Welcome to the first quickstart for IdentityServer! To see the full list of quickstarts, please see Quickstarts Overview.
This first quickstart provides step by step instructions to set up IdentityServer in the most basic scenario: protecting APIs for server-to-server communication. You will create a solution containing three projects:
The client will request an access token from IdentityServer using its client ID and secret and then use the token to gain access to the API.
Finished source code for each quickstart in this series is available in the Samples repository, and a reference implementation of this quickstart is available here.
The IdentityServer templates for the dotnet CLI are a good starting point for the quickstarts. To install the templates open a console window and type the following command:
dotnet new --install Duende.IdentityServer.Templates
In this section, you will create a directory for the solution and use the isempty (IdentityServer Empty) template to create an ASP.NET Core application that includes a basic IdentityServer setup.
Back in the console, run the following commands to create the directory structure for the solution.
mkdir quickstart
cd quickstart
mkdir src
dotnet new sln -n Quickstart
This will create a quickstart directory that will serve as the root of the solution, a src subdirectory to hold your source code, and a solution file to organize your projects. Throughout the rest of the quickstart series, paths will be written relative to to the quickstart directory.
From the new quickstart directory, run the following commands to use the isempty template to create a new project. The template creates a web project named IdentityServer with the IdentityServer package installed and minimal configuration added for it.
cd src
dotnet new isempty -n IdentityServer
This will create the following files within a new src/IdentityServer directory:
The src/IdentityServer/Properties/launchSettings.json file created by the isempty template sets the applicationUrl to https://localhost:5001. You can change the port that your IdentityServer host listens on by changing the port in this url. This url also sets the protocol (http or https) that the IdentityServer host will use. In production scenarios you should always use https.
Next, add the IdentityServer project to the solution. Back in the console, navigate up to the quickstart directory and add the IdentityServer project to the solution.
cd ..
dotnet sln add ./src/IdentityServer/IdentityServer.csproj
Scope is a core feature of OAuth that allows you to express the extent or scope of access. Clients request scopes when they initiate the protocol, declaring what scope of access they want. IdentityServer then has to decide which scopes to include in the token. Just because the client has asked for something doesn’t mean they should get it! There are built-in abstractions as well as extensibility points that you can use to make this decision. Ultimately, IdentityServer issues a token to the client, which then uses the token to access APIs. APIs can check the scopes that were included in the token to make authorization decisions.
Scopes don’t have structure imposed by the protocols - they are just space-separated strings. This allows for flexibility when designing the scopes used by a system. In this quickstart, you will create a scope that represents complete access to an API that will be created later in this quickstart.
Scope definitions can be loaded in many ways. This quickstart shows how to use a “code as configuration” approach. A minimal Config.cs was created by the template at src/IdentityServer/Config.cs. Open it and add an ApiScope to the ApiScopes property:
public static IEnumerable<ApiScope> ApiScopes =>
new List<ApiScope>
{
new ApiScope(name: "api1", displayName: "MyAPI")
};
See the full file here.
In production it is important to give your API a useful name and display name. Use these names to describe your API in simple terms to both developers and users. Developers will use the name to connect to your API, and end users will see the display name on consent screens, etc.
The next step is to configure a client application that you will use to access the API. You’ll create the client application project later in this quickstart. First, you’ll add configuration for it to your IdentityServer project.
In this quickstart, the client will not have an interactive user and will authenticate with IdentityServer using a client secret.
Add this client definition to Config.cs:
public static IEnumerable<Client> Clients =>
new List<Client>
{
new Client
{
ClientId = "client",
// no interactive user, use the clientid/secret for authentication
AllowedGrantTypes = GrantTypes.ClientCredentials,
// secret for authentication
ClientSecrets =
{
new Secret("secret".Sha256())
},
// scopes that client has access to
AllowedScopes = { "api1" }
}
};
Again, see the full file here.
Clients can be configured with many options. Your minimal machine-to-machine client here contains
The scope and client definitions are loaded in HostingExtensions.cs. The template created a ConfigureServices method there that is already loading the scopes and clients. You can take a look to see how it is done. Note that the template adds a few things that are not used in this quickstart. Here’s the minimal ConfigureServices method that is needed:
public static WebApplication ConfigureServices(this WebApplicationBuilder builder)
{
builder.Services.AddIdentityServer()
.AddInMemoryApiScopes(Config.ApiScopes)
.AddInMemoryClients(Config.Clients);
return builder.Build();
}
That’s it - your IdentityServer is now configured. If you run the project and then navigate to https://localhost:5001/.well-known/openid-configuration in your browser, you should see the discovery document. The discovery document is a standard endpoint in OpenID Connect and OAuth. It is used by your clients and APIs to retrieve configuration data needed to request and validate tokens, login and logout, etc.
On first startup, IdentityServer will use its automatic key management feature to create a signing key and store it in the src/IdentityServer/keys directory. To avoid accidentally disclosing cryptographic secrets, the entire keys directory should be excluded from source control. It will be recreated if it is not present.
Next, add an API project to your solution. This API will serve protected resources that will be secured by IdentityServer.
