
Is there a way to connect/disconnect external OpenId providers IdentityServer 4 "on the fly"


IdentityServer 4 documentation says: "To add support for OpenID Connect authentication to the MVC application, you first need... ...then add the following to ConfigureServices in Startup:

services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie("Cookies")
    .AddOpenIdConnect("oidc", options =>
    {
        options.Authority = "https://localhost:5001";
        options.ClientId = "mvc";
        options.ClientSecret = "secret";
        options.ResponseType = "code";
        options.SaveTokens = true;
    });

"

This example shows how to connect external providers at server startup.

Is there a way to connect/disconnect them while the server is already running, i.e. "on the fly"?

Thanks.


Solution

  • A better approach is to introduce an internal authentication service (like IdentityServer or OpenIDDict) like this:

    My rule of thumb is that your internal clients and APIs should only have to trust one issuer of access tokens. This approach also allows you to standardize what the access and ID token look like internally in your architecture, like this:

    Warning: I doubt it is a good idea to allow your end-users to add any OpenID provider they like, because then a hacker could impersonate any email in your system, as it is all based on trust!

    One approach to supporting multiple OIDC providers dynamically is to hook into the various events exposed by AddOpenIdConnect, dynamically route the authentication request to the correct OIDC server, and handle the response.
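One concrete way to do the "on the fly" connect/disconnect the question asks about, added here as an example rather than code from the answer, from IdentityServer or from ASP.NET Core: instead of the event hooks mentioned above, it registers and removes whole OpenID Connect schemes at runtime through IAuthenticationSchemeProvider and IOptionsMonitorCache<OpenIdConnectOptions>, so each provider keeps its own Authority, discovery document and token validation. ExternalProvider, DynamicOidcSchemes, the scheme names and the callback paths are assumptions; the "Cookies" sign-in scheme is taken from the question's startup code, and the administrator-only store the provider records come from (the allowlist the warning above calls for) is not shown. It assumes AddOpenIdConnect was called at least once at startup, as in the question, because that call is what registers the framework's IPostConfigureOptions<OpenIdConnectOptions>.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Options;

// Hypothetical record describing one administrator-approved external provider.
// In a real deployment this comes from a store that only admins can edit.
public sealed record ExternalProvider(
    string Scheme,        // e.g. "oidc-partner-a"; used as the ASP.NET Core scheme name
    string DisplayName,
    string Authority,     // discovery base URL, must be https
    string ClientId,
    string ClientSecret);

// Hypothetical service: adds or removes an OpenID Connect scheme without restarting the host.
public sealed class DynamicOidcSchemes
{
    private readonly IAuthenticationSchemeProvider _schemes;
    private readonly IOptionsMonitorCache<OpenIdConnectOptions> _optionsCache;
    private readonly IEnumerable<IPostConfigureOptions<OpenIdConnectOptions>> _postConfigure;

    public DynamicOidcSchemes(
        IAuthenticationSchemeProvider schemes,
        IOptionsMonitorCache<OpenIdConnectOptions> optionsCache,
        IEnumerable<IPostConfigureOptions<OpenIdConnectOptions>> postConfigure)
    {
        _schemes = schemes;
        _optionsCache = optionsCache;
        _postConfigure = postConfigure;
    }

    // Connect: build the options the way AddOpenIdConnect would at startup,
    // then make the scheme visible to the authentication middleware.
    public async Task<bool> ConnectAsync(ExternalProvider provider)
    {
        if (!Uri.TryCreate(provider.Authority, UriKind.Absolute, out var authority)
            || authority.Scheme != Uri.UriSchemeHttps)
        {
            // Refuse plaintext discovery: the signing keys used to validate ID tokens
            // would otherwise be fetched over an unauthenticated channel.
            throw new ArgumentException("Authority must be an absolute https URL.", nameof(provider));
        }

        if (await _schemes.GetSchemeAsync(provider.Scheme) is not null)
        {
            return false; // already connected; AddScheme would throw
        }

        var options = new OpenIdConnectOptions
        {
            Authority = provider.Authority,
            ClientId = provider.ClientId,
            ClientSecret = provider.ClientSecret,
            ResponseType = "code",
            SaveTokens = true,
            SignInScheme = "Cookies", // from the question's startup code
            // Each scheme needs its own callback path: two handlers sharing /signin-oidc
            // would both claim the response and the wrong one would fail to unprotect the state.
            CallbackPath = $"/signin-{provider.Scheme}",
            SignedOutCallbackPath = $"/signout-callback-{provider.Scheme}",
        };

        // Run the framework's post-configuration (data-protection formats, back-channel
        // HttpClient, discovery ConfigurationManager) so the handler can validate tokens.
        foreach (var pc in _postConfigure)
        {
            pc.PostConfigure(provider.Scheme, options);
        }
        options.Validate(); // throws on a missing ClientId, bad CallbackPath, etc.

        _optionsCache.TryAdd(provider.Scheme, options);
        _schemes.AddScheme(new AuthenticationScheme(
            provider.Scheme, provider.DisplayName, typeof(OpenIdConnectHandler)));
        return true;
    }

    // Disconnect: removing the scheme stops new challenges and callbacks for it.
    // Cookie sessions already issued through that provider are untouched, so if the
    // provider was compromised those sessions have to be revoked separately.
    public async Task<bool> DisconnectAsync(string scheme)
    {
        if (await _schemes.GetSchemeAsync(scheme) is null)
        {
            return false;
        }
        _schemes.RemoveScheme(scheme);
        _optionsCache.TryRemove(scheme);
        return true;
    }
}
```

Because the question's DefaultChallengeScheme stays "oidc", a dynamically added provider is used by challenging it by name, for example HttpContext.ChallengeAsync("oidc-partner-a", new AuthenticationProperties { RedirectUri = "/" }) from a login action that only offers scheme names present in the admin-controlled store. Removing a scheme from the provider list is the "disconnect"; exposing ConnectAsync and DisconnectAsync only behind an administrator authorization policy is what keeps the trust boundary the warning above describes.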