Identity Server 4 ClientCredentials with POSTMAN

This tutorial will demonstrate how to set up security within microservices using Identity Server 4 with OpenID. This will use a Client and Secret for microservice to microservice (machine-to-machine) communication that way a compromised microservice can’t interact with resources it’s not authorized to. I will also demonstrate how to use POSTMAN to get tokens, inspect tokens and verify things are set up correctly.

GitHub

GitHub: Identity Server 4 OpenID POSTMAN

What is OpenID Connect (OIDC)?

OpenID Connect is an identity layer built on top of OAuth 2.0 that standardizes authentication and adds capabilities to make it easier and more universal. OAuth is still responsible for authorization, while OpenID Connect is the extension that standardizes authentication by delivering login and profile information in a JSON Web Token (JWT).

Setting Up the Identity Server

This section will walk through creating the Identity Server 4 project and how to configure it for OpenID Connect.

Creating the Project

First you’ll need to install the Identity Server 4 templates.

dotnet new -i identityserver4.templates

After the templates are installed you can create an Identity Server project using dotnet new. If you want to use OAuth for authenticating users you can also add the UI which will include MVC controllers and views. This is not necessary for this tutorial.

Setting Up API Resources and Clients in Config.cs

Startup.cs

In the ConfigureServices() method you will also need to register Config.ApiResources with the Identity Server, otherwise the API name will never appear as an audience in issued tokens.

Chain .AddInMemoryApiResources(Config.ApiResources) onto the services.AddIdentityServer() call.

Microservice API

The goal here is to protect a microservice API from abuse originating inside the cluster by configuring JWT bearer verification. The general idea of protecting microservice-to-microservice (machine-to-machine) communication is to limit the damage a bad actor could do if they hypothetically gained access to the cluster, for example by compromising a container and then calling other microservices in an effort to pivot or gather information.

Install NuGet Package

Microsoft.AspNetCore.Authentication.JwtBearer

Configuring JWT Bearer Verification

There are several ways to set up JWT validation through .NET. I will demonstrate how to do this using the ASP.NET middleware libraries.

Startup.cs – ConfigureServices()

To apply authentication to the entire API it’s easiest to create an Authorization Policy and apply it as an AuthorizeFilter.

Startup.cs – Configure()

Add the code below to the Configure() method. If you skip this step or comment it out, the Identity Server will still issue a valid JWT, but the API will keep returning 401 Unauthorized even when that valid token is presented, because the bearer token is never read from the request.
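As an added example (not the tutorial's own Startup.cs and not IdentityServer4 project code), here is the API side of the steps above in one file. It assumes the Identity Server listens on https://localhost:5001 and that the ApiResource registered in Config.cs is named weatherapi; both values are placeholders for your own setup.

```csharp
// Startup.cs for the protected microservice (added example, not the tutorial's own file).
// Assumed values (not from the page): Identity Server at https://localhost:5001 and
// an ApiResource named "weatherapi".
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Every request must carry a token authenticated by the JWT bearer scheme.
        var apiPolicy = new AuthorizationPolicyBuilder(JwtBearerDefaults.AuthenticationScheme)
            .RequireAuthenticatedUser()
            .Build();

        // Applying the policy as a global AuthorizeFilter protects all controllers;
        // individual actions can opt out with [AllowAnonymous].
        services.AddControllers(options => options.Filters.Add(new AuthorizeFilter(apiPolicy)));

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Discovery document and signing keys are fetched from the Authority,
                // and the token's "iss" claim must match it.
                options.Authority = "https://localhost:5001";
                // "aud" must contain this ApiResource name, so a token minted for a
                // different microservice is rejected here even though it is validly signed.
                options.Audience = "weatherapi";
                options.TokenValidationParameters.ValidateAudience = true;
                // Tight skew keeps "exp"/"nbf" meaningful; the default is 5 minutes.
                options.TokenValidationParameters.ClockSkew = TimeSpan.FromSeconds(30);
            });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseRouting();
        // Order matters: UseAuthentication must come before UseAuthorization, otherwise
        // the bearer token is never read and even a valid token gets a 401.
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

A quick check that the audience restriction works: request a token in POSTMAN for a scope belonging to a different ApiResource and confirm this API still answers 401.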

Using POSTMAN to Verify OpenID/OAuth Works

POSTMAN is a great tool for interacting with APIs and has full support for OpenID/OAuth.

Creating a GET Request

We will first need to set the URL of the GET request to https://localhost:5011/WeatherForecast. You may need to update the port here; this is the port for the microservice and can be found in the Properties of the project. Sending the request without a token should fail with a 401 Unauthorized HTTP status response. This is expected.

(401 Unauthorized)

Getting a Token

In order to get a JWT (Bearer Token), you will need to select the Authorization tab, set the type to OAuth 2.0 and configure it with the settings below. You may have to scroll down on the right to get to this section; look for “Configure New Token”. Set the Grant Type to Client Credentials (the flow this tutorial uses), and be sure to set the Client ID, Client Secret, and the Scopes requested.

The next window that will popup displays that the token has been generated and authorization with the Identity Server was successful. Click “proceed” or just wait…

On the next screen you should copy the JWT Token so you can inspect it at jwt.io.

Great Success!

At this point the Bearer Token (JWT) is being sent along with the request to GET WeatherForecast, and the API accepts it.

Inspecting Tokens

Inspecting the JWT is easy. Hop over to jwt.io, paste in the token, and you can see the header and the claims it carries.

https://jwt.io/

Reserved Claims

These are the reserved (registered) claims that the API uses to validate a JWT; a mismatch in iss or aud, or a timestamp outside the exp/nbf window, causes the token to be rejected even if its signature is valid.

  • iss – Issuer of the JWT (must match the Authority configured in the API).
  • sub – Subject of the JWT.
  • aud – Audience (defined under ApiResources in Identity Server).
  • exp – Expiration time, in seconds since the Unix epoch.
  • nbf – Not-before time.
  • iat – Issued-at time.
  • jti – Unique identifier for the JWT (JWT ID).

Further Reading

https://developer.okta.com/blog/2019/10/21/illustrated-guide-to-oauth-and-oidc
https://openid.net/
https://auth0.com/docs/tokens/json-web-tokens/json-web-token-claims