IdentityServer4, Web API and Angular in a single ASP.NET Core project

This article shows how IdentityServer4 with Identity, a data Web API, and an Angular SPA could be setup inside a single ASP.NET Core project. The application uses the OpenID Connect Implicit Flow with reference tokens to access the API. The Angular application uses webpack to build.

Code: https://github.com/damienbod/AspNet5IdentityServerAngularImplicitFlow

History:

2017-08-15: Updated ASP.NET Core 2.0, Angular 4.3.6

Full history:
https://github.com/damienbod/AspNet5IdentityServerAngularImplicitFlow#history

Other posts in this series:

Step 1: Create app and add IdentityServer4

Use the Quickstart6 AspNetIdentity from IdentityServer 4 to setup the application. Then edit the project json file to add your packages as required. I added the Microsoft.AspNetCore.Authentication.JwtBearer package and also the IdentityServer4.AccessTokenValidation package. The buildOptions have to be extended to ignore the node_modules folder.

{
  "name": "angular-webpack-visualstudio",
  "version": "1.0.0",
  "description": "An Angular VS template",
  "main": "wwwroot/index.html",
  "author": "",
  "license": "ISC",
  "repository": {
    "type": "git",
    "url": "https://github.com/damienbod/Angular2WebpackVisualStudio.git"
  },
  "scripts": {
    "start": "concurrently \"webpack-dev-server --hot --inline --port 8080\" \"dotnet run\" ",
    "webpack-dev": "set NODE_ENV=development && webpack",
    "webpack-production": "set NODE_ENV=production && webpack",
    "build-dev": "npm run webpack-dev",
    "build-production": "npm run webpack-production",
    "watch-webpack-dev": "set NODE_ENV=development && webpack --watch --color",
    "watch-webpack-production": "npm run build-production --watch --color",
    "publish-for-iis": "npm run build-production && dotnet publish -c Release",
    "test": "karma start"
  },
  "dependencies": {
    "@angular/animations": "4.3.6",
    "@angular/common": "4.3.6",
    "@angular/compiler": "4.3.6",
    "@angular/compiler-cli": "4.3.6",
    "@angular/core": "4.3.6",
    "@angular/forms": "4.3.6",
    "@angular/http": "4.3.6",
    "@angular/platform-browser": "4.3.6",
    "@angular/platform-browser-dynamic": "4.3.6",
    "@angular/platform-server": "4.3.6",
    "@angular/router": "4.3.6",
    "@angular/upgrade": "4.3.6",
    "angular-in-memory-web-api": "0.3.2",
    "bootstrap": "3.3.7",
    "core-js": "2.4.1",
    "ie-shim": "0.1.0",
    "rxjs": "5.4.2",
    "zone.js": "0.8.12",
    "jsrsasign": "8.0.3"
  },
  "devDependencies": {
    "@ngtools/webpack": "^1.5.1",
    "@types/jasmine": "^2.5.53",
    "@types/node": "^8.0.12",
    "angular-router-loader": "^0.6.0",
    "angular2-template-loader": "^0.6.2",
    "awesome-typescript-loader": "^3.2.1",
    "clean-webpack-plugin": "^0.1.16",
    "concurrently": "^3.5.0",
    "copy-webpack-plugin": "^4.0.1",
    "css-loader": "^0.28.0",
    "file-loader": "^0.11.2",
    "html-webpack-plugin": "^2.29.0",
    "jasmine-core": "^2.6.4",
    "jquery": "^3.2.1",
    "json-loader": "^0.5.4",
    "karma": "^1.7.0",
    "karma-chrome-launcher": "^2.2.0",
    "karma-jasmine": "^1.1.0",
    "karma-sourcemap-loader": "^0.3.7",
    "karma-spec-reporter": "^0.0.31",
    "karma-webpack": "^2.0.4",
    "node-sass": "^4.5.3",
    "raw-loader": "^0.5.1",
    "rimraf": "^2.6.1",
    "sass-loader": "^6.0.6",
    "source-map-loader": "^0.2.1",
    "style-loader": "^0.18.2",
    "tslint": "^5.5.0",
    "tslint-loader": "^3.5.3",
    "typescript": "^2.4.1",
    "url-loader": "^0.5.9",
    "webpack": "^3.2.0",
    "webpack-dev-server": "^2.5.1"
  },
  "-vs-binding": {
    "ProjectOpened": [
      "watch-webpack-dev"
    ]
  }
}

