Over the last months we've been heads down rewriting IdentityServer from scratch (see here for background), and we are now at a point where we think we have enough up and running to show it to you!
What we’ve done so far
- Started with File –> New
- Implemented OpenID Connect basic and implicit client profile (including support for form post response mode)
- Implemented support for OpenID Connect discovery documents and session logout
- Implemented OAuth2 code, client credentials, password and assertion grants
- Created a general purpose login page and consent screen for local and external accounts
- Created out of the box support for MembershipReboot and ASP.NET Identity
- Integrated existing Katana authentication middleware for social providers
- And made that all pluggable
- Defined an authorization enforcement policy around clients, flows, redirect URIs and scopes
- Designed everything to run on minimal data access interfaces so you can seamlessly scale from in-memory objects to simple config files up to relational or document databases for configuration and state management
- Designed everything to be API-first
- Defined several extensibility points that allow customization of request validation, token creation, claims acquisition and transformation and more
- And yes, we don't use MEF anymore …
- Split up IdSrv into composable components like core token engine and authentication, configuration APIs, configuration UIs and user management
- These components use OWIN/Katana and Web API as abstractions which means we have quite a bit of flexibility when it comes to logical hosting – embeddable in an existing application or standalone
- When it comes to physical hosting, we have no dependency on IIS and System.Web which means you can use a command line, OWIN host, an NT Service, of course IIS or any other OWIN/Katana compatible server
Minimal startup code:

    using Owin;
    // plus the IdentityServer core namespaces from the repo

    // OWIN startup class (the class name Startup is assumed here; the hosting APIs accept any name)
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Mount the core token engine under /core of the host application
            app.Map("/core", coreApp =>
            {
                var factory = TestOptionsFactory.Create(
                    issuerUri: "https://idsrv3.com",
                    siteName: "Thinktecture IdentityServer v3",
                    certificateName: "CN=idsrv3test",
                    publicHostAddress: "http://localhost:3333");

                var opts = new IdentityServerCoreOptions
                {
                    Factory = factory,
                };

                coreApp.UseIdentityServerCore(opts);
            });
        }
    }
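As an added example of the physical-hosting point above (this is not code from the post or from the IdentityServer repo): a console program that self-hosts the startup code through Microsoft.Owin.Hosting, assuming the Configuration method lives in a class named Startup and that the Microsoft.Owin.Hosting and Microsoft.Owin.Host.HttpListener packages are referenced.

```csharp
using System;
using Microsoft.Owin.Hosting;

// Added example, not from the post: running the core without IIS or System.Web.
// WebApp.Start<TStartup> spins up an HttpListener-based OWIN host and calls
// Startup.Configuration(IAppBuilder) on it, exactly as IIS/Katana would.
class Program
{
    static void Main()
    {
        // Same address the startup snippet passes as publicHostAddress,
        // so the issuer's advertised endpoints and the listener agree.
        const string baseAddress = "http://localhost:3333";

        // The returned IDisposable owns the listener; disposing it stops the server.
        using (WebApp.Start<Startup>(baseAddress))
        {
            Console.WriteLine("IdentityServer core mounted at " + baseAddress + "/core");
            Console.WriteLine("Press Enter to stop.");
            Console.ReadLine();
        }
    }
}
```

On Windows, HttpListener only binds a prefix that is either reserved for the account (netsh http add urlacl) or opened from an elevated process, so run it as administrator or reserve the URL first.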
What’s missing?
- Quite a bit, e.g.:
- a persistence layer for configuration and state – everything is in-memory right now which is good enough for testing
- Refresh tokens
- Admin UI and APIs
- OpenID Connect session management and cleanup
- Support for WS-Federation and OpenID Connect based identity providers for federation
- A lot more testing
- Your feedback!
What’s next?
- We’ve defined several milestones over the next months for implementing the next rounds of features. We currently plan to be done with v1 around end of summer.
- Participate in OpenID Connect compatibility and interop testing (see here).
Where to get it?
The GitHub repo is here, the issue tracker here and the wiki here. We also recorded videos on Overview, Samples Walkthrough and Extensibility. Check them out…
Oh, and I should mention: while designing IdentityServer v3 we realized that we also need a good solution for managing users, identities, claims etc., and that this should ideally be a separate project. So I'd also like to announce Thinktecture IdentityManager; head over to Brock's blog to find out more!
Looking forward to your feedback!
Imagine a Thinktecture IdentityServer acting as a SAML 2.0 IDP – I would be so happy ;-)
…much more anticipated than a WS-Fed endpoint
Keep up the great work!
You should consider entering your server in the OpenID Connect interop: http://osis.idcommons.net/wiki/OC5:OpenID_Connect_Interop_5
done already ;)
I tried to include the assemblies from the build folder as well as the AspNetUserService dll from its bin/Debug into a sample project, however, when I try to build it I get an error that namespace IdentityServer could not be found. Am I missing something? IntelliSense picks everything up but building fails. I tried referencing the projects directly from the git repo and also including the dll files but keep getting the same build error. I've uploaded a sample project if you care to look: https://dl.dropboxusercontent.com/u/2184396/Identity.zip
Solved my own problem – had to change .NET to 4.5.1 (was using 4.5.0). Looking great so far!
In WIF, the SamlSecurityTokenHandler had a “mapToWindows” option that we could use for Kerberos constrained delegation. Is there any similar functionality in OWIN? I don't use this often, but I have a very specific use for this with Citrix.
Don’t know – ask Microsoft ;)
Hah, I did ask their source code repo and discovered this isn't too difficult by making my own OWIN middleware. Thanks for the advice ;-)
Hi Dominick,
I have been perusing the source code and have a question. When redirecting from the authorization endpoint controller (Web API), I notice that you create a JwtSecurityToken with a single claim (the callback URL) to post data to your MVC controller for user interaction. Is that something that is required by the spec, a personal preference, or is there a security issue with just posting the data in clear text over TLS?
see here
https://github.com/thinktecture/Thinktecture.IdentityServer.v3/commit/285c30f4264d1a6db6f579306095987b41cdaa97
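As an added illustration of the integrity property behind the question above (this is not IdentityServer code and not what the linked commit does): a callback value signed with HMAC-SHA256, and a verifier that hands the URL to the login page only when the signature and the target host check out. TLS protects the value in transit; the signature protects it from the browser, which can rewrite an unsigned hidden form field before posting it back. The secret, the class and the sample URL are constructed for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not IdentityServer code. A JWT claim is replaced by a plain
// UTF-8 payload for brevity; the MAC-then-verify logic is the point.
public static class CallbackToken
{
    // Constructed demo secret; a deployment would use a real key and never hard-code it.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("demo-only-secret-change-me");

    static byte[] Mac(byte[] data)
    {
        using (var hmac = new HMACSHA256(Key)) return hmac.ComputeHash(data);
    }

    // token = base64(callbackUrl) "." base64(HMAC-SHA256(callbackUrl))
    public static string Create(string callbackUrl)
    {
        byte[] payload = Encoding.UTF8.GetBytes(callbackUrl);
        return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(Mac(payload));
    }

    // Returns the callback URL only if the MAC verifies and it is an https URL on our own
    // host; otherwise null, and the login page must refuse to redirect.
    public static string Verify(string token, string expectedHost)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 2) return null;
        byte[] payload, mac;
        try { payload = Convert.FromBase64String(parts[0]); mac = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return null; }
        byte[] expected = Mac(payload);
        int diff = expected.Length ^ mac.Length;                        // constant-time compare
        for (int i = 0; i < Math.Min(expected.Length, mac.Length); i++) diff |= expected[i] ^ mac[i];
        if (diff != 0) return null;
        Uri uri;
        string url = Encoding.UTF8.GetString(payload);
        if (!Uri.TryCreate(url, UriKind.Absolute, out uri)) return null;
        return uri.Scheme == "https" && uri.Host == expectedHost ? url : null;
    }

    public static void Main()
    {
        // Constructed sample: the authorize request the login page must return to after sign-in.
        string token = Create("https://idsrv3.com/core/authorize?client_id=demo");
        Console.WriteLine(Verify(token, "idsrv3.com"));                 // genuine token
        string swapped = Convert.ToBase64String(Encoding.UTF8.GetBytes("https://other.example/")) + "." + token.Split('.')[1];
        Console.WriteLine(Verify(swapped, "idsrv3.com") == null);       // payload swapped, MAC kept
    }
}
```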
Hi Dominick,
I have done an integration between Microsoft ADFS 2.0 and Thinktecture 2.1. Would you be able to comment if there is any support for that capability currently or in the future? Or if you know of anyone that has done this yet? Any information regarding this topic would be highly appreciated.
Thanks!
Jason
What do you mean by integration? As in adding ADFS as an identity provider in IdSrv?
Does IdSrv v3 now remove the need for AuthSrv? I noticed in following the videos that I can put claims in using the Identity Manager and this would work even when I authenticate via a third party (Google, Twitter, Facebook), so it seems AuthSrv is now an extra step. Is that correct?
Once IdSrv3 is ready – it will replace AS.
Hi Dominick,
You guys have done a great job on IdSrv3 and I cannot wait for the next release and to see the product grow. Although the product is just a first preview, it really helps out a lot. There is one thing missing that I do really need now and that is the support for refresh tokens. Do you perhaps have a sample (C#) that you could share, that shows how to add this support to the current bits?
Kind regards,
Xander
If I had a sample I could have implemented it myself already ;) It's a tricky topic – but pretty much next on the todo list.
IdentityServer v3 is very good for application authentication and authorization. It can easily be embedded in a .NET application.
I checked all the blogs. I didn't find how to consume IdentityServer v3 services in a Java client application. If there is any blog or link, please reply.
Use OAuth2/OpenID Connect – no libraries required.
http://openid.net/specs/openid-connect-core-1_0.html
How to use two-factor authentication in IdentityServer v3?
This is not implemented yet. Please use the github issue tracker for questions and timeline.
Hi Dominick,
How can we use IdentityServer v3 for securing a WCF service?
Is there any link or example for this?
We don’t support WS-Trust anymore.
And what is the preferred way to secure an existing WCF service then? Use IdentityServer v2? Convert the WCF Service to Web API?
Regards,
Markus
V2 works fine for WCF.
All the download links of previous versions on http://thinktecture.github.io/Thinktecture.IdentityServer.v2/downloads/ are broken. Is there a new place to get the binaries for v2?
Thanks!
https://github.com/thinktecture/Thinktecture.IdentityServer.v2/releases
Hi, is v3 production safe, or do you strongly advise not to use v3, and maybe go with v2 or so?
Thanks,
Alin
It is beta right now – check the milestones on github for further timing.
Hi! Can v3 support the “Solution #3 — IdentityServer’s ADFS password” from the below page?
http://brockallen.com/2013/04/14/getting-json-web-tokens-jwts-from-adfs-via-thinktecture-identityservers-adfs-integration/
Please use the github issue tracker.
Hi Dominick,
I have been working on Thinktecture IdentityManager for a couple of weeks. I'm going through the source code downloaded from GitHub. What I see:
I'm able to create a user successfully on the local system using the IdentityManager GUI. But when I try to log in with the same UID and password, it doesn't allow me to log in and throws the error message “Invalid username or password”. I tried to find the source code for this, but didn't find it in the project. Please help me to solve this issue.
Any information regarding this topic would be highly appreciated.
Thanks!
Shyam
Hi,
Please use the GitHub issue tracker for questions. Thanks!
Any traction on an Admin UI for ID3?
No – not really. Github is the better place to discuss this.