IdentityServer4 Protecting an API using Passwords

1. About this Post

In this post on IdentityServer4, we continue from my last post, “Creating ASP.NET Core Identity Using IdentityServer4 Visual Studio 2017”, and the IdentityServer4 official documentation. We are going to discuss using user passwords with IdentityServer4, building on the existing projects from that post. You can find the solution source at my GitHub repository.

2. Modify Identity Server Application

Before modifying our code, let’s check the authentication type in our last post.

We set the grant type to Client Credentials. This is the simplest grant type and is used for server-to-server communication. IdentityServer4 supports many other, more powerful grant types; see the IdentityServer4 documentation on grant types for the full list.

In this update, we create a new method, “GetClients2”, that uses the “ResourceOwnerPassword” grant type. (Hold on, we will update the code later.)

Compared with Client Credentials, ResourceOwnerPassword adds a username and password check on top of the client secret check. In order to log in to the Identity Server, you first need to tell the server what “client” you are. For example, when we log in to Facebook from the Facebook mobile app, we need to tell the Facebook server that we are logging in from the mobile app client rather than the web app client. Given the client id and client secret, the server recognises the client's identity and handles the request according to the rules configured for that client. What is more, IdentityServer can specify the allowed scopes for the client connection, which is useful for separating application user groups, such as normal users and admin users.

After the server has completed the handshake with a client presenting the right client id and secret, the client must supply the correct username and password to obtain the connection. This password step is very easy to understand.

Now, let’s update our server code. It does not differ much from the official documentation; you can read more at the link at the top of this page.

Add this code to the Config.cs file in your IdentyServer4_Server project. We are adding the new users with passwords and the client setup.

Now, in your Startup.cs file, modify the ConfigureServices method.

Notice that here we comment out the

and instead use our new client setup.

3. Modify Client Console App

Open the Program.cs file in the console client. Modify your Main method and add another method, CallAPIAsyncUsingPassword. It should look like the code below.

In this file, we use the new method to call the server with the username and password. As discussed above, before using the password, we need to use the client id and secret to talk to the server to get the token.
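As an added example (not the post's own code or the official quickstart), here is how the two halves fit together: a Config.cs that defines the password-grant client and a test user, and the console client's CallAPIAsyncUsingPassword, which first identifies the client with its id and secret and then sends the user's credentials in the same token request. The client id `ro.client`, its secret, the user `alice`, the scope `api1`, the server URL and the IdentityModel 2.x/3.x TokenClient API are assumptions.

```csharp
// Config.cs (IdentityServer): a client allowed to use the ResourceOwnerPassword grant,
// plus the in-memory test user whose password it will present. Names are assumed.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using IdentityModel.Client;          // assumes IdentityModel 2.x/3.x (TokenClient API)
using IdentityServer4.Models;
using IdentityServer4.Test;

public static class Config
{
    public static IEnumerable<ApiResource> GetApiResources() =>
        new[] { new ApiResource("api1", "My API") };

    // The client must still prove its own identity (id + secret) before the user's
    // username/password are checked.
    public static IEnumerable<Client> GetClients2() =>
        new[]
        {
            new Client
            {
                ClientId = "ro.client",
                AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
                ClientSecrets = { new Secret("secret".Sha256()) }, // only the hash is stored
                AllowedScopes = { "api1" }                         // token cannot reach other APIs
            }
        };

    public static List<TestUser> GetUsers() =>
        new List<TestUser>
        {
            new TestUser { SubjectId = "1", Username = "alice", Password = "password" }
        };
}
// Startup.cs: register the new client setup instead of the old one:
//   services.AddIdentityServer().AddDeveloperSigningCredential()
//       .AddInMemoryApiResources(Config.GetApiResources())
//       .AddInMemoryClients(Config.GetClients2()).AddTestUsers(Config.GetUsers());

// Program.cs (console client): client id/secret first, then the user's credentials.
public static class Program
{
    public static async Task CallAPIAsyncUsingPassword()
    {
        var disco = await DiscoveryClient.GetAsync("http://localhost:5000");
        var tokenClient = new TokenClient(disco.TokenEndpoint, "ro.client", "secret");
        var response = await tokenClient.RequestResourceOwnerPasswordAsync("alice", "password", "api1");
        if (response.IsError) { Console.WriteLine(response.Error); return; }
        Console.WriteLine(response.AccessToken); // paste into https://jwt.io/ to inspect claims
    }
}
```

Because this grant hands the user's password to the client application itself, keep it to first-party clients you control, and keep AllowedScopes as narrow as the API actually needs.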

Then start your application; it should get this token. Cool!

You can paste your token into https://jwt.io/ to view its contents.
