Authentication & Authorization

This guide provides comprehensive instructions for securing your Elsa Workflows deployment with various authentication and authorization strategies. Whether you're integrating with existing identity providers, implementing API key authentication, or building custom authentication solutions, this guide covers everything you need to get started.

Overview

Elsa Workflows supports multiple authentication mechanisms to secure both the Elsa HTTP API and Elsa Studio:

• No Authentication - For development and testing environments

• Elsa.Identity - Built-in identity system with user management

• OpenID Connect (OIDC) - Integration with external identity providers (Azure AD, Auth0, Keycloak, etc.)

• API Keys - Token-based authentication for machine-to-machine communication

• Custom Authentication - Implement your own authentication provider

Table of Contents

• Prerequisites

• No Authentication (Development Only)

• Using Elsa.Identity

• OIDC Configuration

  • Azure AD Integration

  • Auth0 Integration

  • Generic OIDC Provider

• API Key Authentication

• Custom Authentication Provider

• Studio Authentication Configuration

• Troubleshooting

• Security Best Practices

• Production Considerations

Prerequisites

Before configuring authentication, ensure you have:

• Elsa Server project set up (see Elsa Server Setup)

• .NET 8.0 or later SDK installed

• Basic understanding of ASP.NET Core authentication

• Access to your identity provider (if using OIDC)

No Authentication (Development Only)

⚠️ Warning: This configuration should only be used in development environments. Never deploy to production without proper authentication.

Disabling API Security

In your Elsa Server Program.cs, disable security requirements:

Disabling Studio Authorization

If using Elsa Studio (WASM or standalone), also disable authorization:

This allows all HTTP requests to proceed without authentication checks.

Using Elsa.Identity

Elsa.Identity is the built-in identity system that provides user management, roles, and permissions out of the box.

1. Install NuGet Packages

2. Configure Services

Add Elsa.Identity to your Program.cs:

3. Configure Default Admin User

Add admin user configuration to appsettings.json:

4. Create Additional Users

Use the Identity API endpoints to create additional users:

5. Obtain Authentication Token

Authenticate and get a JWT token:

Response:

Use the accessToken in subsequent requests:

OIDC Configuration

OpenID Connect (OIDC) allows you to integrate with external identity providers like Azure AD, Auth0, Keycloak, and others.

General OIDC Setup

1. Register your application with the OIDC provider

2. Obtain client ID and client secret

3. Configure redirect URIs

4. Install required NuGet packages

5. Configure authentication middleware

Azure AD Integration

Azure Active Directory (Azure AD / Microsoft Entra ID) is a popular choice for enterprise applications.

Step 1: Register Application in Azure Portal

1. Navigate to Azure Portal

2. Go to Azure Active Directory > App registrations

3. Click New registration

4. Configure:

   • Name: Elsa Workflows Server

   • Supported account types: Choose based on your requirements

   • Redirect URI:

     • Type: Web

     • URI: https://your-elsa-server.com/signin-oidc

5. Click Register

6. Note the Application (client) ID and Directory (tenant) ID

Step 2: Create Client Secret

1. In your app registration, go to Certificates & secrets

2. Click New client secret

3. Add description and expiration

4. Click Add

5. Copy the secret value immediately (it won't be shown again)

Step 3: Configure API Permissions

1. Go to API permissions

2. Add permissions:

   • Microsoft Graph > Delegated > User.Read

   • Microsoft Graph > Delegated > openid

   • Microsoft Graph > Delegated > profile

   • Microsoft Graph > Delegated > email

3. Click Grant admin consent (if you have admin privileges)

Step 4: Install NuGet Packages

Step 5: Configure Services in Program.cs

Step 6: Add Configuration to appsettings.json

Step 7: Configure Studio for Azure AD

In your Elsa Studio Program.cs:

Auth0 Integration

Auth0 is a flexible identity platform with extensive features for authentication and authorization.

Step 1: Create Auth0 Application

1. Log in to Auth0 Dashboard

2. Navigate to Applications > Applications

3. Click Create Application

4. Configure:

   • Name: Elsa Workflows Server

   • Type: Regular Web Application

5. Click Create

Step 2: Configure Application Settings

1. Go to Settings tab

2. Note the Domain, Client ID, and Client Secret

3. Configure Allowed Callback URLs:

4. Configure Allowed Logout URLs:

5. Configure Allowed Web Origins (for CORS):

6. Click Save Changes

Step 3: Create API in Auth0 (Optional)

For API-based authentication:

1. Navigate to Applications > APIs

2. Click Create API

3. Configure:

   • Name: Elsa Workflows API

   • Identifier: https://your-elsa-api.com

   • Signing Algorithm: RS256

4. Click Create

Step 4: Install NuGet Packages

Step 5: Configure Services in Program.cs

Step 6: Add Configuration to appsettings.json

Step 7: Obtaining and Using Tokens

To authenticate API calls with Auth0:

1. Obtain an access token using OAuth 2.0 Client Credentials flow:

1. Use the access token in API requests:

Generic OIDC Provider

You can integrate with any OIDC-compliant provider (Keycloak, IdentityServer, Okta, etc.).

Step 1: Install NuGet Packages

Step 2: Configure Services in Program.cs

Step 3: Add Configuration to appsettings.json

Example: Keycloak Configuration

For Keycloak specifically:

API Key Authentication

API key authentication is useful for machine-to-machine communication and automated workflows.

Implementation Approach

Elsa doesn't provide built-in API key authentication, but you can implement it using ASP.NET Core authentication handlers.

