IdentityServer4.AccessTokenValidation
IdentityServer4.AccessTokenValidation copied to clipboard
IdentityServer Access Token Validation for ASP.NET Core
IdentityServer4.AccessTokenValidation
Important
This library is deprecated and not being maintained anymore.
Read this blog post about the reasoning and recommedations for a superior and more flexible approach:
https://leastprivilege.com/2020/07/06/flexible-access-token-validation-in-asp-net-core/
Description
Authentication handler for ASP.NET Core 2 that allows accepting both JWTs and reference tokens in the same API.
Technically this handler is a decorator over both the Microsoft JWT handler as well as our OAuth 2 introspection handler. If you only need to support one token type only, we recommend using the underlying handlers directly.
JWT Usage
Simply specify authority and API name (aka audience):
services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
.AddIdentityServerAuthentication(options =>
{
options.Authority = "https://demo.identityserver.io";
options.ApiName = "api1";
});
Enable reference tokens
Additionally specify the API secret for the introspection endpoint:
services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
.AddIdentityServerAuthentication(options =>
{
options.Authority = "https://demo.identityserver.io";
options.ApiName = "api1";
options.ApiSecret = "secret";
});
Specifying the underlying handler options directly
In case you need access to a setting that the combined options don't expose, you can fallback to configuring the underlying handler directly.
services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
.AddIdentityServerAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme,
jwtOptions =>
{
// jwt bearer options
},
referenceOptions =>
{
// oauth2 introspection options
});
Scope validation
In addition to API name checking, you can do more fine-grained scope checks. This package includes some convenience helpers to do that.
Create a global authorization policy
services
.AddMvcCore(options =>
{
// require scope1 or scope2
var policy = ScopePolicy.Create("scope1", "scope2");
options.Filters.Add(new AuthorizeFilter(policy));
})
.AddJsonFormatters()
.AddAuthorization();
Composing a scope policy
services.AddAuthorization(options =>
{
options.AddPolicy("myPolicy", builder =>
{
// require scope1
builder.RequireScope("scope1");
// and require scope2 or scope3
builder.RequireScope("scope2", "scope3");
});
});