Open in app

Sign in

Write

Sign in

Security with OAuth2, OpenID Connect, and JWT in .NET Microservices: Product and Order Services

DotNet Full Stack Dev
3 min readAug 5, 2024

--

In microservices architecture, securing communication between services and clients is crucial. OAuth2, OpenID Connect, and JWT (JSON Web Token) are commonly used standards to ensure secure authentication and authorization. This blog explains how to implement these standards in a .NET microservices environment, focusing on Product and Order services.

Embark on a journey of continuous learning and exploration with DotNet-FullStack-Dev. Uncover more by visiting our https://dotnet-fullstack-dev.blogspot.com reach out for further information.

Introduction to OAuth2, OpenID Connect, and JWT

OAuth2: An authorization framework that allows third-party services to exchange user credentials for an access token. This token can be used to access protected resources.

OpenID Connect (OIDC): An authentication layer built on top of OAuth2, providing identity verification in addition to authorization.

JWT: A compact, URL-safe means of representing claims between two parties. In OAuth2 and OIDC, JWTs are often used as access tokens, encapsulating claims and metadata.

Architecture Overview

Components:

  • OAuth2 Authorization Server: Issues access tokens.
  • OpenID Connect Provider: Extends OAuth2 to include authentication.
  • Product Service: A protected resource requiring a valid token.
  • Order Service: Another protected resource requiring a valid token.
  • Client: Consumes the Product and Order services.

Setting Up OAuth2 Authorization Server

The OAuth2 Authorization Server handles user authentication and issues access tokens. For this example, we’ll use IdentityServer4 as the Authorization Server.

IdentityServer4 Configuration:

Install NuGet Packages:

dotnet add package IdentityServer4
dotnet add package IdentityServer4.AspNetIdentity

Configure IdentityServer in Startup.cs:

public void ConfigureServices(IServiceCollection services)
{
    services.AddIdentityServer()
        .AddInMemoryClients(Clients)
        .AddInMemoryIdentityResources(IdentityResources)
        .AddInMemoryApiResources(ApiResources)
        .AddInMemoryApiScopes(ApiScopes)
        .AddDeveloperSigningCredential();

    services.AddControllersWithViews();
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    app.UseIdentityServer();
}

private static IEnumerable<Client> Clients =>
    new List<Client>
    {
        new Client
        {
            ClientId = "product-client",
            ClientSecrets = { new Secret("secret".Sha256()) },
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            AllowedScopes = { "product.read", "order.read" }
        }
    };

private static IEnumerable<ApiScope> ApiScopes =>
    new List<ApiScope>
    {
        new ApiScope("product.read"),
        new ApiScope("order.read")
    };

private static IEnumerable<ApiResource> ApiResources =>
    new List<ApiResource>
    {
        new ApiResource("product-api") { Scopes = { "product.read" } },
        new ApiResource("order-api") { Scopes = { "order.read" } }
    };

private static IEnumerable<IdentityResource> IdentityResources =>
    new List<IdentityResource>
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile()
    };

Implementing Product and Order Services

Product Service:

Install NuGet Packages:

dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer

Configure Authentication in Startup.cs:

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication("Bearer")
        .AddJwtBearer("Bearer", options =>
        {
            options.Authority = "https://localhost:5001";
            options.Audience = "product-api";
        });

    services.AddControllers();
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    app.UseRouting();
    app.UseAuthentication();
    app.UseAuthorization();
    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
    });
}

Secure Controller:

[ApiController]
[Route("[controller]")]
public class ProductController : ControllerBase
{
    [HttpGet]
    [Authorize]
    public IActionResult Get()
    {
        return Ok(new { Product = "Product details" });
    }
}

Order Service: The configuration for the Order service is similar to the Product service, with changes specific to the Order API.

OpenID Connect Integration

To use OpenID Connect for authentication, configure the Authorization Server with OpenID Connect endpoints. IdentityServer4 automatically sets up these endpoints.

Client Configuration: To authenticate users and obtain user information, configure the client to use the Authorization Code flow with OpenID Connect.

private static IEnumerable<Client> Clients =>
   new List<Client>
   {
       new Client
       {
           ClientId = "mvc-client",
           ClientSecrets = { new Secret("secret".Sha256()) },
           AllowedGrantTypes = GrantTypes.Code,
           RedirectUris = { "https://localhost:5002/signin-oidc" },
           PostLogoutRedirectUris = { "https://localhost:5002/signout-callback-oidc" },
           AllowedScopes = new List<string>
           {
               IdentityServerConstants.StandardScopes.OpenId,
               IdentityServerConstants.StandardScopes.Profile,
               "product.read"
           }
       }
   };

JWT Tokens

In this setup, JWT tokens are issued by the IdentityServer and consumed by the Product and Order services. The tokens contain claims, such as the user’s identity and the scopes of the token, which the services validate.

Token Validation: The Product and Order services validate incoming JWT tokens to ensure they are signed by the Authorization Server and contain the necessary claims.

Testing and Deployment

Start IdentityServer4 (OAuth2 and OpenID Connect provider).

Start Product and Order Services.

Obtain a JWT Token:

  • Request a token using the client credentials or authorization code flow.
  • Example request:
curl -X POST "https://localhost:5001/connect/token" \
-d "client_id=product-client&client_secret=secret&grant_type=client_credentials&scope=product.read"

Access Protected Resources:

  • Use the obtained JWT token to access the Product and Order services.
  • Example request:
curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" "https://localhost:5003/product"

Conclusion

In this blog, we explored securing .NET microservices using OAuth2, OpenID Connect, and JWT. By implementing IdentityServer4 as the Authorization Server, we achieved a robust security layer that supports both authentication and authorization. The Product and Order services were secured by validating JWT tokens, ensuring only authorized clients could access the resources.

This setup provides a flexible and scalable way to manage security in microservices, allowing for easy integration with various identity providers and support for different types of clients (web, mobile, etc.). It also centralizes user authentication and authorization, simplifying the management of user identities and access control policies across the microservices architecture.

Oauth2
Openid
Jwt Token
Microservices
Dotnet

--

--

DotNet Full Stack Dev
DotNet Full Stack Dev

Written by DotNet Full Stack Dev

688 Followers
0 Following

Join me to master .NET Full Stack Development & boost your skills by 1% daily with insights, examples, and techniques! https://dotnet-fullstack-dev.blogspot.com

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams