Protecting .NET framework 4.x web API with Identity server 4 in


I am working with identity server 4, and I know it is now on ASP.NET Core, and it is fine.

But I have a Web API application that is on .NET 4.6.2. I wonder how it is possible to protect these APIs. Or is it possible at all? Or should I change my web API to ASP.NET Core?

I searched everywhere, but all samples are with ASP.NET Core.

1

There are 1 answers

3
Danny van der Kraan On BEST ANSWER

Identity Server 4 doesn't care what the client is. You can test ID4 with a console application if you want, right?

You see, when it comes down to it, all ID4 basically is, is a REST Web API itself with some well-known endpoints using the OpenID Connect/OAuth2 protocol on top of the HTTP protocol. Just look at the samples with console clients here to gain more understanding of how you'd like to set up your client: https://github.com/IdentityServer/IdentityServer4.Samples/tree/dev/Clients.

So, that your client happens to be a Web API on net462 does not matter. All you have to do is send requests to the URLs of a hosted ID4. Maybe look into Katana's OpenID Connect middleware to make things easier for you: https://leastprivilege.com/2014/06/12/using-discovery-and-katana-middleware-to-write-an-openid-connect-web-client/. That is, by the way, a link to the blog of one of the creators of Identity Server. I suggest you browse through his blog to find more useful information.

Update token validation

For token validation you'd want the token endpoint: http://docs.identityserver.io/en/release/endpoints/token.html. I suggest reading up on JWT tokens, because you could for instance look at Katana JWT middleware: http://odetocode.com/blogs/scott/archive/2015/01/15/using-json-web-tokens-with-katana-and-webapi.aspx.
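
Added example (not part of the answer above or of the IdentityServer samples): an OWIN `Startup` for a .NET 4.6.2 Web API that validates JWT access tokens issued by IdentityServer4 with the Katana JWT middleware, taking the signing keys from the discovery document. It assumes the NuGet packages Microsoft.Owin.Security.Jwt 4.x, Microsoft.IdentityModel.Protocols.OpenIdConnect and Microsoft.AspNet.WebApi.Owin; the authority URL and the `api1` audience are placeholders for your own deployment.

```csharp
using System.Threading;
using System.Web.Http;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Jwt;
using Owin;

public class Startup
{
    // Placeholders (assumptions): base URL of the hosted IdentityServer4
    // and the API resource name registered there for this Web API.
    private const string Authority = "https://identity.example.test";
    private const string Audience = "api1";

    public void Configuration(IAppBuilder app)
    {
        // Fetches and caches the discovery document and the JWKS it points to,
        // so rotated signing keys are picked up without redeploying the API.
        var discovery = new ConfigurationManager<OpenIdConnectConfiguration>(
            Authority + "/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());

        app.UseJwtBearerAuthentication(new JwtBearerAuthenticationOptions
        {
            AuthenticationMode = AuthenticationMode.Active,
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidIssuer = Authority,      // must equal the token's "iss" claim
                ValidAudience = Audience,     // rejects tokens minted for other APIs
                RequireSignedTokens = true,   // unsigned ("alg": "none") tokens fail
                RequireExpirationTime = true,
                ValidateLifetime = true,
                IssuerSigningKeyResolver = (token, securityToken, kid, parameters) =>
                    discovery.GetConfigurationAsync(CancellationToken.None)
                             .GetAwaiter().GetResult().SigningKeys
            }
        });

        var config = new HttpConfiguration();
        config.MapHttpAttributeRoutes();
        // Deny by default: every controller needs a validated bearer token
        // unless an action opts out with [AllowAnonymous].
        config.Filters.Add(new AuthorizeAttribute());
        app.UseWebApi(config);
    }
}
```

The middleware must be registered before `UseWebApi` so the principal is set before controllers run. Issuer and audience checks are what stop a validly signed token for a different API from being accepted here.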