OAuth introspection with dotNet

Introduction

This guide shows how to configure a .NET Core web API to validate the OAuth access tokens callers present, using IBM Security Verify (ISV) as the OAuth 2.0 token introspection endpoint (RFC 7662): the API forwards each bearer token to Verify, which reports whether the token is active and which scopes it carries.

Instructions

  1. Create a new .NET Core web API (i.e. dotnet new webapi).
  2. Add the [IdentityModel.AspNetCore.OAuth2Introspection library](https://www.nuget.org/packages/IdentityModel.AspNetCore.OAuth2Introspection/) package.
  3. Within Startup.cs, in the ConfigureServices() method, register introspection as the default authentication scheme. The client ID and secret are those of the API client you registered in ISV, and the endpoint is your tenant's introspection endpoint; keep the secret out of source control (configuration, user secrets or environment variables):

```csharp
using IdentityModel.AspNetCore.OAuth2Introspection;

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(OAuth2IntrospectionDefaults.AuthenticationScheme)
        .AddOAuth2Introspection(options =>
        {
            // Credentials of the API client created in ISV
            options.ClientId = "xxx-xxxx-xxxx-xxxxxx";
            options.ClientSecret = "xxxxxxx";
            // Tenant introspection endpoint; the handler POSTs each bearer token here
            options.IntrospectionEndpoint = "https://{{tenant_url}}/v1.0/endpoint/default/introspect";
        });
}
```
  4. If you want to use scopes within your API, define a policy per scope and match the policies to the scopes you assigned the API client in ISV. Below is a policy named Read that is satisfied when the introspected token carries the scope API:Read (RequireClaim is an exact match on a single claim value):

```csharp
services.AddAuthorization(options =>
{
    // Satisfied only if the principal has a "scope" claim whose value is exactly API:Read
    options.AddPolicy("Read", policy => policy.RequireClaim("scope", "API:Read"));
});
```
  5. Within the Configure() method, add app.UseAuthentication(); and app.UseAuthorization(); after app.UseRouting() and before app.UseEndpoints(), in that order, so the token is introspected before any policy is evaluated:

```csharp
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }

    app.UseHttpsRedirection();

    app.UseRouting();

    // Any custom middleware of your own goes here (MyMiddleware is a placeholder)
    app.UseMiddleware<MyMiddleware>();

    app.UseAuthentication();   // calls the ISV introspection endpoint and populates HttpContext.User
    app.UseAuthorization();    // evaluates the policies referenced by [Authorize]

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
    });
}
```
  6. On each endpoint you want to protect, add the [Authorize] attribute and name one of the policies you defined in step 4. For example, if the token carries the scope API:Read it satisfies the Read policy and is authorised to call the endpoint below; a request with no token or an inactive (expired or revoked) token gets 401, and an active token without the scope gets 403.

```csharp
[HttpGet]
[Authorize(Policy = "Read")]   // requires an active token carrying scope API:Read
public ActionResult Get()
{
    return Ok();
}
```
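Putting the steps together, here is a complete Startup.cs plus a controller, added as an illustration rather than taken from the original guide or the library's documentation. Beyond the snippets above it reads the client credentials from configuration instead of hard-coding them, turns on the handler's result cache (which needs an IDistributedCache registration), and replaces RequireClaim with a small RequireScope helper that accepts the scope whether it arrives as separate scope claims or as one space-delimited value. The Verify:* configuration keys, the RequireScope helper, the cache duration and the ItemsController are this example's own assumptions, not part of the library or ISV.

```csharp
// Added example, not from the original guide. Configuration keys ("Verify:*"),
// RequireScope and ItemsController are assumptions made for this illustration.
using System;
using System.Linq;
using IdentityModel.AspNetCore.OAuth2Introspection;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    private readonly IConfiguration _config;
    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();

        // The handler's cache needs an IDistributedCache. In-memory is fine for a
        // single instance; use a shared cache (Redis, SQL) when running several.
        services.AddDistributedMemoryCache();

        services.AddAuthentication(OAuth2IntrospectionDefaults.AuthenticationScheme)
            .AddOAuth2Introspection(options =>
            {
                // Client credentials of the API client registered in ISV, read from
                // configuration (user secrets / environment) rather than source code.
                options.ClientId = _config["Verify:ClientId"];
                options.ClientSecret = _config["Verify:ClientSecret"];
                options.IntrospectionEndpoint = _config["Verify:IntrospectionEndpoint"];

                // Without caching every request costs one round trip to ISV. Keep the
                // window short: a revoked token stays usable for at most this long.
                options.EnableCaching = true;
                options.CacheDuration = TimeSpan.FromMinutes(2);
            });

        services.AddAuthorization(options =>
        {
            options.AddPolicy("Read", p => p.RequireScope("API:Read"));
            options.AddPolicy("Write", p => p.RequireScope("API:Write"));
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment()) app.UseDeveloperExceptionPage();
        app.UseHttpsRedirection();
        app.UseRouting();
        app.UseAuthentication();   // introspects the bearer token, sets HttpContext.User
        app.UseAuthorization();    // evaluates [Authorize(Policy = ...)]
        app.UseEndpoints(e => e.MapControllers());
    }
}

public static class ScopePolicyExtensions
{
    // Hypothetical helper: true if the required scope appears either as its own
    // "scope" claim or inside a single space-delimited "scope" claim, so the policy
    // does not depend on how the introspection response was mapped to claims.
    public static AuthorizationPolicyBuilder RequireScope(this AuthorizationPolicyBuilder builder, string scope) =>
        builder.RequireAssertion(ctx => ctx.User
            .FindAll("scope")
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .Contains(scope, StringComparer.Ordinal));
}

[ApiController]
[Route("api/[controller]")]
public class ItemsController : ControllerBase
{
    [HttpGet]
    [Authorize(Policy = "Read")]    // active token with API:Read, else 401/403
    public ActionResult Get() =>
        Ok(new { scopes = User.FindAll("scope").Select(c => c.Value) });

    [HttpPost]
    [Authorize(Policy = "Write")]   // active token with API:Write
    public ActionResult Post() => Ok();
}
```

Run it with the three Verify:* values supplied through dotnet user-secrets or environment variables (Verify__ClientId and so on), then call GET /api/items with an Authorization: Bearer header: a token from ISV that carries API:Read returns 200 with its scopes, the same token against POST returns 403, and a missing or revoked token returns 401. The scope comparison is ordinal on purpose, so API:read does not satisfy API:Read.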