From 9e14e30552baffa5ba4cc2784b2068c6900b6312 Mon Sep 17 00:00:00 2001 From: Maarten Balliauw Date: Tue, 4 Feb 2025 20:02:19 +0100 Subject: [PATCH 1/5] Update identity-server.md to use latest documentation links --- .../cloud-native/identity-server.md | 87 +++++++++---------- 1 file changed, 41 insertions(+), 46 deletions(-) diff --git a/docs/architecture/cloud-native/identity-server.md b/docs/architecture/cloud-native/identity-server.md index 6725202e50614..4bbb3ce19f91f 100644 --- a/docs/architecture/cloud-native/identity-server.md +++ b/docs/architecture/cloud-native/identity-server.md @@ -1,7 +1,7 @@ --- title: IdentityServer for Cloud Native Apps description: Architecting Cloud Native .NET Apps for Azure | IdentityServer -ms.date: 04/06/2022 +ms.date: 04/02/2025 --- # IdentityServer for cloud-native applications 
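Review bot: the new `ms.date` value `04/02/2025` in this hunk does not follow the month-first MM/DD/YYYY convention the front matter already uses (the replaced value `04/06/2022` is month-first), so it reads as April 2, 2025 rather than the intended February 4; change it to `02/04/2025`, or to the merge date in the same format.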
@@ -26,7 +26,7 @@ Typically, applications need to support some or all of the following scenarios: In each of these scenarios, the exposed functionality needs to be secured against unauthorized use. At a minimum, this typically requires authenticating the user or principal making a request for a resource. This authentication may use one of several common protocols such as SAML2p, WS-Fed, or OpenID Connect. Communicating with APIs typically uses the OAuth2 protocol and its support for security tokens. Separating these critical cross-cutting security concerns and their implementation details from the applications themselves ensures consistency and improves security and maintainability. Outsourcing these concerns to a dedicated product like IdentityServer helps the requirement for every application to solve these problems itself. -IdentityServer provides middleware that runs within an ASP.NET Core application and adds support for OpenID Connect and OAuth2 (see [supported specifications](https://docs.duendesoftware.com/identityserver/v6/overview/specs/)). Organizations would create their own ASP.NET Core app using IdentityServer middleware to act as the STS for all of their token-based security protocols. The IdentityServer middleware exposes endpoints to support standard functionality, including: +IdentityServer provides middleware that runs within an ASP.NET Core application and adds support for OpenID Connect and OAuth2 (see [supported specifications](https://docs.duendesoftware.com/identityserver/v7/overview/specs/)). Organizations would create their own ASP.NET Core app using IdentityServer middleware to act as the STS for all of their token-based security protocols. The IdentityServer middleware exposes endpoints to support standard functionality, including: - Authorize (authenticate the end user) - Token (request a token programmatically) 
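Review bot: the unchanged context line in this hunk still reads "Outsourcing these concerns to a dedicated product like IdentityServer helps the requirement for every application to solve these problems itself", which says the opposite of what is meant; since the paragraph is being edited anyway, change "helps" to "removes". The retarget from `/identityserver/v6/overview/specs/` to `/identityserver/v7/overview/specs/` looks right, but please confirm the v7 path resolves before merging.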
@@ -39,57 +39,52 @@ IdentityServer provides middleware that runs within an ASP.NET Core application ## Getting started -IdentityServer4 is available under dual license: +IdentityServer is available: -* RPL - lets you use the IdentityServer4 free if used in open-source work -* Paid - lets you use the IdentityServer4 in a commercial scenario +* Community license - lets you use the [IdentityServer free for small companies and non-profits](https://duendesoftware.com/products/communityedition) (conditions apply) +* Paid - lets you use the IdentityServer [in a commercial scenario](https://duendesoftware.com/products/identityserver) For more information about pricing, see the official product's [pricing page](https://duendesoftware.com/products/identityserver). -You can add it to your applications using its NuGet packages. The main package is [IdentityServer4](https://www.nuget.org/packages/IdentityServer4/), which has been downloaded over four million times. The base package doesn't include any user interface code and only supports in-memory configuration. To use it with a database, you'll also want a data provider like [IdentityServer4.EntityFramework](https://www.nuget.org/packages/IdentityServer4.EntityFramework), which uses Entity Framework Core to store configuration and operational data for IdentityServer. For user interface, you can copy files from the [Quickstart UI repository](https://github.com/IdentityServer/IdentityServer4.Quickstart.UI) into your ASP.NET Core MVC application to add support for sign in and sign out using IdentityServer middleware. +You can add it to your applications using its NuGet packages. The main package is [IdentityServer](https://www.nuget.org/packages/Duende.IdentityServer/), which has been downloaded over four million times. The base package doesn't include any user interface code and only supports in-memory configuration. 
To use it with a database, you'll also want a data provider like [Duende.IdentityServer.Storage](https://www.nuget.org/packages/Duende.IdentityServer.Storage), which uses Entity Framework Core to store configuration and operational data for IdentityServer. For user interface, you can copy files from the [Quickstart UI repository](https://github.com/DuendeSoftware/IdentityServer.Quickstart.UI) into your ASP.NET Core MVC application to add support for sign in and sign out using IdentityServer middleware. ## Configuration -IdentityServer supports different kinds of protocols and social authentication providers that can be configured as part of each custom installation. This is typically done in the ASP.NET Core application's `Program` class (or in the `Startup` class in the `ConfigureServices` method). The configuration involves specifying the supported protocols and the paths to the servers and endpoints that will be used. Figure 8-2 shows an example configuration taken from the IdentityServer4 Quickstart UI project: +IdentityServer supports different kinds of protocols and social authentication providers that can be configured as part of each custom installation. This is typically done in the ASP.NET Core application's `Program` class (or in the `Startup` class in the `ConfigureServices` method). The configuration involves specifying the supported protocols and the paths to the servers and endpoints that will be used. 
Figure 8-2 shows an example configuration taken from the [IdentityServer Quickstart for ASP.NET Core applications](https://docs.duendesoftware.com/identityserver/v7/quickstarts/2_interactive/) project: ```csharp -public class Startup -{ - public void ConfigureServices(IServiceCollection services) +// some details omitted +builder.Services.AddIdentityServer(); + +builder.Services.AddAuthentication(options => + { + options.DefaultScheme = "Cookies"; + options.DefaultChallengeScheme = "oidc"; + }) + .AddCookie("Cookies") + .AddGoogle("Google", options => + { + options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme; + + options.ClientId = ""; + options.ClientSecret = ""; + }) + .AddOpenIdConnect("oidc", options => { - services.AddMvc(); - - // some details omitted - services.AddIdentityServer(); - - services.AddAuthentication() - .AddGoogle("Google", options => - { - options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme; - - options.ClientId = ""; - options.ClientSecret = ""; - }) - .AddOpenIdConnect("demoidsrv", "IdentityServer", options => - { - options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme; - options.SignOutScheme = IdentityServerConstants.SignoutScheme; - - options.Authority = "https://demo.identityserver.io/"; - options.ClientId = "implicit"; - options.ResponseType = "id_token"; - options.SaveTokens = true; - options.CallbackPath = new PathString("/signin-idsrv"); - options.SignedOutCallbackPath = new PathString("/signout-callback-idsrv"); - options.RemoteSignOutPath = new PathString("/signout-idsrv"); - - options.TokenValidationParameters = new TokenValidationParameters - { - NameClaimType = "name", - RoleClaimType = "role" - }; - }); - } + options.Authority = "https://localhost:5001"; + + options.ClientId = "web"; + options.ClientSecret = "secret"; + options.ResponseType = "code"; + + options.Scope.Clear(); + options.Scope.Add("openid"); + options.Scope.Add("profile"); + + 
options.MapInboundClaims = false; // Don't rename claim types + + options.SaveTokens = true; + }); } ``` @@ -97,13 +92,13 @@ public class Startup ## JavaScript clients -Many cloud-native applications use server-side APIs and rich client single page applications (SPAs) on the front end. IdentityServer ships a [JavaScript client](https://docs.duendesoftware.com/identityserver/v6/quickstarts/js_clients/) (`oidc-client.js`) via NPM that can be added to SPAs to enable them to use IdentityServer for sign in, sign out, and token-based authentication of web APIs. +Many cloud-native applications use server-side APIs and rich client single page applications (SPAs) on the front end. IdentityServer ships a [JavaScript client](https://docs.duendesoftware.com/identityserver/v7/quickstarts/js_clients/) (`oidc-client.js`) via NPM that can be added to SPAs to enable them to use IdentityServer for sign in, sign out, and token-based authentication of web APIs. In addition, a [backend-for-frontend (BFF)](https://docs.duendesoftware.com/identityserver/v7/quickstarts/js_clients/js_with_backend/) that implements all of the security protocol interactions with the token server can be used which implements the IETF's [OAuth 2.0 for Browser-Based Applications spec](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps). ## References -- [IdentityServer documentation](https://docs.duendesoftware.com/identityserver/v6/) +- [IdentityServer documentation](https://docs.duendesoftware.com/identityserver/v7/) - [Application types](/azure/active-directory/develop/app-types) -- [JavaScript OIDC client](https://docs.duendesoftware.com/identityserver/v6/quickstarts/js_clients/) +- [JavaScript OIDC client](https://docs.duendesoftware.com/identityserver/v7/quickstarts/js_clients/) >[!div class="step-by-step"] >[Previous](azure-active-directory.md) From e5320e1e3d448b835a0c37b545628b1691a46694 Mon Sep 17 00:00:00 2001 
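Review bot: the replacement code sample mixes two different applications: it keeps `builder.Services.AddIdentityServer();` (the token-server host) and the host-side `AddGoogle` handler whose `SignInScheme` is `IdentityServerConstants.ExternalCookieAuthenticationScheme`, but then registers `AddAuthentication` with `DefaultChallengeScheme = "oidc"` and an `AddOpenIdConnect("oidc", ...)` handler with `Authority = "https://localhost:5001"`, `ClientId = "web"` and `ClientSecret = "secret"`, which is the client web application from the linked interactive quickstart, not the IdentityServer configuration the surrounding text and the Figure 8-2 caption describe. An app wired this way would host IdentityServer and at the same time challenge against an external authority. Either show only the host configuration, or relabel the figure as the client-side configuration and drop `AddIdentityServer()` and `AddGoogle`. Two smaller points in the same hunk: the trailing context line `}` after `+ });` is the old `Startup` class brace, so the new snippet now has one closing brace too many; and the literal `ClientSecret = "secret"` and the empty Google `ClientId`/`ClientSecret` should be marked as placeholders with a comment such as `// load from configuration; never commit secrets`, given that this is an architecture guide for cloud-native deployments. Finally, two text changes need checking: "downloaded over four million times" was written about the `IdentityServer4` package and is carried over unchanged to `Duende.IdentityServer`, so verify the figure for the new package or drop it; and `Duende.IdentityServer.Storage` is the storage-abstractions package, while the Entity Framework Core implementation the sentence describes ships as `Duende.IdentityServer.EntityFramework`, so the package name and link should be corrected.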
From: Maarten Balliauw Date: Wed, 5 Feb 2025 07:30:24 +0100 Subject: [PATCH 2/5] Update docs/architecture/cloud-native/identity-server.md Co-authored-by: Genevieve Warren <24882762+gewarren@users.noreply.github.com> --- docs/architecture/cloud-native/identity-server.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/architecture/cloud-native/identity-server.md b/docs/architecture/cloud-native/identity-server.md index 4bbb3ce19f91f..0146cd302e51a 100644 --- a/docs/architecture/cloud-native/identity-server.md +++ b/docs/architecture/cloud-native/identity-server.md 
@@ -92,7 +92,7 @@ builder.Services.AddAuthentication(options => ## JavaScript clients -Many cloud-native applications use server-side APIs and rich client single page applications (SPAs) on the front end. IdentityServer ships a [JavaScript client](https://docs.duendesoftware.com/identityserver/v7/quickstarts/js_clients/) (`oidc-client.js`) via NPM that can be added to SPAs to enable them to use IdentityServer for sign in, sign out, and token-based authentication of web APIs. In addition, a [backend-for-frontend (BFF)](https://docs.duendesoftware.com/identityserver/v7/quickstarts/js_clients/js_with_backend/) that implements all of the security protocol interactions with the token server can be used which implements the IETF's [OAuth 2.0 for Browser-Based Applications spec](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps). +Many cloud-native applications use server-side APIs and rich client single page applications (SPAs) on the front end. IdentityServer ships a [JavaScript client](https://docs.duendesoftware.com/identityserver/v7/quickstarts/js_clients/) (`oidc-client.js`) via NPM that can be added to SPAs to enable them to use IdentityServer for sign in, sign out, and token-based authentication of web APIs. In addition, you can use a [backend-for-frontend (BFF)](https://docs.duendesoftware.com/identityserver/v7/quickstarts/js_clients/js_with_backend/) that implements all of the security protocol interactions with the token server and the IETF's [OAuth 2.0 for Browser-Based Applications spec](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps). ## References From be935b206dc4be22c06aff6bd4f9f612efb8d6a4 Mon Sep 17 00:00:00 2001 
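Review bot: the rewritten second sentence now says the backend-for-frontend "implements all of the security protocol interactions with the token server and the IETF's OAuth 2.0 for Browser-Based Applications spec", which makes the BFF "implement the spec"; reword to "...with the token server, following the IETF's OAuth 2.0 for Browser-Based Applications spec". Since this hunk also moves the link to the v7 quickstart, check that the v7 page still names `oidc-client.js` as the shipped package and update the package name here if it does not.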
From: Maarten Balliauw Date: Wed, 5 Feb 2025 07:30:38 +0100 Subject: [PATCH 3/5] Update docs/architecture/cloud-native/identity-server.md Co-authored-by: Genevieve Warren <24882762+gewarren@users.noreply.github.com> --- docs/architecture/cloud-native/identity-server.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/architecture/cloud-native/identity-server.md b/docs/architecture/cloud-native/identity-server.md index 0146cd302e51a..3a54f06bd324f 100644 --- a/docs/architecture/cloud-native/identity-server.md +++ b/docs/architecture/cloud-native/identity-server.md @@ -41,7 +41,7 @@ IdentityServer provides middleware that runs within an ASP.NET Core application IdentityServer is available: -* Community license - lets you use the [IdentityServer free for small companies and non-profits](https://duendesoftware.com/products/communityedition) (conditions apply) +* With a community license, which lets you use the [IdentityServer free for small companies and non-profits](https://duendesoftware.com/products/communityedition) (conditions apply) * Paid - lets you use the IdentityServer [in a commercial scenario](https://duendesoftware.com/products/identityserver) For more information about pricing, see the official product's [pricing page](https://duendesoftware.com/products/identityserver). From ac98bc567c0cb84711136d9ff7bce6affb76e8c8 Mon Sep 17 00:00:00 2001 From: Maarten Balliauw Date: Wed, 5 Feb 2025 07:30:45 +0100 Subject: [PATCH 4/5] Update docs/architecture/cloud-native/identity-server.md Co-authored-by: Genevieve Warren <24882762+gewarren@users.noreply.github.com> --- docs/architecture/cloud-native/identity-server.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/architecture/cloud-native/identity-server.md b/docs/architecture/cloud-native/identity-server.md index 3a54f06bd324f..5ad57892a8d58 100644 --- a/docs/architecture/cloud-native/identity-server.md +++ b/docs/architecture/cloud-native/identity-server.md 
@@ -42,7 +42,7 @@ IdentityServer provides middleware that runs within an ASP.NET Core application IdentityServer is available: * With a community license, which lets you use the [IdentityServer free for small companies and non-profits](https://duendesoftware.com/products/communityedition) (conditions apply) -* Paid - lets you use the IdentityServer [in a commercial scenario](https://duendesoftware.com/products/identityserver) +* Paid, which lets you use the IdentityServer [in a commercial scenario](https://duendesoftware.com/products/identityserver) For more information about pricing, see the official product's [pricing page](https://duendesoftware.com/products/identityserver). From afc6a2c012b6cd2fcaf9e8d22fde18d86f819177 Mon Sep 17 00:00:00 2001 From: Genevieve Warren <24882762+gewarren@users.noreply.github.com> Date: Thu, 6 Feb 2025 13:23:17 -0800 Subject: [PATCH 5/5] Update date format --- docs/architecture/cloud-native/identity-server.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/architecture/cloud-native/identity-server.md b/docs/architecture/cloud-native/identity-server.md index 5ad57892a8d58..cf10e0ea14d8e 100644 --- a/docs/architecture/cloud-native/identity-server.md +++ b/docs/architecture/cloud-native/identity-server.md @@ -1,7 +1,7 @@ --- title: IdentityServer for Cloud Native Apps description: Architecting Cloud Native .NET Apps for Azure | IdentityServer -ms.date: 04/02/2025 +ms.date: 02/06/2025 --- # IdentityServer for cloud-native applications
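Review bot: after this hunk the two bullets under "IdentityServer is available:" are still not parallel: the first reads "With a community license, which lets you use..." while the second reads "Paid, which lets you use the IdentityServer in a commercial scenario", so "available: Paid, which" is not grammatical. Make the second bullet "With a paid license, which lets you use IdentityServer in a commercial scenario", and drop the article in "the IdentityServer" in both bullets.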