{"id":23055912,"url":"https://github.com/aklaus/transparent-auth-gateway","last_synced_at":"2025-08-15T05:32:31.402Z","repository":{"id":130584946,"uuid":"531778210","full_name":"AKlaus/Transparent-Auth-Gateway","owner":"AKlaus","description":"Implementations of a \"transparent\" Auth Gateway that links a third-party Identity Provider with own authorisation rules (scopes, roles, etc.)","archived":false,"fork":false,"pushed_at":"2024-11-04T08:27:38.000Z","size":94,"stargazers_count":18,"open_issues_count":2,"forks_count":3,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-11-04T09:27:33.965Z","etag":null,"topics":["azure-ad","identity","oauth2","oidc"],"latest_commit_sha":null,"homepage":"https://alex-klaus.com/transparent-auth-gateway-1","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/AKlaus.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-09-02T04:15:58.000Z","updated_at":"2024-11-04T08:27:42.000Z","dependencies_parsed_at":"2024-11-04T09:23:30.392Z","dependency_job_id":"4cf1f515-9b38-41ad-8292-4f181e40c1ec","html_url":"https://github.com/AKlaus/Transparent-Auth-Gateway","commit_stats":null,"previous_names":[],"tags_count":4,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AKlaus%2FTransparent-Auth-Gateway","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AKlaus%2FTransparent-Auth-Gateway/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AKlaus%2FTransparent-Auth-Gateway/
releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AKlaus%2FTransparent-Auth-Gateway/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/AKlaus","download_url":"https://codeload.github.com/AKlaus/Transparent-Auth-Gateway/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":229893858,"owners_count":18140620,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["azure-ad","identity","oauth2","oidc"],"created_at":"2024-12-16T01:13:58.711Z","updated_at":"2024-12-16T01:13:59.268Z","avatar_url":"https://github.com/AKlaus.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Build](https://github.com/AKlaus/Transparent-Auth-Gateway/actions/workflows/build.yml/badge.svg)](https://github.com/AKlaus/Transparent-Auth-Gateway/actions/workflows/build.yml)\n\nCode samples for a series of articles about implementing Transparent Auth Gateway:\n1. [Needs and means](https://alex-klaus.com/transparent-auth-gateway-1). Requirements for enterprise apps and available off-the-shelf solutions.\n2. [Auth Flows](https://alex-klaus.com/transparent-auth-gateway-2). Relevant authentication/authorisation flows (OAuth2, OIDC) with sequence diagrams.\n3. [Writing the code in C#](https://alex-klaus.com/transparent-auth-gateway-3). Comments to the code in this repo – a _Transparent Auth Gateway_ in .NET.\n4. [Deploying to Azure](https://alex-klaus.com/transparent-auth-gateway-4). 
_App Registrations_ and Firewall settings (Azure _WAF_ / _Front Door_).\n\n# Transparent Auth Gateway for Enterprise apps\n\nA trusted authority for our enterprise application(s) that\n- transparently (without additional user interaction) confirms the identity with the linked _Identity Provider_ (an _Azure AD_ tenant in this case), supporting SSO;\n- conducts extra authentication checks (with a potential for own user management);\n- issues an _access token_ with app-specific attributes (user’s roles/groups/etc.);\n- is self-hosted without reliance on third-party services.\n\nThe code uses _Azure AD_ as the linked _Identity Provider_ (for the identity checks) and its own bespoke authorisation server. \n\n![Transparent Auth Gateway](./auth-gateway-enterprise-apps.png)\n\nThe implemented protocols:\n- OpenID Connect ([OIDC](https://openid.net/connect/)).\n- OAuth 2 [Authorisation Code Flow](https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow) ([RFC 6749](https://www.rfc-editor.org/rfc/rfc6749#section-4.1)) with [Proof Key for Code Exchange](https://www.oauth.com/oauth2-servers/pkce/) ([RFC 7636](https://www.rfc-editor.org/rfc/rfc7636)).\n- OAuth 2 [Client Credentials Flow](https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-credentials-flow).\n\n# Code structure\nThere are 3 projects:\n\n- [AzureADAuthClient](./AzureADAuthClient) – a quick way to ensure that _Azure AD_ authentication is configured. 
Uses Swagger UI to acquire a token and the standard `Microsoft.Identity` way to validate the token on WebAPI.\n- [OpenIdDict.Server](./OpenIdDict.Server) – a bespoke _Transparent Auth Gateway_ to confirm the user's identity from the linked provider and authorise the user (issue own _access token_) according to the bespoke rules:\n  - implements OAuth 2 flows to serve as the trusted authorization authority to other client apps:\n    - [Authorization Code Flow](https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow) with [PKCE](https://oauth.net/2/pkce/) for user authorization;\n    - [Client Credentials Flow](https://auth0.com/docs/get-started/authentication-and-authorization-flow/client-credentials-flow) for API integration;\n  - for user authorization, it performs authentication with the linked _Identity Provider_ (a specified tenant of _Azure Entra ID_).\n- [OpenIdDict.Client.Api](./OpenIdDict.Client.Api) – a Web API app that validates the _access token_ issued by the Auth Gateway (`OpenIdDict.Server`). Contains:\n  - Swagger front-end to request the token and run HTTP requests;\n  - test API end-points.\n\n# How's it different?\nThe key differences:\n- Issues its own _access token_ based on internal rules and the user's identity confirmed by an _Azure Entra ID_ tenant.\n- Requires no database.\n- Keeps both the code and the \"magical\" behaviour from the packages to a minimum.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faklaus%2Ftransparent-auth-gateway","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faklaus%2Ftransparent-auth-gateway","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faklaus%2Ftransparent-auth-gateway/lists"}