Tags: asp.net-core, ldap, identityserver4

IdentityServer4 with LDAP/AD authentication without UI


I'm currently working on a project where I'm trying to set up a service based on IdentityServer4 (https://github.com/IdentityServer/IdentityServer4) that authenticates users by querying a local Active Directory via LDAP.

To achieve that, I also included the IdentityServer4.LdapExtension (https://github.com/Nordes/IdentityServer4.LdapExtension) in my project. The working example from the repository works fine (https://github.com/Nordes/IdentityServer4.LdapExtension/tree/master/Sample/IdentityServer) - but the custom logic is part of the UI, and I need my service to operate without any UI.

Simply adding

.AddLdapUsers<ActiveDirectoryAppUser>(Conf.GetSection("ldap"), UserStore.InMemory) 

as described in the documentation does not change the request pipeline, as the provided login/validation methods are never executed - they are only triggered with calls from the UI (AccountController). However, as I said, I don't want to integrate any UI in this service and rather use the interface which the Token-Endpoint already provides (POST request with client_id and client_secret, response with JWT).

Is there a way to integrate LDAP authentication without rewriting big parts that work out-of-the-box as desired?


Solution

  • From your question it sounds like you already have a username and password. Note client_id != username and client_secret != password. client_id is the identity for a client application.

    The grant type you are trying to use is called Resource Owner Password when using the authorize endpoint or password when using the token endpoint. This grant type is used to support legacy systems and is not recommended for new development.

    The code that you want to execute to authenticate a user is in LdapUserResourceOwnerPasswordValidator.cs and it should be executed if you pass the correct parameters to the token endpoint:

    POST /connect/token HTTP/1.1
    Host: your-identityserver-host
    Content-Type: application/x-www-form-urlencoded

    client_id=yourclientid&
    client_secret=yourclientsecret&
    grant_type=password&
    username=yourusername&password=yourusernamespassword
    

    See token endpoint documentation: https://identityserver4.readthedocs.io/en/release/endpoints/token.html

    You can use Identity Model to help you make the token request:

    using System;
    using System.Net.Http;
    using IdentityModel.Client;

    // Any HttpClient works; RequestPasswordTokenAsync is an IdentityModel extension method.
    var client = new HttpClient();

    var response = await client.RequestPasswordTokenAsync(new PasswordTokenRequest
    {
        Address = "https://demo.identityserver.io/connect/token",

        ClientId = "yourclientid",
        ClientSecret = "yourclientsecret",
        UserName = "yourusername",
        Password = "yourusernamespassword"
    });

    // IsError covers transport failures as well as OAuth errors such as invalid_grant.
    if (response.IsError)
        throw new Exception(response.Error + ": " + response.ErrorDescription);

    var accessToken = response.AccessToken; // the JWT returned by the token endpoint
    

    This is documented here https://identitymodel.readthedocs.io/en/latest/client/token.html
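The piece that is easy to miss when wiring this up without a UI is that the token endpoint only hands a password grant to the registered IResourceOwnerPasswordValidator when the calling client is allowed to use that grant type. The following Startup fragment is an added example, not code from the question, the answer, or the IdentityServer4.LdapExtension repository. It registers a client that allows the resource owner password grant and plugs in a validator. Two variants are shown: the extension's own AddLdapUsers call from the question, and, as an alternative that avoids the extension entirely, a hand-written validator that binds to the directory with System.DirectoryServices.Protocols. The host name, base DN, client id, secret and scope are placeholders, and the API resource registration assumes IdentityServer4 2.x/3.x (4.x additionally requires AddInMemoryApiScopes).

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4.Models;
using IdentityServer4.Validation;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _conf;
    public Startup(IConfiguration conf) => _conf = conf;

    public void ConfigureServices(IServiceCollection services)
    {
        var builder = services.AddIdentityServer()
            .AddDeveloperSigningCredential()          // dev only; use a real key in production
            .AddInMemoryApiResources(new[]
            {
                new ApiResource("api1", "Example API")   // placeholder API resource
            })
            .AddInMemoryClients(new[]
            {
                new Client
                {
                    ClientId = "yourclientid",                       // placeholder
                    ClientSecrets = { new Secret("yourclientsecret".Sha256()) },
                    // Without this the token endpoint rejects grant_type=password
                    // with unauthorized_client and never calls the validator.
                    AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
                    AllowedScopes = { "api1" }
                }
            });

        // Variant A: the LdapExtension validator from the question. The token
        // endpoint invokes it for grant_type=password; no AccountController needed.
        builder.AddLdapUsers<IdentityServer.LdapExtension.UserModel.ActiveDirectoryAppUser>(
            _conf.GetSection("ldap"), IdentityServer.LdapExtension.UserStore.InMemory);

        // Variant B (alternative, comment out A if used): a minimal custom validator.
        // builder.AddResourceOwnerValidator<LdapBindPasswordValidator>();
    }
}

// Validates a username/password by attempting an LDAPS simple bind as that user.
// Assumes the directory accepts UPN-style names (user@example.local) for binding.
public class LdapBindPasswordValidator : IResourceOwnerPasswordValidator
{
    private const string LdapHost = "dc.example.local";  // placeholder host
    private const string UpnSuffix = "example.local";    // placeholder domain

    public Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
    {
        var user = context.UserName ?? string.Empty;
        var upn = user.Contains("@") ? user : user + "@" + UpnSuffix;

        try
        {
            using (var conn = new LdapConnection(new LdapDirectoryIdentifier(LdapHost, 636)))
            {
                conn.SessionOptions.SecureSocketLayer = true;   // never send a simple bind in clear text
                conn.SessionOptions.ProtocolVersion = 3;
                conn.AuthType = AuthType.Basic;
                conn.Credential = new NetworkCredential(upn, context.Password ?? string.Empty);
                conn.Bind();   // throws LdapException on bad credentials or a disabled account
            }

            // Use a stable identifier as the subject; the UPN is fine for a demo.
            context.Result = new GrantValidationResult(
                subject: upn,
                authenticationMethod: OidcConstants.AuthenticationMethods.Password,
                claims: new[] { new Claim(JwtClaimTypes.Name, user) });
        }
        catch (LdapException)
        {
            // Keep the error generic so the endpoint does not leak whether the account exists.
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "invalid credentials");
        }

        return Task.CompletedTask;
    }
}
```

With either variant registered, the POST to /connect/token shown in the answer is the entire login flow; the validator runs inside the token endpoint, so there is no account controller and no cookie session involved. Note that an empty password would be an anonymous bind on many directories, which the `NetworkCredential` above avoids only because the bind is rejected; reject empty passwords before binding if your directory permits unauthenticated binds.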