You can either use the ASP.NET Core Web API template from Visual Studio or use the .NET CLI to create the API project. To use the CLI, run the following command from the src directory:
dotnet new webapi -n Api
Then navigate back up to the root quickstart directory and add it to the solution by running the following commands:
cd ..
dotnet sln add ./src/Api/Api.csproj
Now you will add JWT Bearer Authentication to the API’s ASP.NET pipeline. The goal is to authorize calls to your API using tokens issued by the IdentityServer project. To that end, you will add authentication middleware to the pipeline from the Microsoft.AspNetCore.Authentication.JwtBearer nuget package. This middleware will
Run this command in the src directory to install the middleware package in the Api:
dotnet add ./Api/Api.csproj package Microsoft.AspNetCore.Authentication.JwtBearer
Now add JWT Bearer authentication services to the Service Collection to allow for dependency injection (DI), and configure Bearer as the default Authentication Scheme.
builder.Services.AddAuthentication("Bearer")
.AddJwtBearer("Bearer", options =>
{
options.Authority = "https://localhost:5001";
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateAudience = false
};
});
Audience validation is disabled here because access to the api is modeled with ApiScopes only. By default, no audience will be emitted unless the api is modeled with ApiResources instead. See here for a more in-depth discussion.
Add authentication middleware to the pipeline immediately before authorization:
app.UseAuthentication();
app.UseAuthorization();
UseAuthentication adds the authentication middleware to the pipeline so authentication will be performed automatically on every call into the host. UseAuthorization adds the authorization middleware to make sure your API endpoint cannot be accessed by anonymous clients.
Add a new class called IdentityController in src/Api/Controllers:
[Route("identity")]
[Authorize]
public class IdentityController : ControllerBase
{
[HttpGet]
public IActionResult Get()
{
return new JsonResult(from c in User.Claims select new { c.Type, c.Value });
}
}
This controller will be used to test authorization and to display the claims identity through the eyes of the API. See the full file here.
Configure the API to run on https://localhost:6001 only. You can do this by editing the launchSettings.json file in the src/Api/Properties directory. Change the application URL setting to be:
"applicationUrl": "https://localhost:6001"
Run the API project and then navigate to the identity controller at https://localhost:6001/identity in a browser. This should return a 401 status code, which means your API requires a credential and is now protected by IdentityServer.
The last step is to create a client that requests an access token and then uses that token to access the API. Your client will be a console project in your solution. From the quickstart/src directory, run the following command:
dotnet new console -n Client
Then as before, add it to your solution using:
cd ..
dotnet sln add ./src/Client/Client.csproj
The token endpoint at IdentityServer implements the OAuth protocol, and you could use raw HTTP to access it. However, we have a client library called IdentityModel that encapsulates the protocol interaction in an easy to use API.
Add the IdentityModel NuGet package to your client. This can be done either via Visual Studio’s Nuget Package manager or dotnet CLI. From the quickstart directory, run the following command:
dotnet add ./src/Client/Client.csproj package IdentityModel
IdentityModel includes a client library to use with the discovery endpoint. This way you only need to know the base address of IdentityServer - the actual endpoint addresses can be read from the metadata. Add the following to the client’s Program.cs in the src/Client/Program.cs directory:
// discover endpoints from metadata
var client = new HttpClient();
var disco = await client.GetDiscoveryDocumentAsync("https://localhost:5001");
if (disco.IsError)
{
Console.WriteLine(disco.Error);
return;
}
If you get an error connecting it may be that you are running https and the
development certificate for localhost is not trusted. You can run dotnet dev-certs https --trust
in order to trust the development certificate. This
only needs to be done once.
Next you can use the information from the discovery document to request a token from IdentityServer to access api1:
// request token
var tokenResponse = await client.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
{
Address = disco.TokenEndpoint,
ClientId = "client",
ClientSecret = "secret",
Scope = "api1"
});
if (tokenResponse.IsError)
{
Console.WriteLine(tokenResponse.Error);
return;
}
Console.WriteLine(tokenResponse.AccessToken);
Copy and paste the access token from the console to jwt.ms to inspect the raw token.
To send the access token to the API you typically use the HTTP Authorization header. This is done using the SetBearerToken extension method:
// call api
var apiClient = new HttpClient();
apiClient.SetBearerToken(tokenResponse.AccessToken);
var response = await apiClient.GetAsync("https://localhost:6001/identity");
if (!response.IsSuccessStatusCode)
{
Console.WriteLine(response.StatusCode);
}
else
{
var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync()).RootElement;
Console.WriteLine(JsonSerializer.Serialize(doc, new JsonSerializerOptions { WriteIndented = true }));
}
The completed Program.cs file can be found here.
To test the flow, start the IdentityServer and API projects. Once they are running, run the Client project.
The output should look like this:
If you’re using Visual Studio, here’s how to start everything up:
By default an access token will contain claims about the scope, lifetime (nbf and exp), the client ID (client_id) and the issuer name (iss).
Right now, the API accepts any access token issued by your IdentityServer. In this section, you will add an Authorization Policy to the API that will check for the presence of the “api1” scope in the access token. The protocol ensures that this scope will only be in the token if the client requests it and IdentityServer allows the client to have that scope. You configured IdentityServer to allow this access by including it in the allowedScopes property. Add the following to the ConfigureServices method in the API’s Program.cs file:
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("ApiScope", policy =>
{
policy.RequireAuthenticatedUser();
policy.RequireClaim("scope", "api1");
});
});
You can now enforce this policy at various levels, e.g.:
Typically you set the policy for all controllers where they are mapped in src/Api/Program.cs:
app.MapControllers().RequireAuthorization("ApiScope");
This quickstart focused on the success path:
You can now try to provoke errors to learn how the system behaves, e.g.: