I've been crawling all over the web to find some data about IdentityServer4 and what it's really used for.
From what I've understood so far, IdentityServer4 is the token issuer and it's the system that will keep the link between what resources a specific client can access or not. So, IdentityServer will get client identification to say if, yes or no, it has the right to access this resource, or it will get the user identification (aka mail and password) to get a token to say if the user is registered or not.
If I'm not mistaken, this means that the user store has to be near IdentityServer OR that IdentityServer should be aware of every modification that has been made in the user store. I haven't found anything valuable on this concerning the latest version of IdentityServer. Moreover, it seems that IdentityServer needs ASP.NET Identity, which means that information will be duplicated...
Is there anything I don't understand or am getting wrong? If not, how is it easily doable (considering I'm starting from scratch and I have to migrate an old legacy user store)?
You have a couple of options for the user management:
Options 1 & 2 have a lot of examples and a quickstart for each of them, so I won't go deep there.
Option 3 - custom implementation. We ended up with this on our side. We had lots of custom things on our side (it felt irrelevant to extend/override the EF approach) and we didn't need ASP.NET Identity, so we decided to go with a custom implementation.
More or less - we have a db that holds our users, EF for accessing the db (works with PostgreSQL, SQL Server, and a lot more, so you have the freedom here) and custom services that serve for CRUD operations and whatever else you need for your tables.
IdentityServer allows you to hook up custom implementations of almost every service/store that it is using:
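    // Register the custom implementations with the IdentityServer builder.
    services.AddIdentityServer()
        .AddInMemoryCaching()                             // cache used by the *StoreCache wrappers
        .AddProfileService<ProfileService>()              // custom IProfileService
        .AddClientStoreCache<ClientStore>()               // custom IClientStore, cached
        .AddResourceStoreCache<ApiResourceStore>();       // custom IResourceStore, cached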
All of these are custom implementations of their interfaces. Also you have the freedom to modify the AccountController, where the actual login takes place, so you can hook up your user service there, and check against your own db.
So basically the approach here depends on you, your time frame etc.
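A sketch of what the custom ProfileService registered above could look like when it reads straight from an existing user database. This is an added example, not code from the answer or from the IdentityServer project; it assumes the IdentityServer4 NuGet package, and ILegacyUserStore and LegacyUser are hypothetical names standing in for your own user service and table.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;

// Hypothetical shape of a row in the existing user table.
public class LegacyUser
{
    public string Id { get; set; }
    public string Email { get; set; }
    public bool IsLocked { get; set; }
}

// Hypothetical abstraction over the existing user database.
public interface ILegacyUserStore
{
    Task<LegacyUser> FindByIdAsync(string subjectId);
}

public class ProfileService : IProfileService
{
    private readonly ILegacyUserStore _users;
    public ProfileService(ILegacyUserStore users) => _users = users;

    // Called when claims are needed for a token or the userinfo endpoint.
    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var user = await _users.FindByIdAsync(context.Subject.GetSubjectId());
        if (user == null) return; // unknown subject: issue no claims

        var claims = new List<Claim> { new Claim(JwtClaimTypes.Email, user.Email) };
        // Emit only the claim types the requested scopes actually ask for.
        context.IssuedClaims.AddRange(
            claims.Where(c => context.RequestedClaimTypes.Contains(c.Type)));
    }

    // Called before tokens are issued or refreshed. Because it queries the
    // existing store directly, a deleted or locked user stops getting tokens
    // without any copy of the user data living inside IdentityServer.
    public async Task IsActiveAsync(IsActiveContext context)
    {
        var user = await _users.FindByIdAsync(context.Subject.GetSubjectId());
        context.IsActive = user != null && !user.IsLocked;
    }
}
```

Self-contained access tokens that were already issued stay valid until they expire, so keep their lifetime short if locking an account has to take effect quickly.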