How to create facebook like own native SSO app?

问题

First of all, sorry for possible duplication, I'm sure this question was asked many times in many forms but I can't find clear answer or direction how to start.

What I am trying to do is sso for our organization apps on android and I want it with native experience(without browser).

I have oidc built on identityserver4 and it's already in production with web and mobile clients.

I'm not asking for implementation details here, just some reference, good example for how to create app which will be responsible for authentication and session managment instead of browser. Then I could create sdk, install it in all app and they will share authentication logic through this native sso app. Like facebook does e.g.

回答1:

What you describe as native experience is called Resource Owner Credentials Grant.

To implement it in IdentityServer4 you need to implement the IResourceOwnerPasswordValidator interface.

public class CustomResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator
{
    public Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
    {
        //Validate user's username and password. Insert your logic here.
        if(context.UserName == "admin" && context.Password == "admin@123")  
        context.Result = new GrantValidationResult("123", OidcConstants.AuthenticationMethods.Password);

        return Task.FromResult(0);
    }
}

Then configure IdentityServer4 to use it.

Add below code in Startup.cs

            var builder = services.AddIdentityServer()
            .AddInMemoryIdentityResources(Config.Ids)
            .AddInMemoryApiResources(Config.Apis)
            .AddInMemoryClients(Config.Clients)
            .AddResourceOwnerValidator<CustomResourceOwnerPasswordValidator>();

And configure a client to use Resource Owner Credentials Grant.

            new Client
            {
                ClientId = "resourceownerclient",

                AllowedGrantTypes = GrantTypes.ResourceOwnerPasswordAndClientCredentials,
                AccessTokenType = AccessTokenType.Jwt,
                AccessTokenLifetime = 3600,
                IdentityTokenLifetime = 3600,
                UpdateAccessTokenClaimsOnRefresh = true,
                SlidingRefreshTokenLifetime = 30,
                AllowOfflineAccess = true,
                RefreshTokenExpiration = TokenExpiration.Absolute,
                RefreshTokenUsage = TokenUsage.OneTimeOnly,
                AlwaysSendClientClaims = true,
                Enabled = true,
                ClientSecrets=  new List<Secret> { new Secret("dataEventRecordsSecret".Sha256()) },
                AllowedScopes = {
                    IdentityServerConstants.StandardScopes.OpenId, 
                    IdentityServerConstants.StandardScopes.Profile,
                    IdentityServerConstants.StandardScopes.Email,
                    IdentityServerConstants.StandardScopes.OfflineAccess,
                    "dataEventRecords"
                }
            }

Note the AllowedGrantTypes = GrantTypes.ResourceOwnerPasswordAndClientCredentials line.

Here is the link to probably IdentityServer's implementation with Microsoft Identity Core.

And here is the demo repository and blog.

来源：https://stackoverflow.com/questions/62118792/how-to-create-facebook-like-own-native-sso-app