# OpenIddict
### The OpenID Connect server you'll be addicted to.
[](https://ci.appveyor.com/project/openiddict/openiddict-core)
[](https://travis-ci.org/openiddict/openiddict-core)
### What's OpenIddict?
OpenIddict aims at providing a **simple and easy-to-use solution** to implement an **OpenID Connect server in any ASP.NET Core application**.
### Why an OpenID Connect server?
Adding an OpenID Connect server to your application **allows you to support token authentication**.
It also allows you to manage all your users using local password or an external identity provider
(e.g. Facebook or Google) for all your applications in one central place,
with the power to control who can access your API and the information that is exposed to each client.
### How does it work?
OpenIddict is based on **[ASP.NET Core Identity](https://github.com/aspnet/Identity)** (for user management) and relies on
**[AspNet.Security.OpenIdConnect.Server (codenamed ASOS)](https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Server)** to control the OpenID Connect authentication flow.
OpenIddict fully supports the **code/implicit/hybrid flows** and the **client credentials/resource owner password grants**. For more information about these terms, please visit the **[OpenID website](http://openid.net/specs/openid-connect-core-1_0.html)** and read the **[OAuth2 specification](https://tools.ietf.org/html/rfc6749)**.
Note: OpenIddict uses **[Entity Framework Core](https://github.com/aspnet/EntityFramework)** by default, but you can also provide your own store.
--------------
## Getting started
To use OpenIddict, you need to:
- **Install the latest [.NET Core tooling](https://www.microsoft.com/net/download) and update your packages to reference the RC2 final packages**.
- **Have an existing project or create a new one**: when creating a new project using Visual Studio's default ASP.NET Core template, using **individual user accounts authentication** is strongly recommended. When updating an existing project, you must provide your own `AccountController` to handle the registration process and the authentication flow.
- **Add the appropriate MyGet repositories to your NuGet sources**. This can be done by adding a new `NuGet.Config` file at the root of your solution:
```xml
```
- **Update your `project.json`** to reference `AspNet.Security.OAuth.Validation` and `OpenIddict`:
```json
"dependencies": {
"AspNet.Security.OAuth.Validation": "1.0.0-alpha2-final",
"OpenIddict": "1.0.0-*"
}
```
- **Configure the OpenIddict services** in `Startup.ConfigureServices`:
```csharp
public void ConfigureServices(IServiceCollection services) {
services.AddMvc();
services.AddDbContext(options =>
options.UseSqlServer(Configuration["Data:DefaultConnection:ConnectionString"]));
// Register the Identity services.
services.AddIdentity()
.AddEntityFrameworkStores()
.AddDefaultTokenProviders();
// Register the OpenIddict services, including the default Entity Framework stores.
services.AddOpenIddict()
// Enable the token endpoint (required to use the password flow).
.EnableTokenEndpoint("/connect/token")
// Allow client applications to use the grant_type=password flow.
.AllowPasswordFlow()
// During development, you can disable the HTTPS requirement.
.DisableHttpsRequirement();
}
```
> **Note:** for more information about the different options and configurations available, check out
[Configuration and options](https://github.com/openiddict/core/wiki/Configuration-and-options)
in the project wiki.
- **Add OpenIddict and the OAuth2 token validation middleware in your ASP.NET Core pipeline** by calling `app.UseOAuthValidation()` and `app.UseOpenIddict()` after `app.UseIdentity()` and before `app.UseMvc()`:
```csharp
public void Configure(IApplicationBuilder app) {
app.UseIdentity();
app.UseOAuthValidation();
app.UseOpenIddict();
app.UseMvc();
}
```
> **Note:** `UseOpenIddict()` must be registered ***after*** `app.UseIdentity()` and the external social providers.
- **Update your `ApplicationUser` entity model to inherit from `OpenIddictUser`**:
```csharp
public class ApplicationUser : OpenIddictUser { }
```
- **Update your Entity Framework context to inherit from `OpenIddictDbContext`**:
```csharp
public class ApplicationDbContext : OpenIddictDbContext {
public ApplicationDbContext(DbContextOptions options)
: base(options) {
}
}
```
> **Note:** although recommended, inheriting from `OpenIddictDbContext` is not mandatory. Alternatively, you can also create your own context and manually add the entity sets needed by OpenIddict:
```csharp
public class ApplicationDbContext : IdentityDbContext {
public ApplicationDbContext(DbContextOptions options)
: base(options) {
}
public DbSet Applications { get; set; }
public DbSet Authorizations { get; set; }
public DbSet Scopes { get; set; }
public DbSet Tokens { get; set; }
}
```
> **Note:** if you change the default entity primary key (e.g. to `int` or `Guid` instead of `string`), make sure to register your Entity Framework context using the overload accepting a `TKey` generic argument:
```csharp
services.AddOpenIddict, ApplicationDbContext, int>()
```
## Enabling interactive flows support
- **Create your own authorization controller and your own views**:
To **enable authorization code/implicit flows support, you must create your own controller** and your own views/view models. The Mvc.Server sample comes with an [`AuthorizationController` that you can easily reuse in your application](https://github.com/openiddict/openiddict-core/blob/dev/samples/Mvc.Server/Controllers/AuthorizationController.cs).
- **Enable the corresponding flows in the OpenIddict options**:
```csharp
public void ConfigureServices(IServiceCollection services) {
// Register the OpenIddict services, including the default Entity Framework stores.
services.AddOpenIddict()
// Enable the authorization and token endpoints (required to use the code flow).
.EnableAuthorizationEndpoint("/connect/authorize")
.EnableTokenEndpoint("/connect/token")
// Allow client applications to use the code flow.
.AllowAuthorizationCodeFlow()
// During development, you can disable the HTTPS requirement.
.DisableHttpsRequirement();
}
```
- **Register your client application**:
```csharp
using (var context = new ApplicationDbContext(
app.ApplicationServices.GetRequiredService>())) {
context.Database.EnsureCreated();
if (!context.Applications.Any()) {
context.Applications.Add(new OpenIddictApplication {
// Assign a unique identifier to your client app:
Id = "48BF1BC3-CE01-4787-BBF2-0426EAD21342",
// Assign a display named used in the consent form page:
DisplayName = "MVC Core client application",
// Register the appropriate redirect_uri and post_logout_redirect_uri:
RedirectUri = "http://localhost:53507/signin-oidc",
LogoutRedirectUri = "http://localhost:53507/",
// Generate a new derived key from the client secret:
Secret = Crypto.HashPassword("secret_secret_secret"),
// Note: use "public" for JS/mobile/desktop applications
// and "confidential" for server-side applications.
Type = OpenIddictConstants.ClientTypes.Confidential
});
context.SaveChanges();
}
}
```
## Support
**Need help or wanna share your thoughts? Don't hesitate to join our dedicated chat rooms:**
- **JabbR: [https://jabbr.net/#/rooms/aspnet-contrib](https://jabbr.net/#/rooms/aspnet-contrib)**
- **Gitter: [https://gitter.im/openiddict/openiddict-core](https://gitter.im/openiddict/openiddict-core)**
## Contributors
**OpenIddict** is actively maintained by **[Kévin Chalet](https://github.com/PinpointTownes)**. Contributions are welcome and can be submitted using pull requests.
## License
This project is licensed under the **Apache License**. This means that you can use, modify and distribute it freely. See [http://www.apache.org/licenses/LICENSE-2.0.html](http://www.apache.org/licenses/LICENSE-2.0.html) for more details.