Ivan Fioravanti - 378 - Nov 18, 2014

I need to perform authentication and authorization in ServiceStack using a custom OAuth 2 server. Any hint on how to deal with this?

It was asked earlier on: https://plus.google.com/106942440029912035091/posts/QM7e3sA1tEV

Don’t think anyone’s built an OAuth server with just SS so I think the best approach is to implement it in a hybrid MVC4 + SS web app.

Ivan Fioravanti:

I’ve seen it, the problem with that solution is that auth server is MVC4 based while I’d like to have everything SS4 based.

Right, although rather than spend effort trying to impl it with pure SS + DNOA, I’d treat it as its own separate service and have clients authenticate with it as if it were an external 3rd party OAuth provider. We even did this at StackOverflow where we used a separate MVC instance to provide our own OAuth server option, even though all web apps were using MVC.

Carlos Mendes:

Ivan, I think you can also use Identity Server v3 as a standalone OAuth2 server: https://github.com/thinktecture/Thinktecture.IdentityServer.v3

+Demis Bellot do you have any plans to support OpenId Connect?

Jezz Santos:

Hi Ivan, I will jump in and offer my help, if either you need just guidance or code samples.
I also struggled through the process of deciding what to do and then how to build a standalone AuthZ server with SS + DNOA (no MVC) that turned out to be satisfactory.
I’d be happy to share with you, and save a ton of time crafting the necessary pieces. Just ping me back if you are interested.

Ivan Fioravanti:

Wow Jezz, you did it without MVC? SS only? Super. We started to explore the MVC way, but if your solution works I prefer it a lot! If you can help us I’ll ping you directly. Thx!

+Jezz Santos Sweet, an example of pure SS + DNOA solution would be awesome - would love to add stand-alone example and host it as a Live Demo at https://github.com/ServiceStackApps/LiveDemos :)

+Carlos Mendes No one’s been asking for it on: http://servicestack.uservoice.com/forums/176786-feature-requests - so it’s not on any roadmap, what auth providers would it enable?

Jezz Santos:

+Carlos Mendes I think the answer to your question is that it enables a custom AuthZ provider. So for example, we are a product company and we want to support OAuth2 (because we want to use OAuth as a technical solution to SSO), but we have learned that we also need to manage people’s credentials, not because we like to build custom software and it’s technically fun to do such a thing (believe me it’s not), but because some of our customers prefer to have a discrete login with us, that does not require them to cross-pollinate their identity on other social sites (Facebook, Google etc). They of course also have that option if they want it, but nowadays some people just don’t want to tie their Facebook/Twitter/Google account to some sensitive services.

Jezz Santos:

To the requests, I am happy to open source the SS+DNOA AuthZ solution. Might take some investment in time, must prioritize. Happy to engage in questions and guidance at all times though.

Jezz Santos:

+Ivan Fioravanti +Demis Bellot Guys, I have extracted the AuthZ server from our product, and intend to share on GitHub, but I have one problem. We are using Azure and AzureTableStorage as our backend store for various bits of config for the server as well as the accounts and tokens.
For simplicity, I don’t think you want me to bring along all that baggage with the sample (far too complex for the sample).
Can you please suggest a persistence store/library I could use instead to get this going? Something that does not distract the person trying to understand the AuthZ part?
P.S. Depending on what you recommend, I might need some of your guidance, if it’s not familiar to me. But let’s see what you say first.

+Jezz Santos Cool, IMO the easiest approach is to extract the storage API behind a clean interface and just ship with an in-memory impl - anyone wanting to use a different backend can implement their preferred data storage backend.

Otherwise if it’s not much extra effort, you can use an OrmLite back-end, that way the demo can use the Sqlite in-memory provider so people can run the demo without any additional config or access to an existing RDBMS, whilst making it easier for them to configure it to use their preferred RDBMS when they want to.
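
The storage-behind-an-interface approach suggested above, as an added example that is not part of the thread and is not Jezz's or ServiceStack's code. All type names are hypothetical, and it assumes the stored values are single-use codes that may be redeemed at most once, only by the client they were issued to, and only before they expire:

```csharp
using System;
using System.Collections.Concurrent;
// Hypothetical names: ITokenStore, StoredToken, InMemoryTokenStore are illustrative only.
public sealed class StoredToken
{
    public string Value { get; set; }
    public string ClientId { get; set; }
    public DateTime ExpiresUtc { get; set; }
}
public interface ITokenStore
{
    void Save(StoredToken token);
    // Returns the token once; null if unknown, expired, replayed or wrong client.
    StoredToken Redeem(string value, string clientId, DateTime nowUtc);
}
public sealed class InMemoryTokenStore : ITokenStore
{
    private readonly ConcurrentDictionary<string, StoredToken> tokens =
        new ConcurrentDictionary<string, StoredToken>(StringComparer.Ordinal);

    public void Save(StoredToken token)
    {
        if (!tokens.TryAdd(token.Value, token))
            throw new InvalidOperationException("duplicate token value");
    }

    public StoredToken Redeem(string value, string clientId, DateTime nowUtc)
    {
        StoredToken token;
        // TryRemove is atomic: of two concurrent redemptions only one succeeds.
        if (value == null || !tokens.TryRemove(value, out token)) return null;
        // A failed check below leaves the value removed, so it cannot be retried.
        if (token.ExpiresUtc <= nowUtc) return null;
        return token.ClientId == clientId ? token : null;
    }
}
public static class Demo
{
    public static void Main()
    {
        var store = new InMemoryTokenStore();
        var now = new DateTime(2014, 11, 18, 12, 0, 0, DateTimeKind.Utc); // constructed
        store.Save(new StoredToken { Value = "code-1", ClientId = "app", ExpiresUtc = now.AddMinutes(5) });
        Console.WriteLine(store.Redeem("code-1", "app", now) != null); // first redemption
        Console.WriteLine(store.Redeem("code-1", "app", now) != null); // replay of same value
    }
}
```

A database-backed implementation of the same interface has to keep `Redeem` atomic as well, for example by deleting the row and checking the affected-row count inside one statement or transaction.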

Jezz Santos:

Yep, inMem should be easily done. Will look at OrmLite as an alternative if needed.