The IProfileService interface is implemented to add your user claims to the tokens. The IdentityWithAdditionalClaimsProfileService class implements the IProfileService interface in this example and is added to the services in the Startup class.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;
using IdentityServerWithAspNetIdentity.Models;
using Microsoft.AspNetCore.Identity;

namespace IdentityServerWithAspNetIdentitySqlite
{
    using IdentityServer4;

    public class IdentityWithAdditionalClaimsProfileService : IProfileService
    {
        private readonly IUserClaimsPrincipalFactory<ApplicationUser> _claimsFactory;
        private readonly UserManager<ApplicationUser> _userManager;

        public IdentityWithAdditionalClaimsProfileService(UserManager<ApplicationUser> userManager,  IUserClaimsPrincipalFactory<ApplicationUser> claimsFactory)
        {
            _userManager = userManager;
            _claimsFactory = claimsFactory;
        }

        public async Task GetProfileDataAsync(ProfileDataRequestContext context)
        {
            var sub = context.Subject.GetSubjectId();

            var user = await _userManager.FindByIdAsync(sub);
            var principal = await _claimsFactory.CreateAsync(user);

            var claims = principal.Claims.ToList();

            claims = claims.Where(claim => context.RequestedClaimTypes.Contains(claim.Type)).ToList();
            
            claims.Add(new Claim(JwtClaimTypes.GivenName, user.UserName));

            if (user.IsAdmin)
            {
                claims.Add(new Claim(JwtClaimTypes.Role, "admin"));
            }
            else
            {
                claims.Add(new Claim(JwtClaimTypes.Role, "user"));
            }

            if (user.DataEventRecordsRole == "dataEventRecords.admin")
            {
                claims.Add(new Claim(JwtClaimTypes.Role, "dataEventRecords.admin"));
                claims.Add(new Claim(JwtClaimTypes.Role, "dataEventRecords.user"));
                claims.Add(new Claim(JwtClaimTypes.Role, "dataEventRecords"));
                claims.Add(new Claim(JwtClaimTypes.Scope, "dataEventRecords"));
            }
            else
            {
                claims.Add(new Claim(JwtClaimTypes.Role, "dataEventRecords.user"));
                claims.Add(new Claim(JwtClaimTypes.Role, "dataEventRecords"));
                claims.Add(new Claim(JwtClaimTypes.Scope, "dataEventRecords"));
            }

            if (user.SecuredFilesRole == "securedFiles.admin")
            {
                claims.Add(new Claim(JwtClaimTypes.Role, "securedFiles.admin"));
                claims.Add(new Claim(JwtClaimTypes.Role, "securedFiles.user"));
                claims.Add(new Claim(JwtClaimTypes.Role, "securedFiles"));
                claims.Add(new Claim(JwtClaimTypes.Scope, "securedFiles"));
            }
            else
            {
                claims.Add(new Claim(JwtClaimTypes.Role, "securedFiles.user"));
                claims.Add(new Claim(JwtClaimTypes.Role, "securedFiles"));
                claims.Add(new Claim(JwtClaimTypes.Scope, "securedFiles"));
            }

            claims.Add(new Claim(IdentityServerConstants.StandardScopes.Email, user.Email));


            context.IssuedClaims = claims;
        }

        public async Task IsActiveAsync(IsActiveContext context)
        {
            var sub = context.Subject.GetSubjectId();
            var user = await _userManager.FindByIdAsync(sub);
            context.IsActive = user != null;
        }
    }
}

