
A modular .NET 8 solution implementing secure authentication and authorization using IdentityServer, Razor Pages, and Web API. Features custom scopes, claim-based access, and a clean three-layer architecture for modern OAuth2/OpenID Connect flows.


khonakdaiforgit/Auth2


🔐 .NET 8 OAuth2/OpenID Connect Architecture

OAuth 2.0 is an open standard for authorization. OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation.

A clean, modular authentication and authorization system built with .NET 8, featuring:

  • ✅ Duende IdentityServer as AuthServer, with a login page
  • ✅ Razor Pages ClientApp with custom login flow
  • ✅ Secure ApiServer with claim-based access
  • ✅ Token-based authentication using OAuth2 & OpenID Connect

🧱 Architecture Overview

+-------------+        +------------------+        +-----------------+
|  ClientApp  | <----> |    AuthServer    | <----> |    ApiServer    |
| (Razor UI)  |        | (IdentityServer) |        | (Protected API) |
+-------------+        +------------------+        +-----------------+

  • ClientApp: Razor Pages app that authenticates users via AuthServer and consumes protected APIs.
  • AuthServer: IdentityServer4 implementation with custom scopes, claims, and test users.
  • ApiServer: ASP.NET Core Web API secured via JWT Bearer tokens and claim-based policies.

🚀 Features

  • 🔐 OAuth2 & OpenID Connect via Duende IdentityServer, with password and authorization_code flows
  • 🧾 Custom scopes (api1, profile, offline_access) and claims (name, email)
  • 🧠 Claim-based access control in ApiServer
  • 🎨 Bootstrap-styled login UI
  • 🧪 Token inspection endpoint for debugging

🔧 Configuration Highlights

✅ IdentityServer (AuthServer)

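// API scope; the listed user claims are included in access tokens issued for api1
new ApiScope("api1", "My API", new[] { "name", "email" });

// Identity resource for the standard 'profile' claims ('name', etc.);
// 'email' belongs to IdentityResources.Email(), not Profile()
new IdentityResources.Profile();

// In-memory test user with the claims the API expects (development only)
new TestUser
{
    Username = "mohammad",
    Password = "1234",
    Claims = new List<Claim>
    {
        new Claim("name", "Mohammad"),
        new Claim("email", "[email protected]")
    }
}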

✅ ClientApp (Razor Pages)

  • Uses HttpClient to request tokens
  • Stores access token in cookie/session
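  • Sends token to ApiServer with each request

services.AddAuthentication(options => {
    // Local sign-in state lives in a cookie; unauthenticated users are challenged via OIDC
    options.DefaultScheme = "Cookies";
    options.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies")
.AddOpenIdConnect("oidc", options => {
    options.Authority = "https://localhost:5001"; // AuthServer base URL
    options.ClientId = "clientapp";
    options.ResponseType = "code";                // authorization_code flow
    options.Scope.Add("api1");                    // access to the protected API
    options.Scope.Add("profile");                 // user profile claims
    options.Scope.Add("offline_access");          // request a refresh token
});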

✅ ApiServer

  • Secured with JWT Bearer
  • Reads claims from token
  • Example endpoint:

// Requires an authenticated caller, then echoes the claims from the validated token
[Authorize]
[HttpGet]
public IActionResult Get()
{
    var claims = User.Claims.Select(c => new { c.Type, c.Value });
    return Ok(claims);
}
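
One way to wire up the JWT Bearer validation and claim-based policy described for ApiServer, as an added example (not the repository's Program.cs). It assumes the Microsoft.AspNetCore.Authentication.JwtBearer package, the authority URL from the ClientApp snippet above, Duende's default access-token settings (`at+jwt` type, one `scope` claim per scope), and a hypothetical policy name and route.

```csharp
// Added example: minimal ApiServer Program.cs (not the repository's file).
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Issuer and signing keys are discovered from AuthServer's metadata.
        // URL taken from the ClientApp snippet on this page.
        options.Authority = "https://localhost:5001";
        // Keep claim types as issued ("name", "email", "scope").
        options.MapInboundClaims = false;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            // Only an ApiScope is configured, so no API-specific audience
            // exists to validate; the scope policy below checks the target API.
            ValidateAudience = false,
            // Accept access tokens only, never identity tokens.
            ValidTypes = new[] { "at+jwt" },
            NameClaimType = "name"
        };
    });

builder.Services.AddAuthorization(options =>
{
    // "Api1WithEmail" is a hypothetical policy name.
    options.AddPolicy("Api1WithEmail", policy =>
    {
        policy.RequireAuthenticatedUser();
        policy.RequireClaim("scope", "api1"); // token was issued for this API
        policy.RequireClaim("email");         // claim listed on the api1 ApiScope
    });
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical route: returns the caller's claims only when the policy passes.
app.MapGet("/secure", (ClaimsPrincipal user) =>
        user.Claims.Select(c => new { c.Type, c.Value }))
   .RequireAuthorization("Api1WithEmail");

app.Run();
```

A token that is valid but lacks the `api1` scope or the `email` claim gets 403 from this route, while a missing or invalid token gets 401.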

🧪 How to Run

  1. Clone the repo
  2. Run AuthServer, then ClientApp, then ApiServer
  3. Navigate to ClientApp and log in with test credentials
  4. Access protected API and inspect token claims

📁 Folder Structure

/AuthServer
  - Config.cs
  - TestUsers.cs

/ClientApp
  - Pages/Login.cshtml
  - Startup.cs

/ApiServer
  - Controllers/SecureController.cs
  - Program.cs

📌 TODOs

  • Add refresh token support
  • Integrate real user database
  • Add role-based authorization
  • Deploy with HTTPS and Docker

🧑‍💻 Author

Mohammad — Minimalist creator, full-stack architect, and poetic brand builder.
Crafted with ❤️ and precision.


📜 License

MIT — feel free to use, modify, and share.
