Announcing IdentityServer for ASP.NET 5 and .NET Core

Over the last couple of years, we’ve been working with the ASP.NET team on the authentication and authorization story for Web API, Katana and ASP.NET 5. This included the design around claims-based identity, authorization and token-based authentication.

In the Katana timeframe we also reviewed the OAuth 2.0 authorization server middleware (and the templates around it) and weren’t very happy with it. But as usual, there were deadlines and Web API needed a token-based security story, so it shipped the way it was.

One year ago the ASP.NET team decided to discontinue that middleware and rather focus on consuming tokens instead. They also asked us if IdentityServer can be the replacement going forward.

By that time there were many unknowns – ASP.NET was still in early betas and literally changing every day. Important features like x-plat crypto (and thus support for JWT) weren’t even existing. Nevertheless, we agreed that we will port IdentityServer to ASP.NET 5 and .NET Core once the builds are more stabilized.

With RC1 (and soon RC2), we decided that now would the right moment in time to start porting IdentityServer – and here it is: IdentityServer4 (github / nuget / samples)

What’s new
When we designed IdentityServer3, one of our main goals was to be able to run self-hosted. At that time MVC was tied to IIS so using it for our default views was not an option. We weren’t particularly keen on creating our own view engine/abstraction, but that’s what needed to be done. This is not an issue anymore in ASP.NET 5, and as a result we removed the view service from IdentityServer4.

In IdentityServer4 you have full control over all UI aspects – login, consent, logoff and any additional UI you want to show to your user. You also have full control over the technology you want to use to implement that UI – it will be even possible to implement the UI in a completely different web application. This would allow adding OAuth 2.0 / OpenID Connect capabilities to an existing or legacy login “application”.

There will be also a standard UI that you can simply add as a package as well as templates to get you started.

Furthermore, IdentityServer4 is a “real” ASP.NET 5 application using all the standard platform facilities like DI, Logging, configuration, data protection etc, which means you have to learn less IdentityServer specifics.

What’s not new
Everything else really – IdentityServer4 has (or will have) all the features of IdentityServer3. You still can connect to arbitrary user management back-ends and there will be out of the box support for ASP.NET Identity 3.

We still provide the same architecture focused modelling around users, clients and scopes and still shield you from the low level details to make sure no security holes are introduced.

Database artifacts like reference or refresh tokens are compatible which gives you a nice upgrade/migration story.

Next steps
We will not abandon IdentityServer3 – many people are successfully using it and are happy with it (so are we). We are also aware that not everybody wants to switch its identity platform to “the latest thing” but rather wait a little longer.

But we should also not forget that IdentityServer3 is built on a platform (Katana) which Microsoft is not investing in anymore – and that also applies to the authentication middleware we use to connect to external providers. ASP.NET 5 is the way forward.

We just published beta1 to nuget. There are still many things missing, and what’s there might change. We also started publishing samples (link) to showcase the various features. Please try them out, give us feedback, open issues.

Around the RC2 timeframe there will be also more documentation showing up in our docs as and the ASP.NET documentation site. At some point, there will be also templates for Visual Studio which will provide a starting point for common security scenarios.

IdentityServer3 was such a great success because of all the good community feedback and contributions. Let’s take this to the next level!

This entry was posted in ASP.NET, IdentityServer, OAuth, OpenID Connect, Uncategorized, WebAPI. Bookmark the permalink.

79 Responses to Announcing IdentityServer for ASP.NET 5 and .NET Core

  1. Alexey Aouslender says:

    You mentioned that Microsoft not investing in Katana any more ,isn’t it the major goal of ASP.NET 5 version to replace old System.web infrastructure with OWIN ( Katana project)?

  2. dotnetchris says:

    “We will not abandon IdentityServer3 – many people are successfully using it and are happy with it (so are we). ”

    Much kudos. So many projects abandon users who are on V-1.

  3. Lutando says:

    This is really awesome! We actually are IDS3 2.2.x in ASPNET5 and it works pretty well even in production (we started building in beta7, made the journey all the way through to RC). All the interfaces look the same so porting looks like it wont be too bad except for the CustomViewService?