Step 2: Add the Web API for the resource data

The MVC Controller DataEventRecordsController is used for CRUD API requests. This is just a dummy implementation. I would implement all resource server logic in a separate project. The Authorize attribute is used with and without policies. The policies are configured in the Startup class.

using ResourceWithIdentityServerWithClient.Model;

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using System.Collections.Generic;
using System;

namespace ResourceWithIdentityServerWithClient.Controllers
{
    [Authorize]
    [Route("api/[controller]")]
    public class DataEventRecordsController : Controller
    {
        [Authorize("dataEventRecordsUser")]
        [HttpGet]
        public IActionResult Get()
        {
            return Ok(new List<DataEventRecord> { new DataEventRecord { Id =1, Description= "Fake", Name="myname", Timestamp= DateTime.UtcNow } });
        }

        [Authorize("dataEventRecordsAdmin")]
        [HttpGet("{id}")]
        public IActionResult Get(long id)
        {
            return Ok(new DataEventRecord { Id = 1, Description = "Fake", Name = "myname", Timestamp = DateTime.UtcNow });
        }

        [Authorize("dataEventRecordsAdmin")]
        [HttpPost]
        public void Post([FromBody]DataEventRecord value)
        {
            
        }

        [Authorize("dataEventRecordsAdmin")]
        [HttpPut("{id}")]
        public void Put(long id, [FromBody]DataEventRecord value)
        {
            
        }

        [Authorize("dataEventRecordsAdmin")]
        [HttpDelete("{id}")]
        public void Delete(long id)
        {
            
        }
    }
}

Step 3: Add client Angular client API

The Angular 4 client part of the application is setup and using the ASP.NET Core, Angular2 with Webpack and Visual Studio article. Webpack is then used to build the client application.

Any SPA client can be used which supports the OpenID Connect Implicit Flow. IdentityServer4 (IdentityModel) also have good examples using the OIDC javascript client.

Step 4: Configure application host URL

The URL host is the same for both the client and the server. This is configured in the Config class as a static property HOST_URL and used throughout the server side of the application.

public class Config
{
        public static string HOST_URL =  "https://localhost:44363";

The client application reads the configuration from the auth.configuration.ts provider.

import { Injectable } from '@angular/core';

@Injectable()
export class AuthConfiguration {

    // The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST exactly match the value of the iss (issuer) Claim.
    public iss = 'https://localhost:44363';

    public server = 'https://localhost:44363';

    public redirect_url = 'https://localhost:44363';
    
    // This is required to get the signing keys so that the signiture of the Jwt can be validated.
    public jwks_url = 'https://localhost:44363/.well-known/openid-configuration/jwks';

    // The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience.
    // The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.
    public client_id = 'singleapp';

    public response_type = 'id_token token';

    public scope = 'dataEventRecords openid';

    public post_logout_redirect_uri = 'https://localhost:44363/Unauthorized';
}

IIS Express is configured to run with HTTPS and matches these configurations. If a different port is used, you need to change these two code configurations. In a production environment, the data should be configurable pro deployment.

Step 5: Deactivate the consent view

The consent view is deactivated because the client is the only client to use this data resource and always requires the same consent. To improve the user experience, the consent view is removed from the flow. This is done by setting the RequireConsent property to false in the client configuration.

public static IEnumerable<Client> GetClients()
{
	// client credentials client
	return new List<Client>
	{
		new Client
		{
			ClientName = "singleapp",
			ClientId = "singleapp",
			RequireConsent = false,
			AccessTokenType = AccessTokenType.Reference,
			//AccessTokenLifetime = 600, // 10 minutes, default 60 minutes
			AllowedGrantTypes = GrantTypes.Implicit,
			AllowAccessTokensViaBrowser = true,
			RedirectUris = new List<string>
			{
				HOST_URL

			},
			PostLogoutRedirectUris = new List<string>
			{
				HOST_URL + "/Unauthorized"
			},
			AllowedCorsOrigins = new List<string>
			{
				HOST_URL
			},
			AllowedScopes = new List<string>
			{
				"openid",
				"dataEventRecords"
			}
		}
	};
}

Step 6: Deactivate logout screens

When the Angular 2 client requests a logout, the client is logged out, reference tokens are invalidated for this application and user, and the user is redirected back to the Angular 2 application without the server account logout views. This improves the user experience.

