Identity Server 4-hybrid Flow-Protect API Resources

Source: Internet
Author: User

This article series describes the Hybrid Flow for IdentityServer4. The earlier articles cover protecting an MVC client; this one covers protecting API resources.

Articles on protecting the MVC client: https://www.cnblogs.com/cgzl/p/9253667.html, https://www.cnblogs.com/cgzl/p/9268371.html

Related code: https://github.com/solenovex/Identity-Server-4-Tutorial-Code, the part under 03.

Review of the Hybrid Flow

A review of the flow this project uses:

The parties are the IDP (Identity Provider, in my case the project built with IdentityServer4) and the client (in my case the MVC client).

After the flow completes, the MVC client holds an access token. Once the MVC client has validated the tokens it received, it can present the access token to the protected API, and the API validates the access token again on its own side; the client's checks never replace that server-side validation.

Protecting the API

First, in the IDP, add a method that returns the ApiResource list:

Like an IdentityResource, an ApiResource defines API-related scopes; in IdentityServer4 the ApiResource name is also the scope name a client has to request.

In the client configuration, add this ApiResource name to the client's AllowedScopes:

Finally, in the IDP Startup, register the ApiResources:

Now switch to the MVC client, which needs to request the scope added above:

Finally, in the API project, first make sure it uses HTTPS:

The API project also needs the IdentityServer4.AccessTokenValidation package, which can be installed through NuGet.

After installation, it also needs to be configured (official document: https://identityserver4.readthedocs.io/en/release/quickstarts/1_client_credentials.html#adding-an-api):

IdentityServerAuthenticationDefaults.AuthenticationScheme is simply the string "Bearer", and that is the scheme used here.

The AddIdentityServerAuthentication() method registers the handler that validates the access token. Authority is the IDP's URI (its discovery document supplies the signing keys), and ApiName is the name of the API resource configured in the IDP, which the handler requires to appear in the token's audience.

In the Startup Configure method, authentication also needs to be added to the pipeline:

Make sure UseAuthentication is called before UseMvc; otherwise the controllers run before the token is ever read and see an anonymous user.

I use a filter in the API project to apply authorization to all controllers:

Of course, you can also put [Authorize] on a specific controller or action instead:

Either way, access to the country resource now requires authorization.
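The whole procedure above, collected into one place as an added example (this is not the tutorial's own code). It assumes the IDP listens at https://localhost:5000, the API at https://localhost:5001 and the MVC client at https://localhost:5002, a client id of "mvcclient", and "restapi" as the API resource name; all of those are assumptions.

```csharp
// Added example, not the tutorial's code. Assumed: IDP at https://localhost:5000,
// API at https://localhost:5001, MVC client at https://localhost:5002,
// client id "mvcclient", API resource / scope name "restapi".
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.AccessTokenValidation;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.DependencyInjection;

// ---- IDP project: Config.cs ----
public static class Config
{
    // The ApiResource name is also the scope name the client must request.
    public static IEnumerable<ApiResource> GetApiResources() =>
        new List<ApiResource> { new ApiResource("restapi", "Country REST API") };

    public static IEnumerable<Client> GetClients() =>
        new List<Client>
        {
            new Client
            {
                ClientId = "mvcclient",
                ClientName = "MVC Client",
                AllowedGrantTypes = GrantTypes.Hybrid,
                ClientSecrets = { new Secret("secret".Sha256()) },   // demo secret only
                RedirectUris = { "https://localhost:5002/signin-oidc" },
                PostLogoutRedirectUris = { "https://localhost:5002/signout-callback-oidc" },
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "restapi"   // without this the IDP rejects the client's request for the API scope
                }
            }
        };
}

// ---- IDP project: Startup.ConfigureServices (only the relevant lines) ----
public class IdpStartup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddDeveloperSigningCredential()          // development only; use a real key in production
            .AddInMemoryApiResources(Config.GetApiResources())
            .AddInMemoryClients(Config.GetClients());
        // AddInMemoryIdentityResources / AddTestUsers as in the earlier articles
    }
}

// ---- MVC client: inside AddOpenIdConnect(options => { ... }) ----
//     options.Scope.Add("restapi");
//     options.SaveTokens = true;   // lets the Contact action read the access token back later

// ---- API project: Startup ----
public class ApiStartup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme) // "Bearer"
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "https://localhost:5000"; // the IDP; discovery doc supplies signing keys
                options.ApiName = "restapi";                 // must appear in the token's aud claim
                options.RequireHttpsMetadata = true;         // never relax this outside local development
            });

        // Require an authenticated caller on every controller; opt out per action with [AllowAnonymous].
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();
        services.AddMvc(options => options.Filters.Add(new AuthorizeFilter(policy)));
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication(); // must come before UseMvc, or controllers see an anonymous user
        app.UseMvc();
    }
}
```

The global AuthorizeFilter is the safer default: a new controller added later is protected unless someone explicitly opts it out, whereas per-controller attributes are easy to forget.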

Back in the MVC client, call the country API resource in the Home controller's Contact action:

First test the case where no access token is sent when accessing the protected country resource. Run it again, and the user consent page now lists the API resource name just configured:

When the Contact page is opened, the response says the request is not authorized:

Use the method described earlier to get the access token and set the Authorization header to "Bearer [access token]":

Modify the Contact page to show the access token:

Run it again, and the country resource data is returned:
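The Contact action described above, written out as an added example (not the tutorial's code). It assumes the API endpoint https://localhost:5001/api/countries and that AddOpenIdConnect in the MVC client was configured with SaveTokens = true, so the access token can be read back from the authentication cookie; the Bearer header is set with plain .NET here, which is what IdentityModel's SetBearerToken helper does internally.

```csharp
// Added example, not the tutorial's code. Assumes the API listens at
// https://localhost:5001/api/countries and that AddOpenIdConnect was configured
// with SaveTokens = true so the access token is stored with the authentication cookie.
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;             // HttpContext.GetTokenAsync
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Protocols.OpenIdConnect; // OpenIdConnectParameterNames

public class HomeController : Controller
{
    // One shared instance; in a real app inject IHttpClientFactory instead.
    private static readonly HttpClient ApiClient = new HttpClient();

    [Authorize]
    public async Task<IActionResult> Contact()
    {
        // The access token the hybrid flow obtained from the IDP's token endpoint.
        var accessToken = await HttpContext.GetTokenAsync(OpenIdConnectParameterNames.AccessToken);

        var request = new HttpRequestMessage(HttpMethod.Get, "https://localhost:5001/api/countries");
        // Authorization: Bearer <access token>
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        var response = await ApiClient.SendAsync(request);

        // 401: token missing, expired, badly signed or wrong audience.
        // 403: token accepted, but the caller lacks the required role.
        if (response.StatusCode == HttpStatusCode.Unauthorized ||
            response.StatusCode == HttpStatusCode.Forbidden)
        {
            ViewData["Error"] = $"{(int)response.StatusCode} {response.ReasonPhrase}";
            return View();
        }
        response.EnsureSuccessStatusCode();

        ViewData["AccessToken"] = accessToken;   // displayed only for the tutorial; never expose tokens in a real page
        ViewData["Countries"] = await response.Content.ReadAsStringAsync();
        return View();
    }
}
```

If GetTokenAsync returns null, SaveTokens was not enabled on the OpenID Connect handler; the API will then answer 401 exactly like the "no token" test above.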

Access Token

Go to jwt.io to decode the access token:

Look at the aud (audience) claim: it has two values. The first is the IDP's own resource (used when calling the userinfo endpoint), and the second is the API project.

This claim states that the access token is intended for both of them.

The "restapi" in scope corresponds to the "restapi" in aud, so this token may be used to access our "restapi"; the API's ApiName check is exactly a check on this aud value.

Scopes such as "profile" correspond to the other aud value; they are identity scopes served by the IDP itself.

The access token now carries these claims and the API can read them, but sometimes the API also needs claims about the user's identity, such as the user's name or role.

Modify the ApiResource configuration in the IDP to list the user claims the API wants included in its access tokens:

Check the token again and you can see the two claims just added:

The role claim is recognized as a role by the API, so if I set the permission on the API action like this:

the user Nick can get the country data, while Dave gets 403 Forbidden:
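The user-claims configuration, the role-restricted action and a code equivalent of pasting the token into jwt.io, as one added example (not the tutorial's code). It assumes an in-memory TestUser store with a user "Nick" holding the role "Admin" and a user "Dave" with no role claim; the usernames, passwords, subject ids and the role name "Admin" are all assumptions.

```csharp
// Added example, not the tutorial's code. Assumes in-memory test users "nick"
// (role Admin) and "dave" (no role); the role name "Admin" is an assumption.
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using IdentityModel;                       // JwtClaimTypes
using IdentityServer4.Models;
using IdentityServer4.Test;                // TestUser
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// ---- IDP: ApiResource that asks for user claims to be copied into its access tokens ----
public static class ApiConfig
{
    public static IEnumerable<ApiResource> GetApiResources() =>
        new List<ApiResource>
        {
            // third argument: user claim types included in access tokens issued for this API
            new ApiResource("restapi", "Country REST API",
                new[] { JwtClaimTypes.Name, JwtClaimTypes.Role })
        };

    public static List<TestUser> GetUsers() =>
        new List<TestUser>
        {
            new TestUser
            {
                SubjectId = "1", Username = "nick", Password = "password",
                Claims = { new Claim(JwtClaimTypes.Name, "Nick"), new Claim(JwtClaimTypes.Role, "Admin") }
            },
            new TestUser
            {
                SubjectId = "2", Username = "dave", Password = "password",
                Claims = { new Claim(JwtClaimTypes.Name, "Dave") }   // no role claim at all
            }
        };
}

// ---- API: role check on the action ----
[Route("api/[controller]")]
public class CountriesController : Controller
{
    // IdentityServer4.AccessTokenValidation uses "role" as the role claim type by default,
    // so Roles = "Admin" matches the token's role claim. Nick -> 200 OK, Dave -> 403 Forbidden.
    [HttpGet]
    [Authorize(Roles = "Admin")]
    public IActionResult Get() => Ok(new[] { "China", "Germany", "Japan" });
}

// ---- What jwt.io shows, done in code ----
public static class TokenInspector
{
    // Decodes WITHOUT validating the signature: fine for display, never for an authorization decision.
    public static string Describe(string accessToken)
    {
        var jwt = new JwtSecurityTokenHandler().ReadJwtToken(accessToken);
        var audiences = string.Join(", ", jwt.Audiences);   // e.g. https://localhost:5000/resources, restapi
        var scopes = string.Join(" ", jwt.Claims.Where(c => c.Type == "scope").Select(c => c.Value));
        var roles = string.Join(", ", jwt.Claims.Where(c => c.Type == JwtClaimTypes.Role).Select(c => c.Value));
        return $"aud=[{audiences}] scope=[{scopes}] role=[{roles}]";
    }
}
```

Note the division of labour: the IDP decides which user claims go into the token (the ApiResource's claim list), the API decides what those claims are allowed to do (the Roles check). Adding a claim to the token without a corresponding check on the API changes nothing about access.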
