IdentityServer4 register UserService and get users from database in asp.net core

c# asp.net-core identityserver4
71,050

Solution 1

Update - IdentityServer 4 has changed and replaced IUserService with IResourceOwnerPasswordValidator and IProfileService

I used my UserRepository to get all the user data from the database. This is injected (DI) into the constructors, and defined in Startup.cs. I also created the following classes for identity server (which is also injected):

First define ResourceOwnerPasswordValidator.cs:

public class ResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator
{
    //repository to get user from db
    private readonly IUserRepository _userRepository;

    public ResourceOwnerPasswordValidator(IUserRepository userRepository)
    {
        _userRepository = userRepository; //DI
    }

    //this is used to validate your user account with provided grant at /connect/token
    public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
    {
        try
        {
            //get your user model from db (by username - in my case its email)
            var user = await _userRepository.FindAsync(context.UserName);
            if (user != null)
            {
                //check if password match - remember to hash password if stored as hash in db
                if (user.Password == context.Password) {
                    //set the result
                    context.Result = new GrantValidationResult(
                        subject: user.UserId.ToString(),
                        authenticationMethod: "custom", 
                        claims: GetUserClaims(user));

                    return;
                } 

                context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Incorrect password");
                return;
            }
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "User does not exist.");
            return;
        }
        catch (Exception ex)
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Invalid username or password");
        }
    }

    //build claims array from user data
    public static Claim[] GetUserClaims(User user)
    {
        return new Claim[]
        {
            new Claim("user_id", user.UserId.ToString() ?? ""),
            new Claim(JwtClaimTypes.Name, (!string.IsNullOrEmpty(user.Firstname) && !string.IsNullOrEmpty(user.Lastname)) ? (user.Firstname + " " + user.Lastname) : ""),
            new Claim(JwtClaimTypes.GivenName, user.Firstname  ?? ""),
            new Claim(JwtClaimTypes.FamilyName, user.Lastname  ?? ""),
            new Claim(JwtClaimTypes.Email, user.Email  ?? ""),
            new Claim("some_claim_you_want_to_see", user.Some_Data_From_User ?? ""),

            //roles
            new Claim(JwtClaimTypes.Role, user.Role)
        };
}

And ProfileService.cs:

public class ProfileService : IProfileService
{
    //services
    private readonly IUserRepository _userRepository;

    public ProfileService(IUserRepository userRepository)
    {
        _userRepository = userRepository;
    }

    //Get user profile date in terms of claims when calling /connect/userinfo
    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        try
        {
            //depending on the scope accessing the user data.
            if (!string.IsNullOrEmpty(context.Subject.Identity.Name))
            {
                //get user from db (in my case this is by email)
                var user = await _userRepository.FindAsync(context.Subject.Identity.Name);

                if (user != null)
                {
                    var claims = GetUserClaims(user);

                    //set issued claims to return
                    context.IssuedClaims = claims.Where(x => context.RequestedClaimTypes.Contains(x.Type)).ToList();
                }
            }
            else
            {
                //get subject from context (this was set ResourceOwnerPasswordValidator.ValidateAsync),
                //where and subject was set to my user id.
                var userId = context.Subject.Claims.FirstOrDefault(x => x.Type == "sub");

                if (!string.IsNullOrEmpty(userId?.Value) && long.Parse(userId.Value) > 0)
                {
                    //get user from db (find user by user id)
                    var user = await _userRepository.FindAsync(long.Parse(userId.Value));

                    // issue the claims for the user
                    if (user != null)
                    {
                        var claims = ResourceOwnerPasswordValidator.GetUserClaims(user);

                        context.IssuedClaims = claims.Where(x => context.RequestedClaimTypes.Contains(x.Type)).ToList();
                    }
                }
            }
        }
        catch (Exception ex)
        {
            //log your error
        }
    }

    //check if user account is active.
    public async Task IsActiveAsync(IsActiveContext context)
    {
        try
        {
            //get subject from context (set in ResourceOwnerPasswordValidator.ValidateAsync),
            var userId = context.Subject.Claims.FirstOrDefault(x => x.Type == "user_id");

            if (!string.IsNullOrEmpty(userId?.Value) && long.Parse(userId.Value) > 0)
            {
                var user = await _userRepository.FindAsync(long.Parse(userId.Value));

                if (user != null)
                {
                    if (user.IsActive)
                    {
                        context.IsActive = user.IsActive;
                    }
                }
            }
        }
        catch (Exception ex)
        {
            //handle error logging
        }
    }
}

Then in Startup.cs I did the following:

public void ConfigureServices(IServiceCollection services)
{
    //...