The existing 2 Logout action methods are removed from the AccountController and the following is implemented. The controller requires the IPersistedGrantService to remove the reference tokens.

[HttpPost]
[ValidateAntiForgeryToken]
[AllowAnonymous]
public async Task<IActionResult> Logout(LogoutViewModel model)
{
	var idp = User?.FindFirst(JwtClaimTypes.IdentityProvider)?.Value;
	var subjectId = HttpContext.User.Identity.GetSubjectId();

	if (idp != null && idp != IdentityServerConstants.LocalIdentityProvider)
	{
		if (model.LogoutId == null)
		{
			// if there's no current logout context, we need to create one
			// this captures necessary info from the current logged in user
			// before we signout and redirect away to the external IdP for signout
			model.LogoutId = await _interaction.CreateLogoutContextAsync();
		}

		string url = "/Account/Logout?logoutId=" + model.LogoutId;
		try
		{
			// hack: try/catch to handle social providers that throw
			await HttpContext.Authentication.SignOutAsync(idp, new AuthenticationProperties { RedirectUri = url });
		}
		catch(NotSupportedException)
		{
		}
	}

	// delete authentication cookie
	await _signInManager.SignOutAsync();

	// set this so UI rendering sees an anonymous user
	HttpContext.User = new ClaimsPrincipal(new ClaimsIdentity());

	// get context information (client name, post logout redirect URI and iframe for federated signout)
	var logout = await _interaction.GetLogoutContextAsync(model.LogoutId);

	var vm = new LoggedOutViewModel
	{
		PostLogoutRedirectUri = logout?.PostLogoutRedirectUri,
		ClientName = logout?.ClientId,
		SignOutIframeUrl = logout?.SignOutIFrameUrl
	};

	await _persistedGrantService.RemoveAllGrantsAsync(subjectId, "angular2client");

	return Redirect(Config.HOST_URL + "/index.html");
}

Step 7: Configure Startup to use all three application parts

The Startup class configures all three application parts to run together. The Angular 2 application requires that its client routes are routed on the client and not the server. Middleware is added so that the server does not handle the client routes.

The API service needs to check the reference token and validate. Policies are added for this and also the extension method UseIdentityServerAuthentication is used to check the reference tokens for each request.

IdentityServer4 is setup to use Identity with a SQLite database.

using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using IdentityServerWithAspNetIdentity.Data;
using IdentityServerWithAspNetIdentity.Models;
using IdentityServerWithAspNetIdentity.Services;
using QuickstartIdentityServer;
using IdentityServer4.Services;
using System.Security.Cryptography.X509Certificates;
using System.IO;
using Microsoft.AspNetCore.Http;
using System.Linq;
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Collections.Generic;
using IdentityServer4.AccessTokenValidation;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;

namespace IdentityServerWithAspNetIdentitySqlite
{
    public class Startup
    {
        private readonly IHostingEnvironment _environment;

        public Startup(IHostingEnvironment env)
        {
            var builder = new ConfigurationBuilder()
                .SetBasePath(env.ContentRootPath)
                .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
                .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true);

