Identity as a Service (IDaaS) — ASP.NET Core API & Okta

This is the third article in a series on Identity as a Service (IDaaS). In this article, we are going to see how to configure an ASP.NET Core API to validate the identities of its users using Okta.

For this example, we need the app that we developed in the previous article, Identity as a Service (IDaaS) — Okta & ASP.NET Core. In addition, we will continue using Visual Studio 2017 Community Edition.

All code for this example is available on GitHub.

Protecting API Access

The objective of these examples is to add the necessary validations to the API developed in ASP.NET Core so that it accepts only invocations from apps that have a valid user signed in.

This example uses Web Apps, but it is very simple to do the same for a Single Page App written in JavaScript or for a Mobile app. The important thing is the propagation of the token from the client to the API, which validates it before returning the result of the invocation.

This is one of the best aspects of the OAuth 2.0 and OIDC model. Each layer of our apps does not have to trust whoever contacts it; there is only a relationship of trust with the identity provider. The key element of the model is the JWT (JSON Web Token).

This relationship of trust is achieved through the publication of configuration parameters that are public for any service that wants to use them. New services and layers can be added to our ecosystem without modifying existing services.

Something to keep in mind when we create or modify an API Controller in ASP.NET Core is that the [Authorize] attribute can be applied to a particular method or to the whole class. When it is applied to the entire class, every method in it requires the caller to meet the access criteria before responding.
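The following is an added example, not the article's own code, of how the trust relationship described above is wired up in an ASP.NET Core 2.x API using the standard JwtBearer middleware: the API is pointed at the identity provider's metadata and validates incoming tokens against the published keys, and [Authorize] is applied at class level with one action opened up explicitly. The Okta domain, authorization server path and audience are placeholders that must be replaced with your own values.

```csharp
// Startup.cs for an ASP.NET Core 2.x API (Visual Studio 2017 template)
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Placeholders: replace with your Okta org and authorization server.
        const string oktaAuthority = "https://{yourOktaDomain}/oauth2/default";
        const string apiAudience = "api://default";

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // The middleware fetches the OIDC discovery document and the
                // signing keys from the authority, so tokens are verified against
                // Okta's published keys and the API holds no shared secret.
                options.Authority = oktaAuthority;
                options.Audience = apiAudience;          // reject tokens minted for other APIs
                options.RequireHttpsMetadata = true;     // the default; never relax it in production
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateLifetime = true,             // expired tokens are refused
                    ClockSkew = TimeSpan.FromMinutes(2)  // tighter than the 5-minute default
                };
            });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication(); // must run before MVC so [Authorize] sees the validated user
        app.UseMvc();
    }
}

// Whole controller protected; a single action is opened up on purpose.
[Authorize]
[Route("api/[controller]")]
public class ValuesController : Controller
{
    [HttpGet] public IActionResult Get() => Ok(new[] { "value1", "value2" });

    [AllowAnonymous]
    [HttpGet("health")] public IActionResult Health() => Ok("up");
}
```

A request to /api/values without a valid bearer token now gets a 401 from the middleware before the action runs, while /api/values/health stays reachable for monitoring.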

Thanks for reading!!!

The complete article is available in DZone Security
Article in Spanish


All views expressed are my own and do not represent opinions of any entity whatsoever with which I have been, am now, or will be affiliated