Forem: Muhammad Naeem The latest articles on Forem by Muhammad Naeem (@naeemsahil). https://forem.com/naeemsahil https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F783901%2F635917c9-3af0-41fd-acf3-2b734058bd8f.png Forem: Muhammad Naeem https://forem.com/naeemsahil en 🌟Implementing OpenID Connect with OpenIddict Muhammad Naeem Wed, 03 Jul 2024 06:30:38 +0000 https://forem.com/naeemsahil/implementing-openid-connect-with-openiddict-4fmp https://forem.com/naeemsahil/implementing-openid-connect-with-openiddict-4fmp <p>Recently, I had the opportunity to work with OpenIddict for implementing OpenID Connect. It can be frustrating when you're trying to set up something new without a complete, step-by-step guide. So, I decided to write this article for other developers who might be struggling with the same challenges.</p> <p>This article will guide you through setting up an authentication server using OpenIddict in a .NET Core Web API project. We'll cover how to implement the Password, Refresh Token, and Client Credentials flows for secure authentication. By the end, you'll have a solid foundation for integrating robust authentication mechanisms into your web applications.</p> <p>Contents</p> <ul> <li>Setting Up the Auth Server</li> <li>Add OpenIddict To Auth Server</li> <li>Registering New User</li> <li>Implementing the Password Flow</li> <li>Creating a Web API Project as a Resource Server</li> <li>Testing Out Generated Tokens</li> <li>Implementing the Refresh Token Flow</li> <li>Implementing the Client Credentials Flow</li> <li>Conclusion</li> </ul> <h3> πŸ› οΈ Setting Up the Auth Server </h3> <p>To begin setting up the authentication server using OpenIddict in a .NET Core Web API project, follow these steps:</p> <ul> <li> <p><strong>Create a new Web API Project</strong>:</p> <ul> <li>Open Visual Studio and create a new project using the "ASP.NET Core Web Application" template.</li> <li>Choose the API template and proceed with the project creation.</li> </ul> </li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgist.github.com%2Fassets%2F73548959%2F4b84e7dd-01e5-46c1-b131-16349c249343" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgist.github.com%2Fassets%2F73548959%2F4b84e7dd-01e5-46c1-b131-16349c249343" alt="Create Web API Project"></a></p> <ul> <li> <p><strong>Install Required Packages</strong>:</p> <ul> <li>Open the Package Manager Console (PMC) from Visual Studio.</li> <li>Install the following packages using PMC:</li> </ul> <pre class="highlight shell"><code> Install-Package Microsoft.EntityFrameworkCore <span class="nt">-Version</span> 8.0.6 Install-Package Microsoft.EntityFrameworkCore.Design <span class="nt">-Version</span> 8.0.6 Install-Package Microsoft.EntityFrameworkCore.Tools <span class="nt">-Version</span> 8.0.6 Install-Package Microsoft.EntityFrameworkCore.SqlServer <span class="nt">-Version</span> 8.0.6 Install-Package Microsoft.AspNetCore.Identity.EntityFrameworkCore <span class="nt">-Version</span> 8.0.6 Install-Package System.Linq.Async <span class="nt">-Version</span> 6.0.1 // OpenID Connect packages Install-Package OpenIddict <span class="nt">-Version</span> 5.7.0 Install-Package OpenIddict.Core <span class="nt">-Version</span> 5.7.0 Install-Package OpenIddict.Server.AspNetCore <span class="nt">-Version</span> 5.7.0 Install-Package OpenIddict.Abstractions <span class="nt">-Version</span> 5.7.0 Install-Package OpenIddict.EntityFrameworkCore <span class="nt">-Version</span> 5.7.0 </code></pre> </li> <li> <p><strong>Create ApplicationDbContext</strong>:</p> <ul> <li>Add a new class named <code>ApplicationDbContext.cs</code> under the <code>Data</code> folder of your project.</li> <li>Implement the <code>ApplicationDbContext</code> class as shown below. Ensure to configure the connection string appropriately.</li> </ul> <pre class="highlight csharp"><code> <span class="k">public</span> <span class="k">class</span> <span class="nc">ApplicationDbContext</span> <span class="p">:</span> <span class="n">IdentityDbContext</span><span class="p">&lt;</span><span class="n">IdentityUser</span><span class="p">&gt;</span> <span class="p">{</span> <span class="k">public</span> <span class="nf">ApplicationDbContext</span><span class="p">()</span> <span class="p">{</span> <span class="p">}</span> <span class="k">public</span> <span class="nf">ApplicationDbContext</span><span class="p">(</span><span class="n">DbContextOptions</span><span class="p">&lt;</span><span class="n">ApplicationDbContext</span><span class="p">&gt;</span> <span class="n">options</span><span class="p">)</span> <span class="p">:</span> <span class="k">base</span><span class="p">(</span><span class="n">options</span><span class="p">)</span> <span class="p">{</span> <span class="p">}</span> <span class="k">protected</span> <span class="k">override</span> <span class="k">void</span> <span class="nf">OnConfiguring</span><span class="p">(</span><span class="n">DbContextOptionsBuilder</span> <span class="n">optionsBuilder</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="n">optionsBuilder</span><span class="p">.</span><span class="nf">UseSqlServer</span><span class="p">(</span><span class="s">"Name=ConnectionStrings:DefaultConnection"</span><span class="p">);</span> <span class="k">protected</span> <span class="k">override</span> <span class="k">void</span> <span class="nf">OnModelCreating</span><span class="p">(</span><span class="n">ModelBuilder</span> <span class="n">modelBuilder</span><span class="p">)</span> <span class="p">{</span> <span class="k">base</span><span class="p">.</span><span class="nf">OnModelCreating</span><span class="p">(</span><span class="n">modelBuilder</span><span class="p">);</span> <span class="c1">// Customize your identity models here, if needed.</span> <span class="nf">OnModelCreatingPartial</span><span class="p">(</span><span class="n">modelBuilder</span><span class="p">);</span> <span class="p">}</span> <span class="k">partial</span> <span class="k">void</span> <span class="nf">OnModelCreatingPartial</span><span class="p">(</span><span class="n">ModelBuilder</span> <span class="n">modelBuilder</span><span class="p">);</span> <span class="p">}</span> </code></pre> </li> <li> <p><strong>Configure DbContext in Program.cs</strong>:</p> <ul> <li>Open <code>Program.cs</code> and configure the DbContext in the <code>CreateHostBuilder</code> method as follows:</li> </ul> <pre class="highlight csharp"><code> <span class="k">public</span> <span class="k">static</span> <span class="n">IHostBuilder</span> <span class="nf">CreateHostBuilder</span><span class="p">(</span><span class="kt">string</span><span class="p">[]</span> <span class="n">args</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="n">Host</span><span class="p">.</span><span class="nf">CreateDefaultBuilder</span><span class="p">(</span><span class="n">args</span><span class="p">)</span> <span class="p">.</span><span class="nf">ConfigureWebHostDefaults</span><span class="p">(</span><span class="n">webBuilder</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">webBuilder</span><span class="p">.</span><span class="n">UseStartup</span><span class="p">&lt;</span><span class="n">Startup</span><span class="p">&gt;();</span> <span class="p">})</span> <span class="p">.</span><span class="nf">ConfigureServices</span><span class="p">((</span><span class="n">hostContext</span><span class="p">,</span> <span class="n">services</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">services</span><span class="p">.</span><span class="n">AddDbContext</span><span class="p">&lt;</span><span class="n">ApplicationDbContext</span><span class="p">&gt;(</span><span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">options</span><span class="p">.</span><span class="nf">UseSqlServer</span><span class="p">(</span><span class="n">hostContext</span><span class="p">.</span><span class="n">Configuration</span><span class="p">.</span><span class="nf">GetConnectionString</span><span class="p">(</span><span class="s">"DefaultConnection"</span><span class="p">));</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </li> <li> <p><strong>Configure Identity</strong>:</p> <ul> <li>Still in <code>Program.cs</code>, configure ASP.NET Core Identity within the <code>ConfigureServices</code> method:</li> </ul> <pre class="highlight csharp"><code> <span class="k">public</span> <span class="k">static</span> <span class="n">IHostBuilder</span> <span class="nf">CreateHostBuilder</span><span class="p">(</span><span class="kt">string</span><span class="p">[]</span> <span class="n">args</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="n">Host</span><span class="p">.</span><span class="nf">CreateDefaultBuilder</span><span class="p">(</span><span class="n">args</span><span class="p">)</span> <span class="p">.</span><span class="nf">ConfigureWebHostDefaults</span><span class="p">(</span><span class="n">webBuilder</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">webBuilder</span><span class="p">.</span><span class="n">UseStartup</span><span class="p">&lt;</span><span class="n">Startup</span><span class="p">&gt;();</span> <span class="p">})</span> <span class="p">.</span><span class="nf">ConfigureServices</span><span class="p">((</span><span class="n">hostContext</span><span class="p">,</span> <span class="n">services</span><span class="p">)</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">services</span><span class="p">.</span><span class="n">AddDbContext</span><span class="p">&lt;</span><span class="n">ApplicationDbContext</span><span class="p">&gt;(</span><span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">options</span><span class="p">.</span><span class="nf">UseSqlServer</span><span class="p">(</span><span class="n">hostContext</span><span class="p">.</span><span class="n">Configuration</span><span class="p">.</span><span class="nf">GetConnectionString</span><span class="p">(</span><span class="s">"DefaultConnection"</span><span class="p">));</span> <span class="p">});</span> <span class="n">services</span><span class="p">.</span><span class="n">AddIdentity</span><span class="p">&lt;</span><span class="n">IdentityUser</span><span class="p">,</span> <span class="n">IdentityRole</span><span class="p">&gt;()</span> <span class="p">.</span><span class="n">AddEntityFrameworkStores</span><span class="p">&lt;</span><span class="n">ApplicationDbContext</span><span class="p">&gt;()</span> <span class="p">.