Using Identity Server as Security Token Provider

It has come to a point where authentication is needed for my application to ensure the users are who they claim to be and restrict certain resources from users according to their permission level. The flow should start by users inputting username and password on client (web application), which are sent to the security token service where the verification process undergoes. Successful identity verification returns an access token to the client. The access token is then included in the subsequent (whenever necessary) HTTP requests to the API resources. This flow is straightforward and can be achieved a step at a time.

Identity Service, the security token service

It is natural for .NET developers to choose Identity Server for its powerful features. Spinning it up doesn’t take much of the effort as there are various starting templates to choose from. I have decided to go with the OAuth 2.0 Password Grant since I have total control of the web application.

Once the security token service (I named it Identity Service) is created, a couple of configurations had to set, including the identity and API resources this service covers, the users, and more importantly, the clients this service can recognise:

new Client()
  ClientId = "vue",
  AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
  ClientSecrets =
    new Secret("secret".Sha256())
  AllowedScopes = new List<string>()
    IdentityServerConstants.StandardScopes.OpenId, "basicInfo", "apigateway.web"
  AllowedCorsOrigins = {"http://localhost:8080"},
  AllowAccessTokensViaBrowser = true,
  RequireConsent = false

The ClientId and ClientSecret are used by the Identity Service to link itself with the client that requests for access token. For the matching to succeed, the client has to include the same value in the request:

const param = {
  client_id: "vue",
  client_secret: "secret",
  grant_type: "password",
  username: "some user name",
  password: "some password"

const config = {
  headers: {
    "Content-Type": "application/x-www-form-urlencoded"
};"http://localhost:5100/connect/token", qs.stringify(param), config);

A couple of things happened here. First the set of parameters had to include at least the client and user credentials. It was then stringified using the qs library before sending to the Identity Service via a POST request.

Finally, successful verification produces a unique JWT access token which can the be used for subsequent requests to API resources.

What’s next?

The basic authentication flow is done but there’s a lot more work for improvement. Up to this point, the users are still not able to perform CRUD operations which allows for creation, modification, and removal of users. Persistence should also be done to allow data to be stored in database.

Since I use a single page application for my front-end and it is a trusted client, I chose the password grant type and relies on my application to send the user credentials on user’s behalf to the token service.

2 thoughts on “Using Identity Server as Security Token Provider”

  1. Long time supporter, and thought I’d drop a comment.

    Your wordpress site is very sleek – hope you don’t mind me asking what theme you’re using?
    (and don’t mind if I steal it? :P)

    I just launched my site –also built in wordpress like yours– but the theme slows (!)
    the site down quite a bit.

    In case you have a minute, you can find it by searching for “royal cbd”
    on Google (would appreciate any feedback) – it’s still in the works.

    Keep up the good work– and hope you all take care of yourself during the coronavirus scare!


    1. Hi Justin,

      I use Independent Publisher 2 for my theme.

      Your website looks really great and it is not slow to me. Keep up teh good work!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s