IdentityServer Access Token Validation for ASP.NET Core
This library is deprecated and not being maintained anymore.
Read this blog post about the reasoning and recommendations for a superior and more flexible approach:
https://leastprivilege.com/2020/07/06/flexible-access-token-validation-in-asp-net-core/
Authentication handler for ASP.NET Core 2 that allows accepting both JWTs and reference tokens in the same API.
Technically this handler is a decorator over both the Microsoft JWT handler and our OAuth 2 introspection handler. If you only need to support one token type, we recommend using the underlying handlers directly.
Simply specify authority and API name (aka audience):
```csharp
services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
    .AddIdentityServerAuthentication(options =>
    {
        options.Authority = "https://demo.identityserver.io";
        options.ApiName = "api1";
    });
```
Additionally specify the API secret for the introspection endpoint:
```csharp
services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
    .AddIdentityServerAuthentication(options =>
    {
        options.Authority = "https://demo.identityserver.io";
        options.ApiName = "api1";
        options.ApiSecret = "secret";
    });
```
In case you need access to a setting that the combined options don't expose, you can fall back to configuring the underlying handlers directly.
```csharp
services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
    .AddIdentityServerAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme,
        jwtOptions =>
        {
            // jwt bearer options
        },
        referenceOptions =>
        {
            // oauth2 introspection options
        });
```
In addition to API name checking, you can do more fine-grained scope checks. This package includes some convenience helpers to do that.
```csharp
services
    .AddMvcCore(options =>
    {
        // require scope1 or scope2
        var policy = ScopePolicy.Create("scope1", "scope2");
        options.Filters.Add(new AuthorizeFilter(policy));
    })
    .AddJsonFormatters()
    .AddAuthorization();
```
```csharp
services.AddAuthorization(options =>
{
    options.AddPolicy("myPolicy", builder =>
    {
        // require scope1
        builder.RequireScope("scope1");

        // and require scope2 or scope3
        builder.RequireScope("scope2", "scope3");
    });
});
```
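The snippets above are fragments; the following is an added, complete `Startup` plus a controller that puts them together (example code written for this page, not part of the library or its samples). It assumes the authority and API name from the snippets above, a hypothetical pair of scopes `api1.read` and `api1.write`, and that the API secret comes from configuration rather than being hard-coded. It shows the layering a practitioner usually wants: the handler validates the token (JWT locally, reference token via introspection) and checks the audience (`ApiName`), an MVC-wide filter then requires at least one of the API's scopes, and individual actions opt into a stricter policy.

```csharp
using System.Linq;
using IdentityServer4.AccessTokenValidation;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _configuration;

    public Startup(IConfiguration configuration)
    {
        _configuration = configuration;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        // Token validation: accepts JWTs and reference tokens for audience "api1".
        services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "https://demo.identityserver.io";
                options.ApiName = "api1";

                // Only needed for reference tokens; read from configuration so the
                // secret is not committed with the source (assumed config key).
                options.ApiSecret = _configuration["Api:IntrospectionSecret"];

                // Refuse to fetch discovery metadata over plain HTTP.
                options.RequireHttpsMetadata = true;
            });

        // Named policies for fine-grained scope checks (scope names are assumptions).
        services.AddAuthorization(options =>
        {
            // Caller must hold api1.read or api1.write.
            options.AddPolicy("ReadOrWrite", builder =>
            {
                builder.RequireAuthenticatedUser();
                builder.RequireScope("api1.read", "api1.write");
            });

            // Caller must hold api1.write specifically.
            options.AddPolicy("Write", builder =>
            {
                builder.RequireAuthenticatedUser();
                builder.RequireScope("api1.write");
            });
        });

        services
            .AddMvcCore(options =>
            {
                // Global baseline: every action requires api1.read or api1.write,
                // so an action that forgets [Authorize] is still not anonymous.
                var baseline = ScopePolicy.Create("api1.read", "api1.write");
                options.Filters.Add(new AuthorizeFilter(baseline));
            })
            .AddJsonFormatters()
            .AddAuthorization();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Authentication must run before MVC so the filters see the validated principal.
        app.UseAuthentication();
        app.UseMvc();
    }
}

[Route("identity")]
public class IdentityController : ControllerBase
{
    // Covered by the global baseline filter only: read or write scope is enough.
    [HttpGet]
    public IActionResult Get() =>
        new JsonResult(User.Claims.Select(c => new { c.Type, c.Value }));

    // Stricter: the named "Write" policy additionally requires api1.write.
    [HttpPost]
    [Authorize(Policy = "Write")]
    public IActionResult Post() => Ok();
}
```

The global `AuthorizeFilter` and the per-action `[Authorize(Policy = ...)]` both run, so the effective requirement for `POST /identity` is the intersection: a valid token for audience `api1` that carries `api1.write`. Because the combined handler also accepts reference tokens, a revoked reference token is rejected at introspection time, whereas a JWT remains valid until it expires; keep JWT lifetimes short if that distinction matters for your API.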