</span><span class="nf">AddDefaultTokenProviders</span><span class="p">();</span> <span class="p">});</span> </code></pre> </li> <li> <p><strong>Add Initial Migration</strong>:</p> <ul> <li>Now, add an initial migration to create the necessary Identity models in your database.</li> </ul> <pre class="highlight shell"><code> Add-Migration Initial <span class="nt">-Context</span> ApplicationDbContext </code></pre> </li> <li> <p><strong>Update Database</strong>:</p> <ul> <li>Update the database to apply the migration.</li> </ul> <pre class="highlight shell"><code> Update-Database </code></pre> </li> </ul> <p>This will create the necessary tables in your database, including tables for users, roles, and other Identity-related entities.</p> <ul> <li> <p><strong>Confirm Database Tables</strong>:</p> <ul> <li>Verify that the following tables have been created in your database:</li> </ul> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgist.github.com%2Fassets%2F73548959%2F0e8e9238-c964-418b-a627-66dbf9ab4269" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgist.github.com%2Fassets%2F73548959%2F0e8e9238-c964-418b-a627-66dbf9ab4269" alt="Database Tables"></a></p> </li> </ul> <p>These tables are essential for managing users and roles within your authentication system.</p> <h3> πŸ”’ Add OpenIddict To Auth Server </h3> <p>Now we are ready to configure OpenIddict in our project.</p> <ul> <li><strong>Configure OpenIddict in Program.cs</strong></li> </ul> <p>In your <code>Program.cs</code>, add the following configuration to integrate OpenIddict:</p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code> <span class="c1">// Cionfigure OpenIddict</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddOpenIddict</span><span class="p">()</span> <span class="p">.</span><span class="nf">AddCore</span><span class="p">(</span><span class="n">coreOptions</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">coreOptions</span><span class="p">.</span><span class="nf">UseEntityFrameworkCore</span><span class="p">()</span> <span class="p">.</span><span class="n">UseDbContext</span><span class="p">&lt;</span><span class="n">ApplicationDbContext</span><span class="p">&gt;();</span> <span class="p">})</span> <span class="p">.</span><span class="nf">AddServer</span><span class="p">(</span><span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">options</span><span class="p">.</span><span class="nf">AllowClientCredentialsFlow</span><span class="p">().</span><span class="nf">AllowRefreshTokenFlow</span><span class="p">();</span> <span class="n">options</span><span class="p">.</span><span class="nf">AllowPasswordFlow</span><span class="p">().</span><span class="nf">AllowRefreshTokenFlow</span><span class="p">();</span> <span class="c1">// Encryption and signing of tokens</span> <span class="n">options</span> <span class="p">.</span><span class="nf">AddDevelopmentEncryptionCertificate</span><span class="p">()</span> <span class="p">.</span><span class="nf">AddDevelopmentSigningCertificate</span><span class="p">()</span> <span class="p">.</span><span class="nf">DisableAccessTokenEncryption</span><span class="p">();</span> <span class="c1">// Register the ASP.NET Core host and configure the ASP.NET Core options.</span> <span class="n">options</span><span class="p">.</span><span class="nf">UseAspNetCore</span><span class="p">()</span> <span class="p">.</span><span class="nf">EnableTokenEndpointPassthrough</span><span class="p">()</span> <span class="p">.</span><span class="nf">EnableAuthorizationEndpointPassthrough</span><span class="p">()</span> <span class="p">.</span><span class="nf">EnableLogoutEndpointPassthrough</span><span class="p">()</span> <span class="p">.</span><span class="nf">DisableTransportSecurityRequirement</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <p>This configuration enables both the Client Credentials flow and Password flow, with Refresh Token flow enabled for both to obtain refresh tokens.</p> <ul> <li><strong>Add OpenIddict To DbContext Options</strong></li> </ul> <p>Ensure OpenIddict is added to your DbContext options within Program.cs:</p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="n">AddDbContext</span><span class="p">&lt;</span><span class="n">ApplicationDbContext</span><span class="p">&gt;(</span><span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">options</span><span class="p">.</span><span class="nf">UseSqlServer</span><span class="p">(</span><span class="n">_config</span><span class="p">.</span><span class="nf">GetConnectionString</span><span class="p">(</span><span class="s">"DefaultConnection"</span><span class="p">));</span> <span class="c1">// Add Openiddict</span> <span class="n">options</span><span class="p">.</span><span class="nf">UseOpenIddict</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <ul> <li> <strong>Add Migration for OpenIddict Tables</strong> To incorporate OpenIddict tables into your database, add a migration:</li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> Add-Migration openIddict <span class="nt">-Context</span> ApplicationDbContext </code></pre> </div> <ul> <li><strong>Update Database</strong></li> </ul> <p>Update the database to apply the migration:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> Update-Database </code></pre> </div> <p>Following tables will be added for openiddict</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgist.github.com%2Fassets%2F73548959%2F4e84f995-5b7c-40e4-a61b-24cffd218b97" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgist.github.com%2Fassets%2F73548959%2F4e84f995-5b7c-40e4-a61b-24cffd218b97" alt="image"></a></p> <p>In open iddict AddErver options, set token url</p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code> <span class="n">options</span><span class="p">.</span><span class="nf">SetTokenEndpointUris</span><span class="p">(</span><span class="s">"connect/token"</span><span class="p">);</span> </code></pre> </div> <h3> πŸ“ Registering New User </h3> <p>To enable user registration and utilize it for token creation, follow these steps:</p> <ul> <li><strong>Add ViewModel for User Registration</strong></li> </ul> <p>Create a RegisterViewModel in the ViewModels directory to handle user registration inputs:</p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code> <span class="k">public</span> <span class="k">class</span> <span class="nc">RegisterViewModel</span> <span class="p">{</span> <span class="p">[</span><span class="n">Required</span><span class="p">]</span> <span class="p">[</span><span class="n">EmailAddress</span><span class="p">]</span> <span class="p">[</span><span class="nf">Display</span><span class="p">(</span><span class="n">Name</span> <span class="p">=</span> <span class="s">"Email"</span><span class="p">)]</span> <span class="k">public</span> <span class="kt">string</span> <span class="n">Email</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="k">set</span><span class="p">;</span> <span class="p">}</span> <span class="p">[</span><span class="n">Required</span><span class="p">]</span> <span class="p">[</span><span class="nf">Display</span><span class="p">(</span><span class="n">Name</span> <span class="p">=</span> <span class="s">"UserName"</span><span class="p">)]</span> <span class="k">public</span> <span class="kt">string</span> <span class="n">UserName</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="k">set</span><span class="p">;</span> <span class="p">}</span> <span class="p">[</span><span class="n">Required</span><span class="p">]</span> <span class="p">[</span><span class="nf">StringLength</span><span class="p">(</span><span class="m">100</span><span class="p">,</span> <span class="n">ErrorMessage</span> <span class="p">=</span> <span class="s">"The {0} must be at least {2} characters long."</span><span class="p">,</span> <span class="n">MinimumLength</span> <span class="p">=</span> <span class="m">6</span><span class="p">)]</span> <span class="p">[</span><span class="nf">DataType</span><span class="p">(</span><span class="n">DataType</span><span class="p">.</span><span class="n">Password</span><span class="p">)]</span> <span class="p">[</span><span class="nf">Display</span><span class="p">(</span><span class="n">Name</span> <span class="p">=</span> <span class="s">"Password"</span><span class="p">)]</span> <span class="k">public</span> <span class="kt">string</span> <span class="n">Password</span> <span class="p">{</span> <span class="k">get</span><span class="p">;</span> <span class="k">set</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <ul> <li><strong>Implement RegistrationController</strong></li> </ul> <p>Create a RegistrationController in your Controllers directory to handle user registration:</p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code> <span class="k">namespace</span> <span class="nn">AuthServer.Controllers</span> <span class="p">{</span> <span class="p">[</span><span class="nf">Route</span><span class="p">(</span><span class="s">"api/[controller]"</span><span class="p">)]</span> <span class="p">[</span><span class="n">ApiController</span><span class="p">]</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">RegisterationController</span> <span class="p">:</span> <span class="n">ControllerBase</span> <span class="p">{</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">UserManager</span><span class="p">&lt;</span><span class="n">IdentityUser</span><span class="p">&gt;</span> <span class="n">_userManager</span><span class="p">;</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">ApplicationDbContext</span> <span class="n">_applicationDbContext</span><span class="p">;</span> <span class="k">private</span> <span class="k">static</span> <span class="kt">bool</span> <span class="n">_databaseChecked</span><span class="p">;</span> <span class="k">public</span> <span class="nf">RegisterationController</span><span class="p">(</span> <span class="n">UserManager</span><span class="p">&lt;</span><span class="n">IdentityUser</span><span class="p">&gt;</span> <span class="n">userManager</span><span class="p">,</span> <span class="n">ApplicationDbContext</span> <span class="n">applicationDbContext</span><span class="p">)</span> <span class="p">{</span> <span class="n">_userManager</span> <span class="p">=</span> <span class="n">userManager</span><span class="p">;</span> <span class="n">_applicationDbContext</span> <span class="p">=</span> <span class="n">applicationDbContext</span><span class="p">;</span> <span class="p">}</span> <span class="c1">//</span> <span class="c1">// POST: /Account/Register</span> <span class="p">[</span><span class="n">HttpPost</span><span class="p">]</span> <span class="p">[</span><span class="n">AllowAnonymous</span><span class="p">]</span> <span class="k">public</span> <span class="k">async</span> <span class="n">Task</span><span class="p">&lt;</span><span class="n">IActionResult</span><span class="p">&gt;</span> <span class="nf">Register</span><span class="p">([</span><span class="n">FromBody</span><span class="p">]</span> <span class="n">RegisterViewModel</span> <span class="n">model</span><span class="p">)</span> <span class="p">{</span> <span class="nf">EnsureDatabaseCreated</span><span class="p">(</span><span class="n">_applicationDbContext</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">ModelState</span><span class="p">.</span><span class="n">IsValid</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">user</span> <span class="p">=</span> <span class="k">await</span> <span class="n">_userManager</span><span class="p">.</span><span class="nf">FindByNameAsync</span><span class="p">(</span><span class="n">model</span><span class="p">.</span><span class="n">Email</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">user</span> <span class="p">!=</span> <span class="k">null</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">StatusCode</span><span class="p">(</span><span class="n">StatusCodes</span><span class="p">.</span><span class="n">Status409Conflict</span><span class="p">);</span> <span class="p">}</span> <span class="n">user</span> <span class="p">=</span> <span class="k">new</span> <span class="n">IdentityUser</span> <span class="p">{</span> <span class="n">UserName</span> <span class="p">=</span> <span class="n">model</span><span class="p">.</span><span class="n">Email</span><span class="p">,</span> <span class="n">Email</span> <span class="p">=</span> <span class="n">model</span><span class="p">.</span><span class="n">Email</span> <span class="p">};</span> <span class="kt">var</span> <span class="n">result</span> <span class="p">=</span> <span class="k">await</span> <span class="n">_userManager</span><span class="p">.</span><span class="nf">CreateAsync</span><span class="p">(</span><span class="n">user</span><span class="p">,</span> <span class="n">model</span><span class="p">.</span><span class="n">Password</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">result</span><span class="p">.</span><span class="n">Succeeded</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">();</span> <span class="p">}</span> <span class="nf">AddErrors</span><span class="p">(</span><span class="n">result</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// If we got this far, something failed.</span> <span class="k">return</span> <span class="nf">BadRequest</span><span class="p">(</span><span class="n">ModelState</span><span class="p">);</span> <span class="p">}</span> <span class="err">#</span><span class="n">region</span> <span class="n">Helpers</span> <span class="c1">// The following code creates the database and schema if they don't exist.</span> <span class="c1">// This is a temporary workaround since deploying database through EF migrations is</span> <span class="c1">// not yet supported in this release.</span> <span class="c1">// Please see this http://go.microsoft.com/fwlink/?LinkID=615859 for more information on how to do deploy the database</span> <span class="c1">// when publishing your application.</span> <span class="k">private</span> <span class="k">static</span> <span class="k">void</span> <span class="nf">EnsureDatabaseCreated</span><span class="p">(</span><span class="n">ApplicationDbContext</span> <span class="n">context</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(!</span><span class="n">_databaseChecked</span><span class="p">)</span> <span class="p">{</span> <span class="n">_databaseChecked</span> <span class="p">=</span> <span class="k">true</span><span class="p">;</span> <span class="n">context</span><span class="p">.</span><span class="n">Database</span><span class="p">.</span><span class="nf">EnsureCreated</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> <span class="k">private</span> <span class="k">void</span> <span class="nf">AddErrors</span><span class="p">(</span><span class="n">IdentityResult</span> <span class="n">result</span><span class="p">)</span> <span class="p">{</span> <span class="k">foreach</span> <span class="p">(</span><span class="kt">var</span> <span class="n">error</span> <span class="k">in</span> <span class="n">result</span><span class="p">.</span><span class="n">Errors</span><span class="p">)</span> <span class="p">{</span> <span class="n">ModelState</span><span class="p">.</span><span class="nf">AddModelError</span><span class="p">(</span><span class="kt">string</span><span class="p">.</span><span class="n">Empty</span><span class="p">,</span> <span class="n">error</span><span class="p">.</span><span class="n">Description</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="err">#</span><span class="n">endregion</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> πŸ”‘ Implementing the Password Flow </h3> <p>Now, let's implement the connect/token endpoint in the AuthorizeController to handle the password flow.</p> <ul> <li><strong>Create AuthorizeController</strong></li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code> <span class="p">[</span><span class="n">ApiController</span><span class="p">]</span> <span class="k">public</span> <span class="k">class</span> <span class="nc">AuthorizeController</span> <span class="p">:</span> <span class="n">ControllerBase</span> <span class="p">{</span> <span class="k">private</span> <span class="k">static</span> <span class="n">ClaimsIdentity</span> <span class="n">Identity</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">ClaimsIdentity</span><span class="p">();</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">IOpenIddictApplicationManager</span> <span class="n">_applicationManager</span><span class="p">;</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">IOpenIddictAuthorizationManager</span> <span class="n">_authorizationManager</span><span class="p">;</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">IOpenIddictScopeManager</span> <span class="n">_scopeManager</span><span class="p">;</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">SignInManager</span><span class="p">&lt;</span><span class="n">IdentityUser</span><span class="p">&gt;</span> <span class="n">_signInManager</span><span class="p">;</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">UserManager</span><span class="p">&lt;</span><span class="n">IdentityUser</span><span class="p">&gt;</span> <span class="n">_userManager</span><span class="p">;</span> <span class="k">public</span> <span class="nf">AuthorizeController</span><span class="p">(</span><span class="n">IOpenIddictApplicationManager</span> <span class="n">applicationManager</span><span class="p">,</span> <span class="n">IOpenIddictAuthorizationManager</span> <span class="n">authorizationManager</span><span class="p">,</span> <span class="n">IOpenIddictScopeManager</span> <span class="n">scopeManager</span><span class="p">,</span> <span class="n">SignInManager</span><span class="p">&lt;</span><span class="n">IdentityUser</span><span class="p">&gt;</span> <span class="n">signInManager</span><span class="p">,</span> <span class="n">UserManager</span><span class="p">&lt;</span><span class="n">IdentityUser</span><span class="p">&gt;</span> <span class="n">userManager</span><span class="p">)</span> <span class="p">{</span> <span class="n">_applicationManager</span> <span class="p">=</span> <span class="n">applicationManager</span><span class="p">;</span> <span class="n">_authorizationManager</span> <span class="p">=</span> <span class="n">authorizationManager</span><span class="p">;</span> <span class="n">_scopeManager</span> <span class="p">=</span> <span class="n">scopeManager</span><span class="p">;</span> <span class="n">_signInManager</span> <span class="p">=</span> <span class="n">signInManager</span><span class="p">;</span> <span class="n">_userManager</span> <span class="p">=</span> <span class="n">userManager</span><span class="p">;</span> <span class="p">}</span> <span class="p">[</span><span class="n">HttpPost</span><span class="p">]</span> <span class="p">[</span><span class="nf">Route</span><span class="p">(</span><span class="s">"connect/token"</span><span class="p">)]</span> <span class="k">public</span> <span class="k">async</span> <span class="n">Task</span><span class="p">&lt;</span><span class="n">IActionResult</span><span class="p">&gt;</span> <span class="nf">ConnectToken</span><span class="p">()</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">openIdConnectRequest</span> <span class="p">=</span> <span class="n">HttpContext</span><span class="p">.</span><span class="nf">GetOpenIddictServerRequest</span><span class="p">()</span> <span class="p">??</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">InvalidOperationException</span><span class="p">(</span><span class="s">"The OpenID Connect request cannot be retrieved."</span><span class="p">);</span> <span class="n">Identity</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">ClaimsIdentity</span><span class="p">(</span><span class="n">OpenIddictServerAspNetCoreDefaults</span><span class="p">.</span><span class="n">AuthenticationScheme</span><span class="p">,</span> <span class="n">Claims</span><span class="p">.</span><span class="n">Name</span><span class="p">,</span> <span class="n">Claims</span><span class="p">.</span><span class="n">Role</span><span class="p">);</span> <span class="n">IdentityUser</span><span class="p">?</span> <span class="n">user</span> <span class="p">=</span> <span class="k">null</span><span class="p">;</span> <span class="n">AuthenticationProperties</span> <span class="n">properties</span> <span class="p">=</span> <span class="k">new</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="n">openIdConnectRequest</span><span class="p">.</span><span class="nf">IsClientCredentialsGrantType</span><span class="p">())</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">NotImplementedException</span><span class="p">();</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="n">openIdConnectRequest</span><span class="p">.</span><span class="nf">IsPasswordGrantType</span><span class="p">())</span> <span class="p">{</span> <span class="n">user</span> <span class="p">=</span> <span class="k">await</span> <span class="n">_userManager</span><span class="p">.