            _environment = env;

            builder.AddEnvironmentVariables();
            Configuration = builder.Build();
        }

        public IConfigurationRoot Configuration { get; }

        public void ConfigureServices(IServiceCollection services)
        {
            var cert = new X509Certificate2(Path.Combine(_environment.ContentRootPath, "damienbodserver.pfx"), "");

            services.AddDbContext<ApplicationDbContext>(options =>
                options.UseSqlite(Configuration.GetConnectionString("DefaultConnection")));

            services.AddIdentity<ApplicationUser, IdentityRole>()
            .AddEntityFrameworkStores<ApplicationDbContext>()
            .AddDefaultTokenProviders()
            .AddIdentityServer();

            var guestPolicy = new AuthorizationPolicyBuilder()
           .RequireAuthenticatedUser()
           .RequireClaim("scope", "dataEventRecords")
           .Build();

            services.AddTransient<IProfileService, IdentityWithAdditionalClaimsProfileService>();

            services.AddTransient<IEmailSender, AuthMessageSender>();
            services.AddTransient<ISmsSender, AuthMessageSender>();

            services.AddIdentityServer()
                .AddSigningCredential(cert)
                .AddInMemoryIdentityResources(Config.GetIdentityResources())
                .AddInMemoryApiResources(Config.GetApiResources())
                .AddInMemoryClients(Config.GetClients())
                .AddAspNetIdentity<ApplicationUser>()
                .AddProfileService<IdentityWithAdditionalClaimsProfileService>();

            services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
              .AddIdentityServerAuthentication(options =>
              {
                  options.Authority = Config.HOST_URL + "/";
                  options.AllowedScopes = new List<string> { "dataEventRecords" };
                  options.ApiName = "dataEventRecords";
                  options.ApiSecret = "dataEventRecordsSecret";
                  options.SupportedTokens = SupportedTokens.Both;
              });

            //JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

            //IdentityServerAuthenticationOptions identityServerValidationOptions = new IdentityServerAuthenticationOptions
            //{
            //    Authority = Config.HOST_URL + "/",
            //    AllowedScopes = new List<string> { "dataEventRecords" },
            //    ApiSecret = "dataEventRecordsSecret",
            //    ApiName = "dataEventRecords",
            //    AutomaticAuthenticate = true,
            //    SupportedTokens = SupportedTokens.Both,
            //    // TokenRetriever = _tokenRetriever,
            //    // required if you want to return a 403 and not a 401 for forbidden responses
            //    AutomaticChallenge = true,
            //};

            //app.UseIdentityServerAuthentication(identityServerValidationOptions);

            services.AddAuthorization(options =>
            {
                options.AddPolicy("dataEventRecordsAdmin", policyAdmin =>
                {
                    policyAdmin.RequireClaim("role", "dataEventRecords.admin");
                });
                options.AddPolicy("admin", policyAdmin =>
                {
                    policyAdmin.RequireClaim("role", "admin");
                });
                options.AddPolicy("dataEventRecordsUser", policyUser =>
                {
                    policyUser.RequireClaim("role", "dataEventRecords.user");
                });

            });

            services.AddMvc();
        }

        public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
        {
            loggerFactory.AddConsole(Configuration.GetSection("Logging"));
            loggerFactory.AddDebug();

            var angularRoutes = new[] {
                "/Unauthorized",
                "/Forbidden",
                "/uihome",
                "/dataeventrecords/",
                "/dataeventrecords/create",
                "/dataeventrecords/edit/",
                "/dataeventrecords/list",
                "/usermanagement",
                };

            app.Use(async (context, next) =>
            {
                if (context.Request.Path.HasValue && null != angularRoutes.FirstOrDefault(
                    (ar) => context.Request.Path.Value.StartsWith(ar, StringComparison.OrdinalIgnoreCase)))
                {
                    context.Request.Path = new PathString("/");
                }

                await next();
            });

            app.UseDefaultFiles();
            app.UseStaticFiles();

            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
                app.UseDatabaseErrorPage();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
            }

            app.UseIdentityServer();
            app.UseAuthentication();

            app.UseMvc(routes =>
            {
                routes.MapRoute(
                    name: "default",
                    template: "{controller=Home}/{action=Index}/{id?}");
            });
        }
    }
}

The application can then be run and tested. To test, right click the project and debug.

