Search code examples
identityserver4

Protect IdentityServer4 Api with itself

We are currently working on a identityserver4 implementation which will also have a few api calls.

Those api calls should only be available if a user is authorized(with the bearer token).

In the Startup.cs we have the services.AddIdentityServer() since this is the identityServer, and also added the AddAuthentication() call to make sure the authorized endpoints are only available for authorized connections.

Startup.cs => ConfigureServices():

services.AddIdentityServer();                
services.AddAuthentication("Bearer")
                .AddIdentityServerAuthentication(options =>
                {
                    options.Authority = "http://localhost:9000";
                    options.RequireHttpsMetadata = false;

                    options.ApiName = "identityserver4";
                });

Startup.cs => Configure():

        app.UseAuthentication();

        app.UseIdentityServer();

        //app.UseAuthentication();

using the UseAuthentication() before or after UseIdentityServer() does not change anything.

My api call within the identityserver is still avaialble to all. Currently using postman to test the calls.

Do i need to add something? Is there something i missed?

Kind regards,

Walter

edit 1: added controller and full startup.cs UserController.cs:

namespace Identity.Controllers
{
    [Authorize]
    [Route("[controller]")]

    public class UserController : ControllerBase
    {
        private readonly ILogger _logger;
        private readonly IUserBusinessLogic _userBusinessLogic;

        public UserController(ILogger<UserController> logger, IUserBusinessLogic userBusinessLogic)
            : base()
        {
            _logger = logger;
            _userBusinessLogic = userBusinessLogic;
        }

        [Route("")]
        [HttpGet]        
        public async Task<ActionResult<IList<UserDto>>> GetAllUsers()
        {
            var users = await _userBusinessLogic.GetAll();
            return users.ToList();
        }
    }
}

Startup.cs:

namespace Identity
{
    public class Startup
    {
        private readonly IConfiguration _configuration;
        private readonly ILogger _logger;

        public Startup(IConfiguration configuration, ILogger<Startup> logger)
            : base()
        {
            _configuration = configuration;
            _logger = logger;
        }

        // This method gets called by the runtime. Use this method to add services to the container.
        // For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=398940
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddMvcCore()
                .AddJsonFormatters()
                .SetCompatibilityVersion(CompatibilityVersion.Version_2_2)
                .AddRazorViewEngine(); 

            services.Configure<ApiBehaviorOptions>(options =>
            {
                options.InvalidModelStateResponseFactory = context => new ValidationProblemDetailsResult();
            });

            services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
                .AddIdentityServerAuthentication(options =>
                {
                    options.Authority = "http://localhost:9000";
                    options.RequireHttpsMetadata = false;

                    options.ApiName = "identityserver4";
                });

            services.AddIdentityServer()
            .AddDeveloperSigningCredential()
            .AddPersistedGrantStore<PersistedGrantStoreBusinessLogic>()
            .AddResourceStore<ResourceBusinessLogic>()
            .AddClientStore<ClientBusinessLogic>()
            .AddProfileService<ProfileBusinessLogic>()
            .AddCorsPolicyService<CorsPolicyBusinessLogic>();

            services.AddCors(options =>
            {
                options.AddPolicy("default",
                    builder => builder.AllowAnyOrigin()
                    .AllowAnyMethod()
                    .AllowAnyHeader().Build());
            });

        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
        {
            app.UseAuthentication();

            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }
            else
            {
                app.UseExceptionHandler("/Home/Error");
            }

            app.UseCors("default");
            app.UseIdentityServer();
            app.UseStaticFiles();
            app.ConfigureExceptionHandler(_logger);
            app.UseMvcWithDefaultRoute();
        }
    }
}
Solution

  • Found my problem! in my startup i used services.AddMvcCore() when i should have used services.AddMvc() OR just add the services.AddAuthorization which is not added using services.AddMvcCore().

    I came upon this solution after doing some research for something else. In my research i came upon this page: https://offering.solutions/blog/articles/2017/02/07/difference-between-addmvc-addmvcore/

    It explains the differences between AddMvc() and AddMvcCore(). So after adding services.AddAuthorization() my problem was solved and the api within my identityserver where protected.

    Thank you to all who tried to help me!