Skip to content

mjarosie/SaturnWithIdentityServerClientCredentials

BranchesTags

Repository files navigation

How to build this application

  1. Make sure you have installed the version of .Net SDK defined in global.json
  2. Trust the ASP.NET Core HTTPS development certificate by invoking dotnet dev-certs https --trust (see the documentation, you might have to do something else if you're not running Windows/macOS)
  3. Run dotnet tool restore to restore all necessary tools
  4. Run dotnet fake build -t Run to start the application in watch mode (automatic recompilation and restart at file save)

How to test the Client Credentials flow

You can do it from your command line by running cURL commands:

# Send a request to the public, unprotected endpoint:
curl --request GET --url 'https://localhost:8085/api/hello/'

# Send a request to the protected endpoint without attaching the access token (in Authorization header).
# You should get 401 Unauthorized:
curl --request GET --url 'https://localhost:8085/api/hello/test'

# Retrieve an access token:
curl --request POST --url 'https://localhost:5001/connect/token' `
--header 'content-type: application/x-www-form-urlencoded' `
--data 'grant_type=client_credentials&client_id=client&client_secret=secret&scope=api1'

# Send a request to the protected endpoint with the access token attached:
curl --request GET --url 'https://localhost:8085/api/hello/test' `
--header 'Authorization: Bearer <paste the access token here>'

You can make your life easier by extracting the access token with jq into a variable:

Powershell:

# Retrieve an access token and store it into a variable:
$access_token = curl --request POST --url 'https://localhost:5001/connect/token' `
--header 'content-type: application/x-www-form-urlencoded' `
--data 'grant_type=client_credentials&client_id=client&client_secret=secret&scope=api1' `
| jq .access_token

# Send a request to the protected endpoint with the access token attached:
curl --request GET --url 'https://localhost:8085/api/hello/test' `
--header "Authorization: Bearer $access_token"

Bash:

# Retrieve an access token and store it into a variable:
access_token=$(curl --request POST --url 'https://localhost:5001/connect/token' \
--header 'content-type: application/x-www-form-urlencoded' \
--data 'grant_type=client_credentials&client_id=client&client_secret=secret&scope=api1' \
| jq .access_token)

# Send a request to the protected endpoint with the access token attached:
curl --request GET --url 'https://localhost:8085/api/hello/test' \
--header "Authorization: Bearer ${access_token}"

About

A demo of securing an API written in Saturn Framework with Client Credentials Flow and IdentityServer4

mjarosie.github.io/dev/2020/09/24/securing-saturn-framework-api-with-identityserver4-client-credentials.html

Topics

fsharp identityserver4 saturn-framework client-credentials-flow

Resources

Readme
Activity

Stars

1 star

Watchers

2 watching

Forks

1 fork
Report repository

Languages