Links

https://github.com/IdentityServer/IdentityServer4

http://docs.identityserver.io/en/dev/

https://github.com/IdentityServer/IdentityServer4.Samples

https://docs.asp.net/en/latest/security/authentication/identity.html

https://github.com/IdentityServer/IdentityServer4/issues/349

https://damienbod.com/2016/06/12/asp-net-core-angular2-with-webpack-and-visual-studio/

Advertisements

39 comments

  1. Thank you for great example! I’d like to know what are the benefits of using Implicit Flow for SPA if the developer is the owner of both backend and frontend part? Is it possible to convert backend of this sample to use ROPC and so use cool modal panels for registration and login right in angular part? If so will ROPC allows me to integrate social integration later?

  2. Thank you for great example! I’d like to know what are the benefits of using Implicit Flow for SPA if the developer is the owner of both backend and frontend part? Is it possible to convert backend of this sample to use ROPC and so use cool modal panels for registration and login right in angular part? If so will ROPC allows me to integrate social integration later?

  3. Hi Damien. For anyone interested, I posted an example that uses ROPC: https://github.com/robisim74/Angular2SPAWebAPI. Greetings

    1. Hey Roberto, can you share your thoughts on refreshing the Access Token … couldn’t see that in your code.

      I have something like this in my code:

      public scheduleRefresh() {
      // If the user is authenticated, use the token stream and flatMap the token
      let source = this.tokenStream.flatMap(
      token => {
      return Observable.interval(this.authInfo.expires_in * 1000);
      });

      this.refreshSubscription = source.subscribe(() => {
      this.getNewJwt();
      });
      }

      public startupTokenRefresh() {
      // If the user is authenticated, use the token stream and flatMap the token
      if (this.authInfo && this.authInfo.access_token) {
      if (this.tokenNotExpired(this.authInfo.access_token)) {
      let source = this.tokenStream.flatMap(
      token => {
      // Get the expiry time to generate a delay in milliseconds
      let now: number = new Date().valueOf();
      let jwtExp: number = this.decodeToken(token).exp;
      let exp: Date = new Date(0);
      exp.setUTCSeconds(jwtExp);
      let delay: number = exp.valueOf() – now;

      // Use the delay in a timer to run the refresh at the proper time
      return Observable.timer(delay);
      });

      // Once the delay time from above is reached, get a new JWT and schedule additional refreshes
      source.subscribe(() => {
      this.getNewJwt();
      this.scheduleRefresh();
      });
      }
      }
      }

      public unscheduleRefresh() {
      // Unsubscribe fromt the refresh (logout)
      if (this.refreshSubscription) {
      this.refreshSubscription.unsubscribe();
      }
      }

      public getNewJwt() {
      // Get a new JWT using the refresh token saved in local storage
      if (this.authInfo && this.authInfo.refresh_token) {
      this.refresh();
      } else {
      console.error(JSON.stringify(this.authInfo));
      alert(“Error refreshing token”);
      }
      }

      Just wanted to compare, maybe there is a better way to do this.
      Took the code and idea from here : https://github.com/auth0/angular2-jwt/issues/172

      1. Hi @boban984, please post your questions directly on the project, because this is a different project. There is also a new issue for the refresh token. Greetings

  4. Thank you for great example. However I think a few images would have been nice to show how these parts are working together.

    1. Hi Dave

      Thanks for you feedback. Would make a good improvement. Next time I update this article, I will try to add some.

      Updating the code now.

      Greetings Damien

      1. I also second this. As an Identity Server novice it’s difficult to work out how this all hangs together with the provided code snippets.

  5. I tried to follow your posts about IdentityServer4 to accomplish a scenario which I’m dealing with but so far with no luck. I’m trying to build a very secure application and also offer the API’s to the others.

    After a lot of thinking I decided to build an angular 2 client application and a gateway-api. The users with enough permission may use the UI or the gateway directly. But my gateway-api’s should use the internal api’s(internal microservices).

