OAuth Security on API Server #83
-
IdentityServer version: v7
.NET version: 8
Description: Hi. If we are trying to protect an API server with IdentityServer and we want to allow clients to connect to this using an OAuth flow where the user initiates the authorisation, then must log in on the login page to approve this: to do this, do we need the Enterprise version then, as the clients are infinite? We need a system where the user must log in/approve and MFA the login before the API token is exchanged, and the only way that I can tell is that each user must be set up as a client. Is this correct, the way I understand the requirement and their versions?
Reproduction steps: No response
Expected behavior: No response
Logs: No response
Additional context: No response
Replies: 9 comments
-
With a client we mean the configured clients. A client is the application the user is using. It doesn't matter how many users are involved or how many APIs are used. Example: you have just one application in your organization that needs authentication, which has 1000 users and accesses 5 protected APIs. Then you only need 1 client. Standard edition should suffice if no Business or Enterprise specific features are needed.
-
Thanks for that. Do you have samples for this? I haven't seen anything with an OpenID login where we can generate a client ID and secret and the user can use their own redirect URIs outside these clients: https://login.com/connect/authorize?response_type=code&client_id=YOURCLIENTID&redirect_uri=YOURREDIRECTURI&scope=openid profile email&state=123
-
The redirect URI is used to do a callback on the client. There is no need to have a redirect URI per user. |
-
The user in this case is an outside developer/user trying to access an API via their application, so a redirect URI would be required, usually back to this site after login, unless I'm missing something.
-
The first example has the client requesting tokens as follows:

```csharp
using IdentityModel.Client;

// request token
// `client` is an HttpClient and `disco` is the discovery document
// fetched earlier with client.GetDiscoveryDocumentAsync(...)
var tokenResponse = await client.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
{
    Address = disco.TokenEndpoint,
    ClientId = "client",
    ClientSecret = "secret",
    Scope = "api1"
});

if (tokenResponse.IsError)
{
    Console.WriteLine(tokenResponse.Error);
    Console.WriteLine(tokenResponse.ErrorDescription);
    return 1;
}

Console.WriteLine(tokenResponse.AccessToken);
```

Is this not a unique client that is limited to 5?
-
Yes it is because it requires a configured client in IdentityServer. You're using client credentials flow in this case. That flow doesn't involve a user who has to log in. It uses the token endpoint where the client credentials (id and secret) are sent and the token (just an access token) will be in the response. |
-
I'm looking for that with a user interaction for credentials, like this link; it's just an example of another app using the flow I'm after. I'm assuming, but even though it has a user interaction, is it considered m2m after? https://developer.myob.com/api/myob-business-api/api-overview/authentication/
-
Unless I'm missing something, an interactive login with the clients, where the user requests an access token via their own application, then the user logs in and gives consent, then the app gets the code: this sequence counts as a client, and the LicenseUsageSummary "clients used" shows this as increasing, so that would mean in this scenario we would need Enterprise, which I sort of get, but at the same time for an API server this is way too expensive for this use case.
-
The flow you're describing in your last comment is Authorization Code flow. Here a user is involved, and a client in this context means the application that is being used by the user. That counts as 1 client for your license. It doesn't matter how many users are on that application or how many APIs are called by it.
In your code example, you use client credentials flow. That is for m2m scenarios, where an API or other app from the outside has to call an API protected by the identity provider, for example. No user involved, and each outside app counts as 1 client for your license.
Hope that clears things up for you.
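To make the distinction drawn in the last two replies concrete (one interactive application counts as one client no matter how many users sign in through it, while each headless integration using client credentials is its own client), here is an added example written for this thread. It is not code from the original discussion, from Duende's samples, or from the MYOB documentation linked above. The server half is the Duende IdentityServer `Client` configuration for both kinds of client; the client half drives the Authorization Code flow with PKCE using the same IdentityModel package as the posted client-credentials snippet. The client IDs (`web-portal`, `nightly-sync`), secrets, redirect URI, authority and scope names are assumed placeholders.

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Duende.IdentityServer.Models;
using IdentityModel;
using IdentityModel.Client;

// Server side: this is what the licence counts. Two Client entries, regardless of
// how many end users log in through the first one.
public static class Config
{
    public static readonly ApiScope[] ApiScopes = { new ApiScope("api1", "Protected API") };

    public static readonly Client[] Clients =
    {
        // One interactive application used by every end user: 1 licensed client.
        new Client
        {
            ClientId = "web-portal",                              // assumed name
            ClientSecrets = { new Secret("portal-secret".Sha256()) },
            AllowedGrantTypes = GrantTypes.Code,                  // user logs in (and does MFA) at IdentityServer
            RequirePkce = true,                                   // ties the code to the app that started the flow
            RequireConsent = true,                                // user approves the requested scopes
            // Registered per client, exact match: users do not get their own redirect URIs.
            RedirectUris = { "https://portal.example.com/signin-oidc" },
            AllowedScopes = { "openid", "profile", "email", "api1" },
        },
        // One headless integration with no user: another licensed client.
        new Client
        {
            ClientId = "nightly-sync",                            // assumed name
            ClientSecrets = { new Secret("sync-secret".Sha256()) },
            AllowedGrantTypes = GrantTypes.ClientCredentials,     // token endpoint only, no login page
            AllowedScopes = { "api1" },
        },
    };
}

// Client side of the interactive flow for the "web-portal" application.
public static class AuthCodeClient
{
    private const string ClientId = "web-portal";
    private const string RedirectUri = "https://portal.example.com/signin-oidc";

    // Step 1: build the authorize URL the user's browser is sent to.
    // The PKCE verifier and the state value must be kept (e.g. in the session) until the callback.
    public static async Task<(string Url, string State, string Verifier)> BuildAuthorizeRequestAsync(
        HttpClient http, string authority)
    {
        var disco = await http.GetDiscoveryDocumentAsync(authority);
        if (disco.IsError) throw new InvalidOperationException(disco.Error);

        var verifier = CryptoRandom.CreateUniqueId(32);
        var challenge = Base64Url.Encode(SHA256.HashData(Encoding.ASCII.GetBytes(verifier)));
        var state = CryptoRandom.CreateUniqueId(16);              // unguessable, not a fixed "123"

        var url = new RequestUrl(disco.AuthorizeEndpoint).CreateAuthorizeUrl(
            clientId: ClientId,
            responseType: "code",
            scope: "openid profile email api1",
            redirectUri: RedirectUri,
            state: state,
            codeChallenge: challenge,
            codeChallengeMethod: "S256");

        return (url, state, verifier);
    }

    // Step 2: after login, MFA and consent, IdentityServer redirects the browser back to
    // RedirectUri with ?code=...&state=... . Check state, then redeem the code for tokens.
    public static async Task<TokenResponse> ExchangeCodeAsync(
        HttpClient http, string authority, string code, string returnedState,
        string expectedState, string verifier)
    {
        if (!string.Equals(returnedState, expectedState, StringComparison.Ordinal))
            throw new InvalidOperationException("state mismatch: callback was not started by this session");

        var disco = await http.GetDiscoveryDocumentAsync(authority);
        if (disco.IsError) throw new InvalidOperationException(disco.Error);

        return await http.RequestAuthorizationCodeTokenAsync(new AuthorizationCodeTokenRequest
        {
            Address = disco.TokenEndpoint,
            ClientId = ClientId,
            ClientSecret = "portal-secret",
            Code = code,
            RedirectUri = RedirectUri,                             // must equal the one used in step 1
            CodeVerifier = verifier,                              // proves this app started the flow
        });
    }
}
```

Every user of the portal goes through `BuildAuthorizeRequestAsync` and `ExchangeCodeAsync` with the same `web-portal` client ID, which is why the user count does not touch the licence. The two checks that matter for security are the `state` comparison before the code is redeemed and the PKCE verifier sent with it; IdentityServer enforces the latter because `RequirePkce` is set on the client.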