  4. Abubakar says:

    Great Dominick This is what I was waiting for :D let me dig into it Thanks to All Gurus :D

  5. This sounds great! Will this make it easier to use Windows Auth/AD as a provider as well?

    • Heath Yates says:

      I second this question. Any reply please?

      • Not sure what you mean with “easier” – we have the windows authentication service that we use successfully.

        There might be new opportunities with the new IIS platform handler. But this is a bit up in the air right now (like many other details of asp.net core). It will def be Windows only.

  6. Misha says:

    Hi Dominick,
    Will you update your Workshop on DEV-Intersection to include this new development?
    Will this be a hands-on training?
    Looking forward to seeing you in Florida!

  7. Paw says:

    Do you have any idea about final release date? Spring, summer, fall… ?

  8. Abubakar says:

    Hi Dominick !

    I have to use IdentityServer4 with Asp.net Identity3. As you mentioned it has out of box support for Identity3 but don’t know how to make it work? can you please guide me ?

    • Martin says:

      Hi Abubakar, i’m also waiting for this feature. But as far as he mentioned there “will be” out of the box support for ASP.net v3 instead of already is.

      Regards
      Martin

      • Abubakar says:

        Oh, I see, Alright :)

        But as far as “arbitrary user management” is concerned, I am still not able to use Users from a DB table regardless of AspNet Identity. Because I couldn’t find “IdentityServerServiceFactory” (used in IdentityServer3 samples to register IUserService) in IdentityServer4.

        So “arbitrary user management” is added or will be added ?, I am confused. Because there is written “You still can connect to arbitrary user management back-ends”

        So we are able to achieve the goal ? or we will be able to achieve?

  9. Hi Dominic,

    Firstly, IdentityServer4 is an outstanding contribution. “Most excellent”!

    I was wondering if the Thinkecture team have tried deploying IdentityServer4 onto the Linux platform using the docker integration that comes with Asp.NET 5 / MVC 6 / dnx?

    Thanks in advance,
    Michael McD.

    • We haven’t tried it yet since we are focusing on the code right now. But give it a try and let us know!

      • FYI: Got it running in a Docker container on an Ubuntu Linux VM. It’s issuing tokens to my .Net and Node client apps now.

        The only change (apart from creating the Dockerfile) was to the Host’s project.json file:

        “commands”: {
        “web”: “Microsoft.AspNet.Server.Kestrel –server.urls http://*:5000/
        },
        i.e. adding the server and port parameters.

        Michael McD.

  10. great. thanks for letting me know!

  11. Sam Jost says:

    I’m new to identityserver, which docs should I read to get started using v4 with asp.net5?

  12. Bobby Dowling says:

    Appreciate it!

  13. @Abubakar – you can today. Check the samples. It is not fully done yet but totally possible. I would also suggest to move this discussion to the github issue tracker.

  14. Hi
    How can i go about using custom user from DB ? CORS ?
    I am missing IdentityServerServiceFactory from which UserService , CorsPolicyService are used

    Thanks

  15. Hi Dominick

    Will Identity server 4 support mixed mode (Windows, Individual User Account & Social Logins) authentication?

    Thanks

  16. Michael McD. says:

    Hi Dominic,
    Quick question: where might I go to find documentation describing how to implement SSO using OpenID Connect, ideally based upon the Thinnktecture AG IdentityServer4v 4?
    Thanks in advance,
    Michael McDowwell

  17. Venkat says:

    Is there a document on how to run the IdentityServer4 samples? I am trying to look at flow:
    User to Server1 to Server2. User token/credentials/claims should flow to Server2

  18. Venkat says:

    Thank you Dominick. I will go through the Identityserver3 docs. I could not able to run SampleApi in Client4 solution in VS 2015, looks like I need to host this in IIS.
    Another question: Does IdentityServer4 supports On Behalf flow?

  19. Venkat says:

    Ok, we will discuss further “on behalf on / act as” later.
    On running samples, I am getting the following message (I tried the SampleApi project)

    The selected debug option is IIS Express but this project is not a web project. To use IIS Express you need to add the wwwroot attribute to project.json

    So is there a problem with project.json file deployed with samples?