    //identity server 4 cert
    var cert = new X509Certificate2(Path.Combine(_environment.ContentRootPath, "idsrv4test.pfx"), "your_cert_password");

    //DI DBContext inject connection string
    services.AddScoped(_ => new YourDbContext(Configuration.GetConnectionString("DefaultConnection")));

    //my user repository
    services.AddScoped<IUserRepository, UserRepository>();

    //add identity server 4
    services.AddIdentityServer()
        .AddSigningCredential(cert)
        .AddInMemoryIdentityResources(Config.GetIdentityResources()) //check below
        .AddInMemoryApiResources(Config.GetApiResources())
        .AddInMemoryClients(Config.GetClients())
        .AddProfileService<ProfileService>();

    //Inject the classes we just created
    services.AddTransient<IResourceOwnerPasswordValidator, ResourceOwnerPasswordValidator>();
    services.AddTransient<IProfileService, ProfileService>();

    //...
}

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    //...

    app.UseIdentityServer();

    JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

    IdentityServerAuthenticationOptions identityServerValidationOptions = new IdentityServerAuthenticationOptions
    {
        //move host url into appsettings.json
        Authority = "http://localhost:50000/",
        ApiSecret = "secret",
        ApiName = "my.api.resource",
        AutomaticAuthenticate = true,
        SupportedTokens = SupportedTokens.Both,

        // required if you want to return a 403 and not a 401 for forbidden responses
        AutomaticChallenge = true,

        //change this to true for SLL
        RequireHttpsMetadata = false
    };

    app.UseIdentityServerAuthentication(identityServerValidationOptions);

    //...
}

You will also need Config.cs which defines your clients, api's and resources. You can find an example here: https://github.com/IdentityServer/IdentityServer4.Demo/blob/master/src/IdentityServer4Demo/Config.cs

You should now be able to call IdentityServer /connect/token

enter image description here

For any further info, please check the documentation: https://media.readthedocs.org/pdf/identityserver4/release/identityserver4.pdf

Old answer (this does not work for newer IdentityServer4 anymore)

Its pretty simple once you understand the flow of things.

Configure your IdentityService like this (in Startup.cs - ConfigureServices()):

var builder = services.AddIdentityServer(options =>
{
    options.SigningCertificate = cert;
});

builder.AddInMemoryClients(Clients.Get());
builder.AddInMemoryScopes(Scopes.Get());

//** this piece of code DI's the UserService into IdentityServer **
builder.Services.AddTransient<IUserService, UserService>();

//for clarity of the next piece of code
services.AddTransient<IUserRepository, UserRepository>();

Then setup your UserService

public class UserService : IUserService
{
    //DI the repository from Startup.cs - see previous code block
    private IUserRepository _userRepository;

    public UserService(IUserRepository userRepository)
    {
        _userRepository = userRepository;
    }

    public Task AuthenticateLocalAsync(LocalAuthenticationContext context)
    {
        var user = _userRepository.Find(context.UserName);

        //check if passwords match against user column 
        //My password was hashed, 
        //so I had to hash it with the saved salt first and then compare.
        if (user.Password == context.Password)
        {
            context.AuthenticateResult = new AuthenticateResult(
                user.UserId.ToString(),
                user.Email,

                //I set up some claims 
                new Claim[]
                {
                    //Firstname and Surname are DB columns mapped to User object (from table [User])
                    new Claim(Constants.ClaimTypes.Name, user.Firstname + " " + user.Surname),
                    new Claim(Constants.ClaimTypes.Email, user.Email),
                    new Claim(Constants.ClaimTypes.Role, user.Role.ToString()),
                    //custom claim
                    new Claim("company", user.Company)
                }
            );
        }

        return Task.FromResult(0);
    }

    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        //find method in my repository to check my user email
        var user = _userRepository.Find(context.Subject.Identity.Name);

        if (user != null)
        {
            var claims = new Claim[]
                {
                    new Claim(Constants.ClaimTypes.Name, user.Firstname + " " + user.Surname),
                    new Claim(Constants.ClaimTypes.Email, user.Email),
                    new Claim(Constants.ClaimTypes.Role, user.Role.ToString(), ClaimValueTypes.Integer),
                    new Claim("company", user.Company)
            };

            context.IssuedClaims = claims.Where(x => context.RequestedClaimTypes.Contains(x.Type));
        }

        return Task.FromResult(0);
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        var user = _userRepository.Find(context.Subject.Identity.Name);

        return Task.FromResult(user != null);
    }
}

Basically by injecting UserService into builder (of type IdentityServerBuilder) Services, allows it to call the UserService on auth.

