
I have been trying to find out where the code for the 'connect/token' endpoint on IdentityServer4 is. It's proving impossible to find, and I am now starting to believe that this is some kind of built-in controller/endpoint whose code is not available to be edited, as happens with other endpoints ... am I right?

The real question is: I need to change the way this endpoint validates the provided credentials.

IdentityServer uses a hashing algorithm for the user passwords, but I wanted to know if it is possible to change the algorithm being used - or create a similar endpoint or validation method but using another hashing algorithm.

I am considering this approach because I have migrated some user accounts from another source and the hashed passwords stored in the database don't use the IdentityServer algorithm.

Feel free to comment, even if you don't have a specific answer, maybe we can reach other conclusions.

Thanks in advance!

PS: I am using ROPC grant type (aka password grant-type).


Edit: Since this scenario is a temporary one - passwords with the old hash (source application) will be migrated to the new hash (IdentityServer) whenever a user logs in - I am thinking of developing an endpoint to use in the meantime to validate the credentials with the 'old' hash and generate a token there, not using the 'connect/token' endpoint at this moment. I am not sure how to generate a token, but I'll dig into that.

AMFerreira
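The migrate-on-login plan described in the edit above can be done without a separate token endpoint: IdentityServer4 runs the password grant through its `IResourceOwnerPasswordValidator` extension point, so `/connect/token` stays in charge of client authentication, scope checks and token issuance while only the credential check is replaced. The following is an added example written for this page, not code from the question, the answers or the IdentityServer4 project. The legacy format (`sha256$<base64>`, unsalted SHA-256) is a constructed stand-in for whatever the source application really used, the `IMigratedUserStore` interface and `InMemoryMigratedUserStore` class are hypothetical placeholders for your own data access, and the seeded user "alice" is constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Validation;
using Microsoft.Extensions.DependencyInjection;

// Constructed stand-in for the migrated user table.
public class MigratedUser
{
    public string SubjectId { get; set; }
    public string UserName { get; set; }
    // Either "sha256$<b64>" (legacy, as migrated) or "pbkdf2$<iter>$<salt-b64>$<key-b64>" (new).
    public string PasswordHash { get; set; }
}

// Hypothetical repository abstraction; replace with your real data access.
public interface IMigratedUserStore
{
    Task<MigratedUser> FindByUserNameAsync(string userName);
    Task UpdatePasswordHashAsync(string subjectId, string newHash);
}

public class InMemoryMigratedUserStore : IMigratedUserStore
{
    readonly Dictionary<string, MigratedUser> _byName = new Dictionary<string, MigratedUser>(StringComparer.OrdinalIgnoreCase);
    public InMemoryMigratedUserStore(IEnumerable<MigratedUser> seed) { foreach (var u in seed) _byName[u.UserName] = u; }
    public Task<MigratedUser> FindByUserNameAsync(string userName) =>
        Task.FromResult(_byName.TryGetValue(userName ?? string.Empty, out var u) ? u : null);
    public Task UpdatePasswordHashAsync(string subjectId, string newHash)
    {
        foreach (var u in _byName.Values) if (u.SubjectId == subjectId) u.PasswordHash = newHash;
        return Task.CompletedTask;
    }
}

public static class PasswordHashing
{
    const int Iterations = 100_000;

    // Legacy scheme assumed for this example: unsalted SHA-256. Used here only to seed sample data.
    public static string LegacyHash(string password)
    {
        using (var sha = SHA256.Create())
            return "sha256$" + Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(password)));
    }

    // New scheme: PBKDF2-HMAC-SHA256, random 16-byte salt, 32-byte key, all parameters stored with the hash.
    public static string HashNew(string password)
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        var key = Derive(password, salt, Iterations);
        return $"pbkdf2${Iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(key)}";
    }

    static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    // Returns (matched, storedHashIsLegacy). Unknown or malformed formats are rejected, never guessed at.
    public static (bool Matched, bool IsLegacy) Verify(string password, string stored)
    {
        try
        {
            var parts = (stored ?? string.Empty).Split('$');
            if (parts[0] == "sha256" && parts.Length == 2)
            {
                var expected = Convert.FromBase64String(parts[1]);
                using (var sha = SHA256.Create())
                {
                    var actual = sha.ComputeHash(Encoding.UTF8.GetBytes(password ?? string.Empty));
                    return (CryptographicOperations.FixedTimeEquals(actual, expected), true);
                }
            }
            if (parts[0] == "pbkdf2" && parts.Length == 4 && int.TryParse(parts[1], out var iterations))
            {
                var salt = Convert.FromBase64String(parts[2]);
                var expectedKey = Convert.FromBase64String(parts[3]);
                var actualKey = Derive(password ?? string.Empty, salt, iterations);
                return (CryptographicOperations.FixedTimeEquals(actualKey, expectedKey), false);
            }
        }
        catch (FormatException) { /* corrupt stored hash: treat as no match */ }
        return (false, false);
    }
}

// IdentityServer4's hook for the password grant; /connect/token calls this for grant_type=password.
public class LegacyAwarePasswordValidator : IResourceOwnerPasswordValidator
{
    readonly IMigratedUserStore _users;
    public LegacyAwarePasswordValidator(IMigratedUserStore users) { _users = users; }

    public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
    {
        // One generic failure for unknown user and wrong password, so the response does not reveal which.
        var failure = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "invalid credentials");
        var user = await _users.FindByUserNameAsync(context.UserName);
        if (user == null) { context.Result = failure; return; }

        var (matched, isLegacy) = PasswordHashing.Verify(context.Password, user.PasswordHash);
        if (!matched) { context.Result = failure; return; }

        // Login is the only moment the plaintext is available, so legacy entries are re-hashed right here.
        if (isLegacy)
            await _users.UpdatePasswordHashAsync(user.SubjectId, PasswordHashing.HashNew(context.Password));

        context.Result = new GrantValidationResult(user.SubjectId, "pwd"); // "pwd" is the password amr value
    }
}

public static class Registration
{
    // Call from Startup.ConfigureServices; clients, resources and signing credential come from your existing setup.
    public static void AddLegacyAwareRopc(IServiceCollection services)
    {
        services.AddSingleton<IMigratedUserStore>(new InMemoryMigratedUserStore(new[]
        {
            // Constructed sample account, not a real user.
            new MigratedUser { SubjectId = "1001", UserName = "alice", PasswordHash = PasswordHashing.LegacyHash("sample-only") }
        }));
        services.AddIdentityServer()
            .AddResourceOwnerValidator<LegacyAwarePasswordValidator>();
    }
}
```

Once every legacy row has been rewritten (or a cut-off date has passed), the `sha256$` branch can be deleted and any remaining accounts forced through a reset, which is what makes the migration temporary. The stored-format prefix is also what you would watch in the database to track how many accounts are still on the old hash.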

2 Answers

0

IdentityServer itself does not care about the users or passwords; instead that is handled in your own user interface, as the picture below shows:

[Image: diagram of the login flow between the UI and IdentityServer]

The AccountController class tells IdentityServer that a user has authenticated.

In a typical setup you use the QuickStart UI to handle the login/signup logic and hence, it is there you can customize how the user password should be stored. A common way to handle the users is to involve the logic from ASP.NET Identity, but this is not a requirement.

If you are using the client credentials flow, then all you have to do is provide your own implementation of the IClientStore interface. You can find a sample implementation here. Don't forget to register it in startup.cs

Tore Nestenius
  • Thank you Tore for your remarks. However, in this case, the client application doesn't perform any login on the IdentityServer UI, as the credentials are passed on the HTTP call performed to the /connect/token endpoint, so there isn't any endpoint on the AccountController being fired. – AMFerreira Apr 07 '21 at 16:04
  • I am sorry for not mentioning this earlier (post edited). I am using ROPC - aka Password Grant Type. I know it is not the most secure grant type to use, but that's what we would be using at this stage. I believe IClientStore interface doesn't help much under this specific scenario, or at least I am not seeing how. Nevertheless, thank you for your remarks. – AMFerreira Apr 07 '21 at 17:06
  • I think IClientStore is still used even if you use that flow? – Tore Nestenius Apr 07 '21 at 17:32
  • Indeed you are correct Tore, IClientStore is used. I will try to figure this out and get back with the solution once I have it. – AMFerreira Apr 08 '21 at 16:24
0

I ended up creating a new endpoint, validating the credentials in a custom way, and creating an impersonated token with the help of this: https://stackoverflow.com/a/44322425/2745936

It is not the perfect solution, but it really fits my needs.

AMFerreira