Using OpenID Connect for Authentication

Learn how to build a basic OpenID Connect Provider to define endpoints for authentication purposes.

OpenID Connect (OIDC) is an authentication protocol that is used to enable SSO capabilities for web and mobile applications. OIDC provides a way to authenticate users and obtain information about their identity. This is achieved through the use of identity tokens, which contain claims about the user, such as their username, email, and other profile information.

OIDC is responsible for the authentication flow. It defines how the endpoints involved in authentication should be structured, how the different parts of the system should interact with each other, and what shape the data exchanged between those parts should take.

Building a basic OIDC provider

To explain how OIDC works, we will build an IdP application with the most bare-bones OIDC functionality. This is not necessary in a commercial setting, because off-the-shelf providers such as Okta and Keycloak already support OIDC. However, the exercise will help us understand better how OIDC works.

Our complete application is represented by the following playground. We will now go through the code step-by-step to see how the OIDC functionality is enabled.

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*"
}
OpenID Connect client credentials flow demonstration

Configuring the OIDC server startup

The first part of the OIDC configuration in the middleware pipeline can be found on lines 12 to 23, where we chain the following call onto the builder. It configures the OIDC server and its endpoints:

.AddServer(serverBuilder =>
{
    // Allow the client credentials grant (grant_type=client_credentials).
    serverBuilder.AllowClientCredentialsFlow();
    // Expose the token endpoint at this relative URI.
    serverBuilder.SetTokenEndpointUris("api/authorization/token");
    // Ephemeral development certificates for token encryption and signing.
    serverBuilder.AddDevelopmentEncryptionCertificate()
        .AddDevelopmentSigningCertificate();
    // Issue access tokens as signed but unencrypted JWTs.
    serverBuilder.DisableAccessTokenEncryption();
    // Plug into the ASP.NET Core pipeline: let token requests reach our own
    // endpoint action, and accept plain HTTP (development only).
    serverBuilder.UseAspNetCore()
        .EnableTokenEndpointPassthrough()
        .DisableTransportSecurityRequirement();
    // Allow the refresh token grant.
    serverBuilder.AllowRefreshTokenFlow();
});
Adding the OIDC server configuration
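Because EnableTokenEndpointPassthrough hands requests for api/authorization/token to an action the application defines itself, the playground needs such an action. The controller below is an added example, not code from the original playground; it assumes the server builder above is OpenIddict's (the method names match its API) and uses OpenIddict 4.x type and method names, which is an assumption here.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;
using OpenIddict.Abstractions;
using OpenIddict.Server.AspNetCore;
using static OpenIddict.Abstractions.OpenIddictConstants;

[ApiController]
public class AuthorizationController : ControllerBase
{
    // The route must match SetTokenEndpointUris("api/authorization/token");
    // without EnableTokenEndpointPassthrough this action would never run.
    [HttpPost("api/authorization/token"), Produces("application/json")]
    public IActionResult Exchange()
    {
        // OpenIddict has already parsed the request and checked client_id,
        // client_secret and grant_type against the flows enabled in AddServer.
        var request = HttpContext.GetOpenIddictServerRequest()
            ?? throw new InvalidOperationException("The OpenID Connect request cannot be retrieved.");

        // Defence in depth: reject anything but client_credentials with a standard
        // OAuth 2.0 error instead of silently minting a token for an unexpected grant.
        if (!request.IsClientCredentialsGrantType())
        {
            var properties = new AuthenticationProperties(new Dictionary<string, string?>
            {
                [OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.UnsupportedGrantType,
                [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] =
                    "Only the client credentials grant is supported by this endpoint."
            });
            return Forbid(properties, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
        }

        // Client credentials authenticates a machine, not a user, so the token's
        // subject is the client application itself.
        var identity = new ClaimsIdentity(
            TokenValidationParameters.DefaultAuthenticationType, Claims.Name, Claims.Role);
        identity.SetClaim(Claims.Subject, request.ClientId);
        identity.SetClaim(Claims.Name, request.ClientId);

        // Grant only the scopes that were requested (OpenIddict has already verified
        // they are permitted for this client) and place the claims in the access token.
        identity.SetScopes(request.GetScopes());
        identity.SetDestinations(_ => new[] { Destinations.AccessToken });

        return SignIn(new ClaimsPrincipal(identity), OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
    }
}
```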

Let's go over all the method invocations one by one:

  • AllowClientCredentialsFlow: This invocation enables the client credentials flow, ...