I hope this helps others as it took me a couple of hours to get this going.

Solution 2

In IdentityServer4. IUserService is not available anymore, now you have to use IResourceOwnerPasswordValidator to do the authentication and to use IProfileService to get the claims.

In my scenario, I use resource owner grant type, and all I need is to get users' claims to do role based authorization for my Web APIs according to the username and password. And I assumed that the subject is unique for every user.

I have posted my codes below, and it can work properly; could anyone tell me that is there any issues about my codes?

Register these two services in the startup.cs.

public void ConfigureServices(IServiceCollection services)
{
    var builder = services.AddIdentityServer();
    builder.AddInMemoryClients(Clients.Get());
    builder.AddInMemoryScopes(Scopes.Get());
    builder.Services.AddTransient<IResourceOwnerPasswordValidator, ResourceOwnerPasswordValidator>();
    builder.Services.AddTransient<IProfileService, ProfileService>();
}

Implement the IResourceOwnerPasswordValidator interface.

public class ResourceOwnerPasswordValidator: IResourceOwnerPasswordValidator
{
    public Task<customgrantvalidationresult> ValidateAsync(string userName, string password, ValidatedTokenRequest request)
    {
        // Check The UserName And Password In Database, Return The Subject If Correct, Return Null Otherwise
        // subject = ......
        if (subject == null)
        {
            var result = new CustomGrantValidationResult("Username Or Password Incorrect");
            return Task.FromResult(result);
        }
        else {
            var result = new CustomGrantValidationResult(subject, "password");
            return Task.FromResult(result);
        }
    }
}

Implement the ProfileService interface.

public class ProfileService : IProfileService
{
    public Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        string subject = context.Subject.Claims.ToList().Find(s => s.Type == "sub").Value;
        try
        {
            // Get Claims From Database, And Use Subject To Find The Related Claims, As A Subject Is An Unique Identity Of User
            //List<string> claimStringList = ......
            if (claimStringList == null)
            {
                return Task.FromResult(0);
            }
            else {
                List<Claim> claimList = new List<Claim>();
                for (int i = 0; i < claimStringList.Count; i++)
                {
                    claimList.Add(new Claim("role", claimStringList[i]));
                }
                context.IssuedClaims = claimList.Where(x => context.RequestedClaimTypes.Contains(x.Type));
                return Task.FromResult(0);
            }
        }
        catch
        {
            return Task.FromResult(0);
        }
    }

    public Task IsActiveAsync(IsActiveContext context)
    {
        return Task.FromResult(0);
    }
}

Solution 3

In IdentityServer4 1.0.0-rc5 neither IUserService nor CustomGrantValidationResult is available.

Now instead of returning an CustomGrantValidationResult you will need to set the context.Result.

 public class ResourceOwnerPasswordValidator: IResourceOwnerPasswordValidator
 {
    private MyUserManager _myUserManager { get; set; }
    public ResourceOwnerPasswordValidator()
    {
        _myUserManager = new MyUserManager();
    }

    public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
    {
        var user = await _myUserManager.FindByNameAsync(context.UserName);
        if (user != null && await _myUserManager.CheckPasswordAsync(user,context.Password))
        {
             context.Result = new GrantValidationResult(
                 subject: "2", 
                 authenticationMethod: "custom", 
                 claims: someClaimsList);


        }
        else
        {
             context.Result = new GrantValidationResult(
                    TokenRequestErrors.InvalidGrant,
                    "invalid custom credential");
         }


        return;

   }

Resource Owner Password Validation

Share:
71,050
Nick De Beer
Author by

Nick De Beer

Updated on February 15, 2020

Comments

  • Nick De Beer
    Nick De Beer about 4 years

    I've searched all over on how to register a UserService with IdentityServer4 in asp.net core, but I cant seem to find the right way to do it.

