Hi,
We have Identity Server 4 and a separate API, both ASP.NET Core 3.1. There are some open endpoints used from IS4 during authentication to add additional claims, validate users, etc. They are opened with the [AllowAnonymous] attribute. And here the problem comes.

During authentication there are no tokens yet, so I cannot protect them with [Authenticate]. How can I best protect those endpoints? Or at least make it as hard as possible.
In some situations there is a call from the API to IS4 during authentication as well (forced to do so because of one of the custom external providers), and that endpoint is also open.
For now there are two deployment cases for our solution: one hosts all applications as Azure App Services, and the other is an on-premises Windows server.
You could lock down IP ranges so only known servers could even access it. Or you could use something like a subscription key which all your apps know but no one else does.
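Both suggestions from the answer above can be enforced in the API itself, as an added ASP.NET Core 3.1 example that is not code from the original post: a middleware applied only to the IS4 callback routes that rejects callers outside an IP allow-list and then checks a shared key header with a constant-time comparison. The configuration keys (`Internal:ApiKey`, `Internal:AllowedIps`), the `/internal` path prefix and the `X-Internal-Key` header name are assumptions chosen for the example.

```csharp
// Added example, not from the original post. Guards the [AllowAnonymous] endpoints that
// IS4 calls during authentication with (1) an IP allow-list and (2) a shared secret header.
// Assumed names: config keys Internal:ApiKey / Internal:AllowedIps, path /internal, header X-Internal-Key.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Logging;

public sealed class InternalCallerMiddleware
{
    private const string KeyHeader = "X-Internal-Key";
    private readonly RequestDelegate _next;
    private readonly byte[] _expectedKey;
    private readonly HashSet<IPAddress> _allowedIps;
    private readonly ILogger<InternalCallerMiddleware> _log;

    public InternalCallerMiddleware(RequestDelegate next, IConfiguration config, ILogger<InternalCallerMiddleware> log)
    {
        _next = next;
        _log = log;
        // The secret comes from configuration (Key Vault, environment variable), never from source control.
        var key = config["Internal:ApiKey"]
                  ?? throw new InvalidOperationException("Internal:ApiKey is not configured");
        _expectedKey = Encoding.UTF8.GetBytes(key);
        // Known IS4 / API hosts that are allowed to call the internal endpoints.
        _allowedIps = (config.GetSection("Internal:AllowedIps").Get<string[]>() ?? Array.Empty<string>())
            .Select(IPAddress.Parse)
            .ToHashSet();
    }

    public async Task InvokeAsync(HttpContext ctx)
    {
        var remote = ctx.Connection.RemoteIpAddress;
        // Kestrel may report IPv4 clients as IPv4-mapped IPv6 (::ffff:10.0.0.5); normalise so the list matches.
        if (remote != null && remote.IsIPv4MappedToIPv6) remote = remote.MapToIPv4();

        if (remote == null || !_allowedIps.Contains(remote))
        {
            _log.LogWarning("Internal endpoint {Path} called from unlisted address {Ip}", ctx.Request.Path, remote);
            ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
            return;
        }

        if (!ctx.Request.Headers.TryGetValue(KeyHeader, out var presented) || !KeyMatches(presented.ToString()))
        {
            _log.LogWarning("Internal endpoint {Path} called with a missing or invalid key from {Ip}", ctx.Request.Path, remote);
            ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return;
        }

        await _next(ctx);
    }

    // Constant-time comparison so response timing does not reveal how many key bytes matched.
    private bool KeyMatches(string presented)
    {
        var presentedBytes = Encoding.UTF8.GetBytes(presented);
        return presentedBytes.Length == _expectedKey.Length
               && CryptographicOperations.FixedTimeEquals(presentedBytes, _expectedKey);
    }
}

public static class InternalCallerExtensions
{
    // Apply the guard only to the routes IS4 calls, e.g. everything under /internal,
    // so the rest of the API keeps its normal bearer-token [Authorize] protection.
    public static IApplicationBuilder UseInternalCallerGuard(this IApplicationBuilder app) =>
        app.UseWhen(ctx => ctx.Request.Path.StartsWithSegments("/internal"),
                    branch => branch.UseMiddleware<InternalCallerMiddleware>());
}

// In Startup.Configure, before UseEndpoints:
//   app.UseInternalCallerGuard();
```

Two caveats for the deployments described in the question. On Azure App Service the request reaches Kestrel through the platform's front end, so `RemoteIpAddress` is the proxy unless `UseForwardedHeaders` is configured with the front end as a known proxy; the IP restriction is simpler to express there with the App Service Access Restrictions feature at the platform level, keeping the shared-key check in code. On both hosts the key only helps if the calls travel over HTTPS and the key is rotated like any other credential; the calling side (IS4, or the API when it calls back into IS4) adds the header with `HttpClient.DefaultRequestHeaders.Add("X-Internal-Key", key)` and the same middleware can be registered in IS4 for its own open endpoint.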