Additions and extensions for IdentityServer.
License required for production
Additions/extensions for setting up a configurable, globalizable and localizable implementation of IdentityServer.
The idea is to set up an IdentityServer implementation like the included one and configure continuous release with substitution/transforms for Web.config and appsettings.json, or to copy the sample and use it as a template. The copy can then be changed regarding configuration, style and translations.
IdentityServer:
- Documentation: https://docs.duendesoftware.com/
- GitHub: https://github.com/DuendeSoftware/IdentityServer/
- NuGet: https://www.nuget.org/packages/Duende.IdentityServer/
See above.
Solution behind it:
- Microsoft Account external login setup with ASP.NET Core
- https://portal.azure.com/?l=en.en-001#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/RegisteredApps
- Examples
Some features/configuration depend on the Duende.IdentityServer license, https://duendesoftware.com/products/identityserver#pricing.
If your Duende.IdentityServer license doesn't include the Automatic key management feature, you should disable it in appsettings.json:

```json
{
  "IdentityServer": {
    "KeyManagement": {
      "Enabled": false
    }
  }
}
```
Configure signing and validation certificates instead, e.g. resolved from the Windows certificate store:

```json
{
  "IdentityServer": {
    "SigningCertificate": {
      "Options": {
        "Path": "CERT:\\LocalMachine\\My\\CN=IdentityServer-Signing-4"
      },
      "Type": "RegionOrebroLan.Security.Cryptography.Configuration.StoreResolverOptions, RegionOrebroLan"
    },
    "ValidationCertificates": [
      {
        "Options": {
          "Path": "CERT:\\LocalMachine\\My\\CN=IdentityServer-Signing-1"
        },
        "Type": "RegionOrebroLan.Security.Cryptography.Configuration.StoreResolverOptions, RegionOrebroLan"
      },
      {
        "Options": {
          "Path": "CERT:\\LocalMachine\\My\\CN=IdentityServer-Signing-2"
        },
        "Type": "RegionOrebroLan.Security.Cryptography.Configuration.StoreResolverOptions, RegionOrebroLan"
      },
      {
        "Options": {
          "Path": "CERT:\\LocalMachine\\My\\CN=IdentityServer-Signing-3"
        },
        "Type": "RegionOrebroLan.Security.Cryptography.Configuration.StoreResolverOptions, RegionOrebroLan"
      }
    ]
  }
}
```
Or resolved from PFX files (the sample's development certificates):

```json
{
  "IdentityServer": {
    "SigningCertificate": {
      "Options": {
        "Password": "password",
        "Path": "Data/Development-Signing-Certificate-4.pfx"
      },
      "Type": "RegionOrebroLan.Security.Cryptography.Configuration.FileResolverOptions, RegionOrebroLan"
    },
    "ValidationCertificates": [
      {
        "Options": {
          "Password": "password",
          "Path": "Data/Development-Signing-Certificate-1.pfx"
        },
        "Type": "RegionOrebroLan.Security.Cryptography.Configuration.FileResolverOptions, RegionOrebroLan"
      },
      {
        "Options": {
          "Password": "password",
          "Path": "Data/Development-Signing-Certificate-2.pfx"
        },
        "Type": "RegionOrebroLan.Security.Cryptography.Configuration.FileResolverOptions, RegionOrebroLan"
      },
      {
        "Options": {
          "Password": "password",
          "Path": "Data/Development-Signing-Certificate-3.pfx"
        },
        "Type": "RegionOrebroLan.Security.Cryptography.Configuration.FileResolverOptions, RegionOrebroLan"
      }
    ]
  }
}
```
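As an added example (not part of this project or of Duende IdentityServer), the following Python sketch shows why the configuration keeps the older certificates under `ValidationCertificates` while only the newest one signs: tokens issued before a rotation must still validate, and a key that has been dropped from the list is no longer trusted. HMAC secrets keyed by the certificate CN stand in for the X.509 certificates; the key names, secrets and claims are constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyRing:
    """One current signing key plus retired keys that are trusted for validation only.

    Mirrors the SigningCertificate / ValidationCertificates split: "keys" maps a
    certificate CN (used as the JWT "kid") to an HMAC secret, a constructed
    stand-in for the RSA/X.509 material IdentityServer really uses.
    """

    def __init__(self, signing_kid: str, keys: Dict[str, bytes], validation_kids: List[str]):
        missing = [k for k in [signing_kid, *validation_kids] if k not in keys]
        if missing:
            raise ValueError(f"no key material for {missing}")
        self.signing_kid = signing_kid
        self.keys = keys
        self.trusted_kids = {signing_kid, *validation_kids}

    def sign(self, claims: dict) -> str:
        """Issue a compact JWS-style token under the current signing key."""
        header = {"alg": "HS256", "kid": self.signing_kid}
        signing_input = ".".join(
            _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
        )
        tag = hmac.new(self.keys[self.signing_kid], signing_input.encode(), hashlib.sha256).digest()
        return f"{signing_input}.{_b64url(tag)}"

    def verify(self, token: str) -> Optional[dict]:
        """Return the claims if the token was signed by any currently trusted key, else None."""
        try:
            h, p, s = token.split(".")
            header = json.loads(_b64url_decode(h))
            signature = _b64url_decode(s)
        except ValueError:  # covers unpacking, base64 and JSON errors
            return None
        kid = header.get("kid") if isinstance(header, dict) else None
        if kid not in self.trusted_kids:
            return None  # unknown key, or one already removed from ValidationCertificates
        expected = hmac.new(self.keys[kid], f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None
        return json.loads(_b64url_decode(p))


def rollover_demo() -> Dict[str, bool]:
    """Walk through one rotation: key 3 signs, then key 4 takes over and 1..3 validate only."""
    keys = {f"IdentityServer-Signing-{i}": f"constructed-secret-{i}".encode() for i in range(1, 5)}
    before = KeyRing("IdentityServer-Signing-3", keys,
                     ["IdentityServer-Signing-1", "IdentityServer-Signing-2"])
    after = KeyRing("IdentityServer-Signing-4", keys,
                    ["IdentityServer-Signing-1", "IdentityServer-Signing-2", "IdentityServer-Signing-3"])
    later = KeyRing("IdentityServer-Signing-4", keys,
                    ["IdentityServer-Signing-2", "IdentityServer-Signing-3"])  # key 1 dropped

    old_token = before.sign({"sub": "alice"})
    oldest_token = KeyRing("IdentityServer-Signing-1", keys, []).sign({"sub": "bob"})
    h, _, s = old_token.split(".")
    forged = ".".join([h, _b64url(b'{"sub":"mallory"}'), s])  # payload swapped, signature kept

    return {
        "old_token_valid_after_rotation": after.verify(old_token) is not None,
        "new_token_valid": after.verify(after.sign({"sub": "carol"})) is not None,
        "dropped_key_rejected": later.verify(oldest_token) is None,
        "forged_payload_rejected": after.verify(forged) is None,
    }


if __name__ == "__main__":
    for name, outcome in rollover_demo().items():
        print(f"{name}: {outcome}")
```

The ordering matters operationally: a new certificate should be added to `ValidationCertificates` before it becomes the `SigningCertificate`, and an old one should stay in the list until every token it signed has expired.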
If your Duende.IdentityServer license doesn't include the Dynamic Authentication Providers feature, you should disable it in appsettings.json:

```json
{
  "FeatureManagement": {
    ...
    "DynamicAuthenticationProviders": false,
    ...
  }
}
```

or remove the line:

```json
{
  "FeatureManagement": {
    ...
    // Remove the line below
    "DynamicAuthenticationProviders": true,
    ...
  }
}
```
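A lint for the two appsettings.json sections above (key management/certificates and feature management), added here as an example and not the project's own code: it parses the `IdentityServer` and `FeatureManagement` sections, reports which license-dependent features are still enabled, checks that disabling key management leaves a `SigningCertificate` in place, and flags a `FileResolverOptions` entry carrying an inline PFX password outside Development. The sample configuration is constructed, and the assumption that key management counts as enabled when `KeyManagement:Enabled` is absent is mine.

```python
import json
from typing import Any, Dict, List

# Constructed sample with the same shape as the appsettings.json fragments above.
SAMPLE_APPSETTINGS = r"""
{
  "FeatureManagement": {
    "DynamicAuthenticationProviders": true
  },
  "IdentityServer": {
    "KeyManagement": { "Enabled": false },
    "SigningCertificate": {
      "Options": { "Password": "password", "Path": "Data/Development-Signing-Certificate-4.pfx" },
      "Type": "RegionOrebroLan.Security.Cryptography.Configuration.FileResolverOptions, RegionOrebroLan"
    },
    "ValidationCertificates": [
      {
        "Options": { "Path": "CERT:\\LocalMachine\\My\\CN=IdentityServer-Signing-3" },
        "Type": "RegionOrebroLan.Security.Cryptography.Configuration.StoreResolverOptions, RegionOrebroLan"
      }
    ]
  }
}
"""

# The two resolver types used in the fragments above; anything else is reported.
KNOWN_RESOLVERS = {
    "RegionOrebroLan.Security.Cryptography.Configuration.StoreResolverOptions, RegionOrebroLan": "store",
    "RegionOrebroLan.Security.Cryptography.Configuration.FileResolverOptions, RegionOrebroLan": "file",
}


def certificate_entries(identity_server: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten SigningCertificate and ValidationCertificates into one list tagged with a role."""
    entries = []
    signing = identity_server.get("SigningCertificate")
    if signing:
        entries.append({"role": "signing", **signing})
    for cert in identity_server.get("ValidationCertificates", []):
        entries.append({"role": "validation", **cert})
    return entries


def lint_appsettings(text: str, environment: str = "Production") -> List[str]:
    """Return human-readable findings for the license- and key-related settings."""
    settings = json.loads(text)
    ids = settings.get("IdentityServer", {})
    findings: List[str] = []

    # Assumption: automatic key management is on unless explicitly disabled.
    key_mgmt_enabled = ids.get("KeyManagement", {}).get("Enabled", True)
    entries = certificate_entries(ids)
    has_signing = any(e["role"] == "signing" for e in entries)
    if key_mgmt_enabled and has_signing:
        findings.append("ambiguous: KeyManagement enabled while a static SigningCertificate is configured")
    if not key_mgmt_enabled and not has_signing:
        findings.append("no signing key: KeyManagement disabled and no SigningCertificate configured")

    paths: Dict[str, List[str]] = {}
    for e in entries:
        kind = KNOWN_RESOLVERS.get(e.get("Type", ""))
        options = e.get("Options", {})
        path = options.get("Path", "<missing Path>")
        if kind is None:
            findings.append(f"unknown resolver Type on {e['role']} certificate: {e.get('Type')!r}")
        if kind == "file" and "Password" in options and environment != "Development":
            findings.append(f"inline PFX password outside Development: {path}")
        paths.setdefault(path, []).append(e["role"])
    for path, roles in paths.items():
        if "signing" in roles and "validation" in roles:
            findings.append(f"certificate listed both for signing and validation: {path}")

    if settings.get("FeatureManagement", {}).get("DynamicAuthenticationProviders", False):
        findings.append("license: DynamicAuthenticationProviders is enabled")
    if key_mgmt_enabled:
        findings.append("license: automatic key management is enabled")
    return findings


if __name__ == "__main__":
    for finding in lint_appsettings(SAMPLE_APPSETTINGS):
        print(finding)
```

Run it against the transformed appsettings.json that continuous release produces for each environment; the "license:" findings are the two features this page says need the corresponding Duende license.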
You might want to create or recreate migrations. If data loss is acceptable, the migrations can be recreated; otherwise they have to be updated.
Copy all the commands below and run them in the Package Manager Console for the affected database context.
If you want more migration output, add the -Verbose parameter:

```powershell
Add-Migration TheMigration -Context TheDatabaseContext -OutputDir Data/Migrations -Project Project -Verbose;
```

Important! Before running the commands below you need to ensure the "Project" project is set as startup project.
```powershell
# Configuration context: recreate migrations (data loss)
Write-Host "Removing migrations...";
Remove-Migration -Context SqliteConfiguration -Force -Project Project;
Remove-Migration -Context SqlServerConfiguration -Force -Project Project;
Write-Host "Removing current migrations-directory...";
Remove-Item "Project\Data\Migrations\Configuration" -ErrorAction Ignore -Force -Recurse;
Write-Host "Creating migrations...";
Add-Migration SqliteConfigurationMigration -Context SqliteConfiguration -OutputDir Data/Migrations/Configuration/Sqlite -Project Project;
Add-Migration SqlServerConfigurationMigration -Context SqlServerConfiguration -OutputDir Data/Migrations/Configuration/SqlServer -Project Project;
Write-Host "Finished";
```

```powershell
# Configuration context: update migrations
Write-Host "Updating migrations...";
Add-Migration SqliteConfigurationMigrationUpdate -Context SqliteConfiguration -OutputDir Data/Migrations/Configuration/Sqlite -Project Project;
Add-Migration SqlServerConfigurationMigrationUpdate -Context SqlServerConfiguration -OutputDir Data/Migrations/Configuration/SqlServer -Project Project;
Write-Host "Finished";
```

```powershell
# Identity context: recreate migrations (data loss)
Write-Host "Removing migrations...";
Remove-Migration -Context SqliteIdentity -Force -Project Project;
Remove-Migration -Context SqlServerIdentity -Force -Project Project;
Write-Host "Removing current migrations-directory...";
Remove-Item "Project\Identity\Data\Migrations" -ErrorAction Ignore -Force -Recurse;
Write-Host "Creating migrations...";
Add-Migration SqliteIdentityMigration -Context SqliteIdentity -OutputDir Identity/Data/Migrations/Sqlite -Project Project;
Add-Migration SqlServerIdentityMigration -Context SqlServerIdentity -OutputDir Identity/Data/Migrations/SqlServer -Project Project;
Write-Host "Finished";
```

```powershell
# Identity context: update migrations
Write-Host "Updating migrations...";
Add-Migration SqliteIdentityMigrationUpdate -Context SqliteIdentity -OutputDir Identity/Data/Migrations/Sqlite -Project Project;
Add-Migration SqlServerIdentityMigrationUpdate -Context SqlServerIdentity -OutputDir Identity/Data/Migrations/SqlServer -Project Project;
Write-Host "Finished";
```

```powershell
# Operational context: recreate migrations (data loss)
Write-Host "Removing migrations...";
Remove-Migration -Context SqliteOperational -Force -Project Project;
Remove-Migration -Context SqlServerOperational -Force -Project Project;
Write-Host "Removing current migrations-directory...";
Remove-Item "Project\Data\Migrations\Operational" -ErrorAction Ignore -Force -Recurse;
Write-Host "Creating migrations...";
Add-Migration SqliteOperationalMigration -Context SqliteOperational -OutputDir Data/Migrations/Operational/Sqlite -Project Project;
Add-Migration SqlServerOperationalMigration -Context SqlServerOperational -OutputDir Data/Migrations/Operational/SqlServer -Project Project;
Write-Host "Finished";
```

```powershell
# Operational context: update migrations
Write-Host "Updating migrations...";
Add-Migration SqliteOperationalMigrationUpdate -Context SqliteOperational -OutputDir Data/Migrations/Operational/Sqlite -Project Project;
Add-Migration SqlServerOperationalMigrationUpdate -Context SqlServerOperational -OutputDir Data/Migrations/Operational/SqlServer -Project Project;
Write-Host "Finished";
```

```powershell
# SAML configuration context: recreate migrations (data loss)
Write-Host "Removing migrations...";
Remove-Migration -Context SqliteSamlConfiguration -Force -Project Project;
Remove-Migration -Context SqlServerSamlConfiguration -Force -Project Project;
Write-Host "Removing current migrations-directory...";
Remove-Item "Project\Data\Saml\Migrations" -ErrorAction Ignore -Force -Recurse;
Write-Host "Creating migrations...";
Add-Migration SqliteSamlConfigurationMigration -Context SqliteSamlConfiguration -OutputDir Data/Saml/Migrations/Sqlite -Project Project;
Add-Migration SqlServerSamlConfigurationMigration -Context SqlServerSamlConfiguration -OutputDir Data/Saml/Migrations/SqlServer -Project Project;
Write-Host "Finished";
```

```powershell
# SAML configuration context: update migrations
Write-Host "Updating migrations...";
Add-Migration SqliteSamlConfigurationMigrationUpdate -Context SqliteSamlConfiguration -OutputDir Data/Saml/Migrations/Sqlite -Project Project;
Add-Migration SqlServerSamlConfigurationMigrationUpdate -Context SqlServerSamlConfiguration -OutputDir Data/Saml/Migrations/SqlServer -Project Project;
Write-Host "Finished";
```

```powershell
# WS-Federation configuration context: recreate migrations (data loss)
Write-Host "Removing migrations...";
Remove-Migration -Context SqliteWsFederationConfiguration -Force -Project Project;
Remove-Migration -Context SqlServerWsFederationConfiguration -Force -Project Project;
Write-Host "Removing current migrations-directory...";
Remove-Item "Project\Data\WsFederation\Migrations" -ErrorAction Ignore -Force -Recurse;
Write-Host "Creating migrations...";
Add-Migration SqliteWsFederationConfigurationMigration -Context SqliteWsFederationConfiguration -OutputDir Data/WsFederation/Migrations/Sqlite -Project Project;
Add-Migration SqlServerWsFederationConfigurationMigration -Context SqlServerWsFederationConfiguration -OutputDir Data/WsFederation/Migrations/SqlServer -Project Project;
Write-Host "Finished";
```

```powershell
# WS-Federation configuration context: update migrations
Write-Host "Updating migrations...";
Add-Migration SqliteWsFederationConfigurationMigrationUpdate -Context SqliteWsFederationConfiguration -OutputDir Data/WsFederation/Migrations/Sqlite -Project Project;
Add-Migration SqlServerWsFederationConfigurationMigrationUpdate -Context SqlServerWsFederationConfiguration -OutputDir Data/WsFederation/Migrations/SqlServer -Project Project;
Write-Host "Finished";
```
This solution is built on:
- Visual Studio Enterprise 2019
- Windows 10
The solution uses the following NuGet-packages:
Various saved notes that appeared during development.
- Mutual TLS - IdentityServer4 1.0.0 documentation
- Transport Layer Security (TLS) registry settings
- Overview of TLS - SSL (Schannel SSP)
- Answer to: Mutual certificates authentication fails with error 403.16
- Testing with client certificate authentication in a development environment on IIS 8.5
- What's New in TLS/SSL (Schannel SSP)
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\SendTrustedIssuerList`
If it does not exist, create it as REG_DWORD.
Values:
- Off
- On
If it does not exist, create it as REG_DWORD.
Values:
- Machine Trust (default) - Requires that the client certificate is issued by a certificate in the Trusted Issuers list.
- Exclusive Root Trust - Requires that a client certificate chains to a root certificate contained in the caller-specified trusted issuer store. The certificate must also be issued by an issuer in the Trusted Issuers list.
- Exclusive CA Trust - Requires that a client certificate chains to either an intermediate CA certificate or a root certificate in the caller-specified trusted issuer store.
- /connect/mtls/token
- /connect/mtls/revocation
- /connect/mtls/introspect
- /connect/mtls/deviceauthorization
- Example site with multiple authentication schemes: https://auth0.com/auth/login/
- Icons/svg's: https://iconscout.com/
- https://www.scottbrady91.com/OpenID-Connect/ASPNET-Core-using-Proof-Key-for-Code-Exchange-PKCE#pkce
- https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler.inboundclaimtypemap?view=azure-dotnet
- https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler.defaultinboundclaimtypemap?view=azure-dotnet
- https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler.outboundclaimtypemap?view=azure-dotnet
- https://docs.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.jwt.jwtsecuritytokenhandler.defaultoutboundclaimtypemap?view=azure-dotnet
- https://github.com/aspnet/AuthSamples/tree/master/samples/DynamicSchemes
- https://docs.microsoft.com/en-us/azure/redis-cache/cache-configure
- SAML 2.0 Integration with IdentityServer4
- https://github.com/RockSolidKnowledge/Samples.IdentityServer4.Saml2pIntegration/
- IdentityServer4 - WS-Federation and SharePoint