ServiceStack and Authentication in the 5.5 era

Greetings,

We are overhauling our authentication and authorization strategy for a large application over the next few months. Version 5.5 seems to bring a lot of new options to ServiceStack. Besides our internal credentials-based authentication, we need to support using our clients’ identity providers for SSO, i.e. being a service provider for SAML SSO (via ADFS and 3rd party SSO providers that our clients use).

Our current plan for authentication is to create a SAML authentication plugin for ServiceStack (via ComponentOne tools) and then use ServiceStack to generate a JWT for use by our client applications [ Winforms, Mobile (Xamarin), and JS SPA ] when calling the SS API. We’ll create custom authorization services in ServiceStack as well for the fine-grained, dynamic permission system we need.

But I’m reading about the new Microsoft Identity integration and IdentityServer integrations in ServiceStack as well. I’m having trouble figuring out if these new features would be of use for us. Any reason to use these over ServiceStack’s built-in authentication system? Would either of these approaches get us SAML SSO at lower cost than ComponentOne or without having to roll our own SS authentication provider?

I appreciate any advice.

I’d recommend asking for Microsoft identity solutions on StackOverflow as you’re more likely to find devs with experience with Microsoft Auth to answer.

Sounds like the important part you need to find out is the best/easiest way to achieve what you need with Microsoft Auth. v5.5’s NetCoreIdentityAuthProvider provides an adapter that will let you convert ASP.NET’s Claims Identity Auth into a ServiceStack Session to authenticate ServiceStack Services.

I think a new AuthProvider plugin will work better for us as we don’t have an MVC or EF Core dependency right now and aren’t eager to add them. Is there a way I can get at the underlying HttpRequest / HttpResponse before ServiceStack processing in my AuthProvider? ComponentSpace is recommending implementing my own classes for IHttpRequest, IHTTPResponse that expose the request/response through ServiceStack for their handler functions to access. See: https://www.componentspace.com/Forums/10040/RE-Using-ComponentSpace-SAML-with-ServiceStack#bm10044

If successful, I’d like to make the new AuthProvider available if it would be useful to anyone else. (It will, of course, have a dependency on the commercial ComponentSpace product).

You can access the Request/Response objects via all the available custom hooks in the Request Pipeline but you’re not going to be able to substitute them out.

I don’t know what their 2nd option entails but you can use .NET Core middleware the same as any other .NET Core Application so IMO that would be the cleanest approach:

“The third option is to use our SAML authentication handler middleware. However, I’m not sure if ASP.NET Core authentication handlers are supported in ServiceStack.”

ServiceStack itself is just another middleware in a .NET Core Application which is what you’re doing when you register ServiceStack in your .NET Core App, i.e.:

app.UseServiceStack(new AppHost { 
    AppSettings = new NetCoreAppSettings(Configuration)
}); 

So you can register any other middleware before ServiceStack to have it run before a ServiceStack request.
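
Added example, not part of the original thread and not ServiceStack's or ComponentSpace's code: the ordering described in the last reply, with a middleware registered ahead of ServiceStack that reads the raw HttpContext on a SAML assertion consumer endpoint and fails closed. The `ISamlValidator` interface, the `/saml/acs` path and the `saml.nameid` item key are hypothetical; the validator stands in for whichever SAML library performs the actual validation.

```csharp
using System.Threading.Tasks;
using Funq;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using ServiceStack;

// Hypothetical seam for the SAML library: returns the validated NameID, or null
// when the signature, issuer, audience or validity-window check fails.
public interface ISamlValidator { Task<string> ValidateAsync(string base64Response); }

public class AppHost : AppHostBase
{
    public AppHost() : base("Example", typeof(AppHost).Assembly) { }
    public override void Configure(Container container) { }
}

public class Startup
{
    private readonly IConfiguration configuration;
    public Startup(IConfiguration configuration) => this.configuration = configuration;

    // Assumption: an ISamlValidator implementation is registered in ConfigureServices
    // (not shown); ASP.NET Core injects it into Configure.
    public void Configure(IApplicationBuilder app, ISamlValidator saml)
    {
        // Registered first, so it runs before ServiceStack and sees the raw HttpContext.
        app.Use(async (context, next) =>
        {
            // "/saml/acs" is a hypothetical assertion consumer service path.
            if (!context.Request.Path.StartsWithSegments("/saml/acs")) { await next(); return; }

            string nameId = null;
            if (HttpMethods.IsPost(context.Request.Method) && context.Request.HasFormContentType)
            {
                var form = await context.Request.ReadFormAsync();
                string response = form["SAMLResponse"]; // field name used by the SAML HTTP-POST binding
                if (!string.IsNullOrEmpty(response))
                    nameId = await saml.ValidateAsync(response);
            }
            if (nameId == null)
            {
                // Fail closed: an unvalidated assertion never reaches ServiceStack.
                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
                return;
            }
            context.Items["saml.nameid"] = nameId; // hypothetical key for downstream handlers
            await next();
        });
        app.UseServiceStack(new AppHost { AppSettings = new NetCoreAppSettings(configuration) });
    }
}
```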