</span><span class="nf">FindByNameAsync</span><span class="p">(</span><span class="n">openIdConnectRequest</span><span class="p">.</span><span class="n">Username</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">user</span> <span class="p">==</span> <span class="k">null</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">BadRequest</span><span class="p">(</span><span class="k">new</span> <span class="n">OpenIddictResponse</span> <span class="p">{</span> <span class="n">Error</span> <span class="p">=</span> <span class="n">Errors</span><span class="p">.</span><span class="n">InvalidGrant</span><span class="p">,</span> <span class="n">ErrorDescription</span> <span class="p">=</span> <span class="s">"User does not exist"</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Check that the user can sign in and is not locked out.</span> <span class="c1">// If two-factor authentication is supported, it would also be appropriate to check that 2FA is enabled for the user</span> <span class="k">if</span> <span class="p">(!</span><span class="k">await</span> <span class="n">_signInManager</span><span class="p">.</span><span class="nf">CanSignInAsync</span><span class="p">(</span><span class="n">user</span><span class="p">)</span> <span class="p">||</span> <span class="p">(</span><span class="n">_userManager</span><span class="p">.</span><span class="n">SupportsUserLockout</span> <span class="p">&amp;&amp;</span> <span class="k">await</span> <span class="n">_userManager</span><span class="p">.</span><span class="nf">IsLockedOutAsync</span><span class="p">(</span><span class="n">user</span><span class="p">)))</span> <span class="p">{</span> <span class="c1">// Return bad request is the user can't sign in</span> <span class="k">return</span> <span class="nf">BadRequest</span><span class="p">(</span><span class="k">new</span> <span class="n">OpenIddictResponse</span> <span class="p">{</span> <span class="n">Error</span> <span class="p">=</span> <span class="n">OpenIddictConstants</span><span class="p">.</span><span class="n">Errors</span><span class="p">.</span><span class="n">InvalidGrant</span><span class="p">,</span> <span class="n">ErrorDescription</span> <span class="p">=</span> <span class="s">"The specified user cannot sign in."</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Validate the username/password parameters and ensure the account is not locked out.</span> <span class="kt">var</span> <span class="n">result</span> <span class="p">=</span> <span class="k">await</span> <span class="n">_signInManager</span><span class="p">.</span><span class="nf">PasswordSignInAsync</span><span class="p">(</span><span class="n">user</span><span class="p">.</span><span class="n">UserName</span><span class="p">,</span> <span class="n">openIdConnectRequest</span><span class="p">.</span><span class="n">Password</span><span class="p">,</span> <span class="k">false</span><span class="p">,</span> <span class="n">lockoutOnFailure</span><span class="p">:</span> <span class="k">false</span><span class="p">);</span> <span class="k">if</span> <span class="p">(!</span><span class="n">result</span><span class="p">.</span><span class="n">Succeeded</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="n">result</span><span class="p">.</span><span class="n">IsNotAllowed</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">BadRequest</span><span class="p">(</span><span class="k">new</span> <span class="n">OpenIddictResponse</span> <span class="p">{</span> <span class="n">Error</span> <span class="p">=</span> <span class="n">Errors</span><span class="p">.</span><span class="n">InvalidGrant</span><span class="p">,</span> <span class="n">ErrorDescription</span> <span class="p">=</span> <span class="s">"User not allowed to login. Please confirm your email"</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="n">result</span><span class="p">.</span><span class="n">RequiresTwoFactor</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">BadRequest</span><span class="p">(</span><span class="k">new</span> <span class="n">OpenIddictResponse</span> <span class="p">{</span> <span class="n">Error</span> <span class="p">=</span> <span class="n">Errors</span><span class="p">.</span><span class="n">InvalidGrant</span><span class="p">,</span> <span class="n">ErrorDescription</span> <span class="p">=</span> <span class="s">"User requires 2F authentication"</span> <span class="p">});</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="n">result</span><span class="p">.</span><span class="n">IsLockedOut</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">BadRequest</span><span class="p">(</span><span class="k">new</span> <span class="n">OpenIddictResponse</span> <span class="p">{</span> <span class="n">Error</span> <span class="p">=</span> <span class="n">Errors</span><span class="p">.</span><span class="n">InvalidGrant</span><span class="p">,</span> <span class="n">ErrorDescription</span> <span class="p">=</span> <span class="s">"User is locked out"</span> <span class="p">});</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">BadRequest</span><span class="p">(</span><span class="k">new</span> <span class="n">OpenIddictResponse</span> <span class="p">{</span> <span class="n">Error</span> <span class="p">=</span> <span class="n">Errors</span><span class="p">.</span><span class="n">InvalidGrant</span><span class="p">,</span> <span class="n">ErrorDescription</span> <span class="p">=</span> <span class="s">"Username or password is incorrect"</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// The user is now validated, so reset lockout counts, if necessary</span> <span class="k">if</span> <span class="p">(</span><span class="n">_userManager</span><span class="p">.</span><span class="n">SupportsUserLockout</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="n">_userManager</span><span class="p">.</span><span class="nf">ResetAccessFailedCountAsync</span><span class="p">(</span><span class="n">user</span><span class="p">);</span> <span class="p">}</span> <span class="c1">//// Getting scopes from user parameters (TokenViewModel) and adding in Identity </span> <span class="n">Identity</span><span class="p">.</span><span class="nf">SetScopes</span><span class="p">(</span><span class="n">openIdConnectRequest</span><span class="p">.</span><span class="nf">GetScopes</span><span class="p">());</span> <span class="c1">// Getting scopes from user parameters (TokenViewModel)</span> <span class="c1">// Checking in OpenIddictScopes tables for matching resources</span> <span class="c1">// Adding in Identity</span> <span class="n">Identity</span><span class="p">.</span><span class="nf">SetResources</span><span class="p">(</span><span class="k">await</span> <span class="n">_scopeManager</span><span class="p">.</span><span class="nf">ListResourcesAsync</span><span class="p">(</span><span class="n">Identity</span><span class="p">.</span><span class="nf">GetScopes</span><span class="p">()).</span><span class="nf">ToListAsync</span><span class="p">());</span> <span class="c1">// Add Custom claims</span> <span class="c1">// sub claims is mendatory</span> <span class="n">Identity</span><span class="p">.</span><span class="nf">AddClaim</span><span class="p">(</span><span class="k">new</span> <span class="nf">Claim</span><span class="p">(</span><span class="n">Claims</span><span class="p">.</span><span class="n">Subject</span><span class="p">,</span> <span class="n">user</span><span class="p">.</span><span class="n">Id</span><span class="p">));</span> <span class="n">Identity</span><span class="p">.</span><span class="nf">AddClaim</span><span class="p">(</span><span class="k">new</span> <span class="nf">Claim</span><span class="p">(</span><span class="n">Claims</span><span class="p">.</span><span class="n">Audience</span><span class="p">,</span> <span class="s">"Resourse"</span><span class="p">));</span> <span class="c1">// Setting destinations of claims i.e. identity token or access token</span> <span class="n">Identity</span><span class="p">.</span><span class="nf">SetDestinations</span><span class="p">(</span><span class="n">GetDestinations</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="n">openIdConnectRequest</span><span class="p">.</span><span class="nf">IsRefreshTokenGrantType</span><span class="p">())</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nf">NotImplementedException</span><span class="p">();</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">BadRequest</span><span class="p">(</span><span class="k">new</span> <span class="p">{</span> <span class="n">error</span> <span class="p">=</span> <span class="n">Errors</span><span class="p">.</span><span class="n">UnsupportedGrantType</span><span class="p">,</span> <span class="n">error_description</span> <span class="p">=</span> <span class="s">"The specified grant type is not supported."</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Returning a SignInResult will ask OpenIddict to issue the appropriate access/identity tokens.</span> <span class="kt">var</span> <span class="n">signInResult</span> <span class="p">=</span> <span class="nf">SignIn</span><span class="p">(</span><span class="k">new</span> <span class="nf">ClaimsPrincipal</span><span class="p">(</span><span class="n">Identity</span><span class="p">),</span> <span class="n">properties</span><span class="p">,</span> <span class="n">OpenIddictServerAspNetCoreDefaults</span><span class="p">.</span><span class="n">AuthenticationScheme</span><span class="p">);</span> <span class="k">return</span> <span class="n">signInResult</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="n">Exception</span> <span class="n">ex</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">BadRequest</span><span class="p">(</span><span class="k">new</span> <span class="nf">OpenIddictResponse</span><span class="p">()</span> <span class="p">{</span> <span class="n">Error</span> <span class="p">=</span> <span class="n">Errors</span><span class="p">.</span><span class="n">ServerError</span><span class="p">,</span> <span class="n">ErrorDescription</span> <span class="p">=</span> <span class="s">"Invalid login attempt"</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="err">#</span><span class="n">region</span> <span class="n">Private</span> <span class="n">Methods</span> <span class="k">private</span> <span class="k">static</span> <span class="n">IEnumerable</span><span class="p">&lt;</span><span class="kt">string</span><span class="p">&gt;</span> <span class="nf">GetDestinations</span><span class="p">(</span><span class="n">Claim</span> <span class="n">claim</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Note: by default, claims are NOT automatically included in the access and identity tokens.