  20. Venkat says:

    Sure Dominick, I moved this disc to github (posted this as an issue). Yes I am using RC1-Update1.
    Please check it.

  21. Greg says:

    if there a sample to run the identity server 4 on a asp.net core mvc web application? I am trying to have 1 project that has it all and allows cookies on mvc side.
    It only creates session cookies for idsrv – I want to create a persisted cookie when I SignInAsync on that authentication type.

    Am I missing tsomething – it seems to be ignoring the cookie options I am setting

    My startup in configservices
    //setup for IdentityServer Service Component Middleware
    //setup signing cert
    var cert = new X509Certificate2(Path.Combine(_appEnv.ApplicationBasePath + @”\Infrastructure\IdentityServer\Cert”, “idsrv4test.pfx”), “idsrv3test”);

    var cookieopt = new CookieAuthenticationOptions
    {
    AutomaticAuthenticate = true,
    AutomaticChallenge = true,
    AuthenticationScheme = IdentityServer4.Core.Constants.PrimaryAuthenticationType,
    CookieDomain = “/”,
    CookieHttpOnly = true,
    CookieName = “TestCookie”,
    LoginPath = “/Account/Login”,
    LogoutPath = “/Account/Logout”,
    SlidingExpiration = true,
    ExpireTimeSpan = TimeSpan.FromMinutes(4)

    };
    var builder = services.AddIdentityServer(options =>
    {
    options.SigningCertificate = cert;
    options.SiteName = “Test Site”;
    options.AuthenticationOptions.CookieAuthenticationOptions = cookieopt;
    });
    builder.AddInMemoryClients(Clients.Get());
    builder.AddInMemoryScopes(Scopes.Get());
    builder.AddInMemoryUsers(Users.Get());

    In Configure
    app.UseIdentityServer();

  22. I am using the latest version of identity server 4 beta 1 update 1 (from beta 1)
    my code breaks…
    No UserServiceBase class for DB authetication ?

  23. RD says:

    Hi Dominic,
    Is there any guidence (even for Identity Server 3 would do right now) on how to
    – Connect with custom identity providers
    – Creating a custom identity provider or Making sure that Identity Server can talk to an already existing Identity Provider (SAML based)

  24. dagimf says:

    Hi Dominick, I have been using identity server 3, with membership reboot, and its awesome. I was wondering if membership reboot integration is possible with identity server 4, at this moment or should i wait.

  25. danixen says:

    Hey, i’m trying to run it in a Docker container, but im having a hard time. Any help with it?
    Thanks

  26. Google? or ask on the issue tracker / SO

  27. Dominick,

    I have been reading your blog a lot lately trying to understand open id connect/oauth but truthfully I have been struggling even with what direction to go down.

    The code base is Angular 2 front end, with ASP.net Core API. I want my users to login via google or facebook (eventually to pull their friends list down). Obviously I don’t want to store any usernames/password but I would need to access data stored to their account (so I would need a UserId of some sort to build on top of).

    This seems overall like a simple idea but I can’t find any examples or guides. All the examples I see are creating your own Oauth server (which I don’t need), or logging into google/facebook via a cookie(which doesn’t sound like the right approach since I will be using Angular and an API).

    Do you have any quick tips or suggestions? Identity server seems like overkill but maybe I am wrong.

    Thank you so much for the blog and reading this!

    • Well – the issue is, this is not a simple scenario.

      I would use identityserver.

      • Dominick, I just wanted to say thanks. I had struggled making any progress on this for months (its just a fun/side project). I am also new to C# in general. However I learned a ton about open id connect, oauth and security in general. But your comment and just flat out saying what I was doing “was not a simple scenario” made me feel much better. I did end up going Identity server 3 not 4 but Identity server made everything so much easier! I am not fully done… need to figure out if I am using refresh tokens correctly :-p But overall using identity server just made things so much easier!

        Again thank you so much for taking the time out of your day to reply and send me a helpful link! I don’t know how you make time for it all but I did want to show you my appreciation for your help and let you know I was successful.