    This is the code to register InMemoryUsers found here, however I would like to access users from my MSSQL DB not static users defined in the sample.

    var builder = services.AddIdentityServer(options =>
{
    options.SigningCertificate = cert;
});

builder.AddInMemoryClients(Clients.Get());
builder.AddInMemoryScopes(Scopes.Get());
builder.AddInMemoryUsers(Users.Get());

    So then I looked at this which is for IdentityServer3.

    var factory = new IdentityServerServiceFactory()
                .UseInMemoryClients(Clients.Get())
                .UseInMemoryScopes(Scopes.Get());

var userService = new UserService();
factory.UserService = new Registration<IUserService>(resolver => userService);

    From reading online it seems I need to use the DI system to register the UserService, but I'm not sure how it binds to the IdentityServer eg.

    services.AddScoped<IUserService, UserService>();

    So my question is:

    How do I bind my UserService to the builder (IdentityServer4 Users)? And how would I go about calling my database to access and authenticate my existing db users in the UserService (I use repositories to connect to db)?

    Taking into account this has to work with asp.net core.

    Thanks!

  • Frank Fajardo
    Frank Fajardo about 8 years
    Hmmm, from what I can see, the IUserService on IdSvr4 (for ASP.NET Core 1.0) no longer exists. It has been replaced by two interfaces/services IProfileService and IResourceOwnerPasswordValidator.
  • leastprivilege
    leastprivilege about 8 years
    Yes - going forward - they will be split. Separate concerns.
  • fra
    fra over 7 years
    I've followed this answer, but I receive the following error: "Additional information: No storage mechanism for grants specified. Use the 'AddInMemoryStores' extension method to register a development version". I'm using "services.AddIdentityServer" to create the builder, the version of IdentitiServer4 is 1.0.0-rc1-update2.
  • Evan Nagle
    Evan Nagle over 7 years
    It's worth pointing out that if you want to take control of the "sub" claim, you have to do some customization earlier in the pipeline than this.
  • Hussein Salman
    Hussein Salman over 7 years
    Its the same error persisting, even if I provide implementation for both services!
  • Hussein Salman
    Hussein Salman over 7 years
    @EternityWYH can you take a look at this [stackoverflow.com/questions/40797993/…
  • Ilya Chumakov
    Ilya Chumakov about 7 years
    Thanks for answer, for me it was enough to implement IResourceOwnerPasswordValidator and IProfileService in "IdentityServer4": "1.3.1"
  • Sinaesthetic
    Sinaesthetic about 7 years
    for whatever reason, i can't even get this to hit a breakpoint on the first line of the password validator. It automatically just rejects the password. Not seeing any errors in the logs. Also that interface definition for IResourceOwnerPasswordValidator is incorrect. It's only returns Task, not Task<T> and only has the context as parameter
  • Sinaesthetic
    Sinaesthetic about 7 years
    Why is this the selected answer if it can't even apply to identityserver4
  • Nick De Beer
    Nick De Beer about 7 years
    @Sinaesthetic - So sorry about that, identityserver4 has been updated since this answer was posted and does not use IUserService anymore. I've updated my answer, so I hope this helps.
  • DrCopyPaste
    DrCopyPaste almost 7 years
    Regarding the updated part: In ProfileService.GetProfileDataAsync shouldn't the call to GetUserClaims actually be ResourceOwnerPasswordValidator.GetUserClaims (like that other call in the same function)? Or is there one definition of GetUserClaims missing?
  • Uros
    Uros over 6 years
    @NickDeBeer: In GetProfileDataAsync you already have claims in context.Subject.claims. Why do you go to db again?
  • Nick De Beer
    Nick De Beer over 6 years
    @Uros - You should be able to call just context.IssuedClaims = context.Subject.Claims.ToList(); in GetProfileData, just depends if you need to hide some claims from the public or need to do some intermediary logic when viewing profile data.
  • dragonfly02
    dragonfly02 over 6 years
    Does this need updating for .net core 2? I implemented both IProfileServiece and IResourceOwnerPasswordValidator but none of them gets called by the identity server.
  • Noobie3001
    Noobie3001 about 6 years
    Same here, custom classes are not firing on IdentityServer 2.1.3
  • Rzassar
    Rzassar almost 5 years
    In addition to @NickDeBeer's answer, passing claims in ResourceOwnerPasswordValidator will not shown in access-token. Because ProfileService is responsible for that matter. github.com/IdentityServer/IdentityServer4/issues/…

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Exception: Correlation failed. Unknown location
Bearer error="invalid_token", error_description="The issuer is invalid"
Multitenant Identity Server 4
Generate access token with IdentityServer4 without password
Identity Server 4 Authorization Code Flow example
"InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'"
How to add custom claims to access token in IdentityServer4?
using IdentityServer4 with custom Configration DBContext
Identity Server 404 after login (stuck on signin-oidc)
Is it possible to bind Route Value to a Custom Attribute's Property in ASP.NET Core Web API?