This document discusses authentication and authorization standards including OAuth 2.0, OpenID Connect, and IdentityServer 4. It provides an overview of these specifications, how they relate, and how IdentityServer 4 can be used to implement authentication and authorization in ASP.NET Core applications using standards-based flows like authorization code flow and hybrid flow. Code samples and diagrams are included to demonstrate concepts like identity tokens, access tokens, and the roles of the authorization server and resource server.
7. OAuth 2.0
● Authorization Protocol
○ Delegation Protocol
● Designed for HTTP APIs
● Scoped Access
● User Authentication & Client Authentication
scottbrady91.com/OAuth/The-Wrong-Ways-to-Protect-an-API
8. (Diagram: OAuth 2.0 abstract protocol flow)
Actors: Resource Owner (User), Client Application, Authorization Server, Protected Resource (HTTP API)
Client Application → Resource Owner: Authorization Request
Resource Owner → Client Application: Authorization Grant
Client Application → Authorization Server: Authorization Grant
Authorization Server → Client Application: Access Token
Client Application → Protected Resource: Request + Access Token
Protected Resource → Client Application: Response
9. The Problems with OAuth
● Specification Issues
● Token Type (left unspecified by the spec)
● OAuth != Authentication (an access token proves delegation, not who the user is)
10. OpenID Connect
● OAuth 2.0 + Authentication
● Formalises OAuth
○ Standard Token Type
○ Standard Cryptography
○ Standard Validation
● Authorization Server becomes an Identity provider
○ Identity Resource
○ Identity Tokens
● Designed to be simple for the client
31. Next Steps
● ASP.NET Core Identity
● User Management Functionality
● identityserver.com
● scottbrady91.com
Editor's notes (speaker notes)
Identity token sent alongside access token
Intended audience is the client application
Never sent to resource
Signed by the authorization server (always a JWT), typically with RS256 (asymmetric, public-key crypto): only the private key can produce the signature; the public key, which the provider publishes, can only verify it.
3 parts: header (about the token and how it is signed), body (claims), and signature
kid: key identifier (tells the client which published key to use to verify the signature)
sub: subject identifier, unique to that user at the provider; always the same for that user within that client (with pairwise identifiers it can differ between clients)
amr: authentication methods reference (how the user authenticated, e.g. password, MFA)
at_hash: access token hash (binds the identity token to the access token issued alongside it)
c_hash: authorization code hash (binds the identity token to the authorization code in the hybrid flow)