</span> <span class="c1">// To allow OpenIddict to serialize them, you must attach them a destination, that specifies</span> <span class="c1">// whether they should be included in access tokens, in identity tokens or in both.</span> <span class="k">return</span> <span class="n">claim</span><span class="p">.</span><span class="n">Type</span> <span class="k">switch</span> <span class="p">{</span> <span class="n">Claims</span><span class="p">.</span><span class="n">Name</span> <span class="k">or</span> <span class="n">Claims</span><span class="p">.</span><span class="n">Subject</span> <span class="p">=&gt;</span> <span class="k">new</span><span class="p">[]</span> <span class="p">{</span> <span class="n">Destinations</span><span class="p">.</span><span class="n">AccessToken</span><span class="p">,</span> <span class="n">Destinations</span><span class="p">.</span><span class="n">IdentityToken</span> <span class="p">},</span> <span class="n">_</span> <span class="p">=&gt;</span> <span class="k">new</span><span class="p">[]</span> <span class="p">{</span> <span class="n">Destinations</span><span class="p">.</span><span class="n">AccessToken</span> <span class="p">},</span> <span class="p">};</span> <span class="p">}</span> <span class="err">#</span><span class="n">endregion</span> <span class="p">}</span> </code></pre> </div> <p>Remember to add subject and audience claim in token. Those are required to cmmunicate to webapi.</p> <ul> <li><strong>Generate Token</strong></li> </ul> <p>Start the project and register a test user using following curl:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> curl <span class="nt">-X</span> <span class="s1">'POST'</span> <span class="se">\</span> <span class="s1">'https://localhost:7249/api/Registeration'</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'accept: */*'</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Content-Type: application/json'</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{ "email": "user@example.com", "userName": "test", "password": "@Test.123" }'</span> </code></pre> </div> <p>Now to get token , hit this curl</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> curl --location 'https://localhost:7249/connect/token' \ --header 'Content-Type: application/x-www-form-urlencoded' \ --data-urlencode 'grant_type=password' \ --data-urlencode 'username=test' \ --data-urlencode 'password=@Test.123' </code></pre> </div> <p>Response:</p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"access_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"eyJhbGciOiJSUzI1NiIsImtpZCI6IkMwMzE4N0NGOERDOTMxQzQ5QjQ5RTg3MzlFODQ4RDU2MzlEM0Y1NTYiLCJ4NXQiOiJ3REdIejQzSk1jU2JTZWh6bm9TTlZqblQ5VlkiLCJ0eXAiOiJhdCtqd3QifQ.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdDo3MjQ5LyIsImV4cCI6MTcxOTkwNTQxNywiaWF0IjoxNzE5OTAxODE3LCJqdGkiOiI5ZWIzNmZjMS02ZDY1LTQ3OWQtOWJmZC1hZGZjNWVhNzc3Y2EiLCJzdWIiOiI2YmE0ODk1OC0yZjBhLTQ5ZTktYTg2OC1iZTMzNGQ4N2UxYjgiLCJhdWQiOiJSZXNvdXJzZSIsIm9pX3Rrbl9pZCI6ImJmNzA1M2YyLWZjZTgtNDg5YS1hYTgyLTliZmFmOGNlNGUxOSJ9.SYbM8ltyiftgqj6AFABJA_zbiXzlQtLJR2E4xt4W2y85AIlACSBzC3i4Ppg5nsMzgscFGbcO8MOYM3gB6EvViKugdV4BOL26x9UVWnEzOV_BC9p-TYx58EA0Ewx2m3KEqXlJfeLNaAg8H9MyXwIQkc9mbE89MDKhZ3udlI2qElWH2-JbF39mXjgpPHjiMP1UV2Dvp0slewNYeTlj04YY7iSnuEkawDrPAqfWVQPePEuefXVuS139eGLeNdnDxSa16l1tv6V08JcqrSRrRJpDo0yldt07WKCPz8e9lyCts6oiUvNSPSKnf5RE3RSl8jKoa2JnaxfAVyG106JyXacm2g"</span><span class="p">,</span><span class="w"> </span><span class="nl">"token_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Bearer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"expires_in"</span><span class="p">:</span><span class="w"> </span><span class="mi">3599</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ul> <li><strong>Debugging Token</strong></li> </ul> <p>To debug the generated token, visit <a href="https://token.dev/" rel="noopener noreferrer">https://token.dev/</a> and paste your token. The decoded token will appear as follows:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> <span class="o">{</span> <span class="s2">"iss"</span>: <span class="s2">"https://localhost:7249/"</span>, <span class="s2">"exp"</span>: 1719905417, <span class="s2">"iat"</span>: 1719901817, <span class="s2">"jti"</span>: <span class="s2">"9eb36fc1-6d65-479d-9bfd-adfc5ea777ca"</span>, <span class="s2">"sub"</span>: <span class="s2">"6ba48958-2f0a-49e9-a868-be334d87e1b8"</span>, <span class="s2">"aud"</span>: <span class="s2">"Resourse"</span>, <span class="s2">"oi_tkn_id"</span>: <span class="s2">"bf7053f2-fce8-489a-aa82-9bfaf8ce4e19"</span> <span class="o">}</span> </code></pre> </div> <p>All good till now, we are able to get an access token to use over our resourse controller. <br> To separate the resource server from the authentication server, create a separate API project to hold your resources. Use the access token generated by your authentication server to authenticate requests to this resource server. This ensures secure communication between the two servers.</p> <h3> πŸ’Ό Creating a Web API Project as a Resource Server </h3> <p>To set up a resource server using JWT authentication in Visual Studio, follow these steps:</p> <ul> <li><strong>Step 1: Create Web API Project</strong></li> </ul> <ol> <li>Open Visual Studio and navigate to your existing solution.</li> <li>Add a new project to the solution: <ul> <li>Select <strong>File -&gt; New -&gt; Project</strong>.</li> <li>Choose <strong>ASP.NET Core Web API</strong> as the project template.</li> </ul> </li> </ol> <ul> <li><strong>Step 2: Install JWT Authentication Package</strong></li> </ul> <p>Install the <code>Microsoft.AspNetCore.Authentication.JwtBearer</code> package using the NuGet Package Manager Console:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> NuGet<span class="se">\I</span>nstall-Package Microsoft.AspNetCore.Authentication.JwtBearer <span class="nt">-Version</span> 8.0.6 </code></pre> </div> <ul> <li><strong>Step 3: Configure Authentication in Program.cs</strong></li> </ul> <p>In the Program.cs file of your Web API project, configure authentication settings:</p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code> <span class="k">using</span> <span class="nn">Microsoft.AspNetCore.Authentication.JwtBearer</span><span class="p">;</span> <span class="kt">var</span> <span class="n">builder</span> <span class="p">=</span> <span class="n">WebApplication</span><span class="p">.</span><span class="nf">CreateBuilder</span><span class="p">(</span><span class="n">args</span><span class="p">);</span> <span class="c1">// Add services to the container.</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddControllers</span><span class="p">();</span> <span class="c1">// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddEndpointsApiExplorer</span><span class="p">();</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddSwaggerGen</span><span class="p">();</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddAuthentication</span><span class="p">(</span><span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">options</span><span class="p">.</span><span class="n">DefaultAuthenticateScheme</span> <span class="p">=</span> <span class="n">JwtBearerDefaults</span><span class="p">.</span><span class="n">AuthenticationScheme</span><span class="p">;</span> <span class="n">options</span><span class="p">.</span><span class="n">DefaultChallengeScheme</span> <span class="p">=</span> <span class="n">JwtBearerDefaults</span><span class="p">.</span><span class="n">AuthenticationScheme</span><span class="p">;</span> <span class="p">})</span> <span class="p">.</span><span class="nf">AddJwtBearer</span><span class="p">(</span><span class="n">options</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="c1">// base-address of Auth Server</span> <span class="n">options</span><span class="p">.</span><span class="n">Authority</span> <span class="p">=</span> <span class="s">"https://localhost:7249/"</span><span class="p">;</span> <span class="c1">// name of the API resource</span> <span class="n">options</span><span class="p">.</span><span class="n">Audience</span> <span class="p">=</span> <span class="s">"Resourse"</span><span class="p">;</span> <span class="n">options</span><span class="p">.</span><span class="n">RequireHttpsMetadata</span> <span class="p">=</span> <span class="k">false</span><span class="p">;</span> <span class="c1">// Check preferred_username claim exists in the token. If it exists, .NET Core framework sets it to currently logged-in user name i-e User.Identity.Name</span> <span class="n">options</span><span class="p">.</span><span class="n">TokenValidationParameters</span><span class="p">.</span><span class="n">NameClaimType</span> <span class="p">=</span> <span class="s">"preferred_username"</span><span class="p">;</span> <span class="n">options</span><span class="p">.</span><span class="n">TokenValidationParameters</span><span class="p">.</span><span class="n">RoleClaimType</span> <span class="p">=</span> <span class="n">System</span><span class="p">.</span><span class="n">Security</span><span class="p">.</span><span class="n">Claims</span><span class="p">.</span><span class="n">ClaimTypes</span><span class="p">.</span><span class="n">Role</span><span class="p">;</span><span class="c1">// "role";</span> <span class="p">})</span> <span class="p">;</span> <span class="kt">var</span> <span class="n">app</span> <span class="p">=</span> <span class="n">builder</span><span class="p">.</span><span class="nf">Build</span><span class="p">();</span> <span class="c1">// Configure the HTTP request pipeline.</span> <span class="k">if</span> <span class="p">(</span><span class="n">app</span><span class="p">.</span><span class="n">Environment</span><span class="p">.