Auth Server Template

The template used for creating an Auth Server using the `add authserver` or `new domain` commands.

For more information on Duende and how to configure an auth server, please see their docs.

Add Auth Server Template Properties

NameRequiredDescriptionDefaultNotes
NameYesThe name of your auth serverNone
PortYesA 4 digit integer that designates your auth server port.None
ScopesNoA list of the api Scopes that you'd like to add to your auth server.None
ClientsNoA list of the various clients (applications) using your auth server.None
ApisNoA list of the apis that will be using your auth server. This would generally be a boundary scaffolded by an add bc commandNone

Scopes

NameRequiredDescriptionDefaultNotes
NameYesThe name of the api scope.None
DisplayNameYesThe user friendly name of this scope.None
UserClaimsNoThe claims you'd like to add for your user.None

Clients

NameRequiredDescriptionDefaultNotes
IdYesThe client id for this app.None
NameYesThe name of your clientNone
SecretsNoA list of secrets you'd like to add to your client.Random Guid
GrantTypeNoThe grant type to dictate which auth flow you want to configure. Can be set to ClientCredentials or Code. Case insensitive.Code
RedirectUrisYesA list of strings to determine your acceptable callback URIs. This is generally going to be your front end client.None
PostLogoutRedirectUrisYesA list of strings to determine your acceptable post logout URIs. Again, this is generally going to be your front end client.None
AllowedCorsOriginsYesA list of strings to determine the allowed origins to accommodate CORS.None
FrontChannelLogoutUriYesSpecifies logout URI at client for HTTP front-channel based logout.None
AllowOfflineAccessNoDetermines whether or not this client is accessible offline.true
RequirePkceNoSpecifies whether a proof key is required for authorization code based token requests.true
RequireClientSecretNoIf set to false, no client secret is needed to request tokens at the token endpoint.true
AllowedScopesNoSpecifies the api scopes that the client is allowed to request. If empty, the client can't access any scope.If Code grant, openid & profile, otherwise None

Apis

NameRequiredDescriptionDefaultNotes
NameYesThe name of the api.None
DisplayNameYesThe user friendly name of this api.None
ScopeNamesYesThe names of the scopes that this api cares about. This should match with values in the Name property of a Scope.None
SecretsNoA list of secrets you'd like to add to your api.Random Guid
UserClaimsNoThe claims you'd like to add for your api by default.openid profile

Add Auth Server Template Examples

Adding a Auth Server with Your Domain

In this example, I'm setting up an auth server on port 3385 with a single client for my swagger page. I also add the recipe management api since that will have protected endpoints configured for this auth server. Finally, we have read only and individual feature permissions for the features.

DomainName: CarbonKitchen
BoundedContexts:
  - ProjectName: RecipeManagement
    # db context info here
    Entities:
      - Name: Recipe
        Features:
          - Type: GetList
            IsProtected: true
            PermissionName: CanReadRecipes
          - Type: GetRecord
            IsProtected: true
            PermissionName: CanReadRecipes
          - Type: AddRecord
            IsProtected: true
          - Type: UpdateRecord
            IsProtected: true
          - Type: DeleteRecord
            IsProtected: true
        Properties:
          # entity properties here
    Environment:
      Authority: https://localhost:3385
      Audience: recipe_management
      AuthorizationUrl: https://localhost:3385/connect/authorize
      TokenUrl: https://localhost:3385/connect/token
      ClientId: recipemanagement.swagger
      ClientSecret: 974d6f71-d41b-4601-9a7a-a33081f80687
AuthServer:
  Name: CarbonAuthServer
  Port: 3385
  Clients:
    - Id: recipemanagement.swagger
      Name: RM Swagger
      Secrets:
        - 974d6f71-d41b-4601-9a7a-a33081f80687
      GrantType: Code
      RedirectUris:
        - "https://localhost:5375/swagger/oauth2-redirect.html"
      PostLogoutRedirectUris:
        - "http://localhost:5375/"
      AllowedCorsOrigins:
        - "https://localhost:5375"
      FrontChannelLogoutUri: "http://localhost:5375/signout-oidc"
      AllowOfflineAccess: true
      RequirePkce: true
      RequireClientSecret: true
      AllowPlainTextPkce: false
      AllowedScopes:
        - recipe_management
        - role
        - openid
        - profile
  Scopes:
    - Name: recipe_management
      DisplayName: Recipes Management - API Access
  Apis:
    - Name: recipe_management
      DisplayName: Recipe Management
      ScopeNames:
        - recipe_management
      Secrets:
        - 4653f605-2b36-43eb-bbef-a93480079f20
      UserClaims:
        - openid
        - profile
        - role

If you were configuring a Duende BFF, the clinet might look like this:

Clients:
  - Id: react.bff
    Name: React BFF
    Secrets:
      - b7449b67-f691-4200-a944-9787b02da60a
    GrantType: Code
    RedirectUris:
      - "https://localhost:bffPort/signin-oidc"
    PostLogoutRedirectUris:
      - "https://localhost:bffPort/signout-callback-oidc"
    AllowedCorsOrigins:
      - "https://localhost:apiPort"
      - "https://localhost:bffPort"
    FrontChannelLogoutUri: "https://localhost:bffPort/signout-oidc"
    AllowOfflineAccess: true
    RequirePkce: true
    RequireClientSecret: true
    AllowPlainTextPkce: false
    AllowedScopes:
      - recipemanagement.readonly
      - recipemangement.fullaccess
      - openid
      - profile

Adding a Auth Server to an Existing Project

If you've already created your Wrapt project and want to add an Auth Server after the fact, you can use the add authserver command to scaffold it out as well. This looks the same as above, you just need the auth server part:

AuthServer:
  Name: CarbonAuthServer
  Port: 3385
  Clients:
    - Id: recipemanagement.swagger
      Name: RM Swagger
      Secrets:
        - 974d6f71-d41b-4601-9a7a-a33081f80687
      GrantType: Code
      RedirectUris:
        - "https://localhost:5375/swagger/oauth2-redirect.html"
      PostLogoutRedirectUris:
        - "http://localhost:5375/"
      AllowedCorsOrigins:
        - "https://localhost:5375"
      FrontChannelLogoutUri: "http://localhost:5375/signout-oidc"
      AllowOfflineAccess: true
      RequirePkce: true
      RequireClientSecret: true
      AllowPlainTextPkce: false
      AllowedScopes:
        - recipemanagement.readonly
        - recipemangement.fullaccess
        - openid
        - profile
  Scopes:
    - Name: recipemanagement.readonly
      DisplayName: Recipes - Read Only
      UserClaims:
        - recipes.read
    - Name: recipemangement.fullaccess
      DisplayName: Recipes - Full Access
  Apis:
    - Name: recipe_management
      DisplayName: Recipe Management
      ScopeNames:
        - recipemanagement.readonly
        - recipemangement.fullaccess
      Secrets:
        - 4653f605-2b36-43eb-bbef-a93480079f20
      UserClaims:
        - openid
        - profile