Implement an OAuth 2.0 Server (Part 01)

Welcome to the first part of a series of posts in which we will implement an OAuth 2.0 server using AspNet.Security.OpenIdConnectServer.

The library's author, Kevin Chalet, has an excellent series of blog posts covering the same ground with less of a hands-on approach; you are encouraged to read it for more background.

The final product is available here on GitHub, and at the end of each step the project, as completed up to that point, will be available on its own branch.

For a live demonstration of this application, visit the hosted version on Azure, where you can try everything we'll describe.

Tutorial Table of Contents

  1. Introduction
  2. Project Setup and Dependency Downloads
  3. SQLite and Initial Migration
  4. Public API Barebones Setup
  5. Adding Models
  6. OAuth Client CRUD - Controller and ViewModels
  7. OAuth Client CRUD - Views
  8. Adding Client Scopes
  9. Authorization Provider - Authorize Methods
  10. Authorization Provider - Token Methods
  11. Services
  12. Authorization Request Accept/Deny View
  13. Claims, Identity, Authentication Tickets
  14. Adding OAuth Token Validation
  15. Scope Authorization with Policies, Requirements and Handlers
  16. Token Revocation
  17. Rate Limiting - Models and Provider Changes
  18. Rate Limiting - Attribute Creation
  19. Pushing to Azure

Concepts

Along the way you’ll be exposed to these concepts:

  1. Beginner Concepts
    1. curl
    2. CRUD
    3. REST APIs
  2. Intermediate Concepts
    1. Razor Pages 2.0
    2. Authentication
    3. OAuth 2
    4. Entity Framework Core
    5. Rate Limiting
  3. Advanced Concepts
    1. Identity
    2. Claims
    3. Authentication Schemes

Libraries

We’ll be using the following libraries in our application:

  1. AspNet.Security.OpenIdConnect.Extensions
  2. AspNet.Security.OpenIdConnect.Primitives
  3. AspNet.Security.OpenIdConnect.Server
  4. AspNet.Security.OAuth.Introspection
  5. AspNet.Security.OAuth.Validation

What the application will be able to do

At a high level, our final application will be able to do these things:

  • Users will be able to register and log in on the website, with persisted login sessions via cookie authentication.
  • Users will be able to create and delete OAuth client applications, giving each a name, a description, and a list of redirect URIs.
  • Users will also be able to edit a client's description and regenerate its client secret.
  • Our server will issue OAuth 2.0 access tokens to those applications using three of the standard grant flows:
    • Client Credentials
    • Implicit
    • Authorization Code
  • Our server will expose a small API whose authenticated endpoints are protected by OAuth scopes.
  • Finally, we'll support rate limiting of our endpoints.

A caveat for anyone building on this today: the implicit flow is included for completeness, but current OAuth 2.0 security guidance recommends the authorization code flow (with PKCE) for browser-based clients instead, because implicit returns the access token in the redirect URI fragment where it is exposed to leakage.

Public API

We’ll have a small public API with the following unauthenticated, authenticated, unscoped, and scoped endpoints:

  • Unauthenticated endpoints
    • GET api/v1/hello
      • Returns "Hello" in the body.
  • Authenticated endpoints
    • Unscoped
      1. GET api/v1/clientcount
        • Returns the number of OAuth clients the user has registered.
    • Scoped
      1. GET api/v1/birthdate
        • Returns the user's birthdate.
      2. GET api/v1/email
        • Returns the user's email address.
      3. PUT api/v1/email
        • Changes the user's email address.
      4. PUT api/v1/birthdate
        • Changes the user's birthdate.
      5. GET api/v1/me
        • Returns the user object. It requires no particular scope, but additional fields are included when the access token carries the corresponding scopes.

Moving On

In the next section we’ll set up the basic project structure and download our libraries.
