Become an AceSign inSign up
IdentityServer/ IdentityServer4.AccessTokenValidation
C# Shell
View on GitHub
Need help with IdentityServer4.AccessTokenValidation?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

IdentityServer
481 Stars 159 Forks Apache License 2.0 156 Commits 0 Opened issues

Description

IdentityServer Access Token Validation for ASP.NET Core

Services available

!
?

Need anything else?

Contributors list

IdentityServer4.AccessTokenValidation

Important

This library is deprecated and not being maintained anymore.

Read this blog post about the reasoning and recommedations for a superior and more flexible approach:

https://leastprivilege.com/2020/07/06/flexible-access-token-validation-in-asp-net-core/

Description

Authentication handler for ASP.NET Core 2 that allows accepting both JWTs and reference tokens in the same API.

Technically this handler is a decorator over both the Microsoft JWT handler as well as our OAuth 2 introspection handler. If you only need to support one token type only, we recommend using the underlying handlers directly.

JWT Usage

Simply specify authority and API name (aka audience):

services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
    .AddIdentityServerAuthentication(options =>
    {
        options.Authority = "https://demo.identityserver.io";
        options.ApiName = "api1";
    });

Enable reference tokens

Additionally specify the API secret for the introspection endpoint:

services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
    .AddIdentityServerAuthentication(options =>
    {
        options.Authority = "https://demo.identityserver.io";
        options.ApiName = "api1";
        options.ApiSecret = "secret";
    });

Specifying the underlying handler options directly

In case you need access to a setting that the combined options don't expose, you can fallback to configuring the underlying handler directly.

services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
    .AddIdentityServerAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme,
        jwtOptions =>
        {
            // jwt bearer options
        },
        referenceOptions =>
        {
            // oauth2 introspection options
        });

Scope validation

In addition to API name checking, you can do more fine-grained scope checks. This package includes some convenience helpers to do that.

Create a global authorization policy

services
    .AddMvcCore(options =>
    {
        // require scope1 or scope2
        var policy = ScopePolicy.Create("scope1", "scope2");
        options.Filters.Add(new AuthorizeFilter(policy));
    })
    .AddJsonFormatters()
    .AddAuthorization();

Composing a scope policy

services.AddAuthorization(options =>
{
    options.AddPolicy("myPolicy", builder =>
    {
        // require scope1
        builder.RequireScope("scope1");
        // and require scope2 or scope3
        builder.RequireScope("scope2", "scope3");
    });
});

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.