    After reading the IdentityServer4 documentation, I guess I should use the IdentityServer4(with EntityFramework and AspNetIdentity packages) with hybrid flow.

    I tried to follow your IdentityServer4 posts, but unfortunatly I still can not glue all these together.

    I have to admit that I use https://github.com/aspnet/JavaScriptServices for the angular part.

    Do you have any suggestions or advice for me? Am I totally off-road? Do you know any tutorial or blogpost about my scenario? Because I’m searching for it days and still no luck.

    Thanks in advance.

    1. Hi Dave, JavaScriptServices is tip top, I use the Implicit Flow OpenID with reference tokens. If you use the hybrid, you have to change the client logic, as far as I know, no example exists for a javascript client. Reference tokens are important if you want to control the lifecycle (full logout is important)

      Everything seems good but why the hybrid flow for the SPA?

      Greetings Damien

      1. I am trying to follow all your articles. I have a question for this one – when we logout and press Back button, it works very well at all browsers. It does not take from cache previous page – what part of code preventing that? I am having issue with my current app that it works very well at chrome but still get previous page from cache after logout. Adding cache-control – no-store – to response header helps but it would just disallow any cache.

  6. Hi Damien,

    I’m not sure why Hybrid flow 🙂
    I may have misunderstood this part of the documentation. http://docs.identityserver.io/en/release/quickstarts/5_hybrid_and_api_access.html

    Basically I want to have something like the pictures in this page of the documentation (see http://docs.identityserver.io/en/release/intro/big_picture.html) with OpenId Connect and OAuth2 to call the second level Web API’s which are internal and may not be seen or accessed from outside.

  7. Hi Damien,

    I think I have to use hybrid flow because other kind of clients like mobile apps and console apps may use the gateway api’s as well. So not only a javascript client(SPA) but also other kind of clients may use the public api’s as well.

  8. Sam Ellis · · Reply

    I have never run an Angular app in a .NET app like this. I’ve got the project building and running in VS with IIS Express, but I can’t seem to launch the Angular app itself? I only ever get the “This is server routing, not angular2 routing” returned when I try and hit any of the routes registered in the AngularRoutes array. Is there something I’m missing?

    1. Hi Sam
      You need to build the angular app. Go to the folder where the project file is in the commnad line
      $ npm install
      $ npm run-build-production

      Then it will work. See the packages.json for the possible scripts, to run in dev, production or publish

      Greetings Damien

  9. Hi Damien. Thank you so much for your time and creating this online. I downloaded the VS 2015 version to get familiar. I updated the packages and eventually seem to have everything working. The project builds so off to a great start. There’s a file named Find-VS2017.cs in 2 projects that is causing 10 warnings? For instance, Warning CS0618 ‘UnmanagedType.VariantBool’ is obsolete: ‘Marshalling as VariantBool may be unavailable in future releases…’

    Can you please explain why this file is here?

    Kind regards,

    Michael

    1. Hi Michael, thanks

      I don’t have these files in the VS2017 version. Don’t know what there are, maybe something to do with the upgrade. The master version is a VS2017, I have stopped maintaining the VS2015 version. Maybe you can compare yours to this. Greetings Damien

  10. Hi Damien. I shall. I’ll compare the VS2017 version with the VS2015. I see that you’re maintaining the VS2017 version. Cool! Thanks again!

    ~ Michael

  11. Hi Damien. So, I skipped ahead and I’m using your VS 2017 project. The project built successfully, but I haven’t tried to run it because I’m looking around still. Quite excellent and impressive. I’m a 15-year Microsoft SQL Server DBA. I’m following along in the IdentityServer4 documentation too. I hope you have time for some specific questions. I added the folder “Keys” under “ResourceServer”. I see in the config.json file that you are pointing to this directory. Is something missing from the project or is the empty folder correct? Second, I suppose it’s a good idea to know how to make a .pfx file?

    I hope my questions will help others wanting to understand all of this through your project templates.

