Multi-Factor Authentication Design with IdentityServer4 and ASP.NET Core 2.0 (3)

Nov 17, 2018


Chapter 3

This is the last chapter of the Multi-Factor Authentication with IdentityServer4 and ASP.NET Core 2.0 series. It covers the implementation of the system we designed in Chapters 1 and 2.

Project Repository: SampleMFA


Start by creating an ASP.NET Core Web Application Empty Project.


Install the packages with the Package Manager Console.

PM> Install-Package IdentityServer4 -Version 2.2.0
PM> Install-Package Newtonsoft.Json -Version 11.0.2

An interesting feature of ASP.NET Core is that it can host itself without IIS, using an event-driven, asynchronous I/O based server called Kestrel.

To use Kestrel as the web server, update the launch settings by selecting the project profile, i.e. SampleMFA.IdentityServer, and then modify the settings like this.

SampleMFA.IdentityServer launch setting

Modify Program.cs to use Kestrel as the web server, and specify the URL as http://localhost:5000.

Line 18 sets the content resource path, used for files such as config files. In this case IdentityServer4 will generate the file tempkey.rsa there to use as the signing key.

Line 19 enables integration with IIS. When we host the application through IIS, the ASP.NET Core Module generates a dynamic port for our application, which is hosted by Kestrel.

Listening and request processing are handled by the Kestrel web server. The ASP.NET Core Module is the link between IIS and Kestrel: IIS receives the page request and forwards it to the port bound by the ASP.NET Core Module, and Kestrel, which is mapped to that dynamic port, processes the forwarded request. You can read the great explanation here.

Run the project with the SampleMFA.IdentityServer profile. Kestrel will start in console application mode.

Let’s turn the web server into an Identity Server

Open Startup.cs. Add the configuration that turns the service into an Identity Server. Use the Developer Signing Credential to sign JWT tokens.

Add a Web API to connect with the Identity Server by specifying its name and description. The registered Web API can use the same access token generated by the Identity Server.

Finally, add a client to use as a channel for authentication. It can be set for each Web API through the AllowedScopes property.

We will use Entity Framework Core as the tool for making Sample Accounts.

Modeling and Creating a DB Context with Entity Framework Core

Since EF Core is Code-First, we start by creating the model: an Account class and an ApplicationDbContext.


Then create IAccountRepository and AccountRepository as the Data Access Layer.

The Data Access Layer code above is for demonstration purposes only. Do not use it. It does not include secure password hashing.
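One way a data access layer like this could store and check passwords, as an added example that is not code from the SampleMFA repository. It uses PBKDF2-HMAC-SHA256 from the .NET base class library with a per-account salt; the Account shape, the HashedAccountRepository name, the Dictionary store and the iteration count are assumptions made for illustration.

```csharp
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical stand-in for the article's Account model: keeps salt and hash, never the password.
public class Account
{
    public string Username { get; set; }
    public byte[] Salt { get; set; }
    public byte[] PasswordHash { get; set; }
    public int Iterations { get; set; } // stored per account so the work factor can be raised later
}

// Hypothetical repository; a Dictionary replaces the EF Core in-memory context so this compiles alone.
public class HashedAccountRepository
{
    private const int SaltSize = 16, HashSize = 32, CurrentIterations = 100_000; // assumed work factor
    private readonly Dictionary<string, Account> _accounts = new Dictionary<string, Account>();

    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(HashSize);
    }

    public void Create(string username, string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt); // unique salt per account
        _accounts[username] = new Account { Username = username, Salt = salt,
            Iterations = CurrentIterations, PasswordHash = Derive(password, salt, CurrentIterations) };
    }

    public bool ValidateCredentials(string username, string password)
    {
        if (!_accounts.TryGetValue(username, out var account))
        {
            Derive(password, new byte[SaltSize], CurrentIterations); // comparable cost for unknown users
            return false;
        }
        var candidate = Derive(password, account.Salt, account.Iterations);
        int diff = candidate.Length ^ account.PasswordHash.Length;
        for (int i = 0; i < candidate.Length && i < account.PasswordHash.Length; i++)
            diff |= candidate[i] ^ account.PasswordHash[i]; // compare every byte, no early exit
        return diff == 0;
    }
}
```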

Add a service configuration in Startup.cs that registers an in-memory database for the ApplicationDbContext and sets up dependency injection for the AccountRepository.

Now the environment is prepared and ready to be assembled in the controllers.

  • AuthorityController is provided as an endpoint for testing the sign-in account.

In this article, I will detail only the AuthorityController to show how it works.

Start by creating an AuthorityModel to store Payload and Token from the Client.

Create the AuthorityController class by initializing the Issuer named “owner”, then initialize the Authority Pipeline and register AccountAuthority and OTPAuthority.

Define the remaining method, which works with the Issuer that manages the Payload / Token in the order of the Authorities.

Account(string authority, [FromBody] AuthorityModel model)

After everything is done, let’s try it out by running the project and Postman.

Invoke the service with the settings above.

Now, when you press Send, we will get the OTP from the console log. We will take the OTP and verify_token as input.

By pressing Send in the confirmation process, we will get the OTP and the auth_token to sign with AuthenticationGrant.

The last step yields the access_token with a refresh_token for authenticating with the API.

Much of the code is not included in this article. The GitHub repository, project SampleMFA, contains all of the code for anyone interested in the implementation details.

This article was created as a proof of concept. Real applications of Identity Server can differ. There are more security, configuration and database topics that are not covered in this article.
