Announcing Thinktecture IdentityServer v3 – Preview 1

For the last few months we’ve been heads down re-writing IdentityServer from scratch (see here for background) – and we are now at a point where we think we have enough up and running to show it to you!

What we’ve done so far

  • Started with File –> New
  • Implemented OpenID Connect basic and implicit client profile (including support for form post response mode)
  • Implemented support for OpenID Connect discovery documents and session logout
  • Implemented OAuth2 code, client credentials, password and assertion grants
  • Created a general purpose login page and consent screen for local and external accounts
    • created out of the box support for MembershipReboot and ASP.NET Identity
    • integrated existing Katana authentication middleware for social providers
      • and made that all pluggable
  • Defined an authorization enforcement policy around clients, flows, redirect URIs and scopes
  • Designed everything to run on minimal data access interfaces so you can seamlessly scale from in-memory objects to simple config files up to relational or document databases for configuration and state management
  • Designed everything to be API-first
  • Defined several extensibility points that allow customization of request validation, token creation, claims acquisition and transformation and more
    • and yes, we don’t use MEF anymore …
  • Split up IdSrv into composable components like core token engine and authentication, configuration APIs, configuration UIs and user management
    • These components use OWIN/Katana and Web API as abstractions which means we have quite a bit of flexibility when it comes to logical hosting – embeddable in an existing application or standalone
    • When it comes to physical hosting, we have no dependency on IIS and System.Web which means you can use a command line, OWIN host, an NT Service, of course IIS or any other OWIN/Katana compatible server
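As an added illustration of the enforcement-policy bullet above (this is standalone example code, not IdentityServer v3’s own API; the type and method names are hypothetical), here is a minimal model of validating an authorize request against a client’s registered flow, redirect URIs and scopes, with a constructed sample client:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
// Illustrative stand-alone model of the enforcement policy listed above (client, flow,
// redirect URI, scope). Names are hypothetical, not IdentityServer v3's own API.
public enum Flow { AuthorizationCode, Implicit, ClientCredentials }

public class ClientRegistration
{
    public Flow AllowedFlow;
    public HashSet<string> RedirectUris;   // registered verbatim, compared with ordinal equality
    public HashSet<string> AllowedScopes;
}

public static class AuthorizePolicy
{
    // Returns null when the authorize request is allowed, otherwise an OAuth2-style error code.
    public static string Validate(IDictionary<string, ClientRegistration> clients,
        string clientId, Flow flow, string redirectUri, string[] scopes)
    {
        ClientRegistration client;
        if (clientId == null || !clients.TryGetValue(clientId, out client)) return "unauthorized_client";
        if (client.AllowedFlow != flow) return "unauthorized_client";
        // Exact match only: a different path, query string or scheme must not be accepted.
        if (redirectUri == null || !client.RedirectUris.Contains(redirectUri)) return "invalid_request";
        if (scopes == null || scopes.Length == 0 || scopes.Any(s => !client.AllowedScopes.Contains(s)))
            return "invalid_scope";
        return null;
    }

    public static void Main()
    {
        // Constructed sample registration: one implicit-flow client with a single callback.
        var clients = new Dictionary<string, ClientRegistration>(StringComparer.Ordinal)
        {
            { "mvc", new ClientRegistration { AllowedFlow = Flow.Implicit,
                RedirectUris  = new HashSet<string>(StringComparer.Ordinal) { "https://localhost:44300/cb" },
                AllowedScopes = new HashSet<string>(StringComparer.Ordinal) { "openid", "profile" } } }
        };
        var cases = new[]
        {
            new[] { "https://localhost:44300/cb", "openid" },          // registered URI and scope
            new[] { "https://localhost:44300/cb/../x", "openid" },     // path differs from registration
            new[] { "https://localhost:44300/cb", "openid", "email" }  // "email" was never registered
        };
        foreach (var c in cases)
            Console.WriteLine("{0} -> {1}", c[0], Validate(clients, "mvc", Flow.Implicit, c[0], c.Skip(1).ToArray()) ?? "allowed");
    }
}
```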

Minimal startup code:

public void Configuration(IAppBuilder app)
{
    // mount the core token engine under /core of the hosting OWIN pipeline
    app.Map("/core", coreApp =>
        {
            // in-memory test configuration: issuer, display name, signing cert and public host
            var factory = TestOptionsFactory.Create(
                issuerUri:         "https://idsrv3.com",
                siteName:          "Thinktecture IdentityServer v3",
                certificateName:   "CN=idsrv3test",
                publicHostAddress: "http://localhost:3333");

            var opts = new IdentityServerCoreOptions
            {
                Factory = factory,
            };

            coreApp.UseIdentityServerCore(opts);
        });
}

What’s missing?

  • quite a bit, e.g.
  • a persistence layer for configuration and state – everything is in-memory right now which is good enough for testing
  • Refresh tokens
  • Admin UI and APIs
  • OpenID Connect session management and cleanup
  • Support for WS-Federation and OpenID Connect based identity providers for federation
  • A lot more testing
  • Your feedback!

What’s next?

  • We’ve defined several milestones over the next months for implementing the next rounds of features. We currently plan to be done with v1 around end of summer.
  • Participate in OpenID Connect compatibility and interop testing (see here).

Where to get it?

The github repo is here, the issue tracker here and the wiki here. We also recorded videos on Overview, Samples Walkthrough and Extensibility. Check them out…

Oh – and I should mention – while designing IdentityServer v3 we realized that we really also need a good solution for managing users, identity, claims etc – and that this should be ideally a separate project – so I’d also like to announce Thinktecture IdentityManager – head over to Brock’s blog to find out more!!!

Looking forward to your feedback!

This entry was posted in ASP.NET, AuthorizationServer, IdentityModel, IdentityServer, Katana, OAuth, OpenID Connect, OWIN, WebAPI.

31 Responses to Announcing Thinktecture IdentityServer v3 – Preview 1

  1. Kantiran says:

    Imagine a Thinktecture IdentityServer acting as a SAML 2.0 IDP – I would be so happy ;-)
    …much more anticipated than a WS-Fed endpoint

    Keep up the great work!

  2. You should consider entering your server in the OpenID Connect interop: http://osis.idcommons.net/wiki/OC5:OpenID_Connect_Interop_5

  3. I tried to include the assemblies from the build folder as well as the AspNetUserService dll from its bin/Debug into a sample project, however, when I try to build it I get an error that namespace IdentityServer could not be found. Am I missing something? IntelliSense picks everything up but building fails. I tried referencing the projects directly from the git repo and also including the dll files but keep getting the same build error. I’ve uploaded a sample project if you care to look: https://dl.dropboxusercontent.com/u/2184396/Identity.zip

  4. mrdan says:

    In WIF, the SamlSecurityTokenHandler had a “mapToWindows” option that we could use for Kerberos constrained delegation. Is there any similar functionality in OWIN? I don’t use this often, but I have a very specific use for this with Citrix.

  5. Don’t know – ask Microsoft ;)

    • mrdan says:

      Hah, I did ask their source code repo and discovered this isn’t too difficult by making my own OWIN middleware. Thanks for the advice ;-)

  6. Hi Dominick,

    I have been perusing the source code and have a question. When redirecting from the authorization endpoint controller (webapi), I notice that you create a JwtSecurity token with a single claim (the callback url) to post data to your mvc controller for user interaction. Is that something that is required by the spec, a personal preference or is there a security issue with just posting the data in clear text over tls?

  7. Jason says:

    Hi Dominick,

    I have done an integration between Microsoft ADFS 2.0 and Thinktecture 2.1. Would you be able to comment if there is any support for that capability currently or in the future? Or if you know of anyone that has done this yet? Any information regarding this topic would be highly appreciated.

    Thanks!
    Jason

  8. Steven says:

    Does IdSrv v3 now remove the need for AuthSrv? I noticed in following the videos that I can put claims in using the Identity Manager and this would work even when I authenticate via third party (google, twitter, facebook) so it seems AuthSrv is now an extra step, is that correct?

  9. Once IdSrv3 is ready – it will replace AS.

  10. Hi Dominick,

    You guys have done a great job on IdSrv3 and I cannot wait until the next release and see the product grow. Although the product is just a first preview, it really helps out a lot. There is one thing missing that I do really need now and that is the support for refresh tokens. Do you perhaps have a sample (C#) that you could share, that shows how to add this support to the current bits?

    Kind regards,
    Xander

  11. Atul Sachan says:

    IdentityServer v3 is very good for application authentication and authorization. I can easily embed it in a .NET application.
    I checked all the blogs. I didn’t find how to consume IdentityServer v3 services in a Java client application. If any blog or link is there, please reply.

  12. Atul Sachan says:

    How to use two-factor authentication in Identity Server v3?

  13. Atul Sachan says:

    Hi Dominick,

    How can we use Identity Server v3 for securing a WCF service?
    Is there any link or example for this?

  14. Jason says:

    All the download links of previous versions on http://thinktecture.github.io/Thinktecture.IdentityServer.v2/downloads/ are broken. Is there a new place to get the binaries for v2?

  15. Alin Nemet says:

    Hi, is v3 production safe, or do you strongly advise not to use v3, and maybe go with v2 or so?

    Thanks,
    Alin
