I had been playing around with the OpenIddict library for a small side project of mine, where I want to make use of the OAuth 2.0 Authorization Code flow + PKCE. In addition to this, I also went with following the "backend for frontend" design.
I was happy to learn the author of the library wrote a blog post pertaining to the new OpenIddict client. I went with registering my client on my backend-for-frontend app (which is a confidential client with both a secret and client id) https://kevinchalet.com/2022/02/25/introducing-the-openiddict-client/
My question is, if you have registered an OpenIddict client, which has multiple RedirectUri's, how do you add those redirectUri's, when you register your clients on the consuming app (i.e.: the backend for fronend)?
On my authorization server, I make use of a hosted service to create the OpenIddict client, which is persisted to my database. Below is a snippet of that code:
public async Task StartAsync(CancellationToken cancellationToken)
{
using var scope = _serviceProvider.CreateScope();
var dbContext = scope.ServiceProvider.GetRequiredService<DbContext>();
var authClientsCache = scope.ServiceProvider.GetRequiredService<IAuthClientCache>();
await dbContext.Database.EnsureCreatedAsync(cancellationToken).ConfigureAwait(false);
await authClientsCache.Clear().ConfigureAwait(false);
var appManager = scope.ServiceProvider.GetRequiredService<IOpenIddictApplicationManager>();
if (await appManager.FindByClientIdAsync(DevClientConstants.ClientId, cancellationToken)
.ConfigureAwait(false) == null)
{
var devSettings = _appConfiguration.Create(SettingNames.DevSettings);
var devBff = new OpenIddictApplicationDescriptor
{
ClientId = DevClientConstants.ClientId,
ClientSecret = DevClientConstants.ClientSecret,
ConsentType = OpenIddictConstants.ConsentTypes.Implicit,
Type = OpenIddictConstants.ClientTypes.Confidential,
RedirectUris =
{
new Uri($"{devSettings.BaseUrl}/Account/LoginCallback"),
new Uri($"{devSettings.BaseUrl}/Account/LoginAdminCallback"),
},
DisplayName = "Dev BFF (Backend for Frontend)",
Permissions =
{
OpenIddictConstants.Permissions.Endpoints.Authorization,
OpenIddictConstants.Permissions.Endpoints.Token,
OpenIddictConstants.Permissions.Endpoints.Logout,
OpenIddictConstants.Permissions.Endpoints.Introspection,
OpenIddictConstants.Permissions.GrantTypes.ClientCredentials,
OpenIddictConstants.Permissions.GrantTypes.RefreshToken,
OpenIddictConstants.Permissions.GrantTypes.AuthorizationCode,
OpenIddictConstants.Permissions.ResponseTypes.Code,
OpenIddictConstants.Permissions.Scopes.Profile,
OpenIddictConstants.Permissions.Scopes.Email,
OpenIddictConstants.Permissions.Scopes.Roles
},
};
}
}
Then, on my backend (backend for frontend), I register my client:
public static void ConfigureOpenIddictClient(this IServiceCollection serviceCollection,
IConfiguration configuration, bool isDevelopment)
{
var appConfig = configuration.GetSection(SettingNames.DevSetting).Get<DevSetting>();
serviceCollection.AddOpenIddict()
.AddCore(config => { config.UseEntityFrameworkCore().UseDbContext<DbContext>(); })
.AddClient(config =>
{
config.AllowPasswordFlow();
config.AllowAuthorizationCodeFlow();
config.AllowRefreshTokenFlow();
config.AllowClientCredentialsFlow();
config.AddEncryptionCertificate(SecurityCertificateHelper.GetEncryptionCertificate())
.AddSigningCertificate(SecurityCertificateHelper.GetSigningCertificate())
.AddSigningKey(new SymmetricSecurityKey(
Encoding.UTF8.GetBytes(EncryptionConstants
.TokenSigningKey)));
config.UseAspNetCore().EnableStatusCodePagesIntegration().EnableRedirectionEndpointPassthrough()
.EnablePostLogoutRedirectionEndpointPassthrough();
config.UseSystemNetHttp()
.SetProductInformation(typeof(Program).Assembly);
config.AddRegistration(new OpenIddictClientRegistration
{
ClientId = DevClientConstants.ClientId,
ClientSecret = DevClientConstants.ClientSecret,
RedirectUri = new Uri($"{appConfig!.BaseUrl}/Account/LoginCallback"),
ProviderName = "Local",
Issuer = new Uri(appConfig!.AuthorizationServerBaseUrl),
Scopes =
{
OpenIddictConstants.Scopes.Email,
OpenIddictConstants.Scopes.Profile,
OpenIddictConstants.Scopes.Roles,
OpenIddictConstants.Scopes.OfflineAccess
}
});
});
}
Upon inspecting the documentation provided for the RedirectUri property on the OpenIddictClientRegistration class, I see it makes mention of another class where redirect urls are appended to some list:
/// <summary>
/// Gets or sets the URI of the redirection endpoint that will handle the callback.
/// </summary>
/// <remarks>
/// Note: this value is automatically added to
/// <see cref="OpenIddictClientOptions.RedirectionEndpointUris"/>.
/// </remarks>
Is the above comment a clue to solving my issue? How does one register a client which has multiple RedirectUri's?
I am currently using OpenIddict v4.3.0.
Thanks!
After thinking & reasoning about things a little bit more, I went with creating a separate backend app to support each frontend app individually. (User App -> User App Backend, and Admin App -> Admin App Backend). In each backend app, I use the OpenIddict Client middleware to register the respective client app.
Each of these backend apps are registered as private, confidential clients on OpenIddict, in the Authorization server app.