This post is the third part of a series of blog posts entitled Creating your own OpenID Connect server with ASOS:
- Choosing the right flow(s)
- Registering the middleware in the ASP.NET Core pipeline
- Creating your own authorization provider
- Implementing the resource owner password credentials grant
- Implementing the authorization code and implicit flows
- Adding custom claims and granting scopes
- Testing your authorization server with Postman
In the previous post (Choosing the right flow(s)), we saw the differences between the various OAuth2/OpenID Connect flows. In this one, we'll see how to reference the ASOS package and how to register it in the ASP.NET Core pipeline.
This post was updated to reflect the latest changes introduced in the 1.0.0 RTM version of ASOS.
To reference ASOS, simply add "AspNet.Security.OpenIdConnect.Server": "1.0.0" under the dependencies node of your
You'll also need to add the validation middleware, in charge of verifying/decrypting the tokens produced by ASOS and protecting your API endpoints:
The validation middleware is similar to the JWT bearer middleware developed by the ASP.NET team but was specifically designed to use the encrypted tokens issued by ASOS and to offer a much easier experience (it doesn't require any explicit configuration by default).
Starting with ASOS beta5, JWT is no longer the default format for access tokens, but is still supported natively. To use JWT tokens instead of opaque/encrypted tokens, follow the steps below:
- Remove the reference to
- Remove the validation middleware registration (
- Reference the
- Register the JWT middleware using
options.AccessTokenHandler = new JwtSecurityTokenHandler() to override the default format.
For ASOS to work properly, you need to register the authentication services in the DI container:
public class Startup
Make sure to always put the validation middleware at the top of your pipeline: if the validation middleware is not in the right place, requests won't be correctly authenticated by the time they reach the next middleware (e.g. MVC), which will then see an anonymous user.
The same remark applies to the OpenID Connect server middleware, which must be registered before ASP.NET Core MVC so that it can handle authorization and logout requests before a route could swallow them.
public class Startup
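To tie the DI registration and the ordering rules above together, here is a complete Startup class as an added example; it is not code from the original post or from the ASOS project. It assumes the 1.x package layout (the UseOAuthValidation and UseOpenIdConnectServer extension methods from AspNet.Security.OAuth.Validation and AspNet.Security.OpenIdConnect.Server), an OpenIdConnectServerProvider subclass named AuthorizationProvider (the subject of the next post), and endpoint paths under /connect that you are free to change. The commented-out AccessTokenHandler line shows where the JWT switch described earlier would go.

```csharp
using AspNet.Security.OpenIdConnect.Server;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // ASOS builds on the ASP.NET Core authentication services (data protection
        // and encoders), which it needs to protect the tokens it issues. Register
        // them before anything else.
        services.AddAuthentication();

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // 1. Validation middleware first. It reads the bearer token sent by the
        //    client, decrypts and validates it and populates HttpContext.User,
        //    so every middleware that runs after it (MVC, [Authorize]) sees an
        //    authenticated principal. Register it any lower and MVC would run
        //    with an anonymous user.
        app.UseOAuthValidation();

        // 2. OpenID Connect server middleware next. It owns the authorization,
        //    token and logout endpoints and must see those requests before MVC.
        app.UseOpenIdConnectServer(options =>
        {
            // Assumed: your OpenIdConnectServerProvider subclass, which decides
            // which clients, redirect URIs and grants are accepted.
            options.Provider = new AuthorizationProvider();

            // Assumed endpoint paths; use the ones your clients are configured with.
            options.AuthorizationEndpointPath = "/connect/authorize";
            options.TokenEndpointPath = "/connect/token";
            options.LogoutEndpointPath = "/connect/logout";

            // Optional: switch from the default opaque/encrypted access tokens
            // to JWT (System.IdentityModel.Tokens.Jwt). If you do, replace
            // UseOAuthValidation() above with the JWT bearer middleware, since
            // the validation middleware only understands ASOS's own format.
            // options.AccessTokenHandler = new JwtSecurityTokenHandler();

            // ASOS rejects plain-HTTP requests to its endpoints by default.
            // Relax this only on a local development box, never in production.
            // options.AllowInsecureHttp = true;
        });

        // 3. MVC last, so controllers see the authenticated user and the OIDC
        //    endpoints are never shadowed by an MVC route.
        app.UseMvc();
    }
}
```

A quick check that the order is right: call a controller action decorated with [Authorize] with a valid bearer token and confirm User.Identity.IsAuthenticated is true; if it is false while the token is known to be good, the validation middleware is registered after MVC.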
Next part: Creating your own authorization provider.