You are right, I implemented the first option. I created my own Identity Server, and it is acting as an external login provider. I am putting the code here in case it is of interest to anyone.
AuthenticationService.cs
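public static class AuthenticationServices
{
    /// <summary>
    /// Registers the authentication handlers used by the application: a cookie scheme,
    /// an OpenID Connect handler named "oidc" that points at the custom Identity Server,
    /// and the Google / Microsoft / Identity Server helpers defined elsewhere in this project.
    /// </summary>
    /// <param name="services">The service collection the handlers are registered on.</param>
    /// <param name="config">Configuration root; its "identity" section is bound to <see cref="MyIdentityOptions"/>.</param>
    /// <exception cref="InvalidOperationException">
    /// Thrown when the "identity" section is missing or cannot be bound, instead of failing later
    /// with a <see cref="NullReferenceException"/> on <c>identityOptions.RequiresHttps</c>.
    /// </exception>
    public static void AddMyAuthentication(this IServiceCollection services, IConfiguration config)
    {
        var identityOptions = config.GetSection("identity").Get<MyIdentityOptions>();
        if (identityOptions is null)
        {
            throw new InvalidOperationException(
                "Configuration section 'identity' is missing or could not be bound to MyIdentityOptions.");
        }

        // NOTE(review): the original also read config.GetSection("urls").Get<MyUrlsOptions>() but never
        // used it; the hard-coded Authority below looks like the value that section was meant to supply — confirm.
        services.AddOidcStateDataFormatterCache();
        services
            .AddAuthentication()
            .AddOpenIdConnect("oidc", options =>
            {
                // Sign the OIDC result into the external-login scheme so ASP.NET Identity treats this
                // handler like any other external provider; without it the external-login callback never sees the principal.
                options.SignInScheme = IdentityConstants.ExternalScheme;
                // Local development address; outside development this must be the HTTPS address of the Identity Server.
                options.Authority = "http://localhost:5000";
                options.ClientId = "my-client";
                // Compiled-in secret shared with the Identity Server's client definition; it ships with the binary,
                // so anyone holding the assembly holds the secret.
                options.ClientSecret = Constants.InternalClientSecret;
                // When false, the discovery document and keys may be fetched over plain HTTP; only acceptable for local development.
                options.RequireHttpsMetadata = identityOptions.RequiresHttps;
                // Tokens are stored inside the authentication cookie; this enlarges the cookie and makes the tokens
                // readable by anything that can decrypt it.
                options.SaveTokens = true;
                options.GetClaimsFromUserInfoEndpoint = true;
                options.Scope.Add(Constants.ProfileScope);
                options.Scope.Add(Constants.RoleScope);
                options.Scope.Add("email");
                // id_token-only response: the implicit flow, which returns the token through the browser (front channel).
                options.ResponseType = OpenIdConnectResponseType.IdToken;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    NameClaimType = ClaimTypes.Name,
                    RoleClaimType = ClaimTypes.Role,
                };
            })
            .AddCookie()
            .AddMyGoogleAuthentication(identityOptions)
            .AddMyMicrosoftAuthentication(identityOptions)
            .AddMyIdentityServerAuthentication(identityOptions, config);
    }
}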
Client, Api Resources and Identity Resources on custom Identity Server
/// <summary>
/// Defines the API resource exposed by this Identity Server: a single resource named by
/// <c>ApiScope</c> whose user claims are the JWT email and role claims.
/// </summary>
/// <returns>A one-element sequence containing that API resource.</returns>
public static IEnumerable<ApiResource> GetApiResources()
{
    var apiResource = new ApiResource(ApiScope);
    apiResource.UserClaims = new List<string>
    {
        JwtClaimTypes.Email,
        JwtClaimTypes.Role,
    };

    return new List<ApiResource> { apiResource };
}
/// <summary>
/// Defines the clients known to this Identity Server: one client, "my-client", with a
/// signin-oidc redirect URI for each of the portal, orleans and identity-server front ends.
/// </summary>
/// <returns>A one-element sequence containing the client definition.</returns>
public static IEnumerable<Client> GetClients()
{
    // Plain-HTTP, localhost-only redirect URIs: suitable for local development only.
    var redirectUris = new List<string>
    {
        "http://localhost:50006/portal/signin-oidc",
        "http://localhost:50006/orleans/signin-oidc",
        "http://localhost:50006/identity-server/signin-oidc"
    };

    var allowedScopes = new List<string>
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        IdentityServerConstants.StandardScopes.Email,
        ApiScope,
        ProfileScope,
        RoleScope,
    };

    var client = new Client
    {
        ClientId = "my-client",
        ClientName = "my-client",
        // Presumably the same constant the OIDC handler passes as ClientSecret; the two must match.
        ClientSecrets = new List<Secret> { new Secret(InternalClientSecret) },
        RedirectUris = redirectUris,
        // 30 days. NOTE(review): together with AllowAccessTokensViaBrowser this is a long lifetime
        // for a token delivered through the browser — confirm it is intended.
        AccessTokenLifetime = (int)TimeSpan.FromDays(30).TotalSeconds,
        // Implicit grant matches ResponseType = IdToken on the OIDC handler side; change the two together.
        AllowedGrantTypes = GrantTypes.ImplicitAndClientCredentials,
        AllowAccessTokensViaBrowser = true,
        AllowedScopes = allowedScopes,
        RequireConsent = false,
        AlwaysSendClientClaims = true
    };

    // The original used a nested collection initializer, which appends to the existing
    // AllowedCorsOrigins collection rather than replacing it; do the same explicitly.
    client.AllowedCorsOrigins.Add("http://localhost:50006");

    return new List<Client> { client };
}
/// <summary>
/// Defines the identity resources exposed by this Identity Server: the standard openid,
/// profile and email resources plus two custom ones, "role" (carrying the JWT role claim)
/// and "squidex-profile" (carrying the urn:squidex:name and urn:squidex:picture claims).
/// The custom names presumably correspond to the RoleScope / ProfileScope constants the
/// OIDC handler requests — verify against the Constants definition.
/// </summary>
/// <returns>The identity resources, standard ones first.</returns>
public static IEnumerable<IdentityResource> GetIdentityResources()
{
    var roleResource = new IdentityResource("role", new[] { JwtClaimTypes.Role });
    var squidexProfileResource = new IdentityResource("squidex-profile", new[]
    {
        "urn:squidex:name",
        "urn:squidex:picture"
    });

    return new List<IdentityResource>
    {
        new IdentityResources.OpenId(),
        new IdentityResources.Profile(),
        new IdentityResources.Email(),
        roleResource,
        squidexProfileResource
    };
}