HansKindberg/IdentityServer-Extensions

IdentityServer-Extensions

Additions and extensions for IdentityServer.

NuGet

License required for production

Additions and extensions for setting up a configurable, globalizable and localizable IdentityServer implementation.

The idea is to set up an IdentityServer implementation like the included one and configure continuous release with substitution/transforms for Web.config and appsettings.json, or to copy the sample and use it as a template. The copy can then be changed with regard to configuration, style and translations.

IdentityServer:

1 Features

2 Configuration

2.1 Features

See above.

2.2 Globalization

2.3 Localization

2.4 Authentication-schemes

2.4.1 Example

Solution behind it:

2.4.2 Providers
2.4.2.1 Facebook
2.4.2.2 Google
2.4.2.3 Microsoft
2.4.2.4 Twitter
2.4.2.5 Other providers

3 Features and configuration depending on Duende.IdentityServer license

Some features and configuration options depend on the Duende.IdentityServer license, see https://duendesoftware.com/products/identityserver#pricing.

3.1 Automatic key management

If your Duende.IdentityServer license doesn't include the automatic key management feature, disable it in appsettings.json:

{
	"IdentityServer": {
		"KeyManagement": {
			"Enabled": false
		},
	}
}

Configure signing and validation certificates instead (the signing certificate issues new tokens; the validation certificates are previous signing keys that are still published so tokens signed with them can be validated):

3.1.1 Production-example

{
	"IdentityServer": {
		"SigningCertificate": {
			"Options": {
				"Path": "CERT:\\LocalMachine\\My\\CN=IdentityServer-Signing-4"
			},
			"Type": "RegionOrebroLan.Security.Cryptography.Configuration.StoreResolverOptions, RegionOrebroLan"
		},
		"ValidationCertificates": [
			{
				"Options": {
					"Path": "CERT:\\LocalMachine\\My\\CN=IdentityServer-Signing-1"
				},
				"Type": "RegionOrebroLan.Security.Cryptography.Configuration.StoreResolverOptions, RegionOrebroLan"
			},
			{
				"Options": {
					"Path": "CERT:\\LocalMachine\\My\\CN=IdentityServer-Signing-2"
				},
				"Type": "RegionOrebroLan.Security.Cryptography.Configuration.StoreResolverOptions, RegionOrebroLan"
			},
			{
				"Options": {
					"Path": "CERT:\\LocalMachine\\My\\CN=IdentityServer-Signing-3"
				},
				"Type": "RegionOrebroLan.Security.Cryptography.Configuration.StoreResolverOptions, RegionOrebroLan"
			}
		]
	}
}

3.1.2 Development-example

{
	"IdentityServer": {
		"SigningCertificate": {
			"Options": {
				"Password": "password",
				"Path": "Data/Development-Signing-Certificate-4.pfx"
			},
			"Type": "RegionOrebroLan.Security.Cryptography.Configuration.FileResolverOptions, RegionOrebroLan"
		},
		"ValidationCertificates": [
			{
				"Options": {
					"Password": "password",
					"Path": "Data/Development-Signing-Certificate-1.pfx"
				},
				"Type": "RegionOrebroLan.Security.Cryptography.Configuration.FileResolverOptions, RegionOrebroLan"
			},
			{
				"Options": {
					"Password": "password",
					"Path": "Data/Development-Signing-Certificate-2.pfx"
				},
				"Type": "RegionOrebroLan.Security.Cryptography.Configuration.FileResolverOptions, RegionOrebroLan"
			},
			{
				"Options": {
					"Password": "password",
					"Path": "Data/Development-Signing-Certificate-3.pfx"
				},
				"Type": "RegionOrebroLan.Security.Cryptography.Configuration.FileResolverOptions, RegionOrebroLan"
			}
		]
	}
}
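The following is an added example and is not part of the IdentityServer-Extensions project. It reads the IdentityServer section of an appsettings.json shaped like the production and development examples above (sections 3.1.1 and 3.1.2) and checks, before a deployment goes live, that key management is disabled, that every configured certificate resolves and is within its validity period, that the signing certificate actually has a private key, and that no validation certificate duplicates the signing certificate. The StoreResolverOptions path grammar `CERT:\<StoreLocation>\<StoreName>\<Subject>`, exact subject matching, and the function names `Resolve-ConfiguredCertificate` and `Test-IdentityServerCertificates` are this example's own assumptions, not the project's API.

```powershell
# Added example (not project code). Assumes the "Path" grammar
# "CERT:\<StoreLocation>\<StoreName>\<Subject>" for StoreResolverOptions and a
# project-relative file path for FileResolverOptions; subjects are matched exactly.
function Resolve-ConfiguredCertificate {
    param(
        [Parameter(Mandatory)]$Entry,                    # one SigningCertificate / ValidationCertificates object
        [Parameter(Mandatory)][string]$BaseDirectory     # directory that relative PFX paths are resolved against
    )
    $path = [string]$Entry.Options.Path
    if ($Entry.Type -like '*.StoreResolverOptions,*') {
        # "CERT:\LocalMachine\My\CN=IdentityServer-Signing-4" -> location, store name, subject
        $parts = $path -split '\\', 4
        if ($parts.Count -ne 4 -or $parts[0] -ne 'CERT:') { throw "Unexpected store path '$path'" }
        $store = "Cert:\$($parts[1])\$($parts[2])"
        $found = Get-ChildItem -Path $store | Where-Object { $_.Subject -eq $parts[3] } | Sort-Object NotAfter -Descending
        if (-not $found) { throw "No certificate with subject '$($parts[3])' in $store" }
        return ($found | Select-Object -First 1)        # newest one if several share the subject
    }
    if ($Entry.Type -like '*.FileResolverOptions,*') {
        $file = Join-Path $BaseDirectory $path
        if (-not (Test-Path $file)) { throw "Certificate file '$file' not found" }
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file, ([string]$Entry.Options.Password)
    }
    throw "Unsupported certificate resolver type '$($Entry.Type)'"
}

function Test-IdentityServerCertificates {
    param(
        [string]$AppSettingsPath = 'appsettings.json',
        [switch]$Production      # when set, PFX files with passwords in appsettings.json are reported
    )
    $baseDirectory = Split-Path -Parent (Resolve-Path $AppSettingsPath).Path
    # ConvertFrom-Json on Windows PowerShell rejects comments, so strip full-line "//" comments first
    $json = (Get-Content -Raw -Path $AppSettingsPath) -replace '(?m)^\s*//.*$', ''
    $settings = (ConvertFrom-Json $json).IdentityServer
    $problems = New-Object System.Collections.Generic.List[string]
    $now = Get-Date

    if ($settings.KeyManagement.Enabled -ne $false) {
        $problems.Add('IdentityServer:KeyManagement:Enabled is not false; disable it when the license lacks automatic key management.')
    }
    if (-not $settings.SigningCertificate) {
        $problems.Add('No IdentityServer:SigningCertificate configured.')
        return [pscustomobject]@{ Signing = $null; Validation = @(); Problems = $problems.ToArray() }
    }

    $signing = Resolve-ConfiguredCertificate -Entry $settings.SigningCertificate -BaseDirectory $baseDirectory
    if (-not $signing.HasPrivateKey) { $problems.Add("Signing certificate $($signing.Thumbprint) has no private key; it cannot sign tokens.") }
    if ($now -lt $signing.NotBefore -or $now -gt $signing.NotAfter) { $problems.Add("Signing certificate $($signing.Thumbprint) is outside its validity period.") }
    if ($Production -and $settings.SigningCertificate.Type -like '*.FileResolverOptions,*') {
        $problems.Add('Signing certificate is a PFX file with its password in appsettings.json; use the certificate store in production.')
    }

    $validation = @()
    foreach ($entry in @($settings.ValidationCertificates)) {
        $cert = Resolve-ConfiguredCertificate -Entry $entry -BaseDirectory $baseDirectory
        if ($cert.Thumbprint -eq $signing.Thumbprint) { $problems.Add("Validation certificate $($cert.Thumbprint) is the same as the signing certificate.") }
        if ($now -gt $cert.NotAfter) { $problems.Add("Validation certificate $($cert.Thumbprint) has expired; consider removing it from the validation keys.") }
        $validation += $cert.Thumbprint
    }
    [pscustomobject]@{ Signing = $signing.Thumbprint; Validation = $validation; Problems = $problems.ToArray() }
}

# Usage: Test-IdentityServerCertificates -AppSettingsPath .\Project\appsettings.json -Production
```

An empty `Problems` array means the configuration resolves cleanly; the check deliberately reads the store or the PFX files exactly as configured, so running it on the target machine (where `Cert:\LocalMachine\My` holds the production certificates) catches a missing private key or an expired certificate before IdentityServer fails to start.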

3.2 Dynamic Authentication Providers

If your Duende.IdentityServer license doesn't include the Dynamic Authentication Providers feature, disable it in appsettings.json:

{
	"FeatureManagement": {
		...
		"DynamicAuthenticationProviders": false,
		...
	}
}

or remove the line:

{
	"FeatureManagement": {
		...
		// Remove the line below
		"DynamicAuthenticationProviders": true,
		...
	}
}

4 Development

4.1 Migrations

We might want to create or recreate migrations. If we can accept data loss we can recreate the migrations; otherwise we have to update them.

Copy all the commands below and run them in the Package Manager Console for the affected database context.

For more migration information, add the -Verbose parameter:

Add-Migration TheMigration -Context TheDatabaseContext -OutputDir Data/Migrations -Project Project -Verbose;

Important! Before running the commands below, make sure the "Project" project is set as the startup project.

4.1.1 Configuration

4.1.1.1 Create migrations

Write-Host "Removing migrations...";
Remove-Migration -Context SqliteConfiguration -Force -Project Project;
Remove-Migration -Context SqlServerConfiguration -Force -Project Project;
Write-Host "Removing current migrations-directory...";
Remove-Item "Project\Data\Migrations\Configuration" -ErrorAction Ignore -Force -Recurse;
Write-Host "Creating migrations...";
Add-Migration SqliteConfigurationMigration -Context SqliteConfiguration -OutputDir Data/Migrations/Configuration/Sqlite -Project Project;
Add-Migration SqlServerConfigurationMigration -Context SqlServerConfiguration -OutputDir Data/Migrations/Configuration/SqlServer -Project Project;
Write-Host "Finished";

4.1.1.2 Update migrations

Write-Host "Updating migrations...";
Add-Migration SqliteConfigurationMigrationUpdate -Context SqliteConfiguration -OutputDir Data/Migrations/Configuration/Sqlite -Project Project;
Add-Migration SqlServerConfigurationMigrationUpdate -Context SqlServerConfiguration -OutputDir Data/Migrations/Configuration/SqlServer -Project Project;
Write-Host "Finished";

4.1.2 Identity

4.1.2.1 Create migrations

Write-Host "Removing migrations...";
Remove-Migration -Context SqliteIdentity -Force -Project Project;
Remove-Migration -Context SqlServerIdentity -Force -Project Project;
Write-Host "Removing current migrations-directory...";
Remove-Item "Project\Identity\Data\Migrations" -ErrorAction Ignore -Force -Recurse;
Write-Host "Creating migrations...";
Add-Migration SqliteIdentityMigration -Context SqliteIdentity -OutputDir Identity/Data/Migrations/Sqlite -Project Project;
Add-Migration SqlServerIdentityMigration -Context SqlServerIdentity -OutputDir Identity/Data/Migrations/SqlServer -Project Project;
Write-Host "Finished";

4.1.2.2 Update migrations

Write-Host "Updating migrations...";
Add-Migration SqliteIdentityMigrationUpdate -Context SqliteIdentity -OutputDir Identity/Data/Migrations/Sqlite -Project Project;
Add-Migration SqlServerIdentityMigrationUpdate -Context SqlServerIdentity -OutputDir Identity/Data/Migrations/SqlServer -Project Project;
Write-Host "Finished";

4.1.3 Operational (PersistedGrant)

4.1.3.1 Create migrations

Write-Host "Removing migrations...";
Remove-Migration -Context SqliteOperational -Force -Project Project;
Remove-Migration -Context SqlServerOperational -Force -Project Project;
Write-Host "Removing current migrations-directory...";
Remove-Item "Project\Data\Migrations\Operational" -ErrorAction Ignore -Force -Recurse;
Write-Host "Creating migrations...";
Add-Migration SqliteOperationalMigration -Context SqliteOperational -OutputDir Data/Migrations/Operational/Sqlite -Project Project;
Add-Migration SqlServerOperationalMigration -Context SqlServerOperational -OutputDir Data/Migrations/Operational/SqlServer -Project Project;
Write-Host "Finished";

4.1.3.2 Update migrations

Write-Host "Updating migrations...";
Add-Migration SqliteOperationalMigrationUpdate -Context SqliteOperational -OutputDir Data/Migrations/Operational/Sqlite -Project Project;
Add-Migration SqlServerOperationalMigrationUpdate -Context SqlServerOperational -OutputDir Data/Migrations/Operational/SqlServer -Project Project;
Write-Host "Finished";

4.1.4 Plugins

4.1.4.1 SAML

4.1.4.1.1 Create migrations

Write-Host "Removing migrations...";
Remove-Migration -Context SqliteSamlConfiguration -Force -Project Project;
Remove-Migration -Context SqlServerSamlConfiguration -Force -Project Project;
Write-Host "Removing current migrations-directory...";
Remove-Item "Project\Data\Saml\Migrations" -ErrorAction Ignore -Force -Recurse;
Write-Host "Creating migrations...";
Add-Migration SqliteSamlConfigurationMigration -Context SqliteSamlConfiguration -OutputDir Data/Saml/Migrations/Sqlite -Project Project;
Add-Migration SqlServerSamlConfigurationMigration -Context SqlServerSamlConfiguration -OutputDir Data/Saml/Migrations/SqlServer -Project Project;
Write-Host "Finished";

4.1.4.1.2 Update migrations

Write-Host "Updating migrations...";
Add-Migration SqliteSamlConfigurationMigrationUpdate -Context SqliteSamlConfiguration -OutputDir Data/Saml/Migrations/Sqlite -Project Project;
Add-Migration SqlServerSamlConfigurationMigrationUpdate -Context SqlServerSamlConfiguration -OutputDir Data/Saml/Migrations/SqlServer -Project Project;
Write-Host "Finished";

4.1.4.2 WsFederation

4.1.4.2.1 Create migrations

Write-Host "Removing migrations...";
Remove-Migration -Context SqliteWsFederationConfiguration -Force -Project Project;
Remove-Migration -Context SqlServerWsFederationConfiguration -Force -Project Project;
Write-Host "Removing current migrations-directory...";
Remove-Item "Project\Data\WsFederation\Migrations" -ErrorAction Ignore -Force -Recurse;
Write-Host "Creating migrations...";
Add-Migration SqliteWsFederationConfigurationMigration -Context SqliteWsFederationConfiguration -OutputDir Data/WsFederation/Migrations/Sqlite -Project Project;
Add-Migration SqlServerWsFederationConfigurationMigration -Context SqlServerWsFederationConfiguration -OutputDir Data/WsFederation/Migrations/SqlServer -Project Project;
Write-Host "Finished";

4.1.4.2.2 Update migrations

Write-Host "Updating migrations...";
Add-Migration SqliteWsFederationConfigurationMigrationUpdate -Context SqliteWsFederationConfiguration -OutputDir Data/WsFederation/Migrations/Sqlite -Project Project;
Add-Migration SqlServerWsFederationConfigurationMigrationUpdate -Context SqlServerWsFederationConfiguration -OutputDir Data/WsFederation/Migrations/SqlServer -Project Project;
Write-Host "Finished";
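The five create/update blocks in section 4.1 follow one pattern: two contexts named `Sqlite<Area>` and `SqlServer<Area>`, one migrations directory per area with a `Sqlite` and a `SqlServer` subdirectory, migration names `<Context>Migration` or `<Context>MigrationUpdate`, and a destructive removal step for the create case. The function below is an added example, not part of the project; it generalizes the pattern into a single Package Manager Console command, enforces the "Important!" startup-project note, and refuses the data-losing create mode unless the caller opts in. The function name `Invoke-ContextMigrations`, the `-AcceptDataLoss` switch and the use of the `$dte` automation object that the Package Manager Console exposes are this example's own assumptions.

```powershell
# Added example (not project code): one command for the create/update blocks in section 4.1.
# Assumes the Package Manager Console's $dte object to read the startup project (assumption).
function Invoke-ContextMigrations {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Area,                 # Configuration, Identity, Operational, SamlConfiguration, ...
        [Parameter(Mandatory)][string]$MigrationsDirectory,  # e.g. Data/Migrations/Configuration, relative to the project
        [ValidateSet('Create', 'Update')][string]$Mode = 'Update',
        [string]$Project = 'Project',
        [switch]$AcceptDataLoss                              # required for -Mode Create, which recreates migrations
    )

    # The README's "Important!" note: the "Project" project must be the startup project.
    $pattern = '(^|[\\/])' + [regex]::Escape($Project) + '\.csproj$'
    $startup = @($dte.Solution.SolutionBuild.StartupProjects)
    if (-not ($startup | Where-Object { $_ -match $pattern })) {
        throw "Set '$Project' as startup project before running migrations (current: $($startup -join ', '))."
    }

    # Pass -Verbose through to Add-Migration when the caller asked for it (see the -Verbose note above).
    $verboseArgs = @{}
    if ($PSBoundParameters['Verbose']) { $verboseArgs['Verbose'] = $true }
    $providers = 'Sqlite', 'SqlServer'

    if ($Mode -eq 'Create') {
        if (-not $AcceptDataLoss) {
            throw 'Recreating migrations loses data; pass -AcceptDataLoss or use -Mode Update.'
        }
        Write-Host "Removing migrations..."
        foreach ($provider in $providers) { Remove-Migration -Context "$provider$Area" -Force -Project $Project }
        Write-Host "Removing current migrations-directory..."
        Remove-Item (Join-Path $Project ($MigrationsDirectory -replace '/', '\')) -ErrorAction Ignore -Force -Recurse
        Write-Host "Creating migrations..."
        $suffix = 'Migration'
    } else {
        Write-Host "Updating migrations..."
        $suffix = 'MigrationUpdate'
    }

    foreach ($provider in $providers) {
        $context = "$provider$Area"
        Add-Migration "$context$suffix" -Context $context -OutputDir "$MigrationsDirectory/$provider" -Project $Project @verboseArgs
    }
    Write-Host "Finished"
}

# Usage (Package Manager Console), equivalent to the blocks above:
# Invoke-ContextMigrations -Area Configuration -MigrationsDirectory Data/Migrations/Configuration -Mode Create -AcceptDataLoss
# Invoke-ContextMigrations -Area Identity -MigrationsDirectory Identity/Data/Migrations
# Invoke-ContextMigrations -Area SamlConfiguration -MigrationsDirectory Data/Saml/Migrations -Verbose
```

The startup-project check is what prevents the common failure of generating migrations against the wrong project, and the explicit `-AcceptDataLoss` switch keeps the destructive `Remove-Item` step from being reached by a mistyped `-Mode`.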

5 Technicalities

5.1 Development-environment

This solution is built on:

  • Visual Studio Enterprise 2019
  • Windows 10

5.2 NuGet

The solution uses the following NuGet-packages:

5.3 Documentation

5.4 Examples

5.5 Information

5.5.1 Products

6 Notes

Various notes saved during development.

6.1 Mutual TLS (client-certificate-authentication)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\SendTrustedIssuerList

If it does not exist, create it as REG_DWORD.

Values (REG_DWORD):

  • 0 - Off
  • 1 - On

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\ClientAuthTrustMode

If it does not exist, create it as REG_DWORD.

Values (REG_DWORD):

  • 0 - Machine Trust (default) - Requires that the client certificate is issued by a certificate in the Trusted Issuers list.
  • 1 - Exclusive Root Trust - Requires that a client certificate chains to a root certificate contained in the caller-specified trusted issuer store. The certificate must also be issued by an issuer in the Trusted Issuers list.
  • 2 - Exclusive CA Trust - Requires that a client certificate chains to either an intermediate CA certificate or a root certificate in the caller-specified trusted issuer store.

IdentityServer mTLS endpoints:

  • /connect/mtls/token
  • /connect/mtls/revocation
  • /connect/mtls/introspect
  • /connect/mtls/deviceauthorization
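The two Schannel registry values above are easy to get wrong by hand (wrong value type, or a value outside the documented range). The following is an added example, not part of the project: it reads each value back with its meaning and sets it, creating it as REG_DWORD when it does not yet exist, while refusing anything outside the documented range. The function names `Get-SchannelClientAuthSetting` and `Set-SchannelClientAuthSetting` are this example's own; the allowed values are the ones listed in the note. Run it in an elevated PowerShell on the IdentityServer host.

```powershell
# Added example (not project code): safe read/write of the Schannel client-certificate settings.
$SchannelPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel'
$SchannelValues = @{
    SendTrustedIssuerList = @{ 0 = 'Off'; 1 = 'On' }
    ClientAuthTrustMode   = @{ 0 = 'Machine Trust'; 1 = 'Exclusive Root Trust'; 2 = 'Exclusive CA Trust' }
}

function Get-SchannelClientAuthSetting {
    param([Parameter(Mandatory)][ValidateSet('SendTrustedIssuerList', 'ClientAuthTrustMode')][string]$Name)
    $item  = Get-ItemProperty -Path $SchannelPath -Name $Name -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.$Name } else { $null }
    [pscustomobject]@{
        Name    = $Name
        Value   = $value
        Meaning = if ($null -eq $value) { 'not set (Windows default applies)' }
                  elseif ($SchannelValues[$Name].ContainsKey($value)) { $SchannelValues[$Name][$value] }
                  else { 'undocumented value' }
    }
}

function Set-SchannelClientAuthSetting {
    [CmdletBinding(SupportsShouldProcess)]   # allows -WhatIf for a dry run
    param(
        [Parameter(Mandatory)][ValidateSet('SendTrustedIssuerList', 'ClientAuthTrustMode')][string]$Name,
        [Parameter(Mandatory)][int]$Value
    )
    if (-not $SchannelValues[$Name].ContainsKey($Value)) {
        $allowed = ($SchannelValues[$Name].Keys | Sort-Object) -join ', '
        throw "Invalid value $Value for $Name; allowed values: $allowed"
    }
    $target = "$SchannelPath\$Name"
    if ($PSCmdlet.ShouldProcess($target, "set to $Value ($($SchannelValues[$Name][$Value]))")) {
        $existing = Get-ItemProperty -Path $SchannelPath -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $existing) {
            # Create it as REG_DWORD, as the note above requires
            New-ItemProperty -Path $SchannelPath -Name $Name -Value $Value -PropertyType DWord | Out-Null
        } else {
            Set-ItemProperty -Path $SchannelPath -Name $Name -Value $Value
        }
    }
    Get-SchannelClientAuthSetting -Name $Name
}

# Usage:
# Get-SchannelClientAuthSetting -Name ClientAuthTrustMode
# Set-SchannelClientAuthSetting -Name SendTrustedIssuerList -Value 1 -WhatIf
# Set-SchannelClientAuthSetting -Name ClientAuthTrustMode -Value 2
```

`Get-SchannelClientAuthSetting` distinguishes "not set" from an explicit value, which matters because an absent `ClientAuthTrustMode` behaves as Machine Trust (the default named in the note) without the value ever appearing in the registry.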

6.2 Links