    Thanks again!

  12. Hi again. I found that I need to run Update-Database. I had to add a reference to the project AngularClient from IdentityServerWithIdentitySQLite. Now I am only getting the error: SQLite Error 14: ‘unable to open database file’. Not sure yet, but I’m sharing my progress in getting your project working on my machine. 🙂

    ~ Michael

    1. The project uses a sqlite database, which is a file in the same directory as the csproj. you need to change the path in the config file to match this on your PC. Greetings Damien

  13. Hi Damien. I wish I could buy you a beer! I was able to register and that’s so freakin’ awesome to see this in action! Here’s an update on what I did, right I suppose, but possibly unnecessary.

    Recap: The project builds successfully and starts, but when I try and register myself, I get an error that states: A database operation failed while processing the request. SqliteException: SQLite Error 14: ‘unable to open database file’. Applying existing migrations for ApplicationDbContext may resolve this issue …

    The update command Update-Database ran successfully for the sqlite database in the ResourceServer project, but not the 2 others. There are 3 sqlite databases. When I ran update-database, I received the error: Could not load assembly ‘ResourceWithIdentityServerWithClient’. Ensure it is referenced by the startup project ‘IdentityServerWithIdentitySQLite’.

    I added the project reference. Then after running update-database again, I got the error: More than one DbContext was found. Specify which one to use. Use the ‘-Context’ parameter for PowerShell commands and the ‘–context’ parameter for dotnet commands.

    The above project reference issue is not the real issue. There are 3 sqlite databases and the path must be updated in the appsettings.json file for each project. One is in a config.json.

    So far so great! I’m going to read through your tutorial again and look at other related ones, and continue to get intimately comfortable with the application parts.

  14. Hi Damien. I imagine you’ve noticed that when you set the startup project to IdentityServerWithAspNetIdentity, the default page is https://localhost:44363/Index.html, and it’s empty. Going here shows the welcome page: https://localhost:44363/Home/Index … where I can then register.

  15. Okay. A question: How do I get to the Angular pages? I haven’t figured this out today.

    1. JoelS · · Reply

      Open up a package manager console and build the angular pages via webpack – i.e. ‘webpack -d’

      1. use the npm task runner and click on the webpack task you want to execute

      2. Thank you for the reply Joel!

      3. You too Damien. Thank you! I had to shift focus for several weeks. I also took a dive into SQLite, which is quite cool.

  16. Hi Damienbod, I was trying to run the project and couldn’t succeed . I was not able to run core project and also in the angular Uncaught SyntaxError: Unexpected identifier in polyfill . Could you please kindly let me know the steps required for a successful run

    1. Hi raki, you propbably need to build the SPA app. Try from the commandline

      > npm install
      > npm run build-production

      Should build without problems, otherwise you need to install node, npm etc.

      Then try running it from inside VS

      Hope this helps, greetings Damien

  17. Hi, I am getting “Error: Cannot find module ‘interpret'” when running watch-webpack-dev. Any ideea why?

    1. Forgot to mention this happens only for the ResourceWithIdentityServerWithClient project.

    2. No, I’ll have a look, try deleting the node_modules folder, npm install, and npm run build-dev

  18. Hi damienbod, here is the issue, since you combined Web API , Auth Server and Client App in the same , once you logged in , to access the Web API we don’t need to pass the token because you enabled the Cookie auth in the Server(since you conbined all API and AUTH Server in the same Project), In this case how will you for force the API to authenticate only through the token and not through the cookie.

    1. Hi Jay thanks for this info. I need to clean this up. In ASP.NET Core 2.0, the first Scheme is the defualt one. For the API, the Bearer must be just, which I need to fix, in the Auth Attribute on the controller. Thanks and greetings Damien

      1. Damienbod,
        do we need to custom AuthorizeAttribute to validate only token and skip cookie.
        Thanks,

      2. Authorize(AuthenicationScheme=”Bearer”) , I got it

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: