Protect a single api resource with multiple IDServers
So I have a .NET Core web API, let's call it "CMS", and it's currently protected by an IdentityServer4 server as an API resource. I have configured the ID4 server to have the IDP claim of MyIDP.

For business reasons, I need to give a client their own IdentityServer, but they would also like to have their users access the same API "CMS".

Is this possible?

In the StartUp.cs of my CMS API it currently looks like this:

```csharp
services.AddAuthentication("Bearer")
    .AddIdentityServerAuthentication(options =>
    {
        options.Authority = "http://www.idserver1.com";
        options.RequireHttpsMetadata = true;
        options.ApiName = "cmsapi";
    });
```

So to add protection for another ID server I assume I could just duplicate the AddAuthentication but change the scheme name from Bearer to something else, but that seems wrong?

The reason I think this should be possible is because I have been able to add multiple external providers to my web application in this manner. But this is for a sign-in flow and not for an API.

If this is possible, how do I go about this?
identityserver4
asked Mar 23 at 2:43
drowhunter
1 Answer
This can be achieved quite simply. Suppose you want to issue a separate subdomain for each of your clients: auth0.yourdomain.com, auth1.yourdomain.com, and you want an API resource to respect the token from either of those identity providers.

Assuming that the signing key is the same, you can configure a shared issuer URI on the identity server side in Startup.cs -> ConfigureServices(...):

```csharp
var builder = services.AddIdentityServer(options =>
{
    options.IssuerUri = "auth.yourdomain.com";
})
...
```

And then on the API side you can respect the single issuer URI without having to duplicate authentication schemes:

```csharp
services.AddAuthentication("Bearer")
    .AddIdentityServerAuthentication(options =>
    {
        options.Authority = "auth.yourdomain.com";
        options.RequireHttpsMetadata = true;
        options.ApiName = "cmsapi";
    });
```

One thing I can't remember is if the request scheme (http/https) is inferred for the issuer URI or not, so you might need to specify that as well (https://auth.yourdomain.com). Other than that, this sort of implementation should be quite seamless as far as your clients are concerned.
answered Mar 23 at 13:08
Vidmantas Blazevicius
So 1. auth0.yourdomain.com and auth1.yourdomain.com are two different IdServer4 deployments 2. They use the same signing cert 3. Each has issuerUri set to auth.yourdomain.com 4. On the cmsapi, Authority = auth.yourdomain.com. In step 4, as I understand it, on startup the cmsapi calls https://auth.yourdomain.com to get a public cert so that it can validate the tokens sent to it when an API call is made. So does that mean that I need to have auth.yourdomain.com set up somewhere as a third dedicated issuer Identity Server?
– drowhunter
Mar 24 at 14:37

@drowhunter Ah yeah, I was just checking our implementation and yeah, we just have auth.yourdomain.com hosted as well.
– Vidmantas Blazevicius
Mar 24 at 16:59
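The pieces from the answer and the comment thread, put together as one added example (this is not code from the question, the answer, or the IdentityServer4 project): every per-client IdentityServer4 deployment registers the same issuer URI and the same signing certificate, and the CMS API trusts that single issuer through one authentication scheme. The host names, the `cmsapi` resource name and the `RequireHttpsMetadata` setting come from the thread; the extension method names, the certificate parameters, the `Client` registration and the `https://` scheme on the issuer are assumptions made for this example.

```csharp
// Added example: shared issuer across several IdentityServer4 deployments
// plus the API that validates tokens from any of them. Not code from the
// thread; names marked "assumed" are made up for illustration.
using System.Security.Cryptography.X509Certificates;
using IdentityServer4.Models;
using Microsoft.Extensions.DependencyInjection;

public static class SharedIssuerConfig
{
    // The one issuer that auth0.yourdomain.com and auth1.yourdomain.com both
    // write into their tokens and discovery documents. As the comment thread
    // confirms, this host must actually be served: on startup the API fetches
    // https://auth.yourdomain.com/.well-known/openid-configuration and the
    // JWKS it points to. Scheme included, per the answer's caveat (assumed https).
    public const string SharedIssuer = "https://auth.yourdomain.com";

    // Identity-server side (assumed helper name). Call from
    // Startup.ConfigureServices of every per-client deployment. Every
    // deployment must load the same certificate: the "kid" in a token has to
    // match a key published by the shared discovery document, or the API
    // rejects the token as unsigned by a trusted key.
    public static IIdentityServerBuilder AddSharedIssuerIdentityServer(
        this IServiceCollection services, string pfxPath, string pfxPassword)
    {
        var signingCert = new X509Certificate2(pfxPath, pfxPassword); // assumed PFX

        return services.AddIdentityServer(options =>
            {
                options.IssuerUri = SharedIssuer;
            })
            .AddSigningCredential(signingCert)
            .AddInMemoryApiResources(new[]
            {
                // The API resource the question protects; the "aud" claim of
                // issued access tokens will carry this name.
                new ApiResource("cmsapi", "CMS API")
            })
            .AddInMemoryClients(new[]
            {
                // Assumed client registration; real deployments load these
                // per client from configuration or a store.
                new Client
                {
                    ClientId = "cms-client",
                    AllowedGrantTypes = GrantTypes.ClientCredentials,
                    ClientSecrets = { new Secret("replace-with-real-secret".Sha256()) },
                    AllowedScopes = { "cmsapi" }
                }
            });
    }

    // API side (assumed helper name). One scheme and one authority are
    // enough because all deployments present the same issuer and keys.
    // ApiName makes the handler validate the token's "aud" claim, so a
    // token the shared issuer minted for some other API is still rejected.
    public static IServiceCollection AddCmsApiAuthentication(
        this IServiceCollection services)
    {
        services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = SharedIssuer;
                options.RequireHttpsMetadata = true; // consistent with an https authority
                options.ApiName = "cmsapi";
            });
        return services;
    }
}
```

Two things follow from this layout that are worth checking before adopting it. First, because the deployments share one signing key, a compromise of any one host lets an attacker mint tokens that every other deployment's API will accept, so the private key material should be protected to the standard of the most sensitive tenant and rotated on the same schedule everywhere. Second, the API cannot tell from the issuer which deployment produced a token; if per-client authorization matters, each deployment should stamp a distinguishing claim (the `idp` claim the question mentions, or a tenant claim) so that the API can make that distinction explicitly rather than assuming it from the host a request arrived on.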