</span><span class="nf">IsDevelopment</span><span class="p">())</span> <span class="p">{</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseSwagger</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseSwaggerUI</span><span class="p">();</span> <span class="p">}</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseHttpsRedirection</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseAuthentication</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">UseAuthorization</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">MapControllers</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">Run</span><span class="p">();</span> </code></pre> </div> <ul> <li><strong>Step 4: Secure Weather Controller with Authorization</strong></li> </ul> <p>Ensure that access to the WeatherForecast endpoint requires authentication by adding [Authorize] attribute:</p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code> <span class="p">[</span><span class="n">Authorize</span><span class="p">]</span> <span class="p">[</span><span class="nf">HttpGet</span><span class="p">(</span><span class="n">Name</span> <span class="p">=</span> <span class="s">"GetWeatherForecast"</span><span class="p">)]</span> <span class="k">public</span> <span class="n">IEnumerable</span><span class="p">&lt;</span><span class="n">WeatherForecast</span><span class="p">&gt;</span> <span class="nf">Get</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="n">Enumerable</span><span class="p">.</span><span class="nf">Range</span><span class="p">(</span><span class="m">1</span><span class="p">,</span> <span class="m">5</span><span class="p">).</span><span class="nf">Select</span><span class="p">(</span><span class="n">index</span> <span class="p">=&gt;</span> <span class="k">new</span> <span class="n">WeatherForecast</span> <span class="p">{</span> <span class="n">Date</span> <span class="p">=</span> <span class="n">DateOnly</span><span class="p">.</span><span class="nf">FromDateTime</span><span class="p">(</span><span class="n">DateTime</span><span class="p">.</span><span class="n">Now</span><span class="p">.</span><span class="nf">AddDays</span><span class="p">(</span><span class="n">index</span><span class="p">)),</span> <span class="n">TemperatureC</span> <span class="p">=</span> <span class="n">Random</span><span class="p">.</span><span class="n">Shared</span><span class="p">.</span><span class="nf">Next</span><span class="p">(-</span><span class="m">20</span><span class="p">,</span> <span class="m">55</span><span class="p">),</span> <span class="n">Summary</span> <span class="p">=</span> <span class="n">Summaries</span><span class="p">[</span><span class="n">Random</span><span class="p">.</span><span class="n">Shared</span><span class="p">.</span><span class="nf">Next</span><span class="p">(</span><span class="n">Summaries</span><span class="p">.</span><span class="n">Length</span><span class="p">)]</span> <span class="p">})</span> <span class="p">.</span><span class="nf">ToArray</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <h3> πŸ§ͺ Testing Out Generated Tokens </h3> <p>To access the secured endpoint in Postman:</p> <ul> <li> <p><strong>Step 1: Import the following curl command into Postman:</strong></p> <pre class="highlight shell"><code> curl <span class="nt">--location</span> <span class="s1">'https://localhost:7023/WeatherForecast'</span> <span class="se">\</span> <span class="nt">--header</span> <span class="s1">'accept: text/plain'</span> <span class="se">\</span> <span class="nt">--header</span> <span class="s1">'Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IkMwMzE4N0NGOERDOTMxQzQ5QjQ5RTg3MzlFODQ4RDU2MzlEM0Y1NTYiLCJ4NXQiOiJ3REdIejQzSk1jU2JTZWh6bm9TTlZqblQ5VlkiLCJ0eXAiOiJhdCtqd3QifQ.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdDo3MjQ5LyIsImV4cCI6MTcxOTkwNTQxNywiaWF0IjoxNzE5OTAxODE3LCJqdGkiOiI5ZWIzNmZjMS02ZDY1LTQ3OWQtOWJmZC1hZGZjNWVhNzc3Y2EiLCJzdWIiOiI2YmE0ODk1OC0yZjBhLTQ5ZTktYTg2OC1iZTMzNGQ4N2UxYjgiLCJhdWQiOiJSZXNvdXJzZSIsIm9pX3Rrbl9pZCI6ImJmNzA1M2YyLWZjZTgtNDg5YS1hYTgyLTliZmFmOGNlNGUxOSJ9.SYbM8ltyiftgqj6AFABJA_zbiXzlQtLJR2E4xt4W2y85AIlACSBzC3i4Ppg5nsMzgscFGbcO8MOYM3gB6EvViKugdV4BOL26x9UVWnEzOV_BC9p-TYx58EA0Ewx2m3KEqXlJfeLNaAg8H9MyXwIQkc9mbE89MDKhZ3udlI2qElWH2-JbF39mXjgpPHjiMP1UV2Dvp0slewNYeTlj04YY7iSnuEkawDrPAqfWVQPePEuefXVuS139eGLeNdnDxSa16l1tv6V08JcqrSRrRJpDo0yldt07WKCPz8e9lyCts6oiUvNSPSKnf5RE3RSl8jKoa2JnaxfAVyG106JyXacm2g'</span> <span class="se">\</span> <span class="nt">--header</span> <span class="s1">'Cookie: .AspNetCore.Identity.Application=CfDJ8JZb4jmttB5Fm2_VcJT682HD7u6NCaZ1Bsx8zeyVvdGELKkP4V0bm7gmUbj8vZje-KQsz7deOYJV0B3_HOZyxEPWVIxm-U8TBoGzJ7tr8p94NZd7Xm8Wrw1wwNd2RO8NiyiAie6ChKACzBeBzfHV8VinyMZfi4-b84Y0gg0hAqHjsJr-AB4dcRz2JUxzElPasqYjGELZHzlm--l7NSUBVh6BR_E5iKc3VCM94s6Xpzz-k05NwRrcjR-s6gARucAFWWsCgrI0aynw9LMzuvXxY0_6K7sgl0WezreSwlfvYdcqb8QivcDqrdKvQODdKIBEymlSmZfa2w0xz5ej9kS33rXFMRbRx4Zh5Ear1VrZARINVHspXsq7q7N65IORq3BzsNxxVkc76y6G22ug4oUZCW-KRBxU1SiffNP2XRPBmpnoQNk1lQ51iCnMDmjcmMTzQ3xbScyAh8WZfPBZoNSdmp8LORSprI2x6RpKDah4_y8_YE57TEPeSPZoFRbHxb0_tHBTVOcJJQ-VXXGj4JGpB4tilWeqtuuSTQuqIEWdpCB01QExwEsSM3iIkV8Sy4Yb8e-0sQl5RYp6PaAx-aPkNOxFf8aIj0SlzQODWlbJzZDhfSRaQFifJEGwZdicNpaS2lpI27rycBSoqkvbAmxCjp63ewlCLCVxg1lGrt8Ze-rvJ5Td0Yh1Ozb_1KlSCyfYid2tCiEI7V3HEB5vYMafMH4'</span> </code></pre> </li> <li> <p><strong>Step-2: In the Authorization tab of Postman, select Bearer Token and paste your token into the token field.</strong></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgist.github.com%2Fassets%2F73548959%2F398b5c66-a9f7-410c-975d-91ff21d7187c" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgist.github.com%2Fassets%2F73548959%2F398b5c66-a9f7-410c-975d-91ff21d7187c" alt="image"></a></p> </li> <li> <p><strong>Step-3: Hit the request to access the secured WeatherForecast endpoint.</strong></p> <p>This setup allows you to authenticate requests to the resource server using a bearer token issued by the authentication server. Adjust the endpoint URL (<a href="https://localhost:7023/WeatherForecast" rel="noopener noreferrer">https://localhost:7023/WeatherForecast</a>) and the token as per your specific configuration.</p> </li> </ul> <p>Till now , we are able to generate our token via password flow without client from our auth server and use this token to access the resource of webapi which is our resourse server. <br> Now its a basic flow for password. The token generated will be valid for one hour as mentioned in response like 3600 sec. You can get new token again or you can add refresh token flow to generate the refresh token and then use this token to get token again.</p> <h3> πŸ”„ Implementing the Refresh Token Flow </h3> <p>To implement the refresh token flow, follow these steps:</p> <ul> <li><strong>Step 1: Handle the Refresh Token Grant Type:</strong></li> </ul> <p>Update the code to handle the refresh token grant type within your authentication logic.</p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="n">openIdConnectRequest</span><span class="p">.</span><span class="nf">IsRefreshTokenGrantType</span><span class="p">())</span> <span class="p">{</span> <span class="c1">// Retrieve the claims principal stored in the authorization code/refresh token.</span> <span class="kt">var</span> <span class="n">authenticateResult</span> <span class="p">=</span> <span class="k">await</span> <span class="n">HttpContext</span><span class="p">.</span><span class="nf">AuthenticateAsync</span><span class="p">(</span><span class="n">OpenIddictServerAspNetCoreDefaults</span><span class="p">.</span><span class="n">AuthenticationScheme</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="n">authenticateResult</span><span class="p">.</span><span class="n">Succeeded</span> <span class="p">&amp;&amp;</span> <span class="n">authenticateResult</span><span class="p">.</span><span class="n">Principal</span> <span class="p">!=</span> <span class="k">null</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Retrieve the user profile corresponding to the authorization code/refresh token.</span> <span class="n">user</span> <span class="p">=</span> <span class="k">await</span> <span class="n">_userManager</span><span class="p">.</span><span class="nf">FindByIdAsync</span><span class="p">(</span><span class="n">authenticateResult</span><span class="p">.</span><span class="n">Principal</span><span class="p">.</span><span class="nf">GetClaim</span><span class="p">(</span><span class="n">Claims</span><span class="p">.</span><span class="n">Subject</span><span class="p">));</span> <span class="k">if</span> <span class="p">(</span><span class="n">user</span> <span class="k">is</span> <span class="k">null</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">BadRequest</span><span class="p">(</span><span class="k">new</span> <span class="n">OpenIddictResponse</span> <span class="p">{</span> <span class="n">Error</span> <span class="p">=</span> <span class="n">Errors</span><span class="p">.</span><span class="n">InvalidGrant</span><span class="p">,</span> <span class="n">ErrorDescription</span> <span class="p">=</span> <span class="s">"The token is no longer valid."</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// You have to grant the 'offline_access' scope to allow</span> <span class="c1">// OpenIddict to return a refresh token to the caller.</span> <span class="n">Identity</span><span class="p">.</span><span class="nf">SetScopes</span><span class="p">(</span><span class="n">OpenIddictConstants</span><span class="p">.</span><span class="n">Scopes</span><span class="p">.</span><span class="n">OfflineAccess</span><span class="p">);</span> <span class="n">Identity</span><span class="p">.</span><span class="nf">AddClaim</span><span class="p">(</span><span class="k">new</span> <span class="nf">Claim</span><span class="p">(</span><span class="n">Claims</span><span class="p">.</span><span class="n">Subject</span><span class="p">,</span> <span class="n">user</span><span class="p">.</span><span class="n">Id</span><span class="p">));</span> <span class="n">Identity</span><span class="p">.</span><span class="nf">AddClaim</span><span class="p">(</span><span class="k">new</span> <span class="nf">Claim</span><span class="p">(</span><span class="n">Claims</span><span class="p">.</span><span class="n">Audience</span><span class="p">,</span> <span class="s">"Resourse"</span><span class="p">));</span> <span class="c1">// Getting scopes from user parameters (TokenViewModel)</span> <span class="c1">// Checking in OpenIddictScopes tables for matching resources</span> <span class="c1">// Adding in Identity</span> <span class="n">Identity</span><span class="p">.</span><span class="nf">SetResources</span><span class="p">(</span><span class="k">await</span> <span class="n">_scopeManager</span><span class="p">.</span><span class="nf">ListResourcesAsync</span><span class="p">(</span><span class="n">Identity</span><span class="p">.</span><span class="nf">GetScopes</span><span class="p">()).</span><span class="nf">ToListAsync</span><span class="p">());</span> <span class="c1">// Setting destinations of claims i.e. identity token or access token</span> <span class="n">Identity</span><span class="p">.