Previous month:
November 2012
Next month:
March 2013

January 2013

Ain’t no IIS: Self-hosting thinktecture IdentityServer v2 – a simple proof-of-concept

There have been a couple of people asking for a sample how to host the ‚non-visual' parts of thinktecture IdentityServer v2 outside of IIS & ASP.NET. E.g. in a Windows or a Console (no, not really…) application.

Here on GitHub you will find a very simple simple PoC which hosts the OAuth2 token endpoint. That said, it is obviously by no means feature complete.
This endpoint uses ASP.NET Web API and thus self-hosting is kinda piece of cake.

namespace SelfHostConsoleHost
{
    internal class SelfHostServer
    {
        private HttpSelfHostServer selfHost;

        [Import]
        public IConfigurationRepository ConfigurationRepository { get; set; }

        public async void Start(string baseAddress)
        {
            var httpConfig = new HttpSelfHostConfiguration(baseAddress);

            Database.SetInitializer(new ConfigurationDatabaseInitializer());

            Container.Current = new CompositionContainer(new RepositoryExportProvider());
            Container.Current.SatisfyImportsOnce(this);

            ProtocolConfig.RegisterProtocols(httpConfig, ConfigurationRepository);

            selfHost = new HttpSelfHostServer(httpConfig);

            await selfHost.OpenAsync();
        }

        public async void Stop()
        {
            if (selfHost != null)
            {
                await selfHost.CloseAsync();
            }
        }
    }
}

As said, it just offers one endpoint:

namespace SelfHostConsoleHost
{
    public class ProtocolConfig
    {
        public static void RegisterProtocols(HttpConfiguration httpConfiguration, IConfigurationRepository configuration)
        {
            // necessary hack for now - until the DI implementation has been changed
            var a = Assembly.Load("Thinktecture.IdentityServer.Protocols");
 
            var clientAuthConfig = CreateClientAuthConfig();

            httpConfiguration.MessageHandlers.Add(new RequireHttpsHandler());

            if (configuration.OAuth2.Enabled)
            {        
                httpConfiguration.Routes.MapHttpRoute(
                    name: "oauth2token",
                    routeTemplate: Thinktecture.IdentityServer.Endpoints.Paths.OAuth2Token,
                    defaults: new { controller = "OAuth2Token" },
                    constraints: null,
                    handler: new AuthenticationHandler(clientAuthConfig, httpConfiguration)
                );
            }
        }
 
        public static AuthenticationConfiguration CreateClientAuthConfig()
        {
            var authConfig = new AuthenticationConfiguration
            {
                InheritHostClientIdentity = false,
                DefaultAuthenticationScheme = "Basic",
            };

            // accept arbitrary credentials on basic auth header,
            // validation will be done in the protocol endpoint
            authConfig.AddBasicAuthentication((id, secret) => true, retainPassword: true);
 
            return authConfig;
        }
    }
}

Again: the code is here: Self-Hosted IdentityServer v2 PoC

Hope this helps.


Running thinktecture IdentityServer v2 in a Windows Azure Web Role – from zero to hero (a walkthrough)

OK, I think a couple of you guys already did it successfully – others just look for something written. Here we go.

Let's start right away by browsing to GitHub and clone the IdentityServer.v2 repo:

After cloning we have the following code structure in Windows Explorer:

Open Thinktecture.identityServer.sln as an elevated admin (for the Windows Azure Compute Emulator to work correctly). Build the entire solution.

No, choose Add… New project… and add a new Cloud project to the solution.

In the Cloud Service dialog do not choose any new project, just hit OK.

We now add the existing IdSrv WebSite project as a Web Role to the Windows Azure project, just like so:…

For now, the solution should look something like this:

Alright. On to some essential Cloud stuff now.

We need an SSL certificate. I am going to use an existing self-issued cert from my local machine. This of course needs to be a 'real' certificate if you deploy IdSrv as a production STS to Windows Azure – of course

Please head over to WebSite role configuration and the Certificates tab. Specify your desired certificate:

Based on this certificate we now create an SSL endpoint:

OK, this should be it for now.

Let's attack the database side of things. We need a SQL database for our identity configuration and data. I am going to create a new one via the Windows Azure management portal:

Please make a note of the connection string for your SQL database as we still need to change the connection strings inside IdentityServer's configuration files.

Then open up connectionString.config in the Configuration folder inside the WebSite project and adjust the connection strings to point to your SQL database in the Cloud:

 

<connectionStrings>
    <add name="IdentityServerConfiguration"
    connectionString="Server=tcp:….database.windows.net,1433;
    Database=idsrvcloud;User ID=christian@…;Password=...;
    Trusted_Connection=False;Encrypt=True;Connection Timeout=30;"
    providerName="System.Data.SqlClient" />

    <add name="ProviderDB"
    connectionString="Server=tcp:….database.windows.net,1433;
    Database=idsrvcloud;User ID=christian@…;Password=...;
    Trusted_Connection=False;Encrypt=True;Connection Timeout=30;"
    providerName="System.Data.SqlClient" />
</connectionStrings>

… drum roll …

F5 (with the Cloud project as the startup project) and pray …

Enter the basic setup information you need to enter and you should be good to go. This locally running instance inside Windows Azure Compute Emulator already uses the Cloud SQL database – just for the records.

Done… well almost … I am spilling the beans already now so that we can save some cycles.

There is an issue with the Membership hash algorithm type on Cloud VMs.

  • Locally: HMACSHA256
  • Azure Cloud Emulator: HMACSHA256
  • Published to Cloud Service: SHA1

So it looks like there must some machine.config setting in Cloud Service images – Microsoft is investigating this.

For us it means we need to set the keys explicitly in web.config (you can use a tool like this):

<system.web>
    <machineKey
        decryptionKey="46CD6B691..."
        validationKey="EC4752081..."
        decryption="AES"
        validation="HMACSHA256" />
...

OK.

After that we need to export the SSL cert, anyways, so that we can upload it to the Cloud Service , e.g. via the management portal.

And then, we finally can publish & deploy to Windows Azure:

After approx. 8 to 10 minutes we have our thinktecture IdentityServer v2 running up in the Cloud.

Hope this helps.