For many years now, Dominick Baier and his team at Thinktecture have been relentlessly pursuing a lightweight alternative to costly server technologies for implementing really simple claims-based identity solutions. Their IdentityServer framework has matured into an enterprise-class identity suite, with many large corporations leveraging it for single sign-on. With the release of IdentityServer3 it becomes an OWIN/Katana based framework with hostable components that support SSO in modern web applications and implement the current identity specifications, OpenID Connect and OAuth 2.0. It is very easy to configure IdentityServer3 in your ASP.NET MVC or Web API application.
First you need to install the relevant NuGet packages, Microsoft.Owin.Host.SystemWeb and Thinktecture.IdentityServer3. Next you need to set up an OWIN startup class that replaces the ASP.NET host. You can create a Startup.cs file in your ASP.NET MVC project and call the UseIdentityServer extension method on IAppBuilder to set up IdentityServer in your OWIN host:
    public void Configuration(IAppBuilder app)
    {
        var options = new IdentityServerOptions {
            SigningCertificate = LoadSigningCertificate(), // placeholder: your implementation to fetch the certificate
            Factory = Factory.Create()
        };
        app.UseIdentityServer(options); // registers IdentityServer3 in the OWIN pipeline
    }
You must also point the assembly-level OwinStartupAttribute at the startup class:

    [assembly: OwinStartup(typeof(<your project namespace>.Startup))]
In addition, in your Web.config file you must set the runAllManagedModulesForAllRequests attribute on the <modules> element (under <system.webServer>) to true so that the IdentityServer resources are loaded correctly.
It is also possible to specify the clients that will use the identity server for authentication, and the provider that supplies the identity information from a user database or LDAP repository. This completes the IdentityServer configuration; you can browse the /identity/.well-known/openid-configuration URL to discover the endpoints.
To add OAuth 2.0 support, the IAppBuilder provides the UseJsonWebToken method that you can configure in your Startup.cs file.
You are all set. You can now use the AuthorizeAttribute attribute on your controller actions to authorize resource access and initiate authentication with IdentityServer3. IdentityServer3 will present the login page and, based on the configured identity provider, will let you log in to access the resource. The Authorize attribute is available out of the box in MVC. For finer-grained control you can use the more robust annotated resource authorization feature in IdentityServer3: install the Thinktecture.IdentityModel.Owin.ResourceAuthorization.Mvc package and then use the ResourceAuthorizationAttribute attribute on your controller actions.
You can now isolate access control, in terms of who can read the order details in the example above, in an AuthorizationManager that dispatches to the relevant check depending on the resource being accessed.
The AuthorizationManager should be part of the OWIN startup configuration using the IAppBuilder
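The following is an added example, not the article's code, of such an authorization manager for the order-details case: admins may read or write any order, the owning user (matched by the "sub" claim) may only read their own, and everything else is denied. The ResourceAuthorizationManager base class, its Ok/Nok/Eval helpers and the context members come from the Thinktecture.IdentityModel resource authorization package; the IOrderRepository/OrderRepository ownership lookup and the "role"/"Admin" claim are assumptions.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Thinktecture.IdentityModel.Owin.ResourceAuthorization;

// Hypothetical data access used to find who owns an order; replace with your repository.
public interface IOrderRepository
{
    string OwnerSubjectOf(string orderId); // the owner's "sub" claim value, or null if unknown
}

public class OrdersAuthorizationManager : ResourceAuthorizationManager
{
    private readonly IOrderRepository _orders;
    public OrdersAuthorizationManager(IOrderRepository orders) { _orders = orders; }

    // Invoked for every [ResourceAuthorize(action, resource, ...)] attribute and every
    // imperative CheckAccess call. The first resource value names the resource; any
    // further values (here the order id) arrive as additional resource claims.
    public override Task<bool> CheckAccessAsync(ResourceAuthorizationContext context)
    {
        // Deny by default: no authenticated principal, no access.
        if (context.Principal == null || !context.Principal.Identity.IsAuthenticated)
            return Nok();
        var resource = context.Resource.First().Value;
        var action = context.Action.First().Value;
        switch (resource)
        {
            case "Order": return CheckOrder(context, action);
            default: return Nok(); // unknown resources are denied, never silently allowed
        }
    }

    private Task<bool> CheckOrder(ResourceAuthorizationContext context, string action)
    {
        // "role" / "Admin" are an assumed claim type and value issued by the identity provider.
        if (context.Principal.HasClaim("role", "Admin"))
            return Ok(); // admins may read and write any order

        var orderId = context.Resource.Skip(1).Select(c => c.Value).FirstOrDefault();
        var subject = context.Principal.FindFirst("sub");
        if (action == "Read" && orderId != null && subject != null)
            return Eval(_orders.OwnerSubjectOf(orderId) == subject.Value); // owner may read

        return Nok(); // writes, and reads of someone else's order, are refused
    }
}
// Wire-up in Startup.Configuration, after the authentication middleware:
//   app.UseResourceAuthorization(new OrdersAuthorizationManager(new OrderRepository()));
// Guarding an action, with id taken from the route:
//   if (!HttpContext.CheckAccess("Read", "Order", id)) return new HttpUnauthorizedResult();
```

Keeping the resource and action names as the only coupling between controllers and the manager means the ownership rule lives in one place and a new action cannot bypass it without an explicit case here.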