/IdentityServer4.AccessTokenValidation

IdentityServer Access Token Validation for ASP.NET Core

Primary LanguageC#Apache License 2.0Apache-2.0

IdentityServer4.AccessTokenValidation

Important

This library is deprecated and not being maintained anymore.

Read this blog post about the reasoning and recommedations for a superior and more flexible approach:

https://leastprivilege.com/2020/07/06/flexible-access-token-validation-in-asp-net-core/

Description

Authentication handler for ASP.NET Core 2 that allows accepting both JWTs and reference tokens in the same API.

Technically this handler is a decorator over both the Microsoft JWT handler as well as our OAuth 2 introspection handler. If you only need to support one token type only, we recommend using the underlying handlers directly.

JWT Usage

Simply specify authority and API name (aka audience):

services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
    .AddIdentityServerAuthentication(options =>
    {
        options.Authority = "https://demo.identityserver.io";
        options.ApiName = "api1";
    });

Enable reference tokens

Additionally specify the API secret for the introspection endpoint:

services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
    .AddIdentityServerAuthentication(options =>
    {
        options.Authority = "https://demo.identityserver.io";
        options.ApiName = "api1";
        options.ApiSecret = "secret";
    });

Specifying the underlying handler options directly

In case you need access to a setting that the combined options don't expose, you can fallback to configuring the underlying handler directly.

services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
    .AddIdentityServerAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme,
        jwtOptions =>
        {
            // jwt bearer options
        },
        referenceOptions =>
        {
            // oauth2 introspection options
        });

Scope validation

In addition to API name checking, you can do more fine-grained scope checks. This package includes some convenience helpers to do that.

Create a global authorization policy

services
    .AddMvcCore(options =>
    {
        // require scope1 or scope2
        var policy = ScopePolicy.Create("scope1", "scope2");
        options.Filters.Add(new AuthorizeFilter(policy));
    })
    .AddJsonFormatters()
    .AddAuthorization();

Composing a scope policy

services.AddAuthorization(options =>
{
    options.AddPolicy("myPolicy", builder =>
    {
        // require scope1
        builder.RequireScope("scope1");
        // and require scope2 or scope3
        builder.RequireScope("scope2", "scope3");
    });
});