This repository was archived by the owner on Dec 24, 2020. It is now read-only.

OpenID Connect/OAuth2 server framework for OWIN/Katana and ASP.NET Core


aspnet-contrib/AspNet.Security.OpenIdConnect.Server


⚠️ This project has been merged into OpenIddict. For more information, read Introducing OpenIddict 3.0 beta1.

AspNet.Security.OpenIdConnect.Server is an advanced OAuth2/OpenID Connect server framework for both ASP.NET Core 1.x/2.x and OWIN/Katana 3.x/4.x, designed to offer a low-level, protocol-first approach.

The latest official release can be found on NuGet and the nightly builds on MyGet.


Get started

Based on OAuthAuthorizationServerMiddleware from Katana, AspNet.Security.OpenIdConnect.Server exposes similar primitives and can be directly registered in Startup.cs using the UseOpenIdConnectServer extension method:

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication().AddOpenIdConnectServer(options =>
        {
            // Enable the token endpoint.
            options.TokenEndpointPath = "/connect/token";

            // Implement OnValidateTokenRequest to support flows using the token endpoint.
            options.Provider.OnValidateTokenRequest = context =>
            {
                // Reject token requests that don't use grant_type=password or grant_type=refresh_token.
                if (!context.Request.IsPasswordGrantType() && !context.Request.IsRefreshTokenGrantType())
                {
                    context.Reject(
                        error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
                        description: "Only grant_type=password and refresh_token " +
                                     "requests are accepted by this server.");

                    return Task.CompletedTask;
                }

                // Note: you can skip the request validation when the client_id
                // parameter is missing to support unauthenticated token requests.
                // if (string.IsNullOrEmpty(context.ClientId))
                // {
                //     context.Skip();
                //
                //     return Task.CompletedTask;
                // }

                // Note: to mitigate brute force attacks, you SHOULD strongly consider applying
                // a key derivation function like PBKDF2 to slow down the secret validation process.
                // You SHOULD also consider using a time-constant comparer to prevent timing attacks.
                if (string.Equals(context.ClientId, "client_id", StringComparison.Ordinal) &&
                    string.Equals(context.ClientSecret, "client_secret", StringComparison.Ordinal))
                {
                    context.Validate();
                }

                // Note: if Validate() is not explicitly called,
                // the request is automatically rejected.
                return Task.CompletedTask;
            };

            // Implement OnHandleTokenRequest to support token requests.
            options.Provider.OnHandleTokenRequest = context =>
            {
                // Only handle grant_type=password token requests and let
                // the OpenID Connect server handle the other grant types.
                if (context.Request.IsPasswordGrantType())
                {
                    // Implement context.Request.Username/context.Request.Password validation here.
                    // Note: you can call context.Reject() to indicate that authentication failed.
                    // Using password derivation and time-constant comparer is STRONGLY recommended.
                    if (!string.Equals(context.Request.Username, "Bob", StringComparison.Ordinal) ||
                        !string.Equals(context.Request.Password, "P@ssw0rd", StringComparison.Ordinal))
                    {
                        context.Reject(
                            error: OpenIdConnectConstants.Errors.InvalidGrant,
                            description: "Invalid user credentials.");

                        return Task.CompletedTask;
                    }

                    var identity = new ClaimsIdentity(context.Scheme.Name,
                        OpenIdConnectConstants.Claims.Name,
                        OpenIdConnectConstants.Claims.Role);

                    // Add the mandatory subject/user identifier claim.
                    identity.AddClaim(OpenIdConnectConstants.Claims.Subject, "[unique id]");

                    // By default, claims are not serialized in the access/identity tokens.
                    // Use the overload taking a "destinations" parameter to make sure
                    // your claims are correctly inserted in the appropriate tokens.
                    identity.AddClaim("urn:customclaim", "value",
                        OpenIdConnectConstants.Destinations.AccessToken,
                        OpenIdConnectConstants.Destinations.IdentityToken);

                    var ticket = new AuthenticationTicket(
                        new ClaimsPrincipal(identity),
                        new AuthenticationProperties(),
                        context.Scheme.Name);

                    // Call SetScopes with the list of scopes you want to grant
                    // (specify offline_access to issue a refresh token).
                    ticket.SetScopes(
                        OpenIdConnectConstants.Scopes.Profile,
                        OpenIdConnectConstants.Scopes.OfflineAccess);

                    context.Validate(ticket);
                }

                return Task.CompletedTask;
            };
        });
    }

Note: in order for the OpenID Connect server to work properly, the authentication middleware must be registered in the ASP.NET Core 2.0 pipeline:

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication();
    }

Note: the AspNet.Security.OpenIdConnect.Server 2.x packages are only compatible with ASP.NET Core 2.x. If your application targets ASP.NET Core 1.x, use the AspNet.Security.OpenIdConnect.Server 1.x packages.
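The comments in the ConfigureServices sample recommend a key derivation function such as PBKDF2 and a time-constant comparer instead of the plain string.Equals checks. The following is an added example, not code from this project: ClientSecretHasher, its "iterations.salt.hash" record format and the 100,000 iteration default are assumptions made for illustration.

```csharp
using System;
using System.Runtime.CompilerServices;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Cryptography.KeyDerivation;

// Hypothetical helper (not part of AspNet.Security.OpenIdConnect.Server).
// Record format chosen for this example: "<iterations>.<salt b64>.<hash b64>".
public static class ClientSecretHasher
{
    private const int SaltSize = 16, HashSize = 32;

    // Call once when the client is registered and store only the returned record.
    public static string Hash(string secret, int iterations = 100_000)
    {
        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt);
        }

        var hash = KeyDerivation.Pbkdf2(secret, salt, KeyDerivationPrf.HMACSHA256, iterations, HashSize);
        return $"{iterations}.{Convert.ToBase64String(salt)}.{Convert.ToBase64String(hash)}";
    }

    // Re-derives the hash from the presented secret and compares it in constant time.
    // The record comes from the server's own store, so malformed base64 is left to throw.
    public static bool Verify(string secret, string record)
    {
        var parts = (record ?? string.Empty).Split('.');
        if (string.IsNullOrEmpty(secret) || parts.Length != 3 ||
            !int.TryParse(parts[0], out var iterations) || iterations < 1)
        {
            return false;
        }

        var salt = Convert.FromBase64String(parts[1]);
        var expected = Convert.FromBase64String(parts[2]);
        var actual = KeyDerivation.Pbkdf2(secret, salt, KeyDerivationPrf.HMACSHA256, iterations, expected.Length);
        return FixedTimeEquals(actual, expected);
    }

    // Accumulates differences over every byte so the running time does not
    // depend on the position of the first mismatch.
    [MethodImpl(MethodImplOptions.NoInlining | MethodImplOptions.NoOptimization)]
    private static bool FixedTimeEquals(byte[] left, byte[] right)
    {
        if (left.Length != right.Length) return false;
        var diff = 0;
        for (var i = 0; i < left.Length; i++) diff |= left[i] ^ right[i];
        return diff == 0;
    }
}
```

In OnValidateTokenRequest, the comparison on context.ClientSecret would become ClientSecretHasher.Verify(context.ClientSecret, storedRecord), with storedRecord loaded for context.ClientId. Running Verify against a fixed dummy record when the client_id is unknown keeps response times from revealing which client identifiers exist.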

Resources

Looking for additional resources to help you get started? Don't miss these interesting blog posts:

Samples

The samples found in the current project directory always target the latest ASP.NET Core releases and are mainly meant to ease its testing.

Official samples targeting ASP.NET Core can be found on aspnet-contrib/AspNet.Security.OpenIdConnect.Samples.

Looking for something simpler? Don't miss OpenIddict, the simple and easy-to-use OpenID Connect server for ASP.NET Core 1.x and 2.0 based on AspNet.Security.OpenIdConnect.Server.

Support

Need help or wanna share your thoughts? Don't hesitate to join us on Gitter or ask your question on StackOverflow:

Contributors

AspNet.Security.OpenIdConnect.Server is actively maintained by Kévin Chalet. Contributions are welcome and can be submitted using pull requests.

License

This project is licensed under the Apache License. This means that you can use, modify and distribute it freely. See http://www.apache.org/licenses/LICENSE-2.0.html for more details.
