IdentityServer4 in ASP.NET Core - Ultimate Beginner's Guide

IdentityServer4 in ASP.NET Core - Ultimate Beginner's Guide

Learning about IdentityServer4 in ASP.NET Core and ways to integrate it to build secure solutions. IdentityServer4 is a FREE, Open Source OpenID Connect and OAuth 2.0 framework for ASP.NET Core.

In this article, we will start learning about IdentityServer4 in ASP.NET Core and ways to integrate it to build secure solutions. We will be creating a Working Solution up from scratch taking you across various concepts and implementations of this awesome OpenID Framework. This is Part 1 of the IdentityServer4 in ASP.NET Core Series. You can find the complete source code of the implementation here.

Table of Contents

  • What is IdentityServer4?
    • Identity Server Concept
    • Responsibilities of IdentityServer4
  • IdentityServer4 Templates
  • What we will be Build?
  • Getting Started with IdentityServer4 in ASP.NET Core
  • Installing IdentityServer4 Package to ASP.NET Core Project
  • Adding In-Memory Configuration
    • Test Users
    • Identity Resources
    • API Scopes
    • API Resources
    • Clients
  • Registering IdentityServer4 in ASP.NET Core
    • In-Memory configuration stores
    • Signing Credentials
  • Running IdentityServer4
  • OpenID Discovery Document
    • Fetching Access Tokens with POSTMAN
    • Understanding the Token
  • Securing an ASP.NET Core WebAPI with IdentityServer4
    • Fetching the Token
    • Accessing the API with Access Token
  • Building a Web Client to access the Secured API
  • Summary

What is IdentityServer4?

IdentityServer4 is a FREE, Open Source OpenID Connect and OAuth 2.0 framework for ASP.NET Core. In other words, it is an Authentication Provider for your Solutions. It is a framework that is built on top of OpenID Connect and OAuth 2.0 for ASP.NET Core. The main idea is to centralize the authentication provider. Let’s say you have 5 APIS / Microservices. You really don’t have to define the Authentication Logics in each and every Application. Rather, with IdentityServer4 you get to centralize the Access Control so that each and every APIs are secured by the Central IdentityServer.

Another cool feature is when a client (Web Application) wants to access a secured API, IdentityServer4 generates access tokens seamlessly to make this possible. We will talk about this further in the article.

Identity Server Concept

The idea is quite simple and straight forward. Users use the Clients (Let’s say ASP.NET Core MVC) to access the data. Users will be authenticated by IdentityServer to use the client. Once the users are authenticated to use the Client, the client sends in a request to the API Resource. Remember that both the Client and API Resources are protected by a single entity, the IdentityServer. Client requests for an access token with which it can access the API Responses. This way we are centralizing the Authentication Mechanism to a single server. Quite Interesting, yeah?

Here is a flow as described by IdentityServer documentation.


Responsibilities of IdentityServer4

Identity Server is an all in one Security Solution for your Projects. Here are it’s major features and responsibilities.

  • protect your resources
  • authenticate users using a local account store or via an external identity provider
  • provide session management and single sign-on
  • manage and authenticate clients
  • issue identity and access tokens to clients
  • validate tokens

IdentityServer4 Templates

There are a couple of ways to fire up IdentityServer4 Projects. The most commonly used one is Templates. This is more of a quick start solution where you install the IdentityServer4 templates using your CLI and select a template that automatically creates an implemented project for you.

PS – We will NOT be using this approach in our article, as it hides most of the complexity and you end up not knowing what actually happens behind the scene. We will implement the Server from scratch. Once you are familiar with it’s working, you are ready to use these templates.

Open your Powershell / Command Prompt on a working directory and run the following command which installs the IdentityServer4 templates globally for you.

dotnet new -i identityserver4.templates

identityserver templates

You can see the installed IdentityServer4 templates. Now, to create a new project based off a template, run the following.

dotnet new is4inmem

This creates an implementation of IdentityServer4 in ASP.NET Core using In-Memory User and Configurations. But there will be a lot of code we will not need / understand for our learning purpose. Thus, let’s create it all from scratch so that we understand each and every part of IdentityServer4 implementation.

What we will be Build?

  1. Create an IdentityServer4 Host Project with In-Memory Users & Stores (For Test Purposes)
  2. Build an ASP.NET Core API (This is the Resource to be protected by IdentityServer4)
  3. Build a Web Client that consumes the AP

Getting Started with IdentityServer4 in ASP.NET Core

Let’s start by creating a Blank Solution in Visual Studio 2019 Community.

new solution

Now, into the blank solution add in a new ASP.NET Core Empty Project. Ensure that you have selected the Empty Template. This is project which will host the actual IdentityServer.

new server

new server empty

Installing IdentityServer4 Package to ASP.NET Core Project

To the newly created project, let’s install the IdentityServer4 Package. Run the following command on the Package Manager Console.

Install-Package IdentityServer4

Adding In-Memory Configuration

We will be adding all the Configuration within our code for demonstration purposes. Note that this will not be the case when you integrate IdentityServer4 in production. This is an easier way to understand each and every component. To the root of the IdentityServer Project, add a new class and name it IdentityConfiguration.cs

public class IdentityConfiguration

Test Users

Let’s add a test user to our Configuration File. For demonstration purposes, we will define the user data in code. In another article, we will learn how to integrate Entity Framework and ASP.NET Core Identity to manage users over a database. But for now let’s keep things simple and understand the contexts.

Add in the following to the IdentityConfiguration class. This snippet returns a TestUser with some specific JWT Claims.

public static List<TestUser> TestUsers =>
    new List<TestUser>
        new TestUser
            SubjectId = "1144",
            Username = "mukesh",
            Password = "mukesh",
            Claims =
                new Claim(JwtClaimTypes.Name, "Mukesh Murugan"),
                new Claim(JwtClaimTypes.GivenName, "Mukesh"),
                new Claim(JwtClaimTypes.FamilyName, "Murugan"),
                new Claim(JwtClaimTypes.WebSite, ""),

aspdotnet programming developer

Bootstrap 5 Complete Course with Examples

Bootstrap 5 Tutorial - Bootstrap 5 Crash Course for Beginners

Nest.JS Tutorial for Beginners

Hello Vue 3: A First Look at Vue 3 and the Composition API

Building a simple Applications with Vue 3

Deno Crash Course: Explore Deno and Create a full REST API with Deno

How to Build a Real-time Chat App with Deno and WebSockets

Convert HTML to Markdown Online

HTML entity encoder decoder Online

How long does it take to develop/build an app?

This article covers A-Z about the mobile and web app development process and answers your question on how long does it take to develop/build an app.

Developer Career Path: To Become a Team Lead or Stay a Developer?

For a developer, becoming a team leader can be a trap or open up opportunities for creating software. Two years ago, when I was a developer, ... by Oleg Sklyarov, Fullstack Developer at Skyeng company

Tracking a Developer’s Journey From Documentation Visit

Measuring website activity provides only half the story. See how to best track the developer's journey and what funnel stages makes sense for API-first products

Offshore Software Development - Best Practices

To make the most out of the benefits of offshore software development, you should understand the crucial factors that affect offshore development.

Hire Ruby on Rails Developer | Hire RoR Developer

#1 Ruby on Rails development company. Hire Ruby on rails developer or a team to build secure, scalable and complex web solutions with a quick turnaround time.