Get best of the week

IdentityServer4. Basic concepts. OpenID Connect, OAuth 2.0, and JWT

With this post I want to open an article thread dedicated to IdentityServer4. We start with the basic concepts.


The most promising authentication protocol currently is OpenID Connect , and OAuth 2.0 is the authentication (granting) protocol . IdentityServer4 implements these two protocols. It is optimized for common security problems .


OpenID Connect is a protocol and authentication standard, it does not give access to resources (Web API), but since it was developed on top of the OAuth 2.0 authorization protocol , it allows you to get user profile parameters as if you had access to the UserInfo resource .

JWT (JSON Web Token) is a web standard that defines a method for transmitting user data in JSON format in encrypted form.

OAuth 2.0 (RFC 6749) is a protocol and authorization standard. It allows applications to access secure resources, such as the Web API.

Take a look at the diagram of accessing a protected resource and deal with the main steps and accepted terminology:


is4


  1. . β€” . β€” Web API.


  2. User , , . . User ( ) β€” , , , (username) (password);


  3. IdentityServer4 (client_id, client_secret), (username, password) grant_type scope. ( ).


    OAuth 2.0 , , . client_id client_secret.
    lient_id β€” , IdentityServer4 .
    client_secret IdentityServer4. API. IdentityServer4 .

  4. , IdentiryServer4 access- ( ) (refresh-). . , .


  5. Web API, . 401, 403 498, , , .


  6. , Web API .




IdentityServer4 IdentityServer4 identity-, access- refresh-.


  • identity- ( ) β€” . , . .
  • access- ( ) β€” API ( ) .
  • refresh- ( ) β€” , .

:


Authenticatation Server Url β€” . URL-.


Resource Url β€” URL- , , , .



POST IdentityServer4


'Content-Type': 'application/x-www-form-urlencoded',
'Accept': 'application/json',
'Expect': '100-continue'

:


'grant_type' : 'password',
'username' : login,
'password' : password,
'scope' : 'scope',
'client_id' : 'client_id',
'client_secret' : '{client_secret}'

username, password, client_id client_secret . :


grant_type β€” . , , API. password, OAuth 2.0 ( ).


OAuth 2.0 :


  • (authorization code). , .. (server-side applications), ;
  • (implicit). -, ;

, :


  • (resource owner). , . , . , OAuth 2.0.
  • . API. , , URI , , , API .

scope β€” . . , , , . .. scope scope . scope (, )

More articles:


All Articles