  28. Venkat says:

    Hi Dominick,
    one question on “we will port IdentityServer to ASP.NET 5 and .NET Core”
    What do you mean by porting IdentityServer to ASP.NET 5 and .NET core?
    You mean IdentityServer would available as part of the ASP.NET 5? or .NET Framework?
    Actually Identity Server is like an STS, nothing specific to web applications, right? I should be able to use IdentityServer with web, windows or any kind of application and get the token and claims.
    Would like to get more details on the IdentityServer and ASP.NET 5 relation.

  29. Venkat says:

    Thanks for reply Dominick. I am wondering why MS is not providing this middleware as out of the box software. I am looking for support on validating the usage of IdentityServer in our product. I have the POC done, but not quite sure though whether we are doing it right way. For example, I am still figuring out how to validate the token… first of all is it required to validate it explicitly?
    Is there any other support available apart from support forums? Thanks.

  30. drobertson123 says:

    Thanks for IdentityServer4, really great stuff.
    Can you give us some guidance on how the shift to CLI for ASP.NET Core RC2 might be affecting the delivery schedule for IdentityServer4. Are you waiting for clarity about ASP.NET CLI and RC2 before you can make further progress or will we be seeing some new beta releases soon?
    I understand that the shift at MS away from dnx is causing lots of ripples, just looking to get a little sense of how much it has affected you guys.
    Thanks for all the work.

    • Our plan is to ship close to the date asp.net core ships. Given the changes that will happen in RC2 – we will have to wait until that is released first.

      • drobertson123 says:

        Understood. I figured that was the case. Hopefully, for everyone, we will get some clarity on RC2 fairly soon and we can all get going. I am looking forward to your next release.
        Keep it coming as soon as you can.

  31. Felix says:

    This week marks four months since this post, with no follow-up. And while there are samples, those are better suited for people familiar with IdentityServer 3. For teams (like ours) that migrate from legacy WebForms application with legacy membership database to ASP.NET Core / AngularJS, absence of even the most trivial User-Agent flow tutorial is quite frustrating. “Hello, Authenticated User – Logout, Authenticated User” is all we ask!
    Oh, well – I hope you are timing opening the floodgate to the release of RC2. For now, we are just mocking the authentication :sigh:

    • This almost sounds a little bit like I am responsible for teaching you how things work?! You might have the wrong expectations.

      We have a lot of samples and docs for released and supported technologies – aka IdentityServer3 and Katana. We had more important things to do than keeping up with the changes to AspNetCore in the last months.

      If you want to use bleeding edge technology than you have to figure out things yourself – deal with it.

      • Felix says:

        Thank you. Very illuminating.

      • Khuzema says:

        Whats wrong in you teaching us? why not a updated Pluralsight course for IdentityServer4? Don’t you think?

      • There is nothing wrong with that. When I have the time I will do it.

        But how about finishing IdentityServer4 first, before thinking about training? Btw – we run several workshops across the year in both Europe and the US.

  32. Alex says:

    Could we use identity server 4 with Windows authentication in same way as it was possible with Identity Server 3? Thanks!

    • No – because WS-Fed is not supported in ASP.NET core (yet). Windows auth coordination works slightly different now due to the changes to IIS hosting. I haven’t looked into it yet.

      • Alex says:

        Thanks – we just started working on new Portal with Angular 2.0 front end and ASPNET Core Web API. We are planning to use Identity Server 4 as it would allow as to use ASPNET Core everywhere. We need WS-FED for windows authentication of internal users and identity server for external users. Would you recommend us to wait till windows authentication will be support in Identity Server 4 or just use Identity Server 3 at this time? Going to Identity Server 3 is just a step back but it could be the only choice now. How other people are moving into this direction? Thanks!

  33. WS-Fed is not a requirement for Windows authentication – it is just how IdentityServer3 handled it. As I said I haven’t looked into Windows AuthN for ASP.NET Core yet.

  34. G says:

    Hi,

    Is ScopeAuthorize attribute works for identity server 4?

  35. Laurence says:

    Does anyone know where I can get more information or documentation specifically about being able to implement the Login in a different web application to specifically support legacy or existing applications

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s