I have 2 API, 1 MVC Web App and IdentityServer App in my project.
Local ports :
IdentityServer : https://localhost:1000
API 1 : https://localhost:2000
API 2 : https://localhost:3000
Client : https://localhost:4000
In terms of MVC Web App, its Startup.cs Authentication service is like this;
services.AddAuthentication(_ =>
{
DefaultScheme = "...";
DefaultChallengeScheme = "oidc";
})
.AddCookie("...", options => options.AccessDeniedPath = "/home/accessdenied")
.AddOpenIdConnect("oidc", _ =>
{
_.SignInScheme = "...";
_.Authority = "https://localhost:1000";
_.ClientId = "...";
_.ClientSecret = "...";
_.ResponseType = "code id_token";
_.GetClaimsFromUserInfoEndpoint = true;
_.SaveTokens = true;
_.Scope.Add("offline_access");
_.Scope.Add("...");
_.Scope.Add("...");
_.Scope.Add("...");
});
In MVC Web app, there is a Controller like this;
[Authorize]
public async Task<IActionResult> PayMoney()
{
var authenticationProperties = (await HttpContext.AuthenticateAsync()).Properties.Items;
string accessToken = authenticationProperties.FirstOrDefault(x => x.Key == ".Token.access_token").Value;
HttpClient httpClient = new HttpClient();
httpClient.DefaultRequestHeaders.Add("Authorization", $"Bearer {accessToken}");
HttpResponseMessage responseMessage = await httpClient.GetAsync("https://localhost:2000/api/.....");
string total = await responseMessage.Content.ReadAsStringAsync();
return View();
}
at this point, I run the apps all together. After that I call PayMoney(above) and then project redirects me to IdentityServer Login Page (Account/Login) with ReturnUrl because I am not authenticated and authorized.
But I want to use the login page of MVC App instead of IdentityServer project's Quickstart.UI Login Page
Is it possible? And when I researched people say I should use 'Resource Owner Password' but it is not secure for my project...
Does anyone have any idea about this ??
CodePudding user response:
In OpenID Connect you are not supposed to let the client application see/touch the users username/password. Instead it is by design that the user should be redirected to the identity provider for authentication.
As a client, I would not trust to give my credentials to individual clients, instead you only want to do that to someone you as a user trusts.