</span><span class="nf">SetDestinations</span><span class="p">(</span><span class="n">GetDestinations</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="n">authenticateResult</span><span class="p">.</span><span class="n">Failure</span> <span class="k">is</span> <span class="k">not</span> <span class="k">null</span><span class="p">)</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">failureMessage</span> <span class="p">=</span> <span class="n">authenticateResult</span><span class="p">.</span><span class="n">Failure</span><span class="p">.</span><span class="n">Message</span><span class="p">;</span> <span class="kt">var</span> <span class="n">failureException</span> <span class="p">=</span> <span class="n">authenticateResult</span><span class="p">.</span><span class="n">Failure</span><span class="p">.</span><span class="n">InnerException</span><span class="p">;</span> <span class="k">return</span> <span class="nf">BadRequest</span><span class="p">(</span><span class="k">new</span> <span class="n">OpenIddictResponse</span> <span class="p">{</span> <span class="n">Error</span> <span class="p">=</span> <span class="n">Errors</span><span class="p">.</span><span class="n">InvalidRequest</span><span class="p">,</span> <span class="n">ErrorDescription</span> <span class="p">=</span> <span class="n">failureMessage</span> <span class="p">+</span> <span class="n">failureException</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <ul> <li><strong>Step 2: Grant Offline Access Scope in Password Flow:</strong></li> </ul> <p>Ensure the 'offline_access' scope is granted when generating tokens using the password flow.</p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code> <span class="c1">//// Getting scopes from user parameters (TokenViewModel) and adding in Identity </span> <span class="n">Identity</span><span class="p">.</span><span class="nf">SetScopes</span><span class="p">(</span><span class="n">openIdConnectRequest</span><span class="p">.</span><span class="nf">GetScopes</span><span class="p">());</span> <span class="c1">//// You have to grant the 'offline_access' scope to allow</span> <span class="c1">//// OpenIddict to return a refresh token to the caller.</span> <span class="k">if</span> <span class="p">(!</span><span class="n">openIdConnectRequest</span><span class="p">.</span><span class="n">Scope</span><span class="p">.</span><span class="nf">IsNullOrEmpty</span><span class="p">()</span> <span class="p">&amp;&amp;</span> <span class="n">openIdConnectRequest</span><span class="p">.</span><span class="n">Scope</span><span class="p">.</span><span class="nf">Split</span><span class="p">(</span><span class="sc">' '</span><span class="p">).</span><span class="nf">Contains</span><span class="p">(</span><span class="n">OpenIddictConstants</span><span class="p">.</span><span class="n">Scopes</span><span class="p">.</span><span class="n">OfflineAccess</span><span class="p">))</span> <span class="n">Identity</span><span class="p">.</span><span class="nf">SetScopes</span><span class="p">(</span><span class="n">OpenIddictConstants</span><span class="p">.</span><span class="n">Scopes</span><span class="p">.</span><span class="n">OfflineAccess</span><span class="p">);</span> </code></pre> </div> <ul> <li><strong>Step 3: Request a Token with Offline Access:</strong></li> </ul> <p>When requesting a token, include the 'offline_access' scope to receive a refresh token.</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> curl <span class="nt">--location</span> <span class="s1">'https://localhost:7249/connect/token'</span> <span class="se">\</span> <span class="nt">--header</span> <span class="s1">'Content-Type: application/x-www-form-urlencoded'</span> <span class="se">\</span> <span class="nt">--data-urlencode</span> <span class="s1">'grant_type=password'</span> <span class="se">\</span> <span class="nt">--data-urlencode</span> <span class="s1">'username=test'</span> <span class="se">\</span> <span class="nt">--data-urlencode</span> <span class="s1">'password=@Test.123'</span> <span class="se">\</span> <span class="nt">--data-urlencode</span> <span class="s1">'scope=offline_access'</span> </code></pre> </div> <p>The response will contain both the access token and the refresh token.</p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"access_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"eyJhbGciOiJSUzI1NiIsImtpZCI6IkMwMzE4N0NGOERDOTMxQzQ5QjQ5RTg3MzlFODQ4RDU2MzlEM0Y1NTYiLCJ4NXQiOiJ3REdIejQzSk1jU2JTZWh6bm9TTlZqblQ5VlkiLCJ0eXAiOiJhdCtqd3QifQ.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdDo3MjQ5LyIsImV4cCI6MTcxOTkwNjQxMCwiaWF0IjoxNzE5OTAyODEwLCJzY29wZSI6Im9mZmxpbmVfYWNjZXNzIiwianRpIjoiMWIwMTBlNzktNGIwOC00MTc2LTg2NjktZDExNjZkOGNjZTA2Iiwic3ViIjoiNmJhNDg5NTgtMmYwYS00OWU5LWE4NjgtYmUzMzRkODdlMWI4IiwiYXVkIjoiUmVzb3Vyc2UiLCJvaV9hdV9pZCI6IjRmYTc5YzdlLWRhZjEtNDMxMC04OWE1LWU0ZDMxMzRjNmI4NyIsIm9pX3Rrbl9pZCI6Ijc2ZjdlZjVjLTJlMjUtNDBkMC1hZDg0LTEyMmJiYTAxOWU0MSJ9.G175Tp4nIO0VqUdXXxB3iP55KarQe9JXGGlCF9us7uW-6337JbTfy6jQqcYZMxWDGFDFJTE5i7jLbchLt465r8NJPK8kHvgm5zA_ayBC12-q-BN9qjdiSovEmTBshnISsGr1-ix-WdcFjwdFxQKl-yNC9BZ1seyIbe7WUMhTAbXDguAH9Y1uhq1HUAF8xLDEe3_0hslZzyTuK4L-FHERPosy0hV5ekk3DGQFUGTnwawAZK9JyiBr0iXdnt4Hyt8dm0KZuacjE1G7ml7ECyVHnQQuESLbLfmGYTQl9qP1mqTxiZ1g_z5T_Mlr6W-PDSALWJsXzQ6XfoTFIgU2fYJUug"</span><span class="p">,</span><span class="w"> </span><span class="nl">"token_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Bearer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"expires_in"</span><span class="p">:</span><span class="w"> </span><span class="mi">3600</span><span class="p">,</span><span class="w"> </span><span class="nl">"refresh_token"</span><span class="p">:</span><span class="w"> </span><span class="s2">"eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOiI1RUI3RUUwMTgzNTU2NENDRjhEQzhCMTQwRkQ0Rjg0QzczQzFERDM5IiwidHlwIjoib2lfcmVmdCtqd3QiLCJjdHkiOiJKV1QifQ.IGpB4Ncj3uBhpb3S8p7xctY8v7G6VOkG29108cYOO-R3BM4mwdO8jNnqgcYdIXoTJLxBEnlK7nGApyNf6oF8I3DVec1XDUncbaKcMKtGmH29xVatuYEGFOeAPmLQF74SLxaQ2lGWxOcsmR71eR3i4PswweQ7vaHwcIGr_URjJ7Yqw__iPmzyqZoxThCCLP9D69H_YiuGHZsrn-wGiBvy1XBGJiscpA331MtPrevxugpvrmfq5W05SNQb5GNQ6VNv4MO9POv4oQp08fMxedg2DWDh8yEVI08yn9TuyAxnUMvWPdnvSgjdEqqKXj-GKp09U8Nfz5663g3M6pbk_k0e2g.-Ytx-sYMH6S95Q5G8cr8TA.qTxPLELewogr3PBnYF8fxGD8QjOmTM-jqgxio2-Ju6_6r_1c71bjylwaCfQYycTNjLMAHLwM6pC6POSr5YX1tz3Rwgp5j22Fk0ybXXHCKnfnKUuMA9_DHPYS5icgvEnGG-l67Orpqcoli5gjmVSpXss3_luvDWj9rsyxENHrgnw47oyQQ_KurFHtBKnPDkWeIe7ZIPjz2SCR0RQ1vH3dzAhs9GnmwGhNDdovQifIfeQ04ShDW9__EKbVxRPSFoamyqTVBppx42IHPM30geFP5XUm6K5K9yKEWQgoJW-aOvxCKO9xgzQaqzyo3NP_djau6P8mp_FpAR9I6B-naeIHQgM9c9TudSoP8a4VLZ3HoUsdmqMv6itZVSA-hwURTNgyjMDyOakJzgm9O-ZNE4qMXHbyxQoH4ObkAAlN_xx1RLW_YRJalRnMZZLiT5bqe-aP0oWpZ17MymaOiA8kWW2429rS586NAX80JkKAlk1qqgc5KS8shOOv6hia8Zlh76tjH_cWZkQeQoB_wmUpHvr2j50D5mgHYNOmK6bAiJHcDrQ5J1mxn3_Mx6B3UKFUXMokETfueHiF36ehB9rgoqEPgB2KUr93v_I5ZPygtpbFnSHUUFEehAPGxZZLcc4lwtkn8i7Rk7JNjGhTVTcnTMHOfiVN5LOMOMETusjV6-ZDtUH1ktRsFweAWOC7MiEECilwMO6posZOpaNggX3YKrMsKJ0Eq83Glpkn3LyRADQG4XumK8XbSiO75Ucy3aZaxeVgovjRjhJqWTjRW5TjNpHv-GfLl4soJEQgwVzEtJKkZaUcMZIp10szRqROrdU9iqo_QAnDqW9cf6QMjxWEKSRKqM1eA6q_c2Bi_vhZa5Vm7gOQQNpK9PhENRpUoJ7kHcpgTY89qwyMQcpKeefHBg62cZKK9vGbuoabjNkYx7BI4UhDczhjWQ0Azhp3i05GNHCB2Ts9RAxwlPDZfVhJNnFfN7djJ4wSzjSxRwQUHylNl1hrtvwKnEx5hYr9D-cYSkLuLcsU6WOeYsFJupRXxKsaACRx_2a7-RFD876H1tDYlv7ZNlhsS8z9VlFTY-29_cl4LNxYNvSdekz3lvd1baKztvJgbXQYRLzszpN2rP7zi0gY3fbg5gTN97ZxCifCN4o09IGSU5u_rDNa5l2dnvk9lgnDC45FOlM3T4gb1o06pcztuJVynBM1ZTK2doZi43a_2kbtVcdxz963QJdbAY__YuilKEg5GwDqBk0YRIrVtMexUI3a6fCzNSKYcW2T2NvXxwKEG2jA5H7qtPFNHYaDTg2LdzH8FBDoa4U16gtfW1k.c4FGZ57S5sVqMupJItF7PmixWyqfwV5vqCNCezuJAb8"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <ul> <li><strong>Step 4: Refreshing the Token:</strong></li> </ul> <p>When the token expires, you can use the refresh token to obtain a new token by executing the following command:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> curl <span class="nt">--location</span> <span class="s1">'https://localhost:7249/connect/token'</span> <span class="se">\</span> <span class="nt">--header</span> <span class="s1">'Content-Type: application/x-www-form-urlencoded'</span> <span class="se">\</span> <span class="nt">--data-urlencode</span> <span class="s1">'grant_type=refresh_token'</span> <span class="se">\</span> <span class="nt">--data-urlencode</span> <span class="s1">'refresh_token=eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOiI1RUI3RUUwMTgzNTU2NENDRjhEQzhCMTQwRkQ0Rjg0QzczQzFERDM5IiwidHlwIjoib2lfcmVmdCtqd3QiLCJjdHkiOiJKV1QifQ.IGpB4Ncj3uBhpb3S8p7xctY8v7G6VOkG29108cYOO-R3BM4mwdO8jNnqgcYdIXoTJLxBEnlK7nGApyNf6oF8I3DVec1XDUncbaKcMKtGmH29xVatuYEGFOeAPmLQF74SLxaQ2lGWxOcsmR71eR3i4PswweQ7vaHwcIGr_URjJ7Yqw__iPmzyqZoxThCCLP9D69H_YiuGHZsrn-wGiBvy1XBGJiscpA331MtPrevxugpvrmfq5W05SNQb5GNQ6VNv4MO9POv4oQp08fMxedg2DWDh8yEVI08yn9TuyAxnUMvWPdnvSgjdEqqKXj-GKp09U8Nfz5663g3M6pbk_k0e2g.-Ytx-sYMH6S95Q5G8cr8TA.qTxPLELewogr3PBnYF8fxGD8QjOmTM-jqgxio2-Ju6_6r_1c71bjylwaCfQYycTNjLMAHLwM6pC6POSr5YX1tz3Rwgp5j22Fk0ybXXHCKnfnKUuMA9_DHPYS5icgvEnGG-l67Orpqcoli5gjmVSpXss3_luvDWj9rsyxENHrgnw47oyQQ_KurFHtBKnPDkWeIe7ZIPjz2SCR0RQ1vH3dzAhs9GnmwGhNDdovQifIfeQ04ShDW9__EKbVxRPSFoamyqTVBppx42IHPM30geFP5XUm6K5K9yKEWQgoJW-aOvxCKO9xgzQaqzyo3NP_djau6P8mp_FpAR9I6B-naeIHQgM9c9TudSoP8a4VLZ3HoUsdmqMv6itZVSA-hwURTNgyjMDyOakJzgm9O-ZNE4qMXHbyxQoH4ObkAAlN_xx1RLW_YRJalRnMZZLiT5bqe-aP0oWpZ17MymaOiA8kWW2429rS586NAX80JkKAlk1qqgc5KS8shOOv6hia8Zlh76tjH_cWZkQeQoB_wmUpHvr2j50D5mgHYNOmK6bAiJHcDrQ5J1mxn3_Mx6B3UKFUXMokETfueHiF36ehB9rgoqEPgB2KUr93v_I5ZPygtpbFnSHUUFEehAPGxZZLcc4lwtkn8i7Rk7JNjGhTVTcnTMHOfiVN5LOMOMETusjV6-ZDtUH1ktRsFweAWOC7MiEECilwMO6posZOpaNggX3YKrMsKJ0Eq83Glpkn3LyRADQG4XumK8XbSiO75Ucy3aZaxeVgovjRjhJqWTjRW5TjNpHv-GfLl4soJEQgwVzEtJKkZaUcMZIp10szRqROrdU9iqo_QAnDqW9cf6QMjxWEKSRKqM1eA6q_c2Bi_vhZa5Vm7gOQQNpK9PhENRpUoJ7kHcpgTY89qwyMQcpKeefHBg62cZKK9vGbuoabjNkYx7BI4UhDczhjWQ0Azhp3i05GNHCB2Ts9RAxwlPDZfVhJNnFfN7djJ4wSzjSxRwQUHylNl1hrtvwKnEx5hYr9D-cYSkLuLcsU6WOeYsFJupRXxKsaACRx_2a7-RFD876H1tDYlv7ZNlhsS8z9VlFTY-29_cl4LNxYNvSdekz3lvd1baKztvJgbXQYRLzszpN2rP7zi0gY3fbg5gTN97ZxCifCN4o09IGSU5u_rDNa5l2dnvk9lgnDC45FOlM3T4gb1o06pcztuJVynBM1ZTK2doZi43a_2kbtVcdxz963QJdbAY__YuilKEg5GwDqBk0YRIrVtMexUI3a6fCzNSKYcW2T2NvXxwKEG2jA5H7qtPFNHYaDTg2LdzH8FBDoa4U16gtfW1k.c4FGZ57S5sVqMupJItF7PmixWyqfwV5vqCNCezuJAb8'</span> </code></pre> </div> <p>Replace the refresh_token value with your actual refresh token. This request will return a new access token and a new refresh token without needing to provide the username and password again.