• Software developer and consultant
• Telco and media industries
• Focus on Web APIs, Identity and Access Management
• Designing Evolvable Web APIs with ASP.NET, O’Reilly, 2014. See http://webapibook.net/
to an HTTP request
• Define protocols for a client application to obtain access tokens...
  • ... on its own behalf (server – server)
    • Client application identity
  • ... on a user’s behalf (user – server)
    • Client application identity
    • User identity
    • Delegated authorization scope
the client app
• Not defined by any spec
• Define
  • User (resource owner)
  • Client application
  • Usage scope
ID tokens
• Internal claims visible to the client app
• Specified by OpenID Connect
• Define
  • Identity claims
claim container
• Based on the JSON format
• “Intended for space constrained environments such as HTTP Authorization headers and URI query parameters.”
• Relies on
  • JWS – JSON Web Signature
  • JWE – JSON Web Encryption
• Represented as
  • Sequence of Base64url encoded parts
  • Separated by ‘.’
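To make the compact serialization concrete, here is an added example (not code from the slides or from IdentityServer3) that builds, splits and verifies a JWS-signed JWT using only the Python standard library. It assumes the HS256 algorithm and a constructed shared key named DEMO_KEY; the claim values are constructed for the demo. It also shows the practitioner's two key checks: the payload is readable by anyone who holds the token (JWS gives integrity, not confidentiality), and a verifier must pin the expected algorithm rather than trusting the token's own header.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# Constructed demo key for HS256. A real verifier gets this from the
# authorization server's configuration (or uses an asymmetric key, e.g. RS256).
DEMO_KEY = b"constructed-demo-hmac-key-not-for-real-use"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_bytes(obj: dict) -> bytes:
    # Compact JSON keeps the token small ("space constrained environments").
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact-serialized JWS: header.payload.signature (HS256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(_json_bytes(header)) + "." + b64url_encode(_json_bytes(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def split_jwt(token: str) -> tuple[dict, dict, bytes]:
    """Split the three '.'-separated parts and decode header and payload.

    No key is needed here: JWS protects integrity only, so any holder of the
    token can read the claims. Confidentiality would require JWE."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three '.'-separated parts")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, b64url_decode(parts[2])


def verify_hs256(token: str, key: bytes, now: float | None = None) -> dict | None:
    """Return the claims if the signature and time claims check out, else None."""
    header, payload, signature = split_jwt(token)
    # Pin the algorithm the verifier was configured for; never let the token's
    # own header select it (that is how "alg": "none" style bypasses happen).
    if header.get("alg") != "HS256":
        return None
    signing_input = token.rsplit(".", 1)[0].encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        return None  # expired
    if "nbf" in payload and now < payload["nbf"]:
        return None  # not yet valid
    return payload


def tamper(token: str, **changes) -> str:
    """Re-encode the payload with changed claims but keep the original signature.

    Used below only to show that the verifier rejects a modified payload."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    return ".".join([header_b64, b64url_encode(_json_bytes(payload)), sig_b64])


if __name__ == "__main__":
    # Constructed claims: issuer, subject, delegated scope and an expiry.
    claims = {"iss": "https://idsrv.example", "sub": "alice", "scope": "read", "exp": 2000000000}
    token = sign_hs256(claims, DEMO_KEY)
    print(token)
    print("readable without key:", split_jwt(token)[1])
    print("valid:", verify_hs256(token, DEMO_KEY, now=1500000000) is not None)
    print("tampered valid:", verify_hs256(tamper(token, sub="mallory"), DEMO_KEY, now=1500000000) is not None)
```

Running the script prints the three dot-separated base64url parts, the decoded claims (obtained without the key), and shows that the untouched token verifies while the one with a rewritten subject does not.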
• Brock Allen
• Apache 2.0
• .NET Foundation
• https://github.com/IdentityServer/IdentityServer3
• Extensible OpenID Connect and OAuth2 authorization server
  • “framework and a hostable component”
  • “allows implementing single sign-on and access control for modern web applications and APIs”
  • “using protocols like OpenID Connect and OAuth2”
• Based on Katana and ASP.NET Web API
• Based on IdentityServer3, hosted on System.Web using Katana
• app1.example.com
  • Relying party Web app and API
  • Based on ASP.NET MVC 5 and Web API
• app2.example.com
  • JS-based client application
  • Consumes app1 API
• Based on http://brockallen.com/2015/06/19/demos-ndc-oslo-2015/
• OpenID Connect unifies authentication delegation, single sign-in and access delegation
• JWT as a protected claims container
• IdentityServer3 is a highly configurable framework for creating
  • Identity Providers
  • Authorization Servers