
I'd like to use IdentityServer4 for authentication in my ASP.NET Core MVC web application, but the user registration process seems awkward. Most web sites that require user registration don't redirect you to a separate site (e.g. Facebook, Twitter, etc.) to sign up if you're using local user accounts.

One solution is to host IdentityServer4 in the same process as my MVC client, but that is discouraged.

Are there any good real world examples of local user registration with IdentityServer4?

DMannion
  • Why not just use ASP.NET Identity with the MVC application? No need for IdentityServer (unless I'm missing something). IdS is needed when you want an independent authentication/authorization server across many apps (a.k.a. clients) that access many APIs (a.k.a. resources). – travis.js Feb 25 '17 at 01:40
  • I don't think so. But there is nothing stopping you from making an API that registers users which sits alongside your IDS stuff. – Lutando Feb 27 '17 at 07:37

1 Answer


IdentityServer is for authenticating existing users, not really creating new users. In our use-case, we have 3 projects playing a part:

  • The identity server
  • A protected API
  • An identity provider (aspnet core identity) project

Users are created by a call to the API, which creates the appropriate structures in the identity provider. Our identity server makes calls to the identity provider when validating requests for tokens. Our API uses identity server to protect the resources, and our identity provider to retrieve information we may need about that user that isn't contained in claims (permissions, for example).

In this way our identity provider can be shared across projects (one user base with different roles), and the Identity Server is purely for authenticating users. All user management functions belong elsewhere.


EDIT: @peyman We're not doing anything particularly ground-breaking: just using the aspnet core identity framework (http://odetocode.com/blogs/scott/archive/2013/11/25/asp-net-core-identity.aspx).

The IUserStore and UserManager are the main drivers of this. When a user is created they are assigned a role, which for us is based on which application requested the creation of that user. Our implementation of IUserStore is what will ultimately be called by IdentityServer when verifying identity, and the data provided is used by IdentityServer to build up claims. Our resource API is relatively simply protected using Policies for claim-based authorisation (https://learn.microsoft.com/en-us/aspnet/core/security/authorization/claims).

Mashton
    This is really helpful. I'm still struggling to visualize the entire flow of using IdentityServer to issue both identity and access tokens, how to isolate user identity from application specific permissions, etc. So, your IdentityServer calls your IdentityProvider. Is your Identity provider a separate API or part of your main asp.net website? How do you protect your Identity provider then? – DMannion Mar 07 '17 at 19:28
  • In our particular case, our identity provider is an API on infrastructure that isn't publicly accessible: it can only be called from the presentation infrastructure. Other architectures are possible though, and I've seen some have the identity provider as part of the IdentityServer. Not having done this myself, I can only guess that they provide new endpoints (some open, some protected) to allow other apis/sites access. – Mashton Mar 07 '17 at 21:28
  • Hi @Mashton, I have a similar scenario where I have a SaaS application with multiple projects (asp.net form sites) with different databases and want to use a single IDP, but for the user validation I want the IDP to connect to each of their databases. So not sure how to approach this based on the client? – cvetyab May 19 '17 at 21:27
  • I have a similar setup, where I have an endpoint to create a user. It accepts a POST request; in my case this register endpoint is an open endpoint, meaning no authorization, which means anybody can access this endpoint and it's possible that any user creates a loop and endlessly creates new users. How is it in your case, and how do you tackle that? – SomeGuyWhoCodes Aug 10 '17 at 14:17
  • Our API endpoint for registration is only callable from our presentation layer - a website in this case - and we require a recaptcha and it is also rate limited. – Mashton Aug 11 '17 at 15:50
  • Hi @Mashton, can you provide us some code for the Identity Provider, especially for permission management? And how to use it on the Resource API? – peyman Oct 11 '17 at 00:12
  • "Our identity server makes calls to the identity server when validating requests for tokens." can you please explain this in more detail or do you mean "Our identity server makes calls to the identity provider when validating requests for tokens." ? – niklr Jul 31 '18 at 11:00
  • Yes sorry about that - typo. It should be as you've said and I've fixed it now. – Mashton Aug 01 '18 at 07:20
  • Hi @Mashton, have you implemented IdentityProvider as a web API project? Could you describe how the data exchange between IdentityServer and IdentityProvider takes place? Where is user password verification implemented? What data are you sending to IdentityProvider and what data is returned back to IdentityServer? Thank you! – Siarhei Kavaleuski Oct 28 '19 at 13:40
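As an added illustration of the split the answer describes (this is not the answerer's code): an IdentityServer4 IProfileService that asks the ASP.NET Core Identity UserManager for the user's role and permission claims whenever a token is issued, and a resource API policy that checks the resulting claim. ApplicationUser, the "permission" claim type and the "CanManageOrders" policy are assumed names, and the UserManager is assumed to be reachable in-process from IdentityServer, which simplifies the answer's setup of a separate, non-public identity provider API.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Assumed user type, persisted through the identity provider's IUserStore.
public class ApplicationUser : IdentityUser { }

// Runs inside IdentityServer. Registered with:
//   services.AddIdentityServer().AddAspNetIdentity<ApplicationUser>()
//           .AddProfileService<IdentityProviderProfileService>();
// Every token issue consults the identity provider, so revoked or locked-out
// users stop receiving tokens without IdentityServer holding its own user data.
public class IdentityProviderProfileService : IProfileService
{
    private readonly UserManager<ApplicationUser> _users;
    public IdentityProviderProfileService(UserManager<ApplicationUser> users) => _users = users;

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var user = await _users.FindByIdAsync(context.Subject.GetSubjectId());
        if (user == null) return;                       // unknown subject: issue no claims
        var claims = new List<Claim>();
        foreach (var role in await _users.GetRolesAsync(user))
            claims.Add(new Claim("role", role));        // role assigned at registration
        // Application permissions live with the user in the identity provider, not in IdentityServer.
        claims.AddRange((await _users.GetClaimsAsync(user)).Where(c => c.Type == "permission"));
        context.IssuedClaims.AddRange(claims);
    }

    public async Task IsActiveAsync(IsActiveContext context)
    {
        var user = await _users.FindByIdAsync(context.Subject.GetSubjectId());
        context.IsActive = user != null && !await _users.IsLockedOutAsync(user);
    }
}

// Resource API side: a policy that requires the permission claim carried in the token.
public static class ResourceApiAuthorization
{
    public static void Configure(IServiceCollection services) =>
        services.AddAuthorization(o =>
            o.AddPolicy("CanManageOrders", p => p.RequireClaim("permission", "orders.manage")));
}

[Authorize(Policy = "CanManageOrders")]
public class OrdersController : ControllerBase { }
```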