-
Notifications
You must be signed in to change notification settings - Fork 540
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Introducing the OpenIddict-powered providers #694
Comments
Hi @kevinchalet, I am a bit lost in confusion what you mention OpenIDConnect in comparison to OAuth handlers Isn't OAuth just for granting authorization tokens for resources? how would one use OAuth protocol when he needs Authentication which works via OpenIdConnect protocol only. as far as I understand OpenIDConnect was invented on top of OAuth for the purpose of authentication. How can same thing be achieved via the OAuth and OpenIdConnect protocols? |
Hey,
While it's true that the OAuth 2.0 standard itself is an authorization-only protocol, in practice almost all OAuth 2.0 servers also provide a custom API endpoint that provides information about the user represented by an access token, which serves the same exact purpose as the standard "userinfo endpoint" in the OpenID Connect specification. Just like the Facebook, Microsoft Account or Google providers developed by Microsoft and based on For the extremely rare cases where no user information is available, the OpenIddict client can still be used for pure authorization (i.e performing actions on behalf of the user), but in this case, no |
Update: a majority of providers have been ported to OpenIddict: openiddict/openiddict-core#1801. If you're interested in helping port the remaining services (that I can't port myself due to the painful registration process they all require), feel free to chime in. |
I updated the OP to take the recent improvements made to the OpenIddict client and its web providers into account. Closing. |
Earlier today, the first OpenIddict 4.0 preview was pushed to NuGet.org.
As part of this release, a new client stack was introduced alongside an
OpenIddict.Client.WebIntegration
package that aims at offering an alternative to the aspnet-contrib providers offered in this repository (that will still be developed and maintained).As I suspect many users will wonder whether these new providers could be a nice fit for their applications, here's a list of things that differ between the aspnet-contrib providers and their equivalent in the OpenIddict world:
Instead of being built on top of the ASP.NET Core OAuth 2.0 base handler, these providers are based on the new OpenIddict client, which is a modern dual-protocol client stack that supports both OAuth 2.0 and OpenID Connect and thus is able to adapt its security checks to the protocol(s) supported by the provider (while we've accepted OpenID Connect providers in aspnet-contrib, not all the security checks normally required by the standard have been implemented).
The OpenIddict providers are compatible with more .NET environments than the aspnet-contrib providers: they don't just work on ASP.NET Core (2.1 on .NET Framework, 3.1 on .NET Core, 6.0 and 7.0 on .NET) but they are also natively compatible with OWIN/Katana so they can be used in legacy ASP.NET >= 4.6.1 applications. Starting in OpenIddict 4.1, all the offered providers can also be used in desktop Linux and Windows applications thanks to the
OpenIddict.Client.SystemIntegration
package. For more information, read Introducing system integration support for the OpenIddict client.Unlike the aspnet-contrib providers, most of the code behind the OpenIddict providers is generated using Roslyn Source Generators (e.g the settings, the builder methods, the environments, etc.), which makes them much easier to maintain and will eventually allow supporting more providers while greatly reducing the maintainance burden.
Unlike the ASP.NET Core OAuth 2.0 base handler, the OpenIddict client fully supports OpenID Connect discovery/OAuth 2.0 authorization server metadata, which allows discovering endpoint URLs dynamically, making the OpenIddict-based providers that support discovery more resilient to arbitrary endpoint changes.
The OpenIddict client is - by default - a stateful client that requires configuring a database for two reasons (note: if you already use the server feature, you can share the same DB):
state
size limits enforced by some services (like Twitter).The OpenIddict providers use a
System.Net.Http
integration that relies onIHttpClientFactory
and integrates Polly by default to automatically retry failed HTTP requests based on a built-in policy and thus be less prone to transient network errors.The aspnet-contrib providers use an authentication scheme per provider, which means you can do.[Authorize(AuthenticationSchemes = "Facebook")]
to trigger an authentication dance. In contrast, the OpenIddict client uses a single authentication scheme and requires setting the issuer as an AuthenticationProperties item if multiple providers are registeredFor the same reason, the providers registered via the OpenIddict client are not listed by Identity's.SignInManager.GetExternalAuthenticationSchemesAsync()
and so don't appear in the "external providers" list returned by the default Identity UI. In practice, many users will prefer customizing this part to be more user-friendly, for instance by using localized provider names or logos, which is not something you can natively do withSignInManager.GetExternalAuthenticationSchemesAsync()
anywayThe OpenIddict client doesn't have the "delegate that
ClaimsPrincipal
instance to the cookie handler so it can create an authentication cookie based on it" logic you have in the aspnet-contrib handlers. Instead, you're encouraged to handle the external authentication data -> local authentication cookie creation in your own code, which gives you full control over what's stored exactly in the final authentication cookie:The OpenIddict client doesn't do any claims mapping: all the claims resolved from the identity token/userinfo response are flowed exactly as they were returned and it's up to the user to implement a custom mapping if necessary.The OpenIddict client supports token refreshing so you can easily get new access tokens via
OpenIddictClientService
for providers that enabledgrant_type=refresh_token
:If you're interested in giving the OpenIddict providers a try, feel free to take a look at the sample in the OpenIddict repository.
The following providers will be available in OpenIddict 4.0, but if you'd like to see additional providers supported, please don't hesitate to contribute to the effort 😄
Cheers!
The text was updated successfully, but these errors were encountered: