OAuth2 and Open ID Connect – Part 2

Demo Project Walkthrough

In part 1 we looked at how to use OpenID Connect and OAuth2 with Thinktecture’s Identity Server and how to use an access token to access a protected resource.  In this part we’ll have a look at the code and explain how it works and hopefully you’ll then be in a position to integrate the approach with your own applications.

The demo projects are available on github:


The repository contains three solutions. The first project you’ll need is the Identity Server itself. The readme on the github page explains how to get the server up and running so no need to repeat that information here. This is a copy of the thinktecture repo taken at the time of writing.  The only change we’ve made is to add an additional client with the id ‘net2client’.

The host project contains a config folder which defines some scopes, clients and users.  You can leave these as they are for now, we’ll be logging in as ‘bob’.

As we mentioned in part 1 we’re trying to integrate an asp.net 2.0 application with OAuth2.  There are no libraries for handling tokens, specifically json web tokens (JWT) for .net 2.0 and we’re not cleared to use javascript yet.  However, it’s not a problem to obtain tokens from .net 2.0 as all we need to do is issue our request to the identity server authorization endpoint and the AspNet20OAuth2 project in the repo does just that.

There is a page called SignIn which has a button marked ‘Sign In On Identity Server’.  This performs the redirect to the identity server.  It specifies the page SignInCallback as the redirect url for the identity server to use once authorization is complete.  To sign in we must ensure that the identity server is running.  In the .net 2.0 project we specify the client id ‘net2client’ and as mentioned above our copy of the identity server repo has added that additional client to those already configured which support the samples repo.  The client section also specifies a redirectUris property where redirects can be registered and so we have registered the callback page.

RedirectUris = new List
//site specifies this url as the return url when it
//writes the redirect url in the query string
//of the authorization url
new Uri("http://localhost:58276/SignInCallback.aspx")

We also need to ensure that the OAuthHelperApi is running.  This is part of the MyReallyUsefulWebApi solution (though it would probably sit better within the AspNet20OAuth2 solution as this is where it is used).  The OAuthHelperApi has a controller called ValidateController which is used to validate the id token because .Net 2.0 lacks libraries that can handle JWTs. So, with both the identity server and the OAuthHelperApi running the AspNet20OAuth2 application is able to authenticate and obtain authorization.

The callback page displays the tokens once they have been validated.  Validating and decrypting the access_token is done via the identity server’s access token validation endpoint:

string authorizeUrl =

This functionality is built in to identity server.  The resource server hosting your protected API should validate the access token but I’ve done it in the client just so we can see what it contains.

We must validate the id token as this is proof of authentication and allows the client to trust the access token.  We’ve shamelessly plundered the identity server samples for the id token validation and because it uses .net 4.5 JWT libraries we’ve provided the OAuthHelperApi.  Token validation is then very straightforward and conforms to the OpenID Connect spec, section  ID Token Validation:

private List ValidateToken(string token, string nonce)
var parameters = new TokenValidationParameters
ValidAudience = "net2client",
ValidIssuer = "https://idsrv3.com",
IssuerSigningToken = new X509SecurityToken(X509.LocalMachine
.Find("CN=idsrv3test", false)

SecurityToken jwt;
var id = new JwtSecurityTokenHandler()
.ValidateToken(token, parameters, out jwt);

if (id.FindFirst("nonce").Value != nonce)
throw new InvalidOperationException("Invalid nonce");

return id.Claims.ToList();

This article has explained where the demo projects can be found and what they do.  We have an identity server, a client web application which redirects the user to the identity server to authenticate and grant authorization and finally a webapi which exists to validate the id_token as the web application uses asp.net 2.0.  In the next article we’ll look at how to use the access token to access a protected resource.


About maz100

I'm interested in the music called jazz, photography, my wife and two daughters, food, wine, software design and furniture...to name but a few.
This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s