In the age of the “personalized web experience”, authentication and user management are a given, and it’s easier than ever to tap into third-party authentication providers like Facebook, Twitter and Google. And it’s not just the wild, wild web that needs it. Businesses need ways to secure their APIs and identify users logged into their applications.
OpenID Connect is a protocol for authenticating users, built with the latest in security technologies. It is a specification by the OpenID Foundation describing the best way for the authentication “handshake” to happen. It lays out what an Identity Provider needs to provide in order to be considered “OpenID Connect Certified”, and that makes it easier than ever to consume authentication as a service.
Why Not Use The Built-In Authentication Providers?
The authentication providers built into ASP.NET Core are outstanding, but there are some shortcomings. First, OAuth is NOT an authentication protocol. I know what you’re thinking: “What?!!?” But it’s not. It is an Authorization Specification, which many modern authentication protocols are built on.
Second, while OAuth does a great job of providing the necessary information for consumers to make authorization decisions, it says nothing about how that information will be exchanged securely. This led to every authentication provider having their own way of exchanging the OAuth information, which has led to a few well-publicized hacks. OpenID Connect fixes these problems by providing an authentication protocol that describes exactly how the exchange of authorization information happens between a subscriber and their provider.
So let’s see how this works.
Nothing Up My Sleeve
We’ll be using Visual Studio Code and the command line (don’t look at me like that, I like coding on my Mac). First, get the dotnet command-line program and Yeoman, then we can get a basic application started by using the Yeoman generator from OmniSharp. After running the yo aspnet command, it asks a couple of questions about the app we want to create.
The most important is to choose: Web Application Basic (without Membership and Authorization). We’re going to do those ourselves.
It should take a few seconds, and you’ll have a simple ASP.NET Core app ready to go. Just follow the instructions that Yeoman displays at the end of the creation to get the app up and running.
Getting an Identity Provider
Now we need an Identity Provider. We’re going to use Google, so we need to set up a client on Google’s Developer Dashboard. Once you’re logged in to your account, select the drop-down at the top right where your account information is and choose “Create a project…” from the bottom of the list.
Choose a name for the project (it could be the same as your ASP.NET project), click the create button and Google should start creating the new project for you.
When the project is created, you should see a Library page. We’ll be using the Google+ API in the Social APIs group. At the very top, click the “ENABLE” link and when it’s done, you should see a box show up right below the button.