Create Identity Provider without Identity Server

Prathamesh Shende 421 Reputation points
2025-03-26T09:54:59.88+00:00

Hi,
I am learning something new and want to develop an identity provider similar to IdentityServer4.

I am making quite some progress.

The client project is Blazor OIDC, and Microsoft does it on Community Standup live.

Auth Server is IdentityProvider.

The current scenario is that the client app is authorized, so it will redirect to the auth server, but after the auth server is authorized and successfully logged in, it will not redirect to the client. And the client is still not authorized.

Help me to resolve this issue and get my client authorized.

I am sharing my git repos.
Here is the AuthServer, named Hoot: "https://github.com/imprathamesh/Hoot.git", and this is the client app: "https://github.com/imprathamesh/BlazorOidc.git"


Accepted answer
  1. Bruce (SqlWork.com) 75,051 Reputation points
    2025-03-26T23:01:57.36+00:00

    you don't appear to have coded the flow correctly

    • the blazor app will redirect to the auth server passing a reply url (redirect_uri), scope, state and code challenge. the reply url is typically the client action that processes the client authentication. in your code this is /authorize
    • the auth server validates the reply url, and displays a login page. your server redirects
    • the user fills in the login page and posts
    • on post if valid, the auth server redirects back to the passed reply url with a code
    • the client site uses the code to call back to the auth site to get the user credentials
    • if valid the client site creates a cookie and redirect to the client page that needed authentication. typically this information is passed as a query string on the reply url sent in step 1.

    your /authorize action has several issues.

    • you are creating the code and passing in the return url. but the code is a key to the login. your ValidateAuthorizationCode() is supposed to convert the code to a user, when the client calls /TokenExchange with the code. but your code doesn't update the dictionary
    • after login you are supposed to return to the reply url passing the code. your code doesn't do this.

    as you are using razor page login, you probably want a new connection action that does this. it should require authorization and will use the httpcontext user (set by the razor login page) to get user information. if the action is called /authorize/postlogin then the return url would be something like:

     var returnUrl = $"/authorize/postlogin?state={state}&redirect_uri={redirect_uri}";
     var loginUrl = $"https://localhost:7098/account/login?returnurl={WebUtility.UrlEncode(returnUrl)}";


    then in the /authorize/postlogin action, you would generate the code and redirect back to the client:

    [HttpGet("authorize/postlogin")]
    public async Task<IActionResult> PostLogin(
            [FromQuery] string redirect_uri,
            [FromQuery] string state,
            [FromQuery] string code_challenge,
            [FromQuery] string code_challenge_method)
    {
        // create code from user & code_challenge and store for later TokenExchange call
        var code = ....;

        // append the code and the client's state to the reply url, honouring an existing query string
        return Redirect($"{redirect_uri}{(redirect_uri.Contains('?') ? "&" : "?")}code={code}&state={state}");
    }


    the client would then call /TokenExchange with the code and the verification for the stored code_challenge.
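An added example, not code from the Hoot repo or from the answer above, of the store that links the two halves of the flow the answer describes: /authorize/postlogin issues a code bound to the user, client, redirect_uri and code_challenge, and /TokenExchange redeems it once while verifying the PKCE code_verifier. The type names (AuthCodeStore, AuthCodeEntry) and the five-minute lifetime are assumptions.

```csharp
// Added example: in-memory authorization-code store with PKCE (RFC 7636) verification.
// AuthCodeStore / AuthCodeEntry are hypothetical names, not part of the Hoot project.
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

public sealed record AuthCodeEntry(
    string UserId, string ClientId, string RedirectUri,
    string CodeChallenge, string CodeChallengeMethod, DateTimeOffset ExpiresAt);

public static class AuthCodeStore
{
    private static readonly ConcurrentDictionary<string, AuthCodeEntry> Codes = new();

    // Called from /authorize/postlogin after the razor login page has set HttpContext.User.
    public static string Issue(string userId, string clientId, string redirectUri,
                               string codeChallenge, string codeChallengeMethod)
    {
        // 32 random bytes, base64url-encoded: unguessable and safe inside a query string.
        var code = Base64Url(RandomNumberGenerator.GetBytes(32));
        Codes[code] = new AuthCodeEntry(userId, clientId, redirectUri, codeChallenge,
                                        codeChallengeMethod, DateTimeOffset.UtcNow.AddMinutes(5));
        return code;
    }

    // Called from /TokenExchange. Returns the user id, or null if the exchange must be refused.
    // TryRemove runs before any check, so a code is consumed on its first use, valid or not.
    public static string? Redeem(string code, string clientId, string redirectUri, string codeVerifier)
    {
        if (!Codes.TryRemove(code, out var entry)) return null;          // unknown or already used
        if (entry.ExpiresAt < DateTimeOffset.UtcNow) return null;         // stale code
        if (entry.ClientId != clientId || entry.RedirectUri != redirectUri) return null;

        // PKCE: for S256 the challenge is BASE64URL(SHA256(code_verifier)); for "plain" it is the verifier itself.
        var expected = entry.CodeChallengeMethod == "S256"
            ? Base64Url(SHA256.HashData(Encoding.ASCII.GetBytes(codeVerifier)))
            : codeVerifier;

        // Constant-time comparison; different lengths simply compare unequal.
        var ok = CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(expected), Encoding.ASCII.GetBytes(entry.CodeChallenge));
        return ok ? entry.UserId : null;
    }

    private static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}
```

In the answer's flow, PostLogin would call `AuthCodeStore.Issue(...)` where the snippet has `var code = ....;`, and /TokenExchange would call `Redeem(...)` with the client's code_verifier before issuing any token.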


1 additional answer

  1. Bruce (SqlWork.com) 75,051 Reputation points
    2025-03-27T15:53:17.6833333+00:00
