.config).

AS really only needs a single claim on the current principal to function properly – sub – the subject identifier claim from the JWT spec. It’s the job of claims transformation to provide this claim after authentication has happened. For this purpose AS comes with a pre-defined claims authentication manager that turns incoming NameIdentifier or Name claims into a sub claim. That works out of the box for the above mentioned IdPs:

public class NameIdToSubjectClaimsTransformer : ClaimsTransformerBase
{
    public NameIdToSubjectClaimsTransformer(
     
IAuthorizationServerAdministratorsService
svc)
        : base(svc)
    { }
 
    protected override Claim GetSubject(ClaimsPrincipal principal)
    {
        var nameId = principal.FindFirst(ClaimTypes.NameIdentifier);
        if (nameId == null)
        {
            nameId = principal.FindFirst(ClaimTypes.Name);
            if (nameId == null)
            {
                throw new InvalidOperationException(
                 
"No nameidentifier claim"
);
            }
        }
 
        return new Claim(Constants.ClaimTypes.Subject, nameId.Value);
    }
}

 

If your IdP uses a different mapping, simply change the implementation of GetSubject. If you want to wire up a different claims transformer altogether, you can find the relevant code in global.asax.

If you don’t use an IdP at all, you can also add a local login form to AS or switch to Windows authentication. In that case simply run the claims transformer in PostAuthenticateRequest to provide the sub claim.

The second authentication related plumbing is for the OAuth2 resource owner password flow. Since AS does not do authentication, the credential validation needs to be delegated. By default we do that using WS-Trust to the same IdP that takes care of the web login. This is implemented in the WSTrustResourceOwnerCredentialValidation class, and configured in autofac.config:

<component type=" WSTrustResourceOwnerCredentialValidation …"
            service=" IResourceOwnerCredentialValidation … " >
  <parameters>
    <parameter name="address"
               value="https://idsrv.local/issue/wstrust/mixed/username" />
    <parameter name="realm"
               value="urn:authorizationserver" />
    <parameter name="issuerThumbprint"
               value="BFF6C249A2FFAA51A959B422DAAEDCF10E8A38EB" />
  </parameters>
</component>

 

Again, you can take control over that process be implementing IResourceOwnerCredentialValidation and wire it up in above config.


Filed under: AuthorizationServer, IdentityModel, IdentityServer, OAuth, WebAPI

Viewing all articles
Browse latest Browse all 204

Trending Articles