IdentityServer Integration

Our integration packages provide a complete turnkey solution for using IdentityServer4, making it easy to provision a complete OpenID Connect solution.

We have pre-built integration for using cloudscribe Core as the user management back end for IdentityServer4, including UI for managing the operational data for clients, API resources, and identity resources. What IdentityServer4 brings to the table is handling for the OpenID Connect protocols and the ability to issue JWT tokens (ID tokens for authentication, access tokens for authorization). JWT authentication can be used for SPA-style (Single Page Application) web applications that talk to web APIs, and even for mobile app authentication.

Use of IdentityServer4 is a complex topic. To learn about it, you should visit the excellent IdentityServer4 documentation.

To get started using cloudscribe with IdentityServer4, you should use our project template for Visual Studio or the .NET Core CLI as discussed in Introduction to cloudscribe, and check the box to include IdentityServer4 integration.

After you create your project, see the readme.html file, which has information about the login credentials and next steps. When you log in as administrator, a new Administration menu item will appear. Most of the menu items shown in the image below are standard cloudscribe Core items, but there are 3 additional items under Security Settings that are added by the IdentityServer4 integration. Specifically, the API Resources, API Clients, and Identity Resources menu items are for creating and managing the operational data for IdentityServer4.

If you have any trouble getting your clients and apis working, you can take a look at the sample solution in our sample repo:

cloudscribe-idserver-nodb - this sample uses NoDb file system storage for its data. I don't recommend NoDb storage for your own IdentityServer application: NoDb is meant for small sites, while IdentityServer is targeted at sites with lots of users, so you should use one of the other 3 data storage options for production. It makes a good demo, though, because NoDb made it easy to ship the sample with data already included. It is pre-configured with data and has working clients already set up for 2 tenants, so it also demonstrates our multi-tenancy support. There is a working Xamarin sample client in the same repository; see the YouTube video below for a guided tour. If you are having trouble getting things working with your clients and APIs, this sample is a good reference to compare against your own setup.

Note that Social Authentication in cloudscribe Core integrates seamlessly with IdentityServer4, so if you set up social authentication, your client applications can also sign in using social authentication providers.

Note also that if you have configured cloudscribe to use LDAP authentication, then any request for an access token made against cloudscribe's IdentityServer4 authentication endpoint will validate the supplied credentials first against the standard cloudscribe user tables and then, only if that fails, against the configured LDAP domain settings.

Some notes on logging out

When logging your client application out, you should use the IdentityServer4 end session endpoint, /connect/endsession (see the IdentityServer4 documentation), as shown:

https://yoursite.com/connect/endsession?id_token_hint=[abc]&post_logout_redirect_uri=https://mycallback.com

where:

yoursite.com is the domain of your cloudscribe IdentityServer4 host,

[abc] is replaced by the lengthy id_token (the raw JWT, not the access token) that was returned to your app by its earlier authorization request (see Authorize Endpoint in the IdentityServer4 documentation),

and https://mycallback.com is replaced with the URL that you wish to return to after a successful logout (for example, this may be a callback into your Xamarin client app).

The callback URL must have been registered for your client as a supported Post Logout Redirect Url, in the API Clients section of the cloudscribe administration settings. Registration is what prevents the endsession endpoint from being used as an open redirect, so only exact URLs you control should be registered.

If all of the above is configured correctly, the user's IdentityServer4 session will be ended and the browser automatically redirected to the callback URL.

If no valid Post Logout Redirect Url is provided (either it is omitted or it is not registered for the client), the user will be taken to cloudscribe's own /account/logout view and prompted to log out manually.
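The logout procedure above, as an added example in Python (this is not cloudscribe or IdentityServer4 code). The first function builds the endsession URL a client should send the browser to, refusing a post_logout_redirect_uri that is not in the client's registered list; the second mirrors, in simplified form, the server-side decision the page describes, redirecting only to a registered URI and otherwise falling back to /account/logout. The host name, the registered URIs and the id_token value are constructed sample data, and the exact, case-sensitive comparison is an assumption about the safe default rather than a statement about cloudscribe's implementation.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample data (not from the page): the cloudscribe/IdentityServer4
# host and the Post Logout Redirect Urls registered for one client under
# Administration > Security Settings > API Clients.
ISSUER = "https://yoursite.com"
REGISTERED_POST_LOGOUT_URIS = frozenset({
    "https://mycallback.com/signout-callback",
    "myxamarinapp://signout",  # custom scheme for a mobile client
})

# Where cloudscribe sends the user when no valid redirect URI was supplied.
MANUAL_LOGOUT_VIEW = "/account/logout"


def is_registered(uri, registered=REGISTERED_POST_LOGOUT_URIS):
    """Exact, case-sensitive comparison against the registered list.

    Assumption: this is the safe default. Prefix, wildcard or case-folded
    matching would let an attacker craft a logout link that lands the user on
    an arbitrary site, turning the endsession endpoint into an open redirect.
    """
    return uri in registered


def build_end_session_url(id_token, post_logout_redirect_uri=None, state=None,
                          issuer=ISSUER, registered=REGISTERED_POST_LOGOUT_URIS):
    """Build the /connect/endsession URL for a client to navigate to.

    id_token is the raw id_token (a JWT) returned by the earlier authorize
    request; it is passed as id_token_hint so the server knows which session
    and which client the request belongs to. An unregistered redirect URI is
    rejected here so the bug surfaces in the client rather than as a surprise
    manual logout page for the user.
    """
    params = {"id_token_hint": id_token}
    if post_logout_redirect_uri is not None:
        if not is_registered(post_logout_redirect_uri, registered):
            raise ValueError(
                f"{post_logout_redirect_uri!r} is not a registered Post Logout Redirect Url"
            )
        params["post_logout_redirect_uri"] = post_logout_redirect_uri
        if state is not None:
            # state is echoed back to the redirect URI, so a client can match
            # the callback to the logout it started.
            params["state"] = state
    return f"{issuer}/connect/endsession?{urlencode(params)}"


def resolve_logout_target(end_session_url, registered=REGISTERED_POST_LOGOUT_URIS):
    """Simplified mirror of the server-side decision described on this page.

    Parse the endsession request and return where the browser is sent after the
    session is ended: the supplied post_logout_redirect_uri if, and only if, it
    is registered for the client; otherwise the manual /account/logout view.
    """
    query = parse_qs(urlsplit(end_session_url).query)
    uri = query.get("post_logout_redirect_uri", [None])[0]
    if uri is not None and is_registered(uri, registered):
        return uri
    return MANUAL_LOGOUT_VIEW


if __name__ == "__main__":
    # A constructed id_token placeholder; a real one is a three-part JWT.
    url = build_end_session_url("eyJhbGciOi.eyJzdWIiOi.c2ln",
                                "https://mycallback.com/signout-callback", state="xyz")
    print(url)
    print(resolve_logout_target(url))
    # A tampered link pointing somewhere unregistered falls back to the manual page.
    tampered = f"{ISSUER}/connect/endsession?" + urlencode(
        {"id_token_hint": "x", "post_logout_redirect_uri": "https://evil.example/"})
    print(resolve_logout_target(tampered))
```

The client-side check is a convenience; the server-side registration check is the one that matters for security, which is why the fallback case is modelled explicitly rather than trusting whatever URI arrives in the query string.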


To learn more about cloudscribe, please see the rest of our documentation
