Search code examples
c#asp.net-core.net-6.0openid-connectopeniddict

Integrating Internal Identity Provider (PingID) with ASP.NET Core Identity Server and Angular App

I have a system architecture comprising three applications: a web API developed in ASP.NET Core, an Identity Server, and an Angular app as the UI. The Identity Server is implemented using ASP.NET Core Identity and OpenIddict, supporting sign-ins through various providers like Okta and Azure AD, and it works seamlessly.

The current user sign-in flow is straightforward:

  1. The user opens the Angular app.
  2. They are redirected to the Identity Server, where they can choose to log in using username/password or external providers like Okta or Azure AD.
  3. Upon successful authentication, they are redirected back to the Angular app with the access token.

Now, the client has requested the addition of a new internal provider called PingID. This provider is internal, meaning it is not accessible on the internet, and our Identity Server cannot directly access it. The client has already configured our Identity Server application in their internal PingID to use the Authorization Code Flow, and we have the client ID, client secret, and token/user ID endpoints.

However, we are facing challenges in completing the flow, as our Identity Server cannot access the internal PingID IdP's at all and for security reasons they cannot make it public:

  1. I am seeking guidance on how to implement this. Any suggestions or insights on how to integrate an internal provider like PingID into our existing architecture would be greatly appreciated.

  2. I'm curious if implementing client-side authentication using oidc-client.js is a viable solution and worth exploring in our scenario. Additionally, I'm unsure about how to streamline this approach with our existing Identity Server, especially considering the current authentication flow.

  3. Does OpenIddict provide any mechanisms or features to enable our Identity Server to access the internal IdP (PingID)? Is it worth looking at OpenIddict WebProviders

Thank you!

Solution

  • Does OpenIddict provide any mechanisms or features to enable our Identity Server to access the internal IdP (PingID)? Is it worth looking at OpenIddict WebProviders

    Your scenario will sadly never work.

    Authentication delegation using an interactive flow like the code flow requires redirecting the user to the external identity provider: if it's not accessible by either the end user (for the actual user login and consent parts) or by your authorization server itself (for the token request/response part), it just won't work, independently of the client stack you're going to use.

    You'll need to convince your partner to make it public. It doesn't have to be directly accessible: a reverse proxy or web application firewall can be added in front of that server, if necessary.