identityserver3

How to configure UseCookieAuthentication behind a load balancer

拜拜、爱过 submitted on 2019-12-07 04:26:46
Question: I am configuring a .NET Core application to use OIDC authentication (provided by IdentityServer). I have included the following code in my StartUp: app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationScheme = "Cookies", AutomaticAuthenticate = true, ExpireTimeSpan = TimeSpan.FromMinutes(60) }); JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear(); app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions { AuthenticationScheme = "oidc", SignInScheme = "Cookies",

Identity Server 4 token not validated in .NET Framework API that uses Identity Server 3

↘锁芯ラ submitted on 2019-12-06 15:28:08
In my IdentityServer app, which uses idsv4 and runs on port "5000", I have a client: new Client { ClientId = "client", // no interactive user, use the clientid/secret for authentication AllowedGrantTypes = GrantTypes.ClientCredentials, // secret for authentication ClientSecrets = { new Secret("secret".Sha256()) }, // scopes that client has access to AllowedScopes = { "api1" } } and in my .NET Framework API's startup class, which uses port "7001": app.UseIdentityServerBearerTokenAuthentication( new IdentityServerBearerTokenAuthenticationOptions { Authority = "http://localhost:5000", ValidationMode =

Refreshing claims without refreshing token

余生长醉 submitted on 2019-12-06 11:09:59
We are using IdentityServer3 to authenticate our users. We run it on a separate web application from the main application API. There is a hierarchy of claims - for example, sites, factories and equipment. It is possible for a user to have a claim for a piece of equipment that is at a factory, but not have a claim for the entire factory, or the site. The distribution of claims is handled by means of a background job. When a user creates a site, factory or equipment, a claim is created for them; this may also have been distributed to other users. When a request comes into the engine API we need to

IdentityServer3 User Registration

江枫思渺然 submitted on 2019-12-06 09:57:16
I'm writing an HTML/Angular app and am authenticating with IdentityServer3 using the implicit flow. I have that set up and working, but what I'm concerned about is allowing users to register. I know I can inject a register link into the login flow, but that's not what I'm interested in. I would like users to register, then send them a confirmation email, etc. Here is my current setup: 1) xyz.com (Angular frontend) 2) api.xyz.com (WebAPI backend) 3) accounts.xyz.com (IdentityServer) I know I can do user registration by calling an API endpoint, but I'm worried that it might not be secure. At that

How can I issue an access token to the identityserver itself?

ぐ巨炮叔叔 submitted on 2019-12-06 08:47:58
Question: This may be a dumb question, but here goes :) I have the following applications in this problem: an IdentityServer3; a WebApi2 application which uses the IdentityServer as its authenticator; an MVC web app. What I want to do is call a secured service on the WebApi from the IdentityServer, but in order to do so I require an access token. How do I, within the IdentityServer, issue an access token to itself (which in turn will be authenticated through itself from the WebApi)? Answer 1: IdentityServer

Too many OpenID.nonce cookies cause “Bad Request”

生来就可爱ヽ(ⅴ<●) submitted on 2019-12-06 03:41:19
Question: I have already gone through links here, here and here which are related to the issue I am having. I have a Silverlight application using IdentityServer3 for authentication and I started having this issue just now when I implemented log out functionality. Note that the issue has nothing to do with Silverlight, because login and logout functionality is actually implemented on the server side, which is a classic ASP.NET Web Form (.NET 4.5.1). The application never had logout functionality, so the user just

IdentityServer used as external identity provider for another IdentityServer fails to properly redirect

旧城冷巷雨未停 submitted on 2019-12-06 00:26:46
When using any of the standard identity providers (Google, Facebook), after login and consent they redirect to my primary Identity Server and let it redirect to the implicit client registered within it. How can I achieve the same behavior with another Identity Server serving as the external identity provider? My security architecture consists of two Identity Servers, the primary one (v3) using the other (v4) as an external identity provider. The implicit client opens a popup with the primary IdentityServer. I have trouble with the following flow: the Identity Server acting as external IdP gets stuck on endpoint:

Reverse proxy with openid connect redirection

依然范特西╮ submitted on 2019-12-05 22:00:06
In my application I have integrated Identity Server 3 with OpenID Connect. On our production server our website is behind a reverse proxy, which is causing problems: when the user logs in and is redirected back by Identity Server, our application wants to redirect the user to his original location (the page with the AuthorizeAttribute). The problem here is that the user is redirected to the hidden URL instead of the public URL used by the reverse proxy. How can I redirect the user to the public URL? After a long search this is the fix: the OWIN middleware UseOpenIdConnectAuthentication has a

Identity Server by leastprivilege doesn't work properly on Azure

主宰稳场 submitted on 2019-12-05 20:53:48
I am trying to implement an architecture that follows the OAuth2/OIDC protocol. In order to do that, I have an STS (Identity Server v3 by leastprivilege), an ASP.NET WebApi and an ASP.NET MVC application as a client. My goal was to have the STS and REST service hosted on Azure so different clients can use them as public services. So far so good. Everything seemed to work smoothly and perfectly before I decided to add a new client that uses one of the redirection flows - the Authorization Code flow. I wanted to take advantage of the refresh token option that it offers. I wanted to serve short-lived access

How should you secure a multi-tenant API with Identity Server?

牧云@^-^@ submitted on 2019-12-05 12:55:05
I'm struggling with the correct way to secure a multi-tenant Web API with Identity Server. Let me explain. We have a multi-tenant Web API that serves an ASP.NET MVC application. Each new customer is assigned a new TenantId. A customer can have multiple subscriptions of the application. It's the same as saying that the app manages multiple databases per customer (which he can access from the same base URL). Each user belongs to a single customer (tenant) and will have access to all that customer's subscriptions. The API is set up in a way that every endpoint includes both the tenant id and the