How do I integrate an existing asp.net MVC application with IdentityServer?

You will have 4 applications, as you stated.

  1. The IdentityServer4 application for identity and access control. This will be the SSO service and the STS (security token service), the authority. As of today you will build this in ASP.NET Core 1.1. To be an SSO you will of course need to have a user database; using ASP.NET Identity works well and integrates nicely with IdentityServer.

  2. Your Web API, which you say is running ASP.NET Core 1.1. This, in OAuth terms, is called an API Resource. You could subdivide this API into separately securable sections called API Scopes.

  3. The existing MVC web application with your current user database in ASP.NET Identity. This will be a Client of the IdentityServer authority (#1 above). You could use the Authorization Code Flow (more secure) or opt for Implicit or Hybrid flow. An example of how to set up an ASP.NET MVC web application as a Client of an IdentityServer instance can be found in their official documentation: http://docs.identityserver.io/en/latest/quickstarts/3_interactive_login.html#creating-an-mvc-client.

Essentially, you

(a) register the client with IdentityServer, then

(b) add some startup code in the client app that will tell it to use IdentityServer for authentication, something like this:

app.UseOpenIdConnectAuthentication(new OpenIdConnectOptions
{
    AuthenticationScheme = "oidc",
    SignInScheme = "Cookies",

    Authority = "http://localhost:5000",
    RequireHttpsMetadata = false,

    ClientId = "mvc",
    SaveTokens = true
});

You could at that point use both the internal user database for logging in as well as the external IdentityServer; that is, you could log in to the MVC web app two different ways. The IdentityServer app could be considered an "external provider" to your MVC web app.

Are you going to migrate your existing usernames and passwords (and roles, etc.) to the new IdentityServer instance/database? This answer will have to be "yes" to achieve SSO and shared identities and access controls across applications.

SSO is only possible if the user logs in with the IdentityServer app. Though, you probably won't actually achieve SSO since they are using a browser on a desktop machine and a mobile app on a phone, not really able to share cookies or tokens across devices.

  4. The mobile client. This would be another Client like the MVC web app except using the Implicit Flow for sure. Again, register the client, and then code the app.

You build your authentication application by using IdentityServer4. Treat each of your applications as an IdentityServer4 Client and the API as an ApiResource, so they all will have a unique client id, callback URI, etc. You need to add IdentityServerAuthenticationOptions to the API, and OpenIdConnectOptions to the MVC application.

For example, a Web API Startup.cs may have:

public void Configure(IApplicationBuilder app, ILoggerFactory loggerFactory)
{
    loggerFactory.AddConsole(Configuration.GetSection("Logging"));
    loggerFactory.AddDebug();

    app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
    {
        Authority = "http://localhost:5000",
        RequireHttpsMetadata = false,

        ApiName = "api1"
    });

    app.UseMvc();
}

Anyway, first you need to understand how IdentityServer works. And then you need to build the IdentityServer app that will have access to your users context. You will achieve shared authentication across the three apps by allowing the same API scope.

And this is the best place to start
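Both answers above say "register the client" and "treat the API as an ApiResource" but show only the consuming side. The following is an added example (not from either answer or from the IdentityServer4 project) of what that registration looks like on the IdentityServer4 host for ASP.NET Core 1.1 / IdentityServer4 1.x: the `api1` ApiResource matching the Web API's `ApiName`, the `mvc` client matching the MVC `ClientId`, and a mobile client. The `mobile` client id, the ports, the redirect URIs, the placeholder secret and the `ApplicationUser` type (your existing ASP.NET Identity user class) are assumptions.

```csharp
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.Extensions.DependencyInjection;

// Registration data for the IdentityServer4 host (application #1 above).
// Ports, redirect URIs and the "mobile" client id are assumed; "api1" and "mvc" match the answers.
public static class Config
{
    // The Web API (application #2) is an ApiResource. Its name must equal the API's
    // ApiName setting, otherwise the API rejects the access token's audience.
    public static IEnumerable<ApiResource> GetApiResources() =>
        new[] { new ApiResource("api1", "Web API") };

    public static IEnumerable<IdentityResource> GetIdentityResources() =>
        new IdentityResource[] { new IdentityResources.OpenId(), new IdentityResources.Profile() };

    public static IEnumerable<Client> GetClients() => new[]
    {
        // Existing MVC web app (application #3): a confidential client that can hold a
        // secret, so it can use the hybrid flow and redeem the code server-side.
        new Client
        {
            ClientId = "mvc",
            AllowedGrantTypes = GrantTypes.Hybrid,
            ClientSecrets = { new Secret("replace-with-real-secret".Sha256()) }, // placeholder
            RedirectUris = { "http://localhost:5002/signin-oidc" },
            PostLogoutRedirectUris = { "http://localhost:5002/signout-callback-oidc" },
            AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId,
                              IdentityServerConstants.StandardScopes.Profile, "api1" }
        },
        // Mobile app (application #4): a public client that cannot keep a secret, so it
        // gets the implicit flow; tokens come back through the browser redirect.
        new Client
        {
            ClientId = "mobile",
            AllowedGrantTypes = GrantTypes.Implicit,
            AllowAccessTokensViaBrowser = true,
            RedirectUris = { "myapp://callback" },
            AllowedScopes = { IdentityServerConstants.StandardScopes.OpenId,
                              IdentityServerConstants.StandardScopes.Profile, "api1" }
        }
    };

    // Wiring for the IdentityServer host's Startup.ConfigureServices (IdentityServer4 1.x API).
    public static void AddSso(IServiceCollection services) =>
        services.AddIdentityServer()
            .AddTemporarySigningCredential()   // dev-only key; load a real signing certificate in production
            .AddInMemoryIdentityResources(GetIdentityResources())
            .AddInMemoryApiResources(GetApiResources())
            .AddInMemoryClients(GetClients())
            .AddAspNetIdentity<ApplicationUser>();   // users come from your existing ASP.NET Identity store
}
```

With this in place, an access token issued to either client for scope `api1` is accepted by the Web API configured with `ApiName = "api1"` in the second answer.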