</p> <p>If you only need to support the password flow, the existing implementation is sufficient. However, if your requirements include setting up the client credentials flow as well, follow the steps below to implement it. Before proceeding, we need to register a new client.</p> <h3> πŸ” Implementing the Client Credentials Flow </h3> <p>If you only need to support the password flow, the existing implementation is sufficient. However, if your requirements include setting up the client credentials flow as well, follow the steps below to implement it. Before proceeding, we need to register a new client.</p> <ul> <li><strong>Step 1: Modify the DI Tree to Inject OpenIddict Application Manager</strong></li> </ul> <p>In the RegistrationController, modify the dependency injection (DI) tree to inject the OpenIddictApplicationManager:</p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code> <span class="k">private</span> <span class="k">readonly</span> <span class="n">UserManager</span><span class="p">&lt;</span><span class="n">IdentityUser</span><span class="p">&gt;</span> <span class="n">_userManager</span><span class="p">;</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">IOpenIddictApplicationManager</span> <span class="n">_applicationManager</span><span class="p">;</span> <span class="k">private</span> <span class="k">readonly</span> <span class="n">ApplicationDbContext</span> <span class="n">_applicationDbContext</span><span class="p">;</span> <span class="k">private</span> <span class="k">static</span> <span class="kt">bool</span> <span class="n">_databaseChecked</span><span class="p">;</span> <span class="k">public</span> <span class="nf">RegisterationController</span><span class="p">(</span> <span class="n">UserManager</span><span class="p">&lt;</span><span class="n">IdentityUser</span><span class="p">&gt;</span> <span class="n">userManager</span><span class="p">,</span> <span class="n">ApplicationDbContext</span> <span class="n">applicationDbContext</span><span class="p">,</span> <span class="n">IOpenIddictApplicationManager</span> <span class="n">applicationManager</span><span class="p">)</span> <span class="p">{</span> <span class="n">_userManager</span> <span class="p">=</span> <span class="n">userManager</span><span class="p">;</span> <span class="n">_applicationDbContext</span> <span class="p">=</span> <span class="n">applicationDbContext</span><span class="p">;</span> <span class="n">_applicationManager</span> <span class="p">=</span> <span class="n">applicationManager</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <ul> <li><strong>Step 2: Add API to Register Client</strong></li> </ul> <p>Add the following API to register a new client:</p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code> <span class="p">[</span><span class="n">HttpPost</span><span class="p">]</span> <span class="p">[</span><span class="nf">Route</span><span class="p">(</span><span class="s">"RegisterClient"</span><span class="p">)]</span> <span class="p">[</span><span class="n">AllowAnonymous</span><span class="p">]</span> <span class="k">public</span> <span class="k">async</span> <span class="n">Task</span><span class="p">&lt;</span><span class="n">IActionResult</span><span class="p">&gt;</span> <span class="nf">RegisterClient</span><span class="p">([</span><span class="n">FromBody</span><span class="p">]</span> <span class="n">ClientRegistrationModel</span> <span class="n">model</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="nf">EnsureDatabaseCreated</span><span class="p">(</span><span class="n">_applicationDbContext</span><span class="p">);</span> <span class="k">await</span> <span class="n">_applicationManager</span><span class="p">.</span><span class="nf">CreateAsync</span><span class="p">(</span><span class="k">new</span> <span class="n">OpenIddictApplicationDescriptor</span> <span class="p">{</span> <span class="n">ClientId</span> <span class="p">=</span> <span class="n">model</span><span class="p">.</span><span class="n">ClientId</span><span class="p">,</span> <span class="n">ClientSecret</span> <span class="p">=</span> <span class="n">model</span><span class="p">.</span><span class="n">ClientSecret</span><span class="p">,</span> <span class="n">DisplayName</span> <span class="p">=</span> <span class="n">model</span><span class="p">.</span><span class="n">ClientId</span><span class="p">,</span> <span class="n">Permissions</span> <span class="p">=</span> <span class="p">{</span> <span class="n">Permissions</span><span class="p">.</span><span class="n">Endpoints</span><span class="p">.</span><span class="n">Token</span><span class="p">,</span> <span class="n">Permissions</span><span class="p">.</span><span class="n">Endpoints</span><span class="p">.</span><span class="n">Authorization</span><span class="p">,</span> <span class="n">Permissions</span><span class="p">.</span><span class="n">GrantTypes</span><span class="p">.</span><span class="n">ClientCredentials</span><span class="p">,</span> <span class="n">Permissions</span><span class="p">.</span><span class="n">GrantTypes</span><span class="p">.</span><span class="n">RefreshToken</span><span class="p">,</span> <span class="n">Permissions</span><span class="p">.</span><span class="n">Prefixes</span><span class="p">.</span><span class="n">Scope</span> <span class="p">+</span> <span class="s">"Resourse"</span><span class="p">,</span> <span class="n">Permissions</span><span class="p">.</span><span class="n">Prefixes</span><span class="p">.</span><span class="n">Scope</span> <span class="p">+</span> <span class="n">Scopes</span><span class="p">.</span><span class="n">OfflineAccess</span><span class="p">,</span> <span class="p">}</span> <span class="p">});</span> <span class="k">return</span> <span class="nf">Ok</span><span class="p">(</span><span class="n">model</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="n">Exception</span> <span class="n">ex</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">BadRequest</span><span class="p">(</span><span class="n">ex</span><span class="p">.</span><span class="nf">ToString</span><span class="p">());</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <ul> <li><strong>Step 3: Register a New Client</strong></li> </ul> <p>Use the following curl command to register a new client:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> curl <span class="nt">-X</span> <span class="s1">'POST'</span> <span class="se">\</span> <span class="s1">'https://localhost:7249/api/Registeration/RegisterClient'</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'accept: */*'</span> <span class="se">\</span> <span class="nt">-H</span> <span class="s1">'Content-Type: application/json'</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{ "clientId": "webClient", "clientSecret": "supersecret" }'</span> </code></pre> </div> <ul> <li><strong>Step 4: Implement Client Credentials Flow in AuthorizeController</strong></li> </ul> <p>In the AuthorizeController, add the following code to handle the client credentials flow:</p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code> <span class="k">if</span> <span class="p">(</span><span class="n">openIdConnectRequest</span><span class="p">.</span><span class="nf">IsClientCredentialsGrantType</span><span class="p">())</span> <span class="p">{</span> <span class="n">Identity</span><span class="p">.</span><span class="nf">SetScopes</span><span class="p">(</span><span class="n">openIdConnectRequest</span><span class="p">.</span><span class="nf">GetScopes</span><span class="p">());</span> <span class="n">Identity</span><span class="p">.</span><span class="nf">SetResources</span><span class="p">(</span><span class="k">await</span> <span class="n">_scopeManager</span><span class="p">.</span><span class="nf">ListResourcesAsync</span><span class="p">(</span><span class="n">Identity</span><span class="p">.</span><span class="nf">GetScopes</span><span class="p">()).</span><span class="nf">ToListAsync</span><span class="p">());</span> <span class="c1">// Add mandatory Claims</span> <span class="n">Identity</span><span class="p">.</span><span class="nf">AddClaim</span><span class="p">(</span><span class="k">new</span> <span class="nf">Claim</span><span class="p">(</span><span class="n">Claims</span><span class="p">.</span><span class="n">Subject</span><span class="p">,</span> <span class="n">openIdConnectRequest</span><span class="p">.</span><span class="n">ClientId</span><span class="p">));</span> <span class="n">Identity</span><span class="p">.</span><span class="nf">AddClaim</span><span class="p">(</span><span class="k">new</span> <span class="nf">Claim</span><span class="p">(</span><span class="n">Claims</span><span class="p">.</span><span class="n">Audience</span><span class="p">,</span> <span class="s">"Resourse"</span><span class="p">));</span> <span class="n">Identity</span><span class="p">.</span><span class="nf">SetDestinations</span><span class="p">(</span><span class="n">GetDestinations</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <ul> <li><strong>Step 5: Generate Token via Client Credentials Flow</strong></li> </ul> <p>Use the following curl command to generate a token using the client credentials flow:</p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> curl <span class="nt">--location</span> <span class="s1">'https://localhost:7249/connect/token'</span> <span class="se">\</span> <span class="nt">--header</span> <span class="s1">'Content-Type: application/x-www-form-urlencoded'</span> <span class="se">\</span> <span class="nt">--data-urlencode</span> <span class="s1">'grant_type=client_credentials'</span> <span class="se">\</span> <span class="nt">--data-urlencode</span> <span class="s1">'client_id=webClient'</span> <span class="se">\</span> <span class="nt">--data-urlencode</span> <span class="s1">'client_secret=supersecret'</span> <span class="se">\</span> <span class="nt">--data-urlencode</span> <span class="s1">'scope=offline_access'</span> </code></pre> </div> <p>Awesome, now the Auth server is pretty mature to handle token generation for password flow, refesh token flow nad client credentials flow also. </p> <h3> πŸ’‘ Conclusion </h3> <p>By following these steps, you have successfully enhanced your authentication server to support various authentication flows, including the password flow, refresh token flow, and client credentials flow. This setup ensures robust security and flexibility, catering to a wide range of authentication requirements.</p> <p>I will be posting more about OpenIddict to cover other flows, customizations, custom grants, and scopes. Stay tuned for more updates!</p> openid openiddict authentication dotnet