Step 1: Create API Key Model

Create a model to represent API keys:

Step 2: Create API Key Store

Implement a store to manage API keys:

Step 3: Create Authentication Handler

Implement a custom authentication handler:

Step 4: Register Services

In Program.cs:

Step 5: Create API Management Endpoints

Create endpoints to manage API keys:

Step 6: Using API Keys

Once you have an API key, include it in the request header:

Or in C#:

Persistent API Key Storage

For production use, store API keys in a database:

Custom Authentication Provider

You can implement completely custom authentication logic by creating a custom authentication handler.

Example: Header-Based Authentication

This example shows a custom authentication provider that validates users based on a custom header.

Step 1: Create Custom Authentication Handler

Step 2: Create User Service Interface

Step 3: Register Custom Authentication

In Program.cs:

Step 4: Using Custom Authentication

Multiple Authentication Schemes

You can support multiple authentication schemes simultaneously:

This configuration accepts either JWT Bearer tokens or API keys.

Studio Authentication Configuration

Elsa Studio needs to be configured to authenticate with the Elsa Server API.

Studio with JWT Bearer Tokens

When using JWT-based authentication (OIDC, Elsa.Identity):

Studio with OIDC

When using OpenID Connect:

Studio with API Keys

When using API key authentication:

Add to appsettings.json:

Studio WASM Configuration

For Elsa Studio WASM (WebAssembly), configure in the Program.cs of the WASM project:

With wwwroot/appsettings.json:

Troubleshooting

401 Unauthorized Errors

Symptom: Requests to the API return 401 Unauthorized.

Common Causes:

1. Missing or invalid authentication token

   • Verify the token is included in the Authorization header

   • Check token format: Authorization: Bearer <token>

   • Ensure the token hasn't expired

2. Token validation issues

   • Verify the Authority configuration matches your identity provider

   • Check the Audience claim in the token matches your API audience

   • Ensure clock skew between servers isn't causing validation failures

3. Authentication middleware not configured

4. Authentication scheme mismatch

   • Verify the authentication scheme name matches between configuration and handler

Solutions:

404 Not Found Errors

Symptom: Authentication endpoints return 404 Not Found.

Common Causes:

1. Incorrect callback URLs

   • Verify redirect URIs match exactly in both your code and identity provider configuration

   • Check for trailing slashes or protocol mismatches (http vs https)

2. Missing authentication endpoints

   • Ensure you've called app.UseAuthentication() before app.UseWorkflowsApi()

3. Route configuration issues

   • Verify the callback path matches your configuration:

Solutions:

CORS Issues with Studio

Symptom: Studio cannot connect to the API due to CORS errors.

Solution:

Token Expiration Issues

Symptom: Users are logged out frequently or get 401 errors intermittently.

Solutions:

1. Increase token lifetime:

2. Implement token refresh:

HTTPS/SSL Certificate Issues

Symptom: Authentication fails with SSL/TLS errors in development.

Solution (Development only):

For production, ensure proper SSL certificates are configured.

Debugging Authentication Flow

Enable detailed authentication logging:

Security Best Practices

1. Use HTTPS Everywhere

Always use HTTPS in production to protect authentication tokens in transit:

2. Secure Signing Keys

Store signing keys securely, never in source code:

Use Azure Key Vault, AWS Secrets Manager, or HashiCorp Vault in production:

3. Implement Token Expiration

Set appropriate token lifetimes:

4. Use Role-Based Access Control

Implement role-based authorization:

Apply to endpoints:

5. Implement Rate Limiting

Protect against brute force attacks:

6. Validate Redirect URIs

Always validate redirect URIs to prevent open redirect vulnerabilities:

7. Implement Logging and Monitoring

Log authentication events for security auditing:

8. Rotate API Keys Regularly

Implement API key rotation:

9. Protect Against CSRF

Enable anti-forgery tokens for cookie-based authentication:

10. Security Headers

Add security headers to responses:

Production Considerations

1. Distributed Caching for Tokens

When running multiple instances, use distributed caching:

2. Database-Backed User Store

Use a database for user management:

3. Load Balancer Configuration

Configure sticky sessions or use token-based authentication:

4. Health Checks with Authentication

Exclude health check endpoints from authentication:

5. Environment-Specific Configuration

Use different configurations for different environments:

6. Monitoring and Alerting

Monitor authentication metrics:

7. Backup Authentication Method

Always have a backup authentication method:

8. Regular Security Audits

Schedule regular security reviews:

• Review access logs monthly

• Audit active API keys quarterly

• Test authentication flows after each deployment

• Scan for vulnerabilities with tools like OWASP ZAP

• Keep dependencies updated

9. Disaster Recovery

Document recovery procedures:

• Key rotation procedures

• User account recovery process

• Emergency access procedures

• Backup identity provider configuration

10. Documentation

Maintain documentation for:

• Authentication architecture diagrams

• Configuration management procedures

• Troubleshooting guides

• Security incident response plans

• Runbooks for common operations

Summary

This guide covered comprehensive authentication and authorization strategies for Elsa Workflows:

• No Authentication: Development/testing only

• Elsa.Identity: Built-in user management system

• OIDC Providers: Azure AD, Auth0, and generic OIDC integration

• API Keys: Machine-to-machine authentication

• Custom Providers: Implementing custom authentication logic

• Studio Configuration: Connecting Studio to authenticated APIs

• Troubleshooting: Common issues and solutions

• Security: Best practices for production deployments

Choose the authentication strategy that best fits your requirements, considering factors like:

• Organization's existing identity infrastructure

• Compliance and regulatory requirements

• User experience needs

• Operational complexity

• Scalability requirements

For additional help, refer to:

• Elsa Studio Configuration

• Elsa Server Configuration

• Database Configuration

• Distributed Hosting

If you encounter issues not covered in this guide, please open an issue on the Elsa Workflows GitHub repository.