HigginsSoft.IdentityServer8.Admin.EntityFramework.Extensions
8.0.1
See the version list below for details.
dotnet add package HigginsSoft.IdentityServer8.Admin.EntityFramework.Extensions --version 8.0.1
NuGet\Install-Package HigginsSoft.IdentityServer8.Admin.EntityFramework.Extensions -Version 8.0.1
<PackageReference Include="HigginsSoft.IdentityServer8.Admin.EntityFramework.Extensions" Version="8.0.1" />
paket add HigginsSoft.IdentityServer8.Admin.EntityFramework.Extensions --version 8.0.1
#r "nuget: HigginsSoft.IdentityServer8.Admin.EntityFramework.Extensions, 8.0.1"
// Install HigginsSoft.IdentityServer8.Admin.EntityFramework.Extensions as a Cake Addin #addin nuget:?package=HigginsSoft.IdentityServer8.Admin.EntityFramework.Extensions&version=8.0.1 // Install HigginsSoft.IdentityServer8.Admin.EntityFramework.Extensions as a Cake Tool #tool nuget:?package=HigginsSoft.IdentityServer8.Admin.EntityFramework.Extensions&version=8.0.1
Identity Server 8 update
This project is a DotNet 8 revival of the Identity Server 4 and Identity Server 4 Admin UI, for Open ID Connect (OIDC) and OAuth, which was archived when .NET Core 3.1 reached end of support.
HigginsSoft.IdentityServer8 and Admin UI Nuget Packages are available here for use in DotNet 8.
IdentityServer8.Admin
The administration for the IdentityServer8 and Asp.Net Core Identity
Project Status
The application is written in the Asp.Net Core MVC - using .NET 8
This project is a refresh of the now deprecated original IdentityServer4.Admin which is no longer being maintained.
HigginsSoft.IdentityServer8 Nuget Packages are available for use in DotNet 8 projects.
Work is currently being done to update the project to t DotNet 8.
Initially the main nuget packages supporting DotNet 8 will be released, followed by the DotNet tool and project templates.
Once the project is stable, the documentation will be updated to reflect the changes.
In the meantime, the original documentation is still available and should work for most cases.
That project used the commerical paid version of Identity Server offered by Duende Software.
π If you are looking for the paid version of Duende IdentityServer Admin UI, it is available here β‘
Build Status And Stats
Nuget Packages
Identity Server 8
Identity Server 8 Administration UI
Requirements
- Install the latest .NET 6 SDK (using older versions may lead to 502.5 errors when hosted on IIS or application exiting immediately after starting when self-hosted)
Installation via dotnet new template
- Install the dotnet new template:
dotnet new -i IdentityServer8.Admin.Templates::2.1.0
Create new project:
dotnet new IdentityServer8Admin --name MyProject --title MyProject --adminemail "admin@example.com" --adminpassword "Pa$$word123" --adminrole MyRole --adminclientid MyClientId --adminclientsecret MyClientSecret --dockersupport true
Project template options:
--name: [string value] for project name
--adminpassword: [string value] admin password
--adminemail: [string value] admin email
--title: [string value] for title and footer of the administration in UI
--adminrole: [string value] for name of admin role, that is used to authorize the administration
--adminclientid: [string value] for client name, that is used in the IdentityServer8 configuration for admin client
--adminclientsecret: [string value] for client secret, that is used in the IdentityServer8 configuration for admin client
--dockersupport: [boolean value] include docker support
How to configure the Administration - IdentityServer8 and Asp.Net Core Identity
Template uses following list of nuget packages
Running in Visual Studio
- Set Startup projects:
- IdentityServer8.Admin
- IdentityServer8.Admin.Api
- IdentityServer8.STS.Identity
Configuration of Administration for Deployment
- Configuration of Admin for deploy on Azure
- Configuration of Admin on Ubuntu with PostgreSQL database
Administration UI preview
- This administration uses bootstrap 4
Admin UI - Light mode π
Admin UI - Dark mode π
Security token service (STS)
Forms
Cloning
git clone https://github.com/higginssoft/IdentityServer8.Admin
Running via Docker
- It is possible to run Admin UI through the docker.
Docker setup
DNS
We need some resolving capabilities in order for the project to work. The domain higginssoft.local
is used here to represent the domain this setup is hosted on. The domain-name needs to be FQDN (fully qualified domain name).
Thus first, we need the domain higginssoft.local
to resolve to the docker-host machine. If you want this to work on your local machine only, use the first option.
DNS on docker-host machine only
Edit your hosts file:
- On Linux:
\etc\hosts
- On Windows:
C:\Windows\system32\drivers\etc\hosts
and add the following entries:
127.0.0.1 higginssoft.local sts.higginssoft.local admin.higginssoft.local admin-api.higginssoft.local
This way your host machine resolves higginssoft.local
and its subdomains to itself.
Certificates
We also need certificates in order to serve on HTTPS. We'll make our own self-signed certificates with mkcert.
If the domain is publicly available through DNS, you can use Let's Encypt. Nginx-proxy has support for that, which is left out in this setup.
MkCert
Create the root certificate
Use mkcert to generate local self-signed certificates.
On windows mkcert -install
must be executed under elevated Administrator privileges. Then copy over the CA Root certificate over to the project as we want to mount this in later into the containers without using an environment variable.
cd shared/nginx/certs
mkcert --install
copy $env:LOCALAPPDATA\mkcert\rootCA.pem ./cacerts.pem
copy $env:LOCALAPPDATA\mkcert\rootCA.pem ./cacerts.crt
Create the higginssoft.local
certificates
Generate a certificate for higginssoft.local
with wildcards for the subdomains. The name of the certificate files need to match with actual domain-names in order for the nginx-proxy to pick them up correctly. We want both the crt-key and the pfx version.
cd shared/nginx/certs
mkcert -cert-file higginssoft.local.crt -key-file higginssoft.local.key higginssoft.local *.higginssoft.local
mkcert -pkcs12 higginssoft.local.pfx higginssoft.local *.higginssoft.local
This docker setup is come from this repository - thanks to bravecobra. π
Run docker-compose
- Project contains the
docker-compose.vs.debug.yml
anddocker-compose.override.yml
to enable debugging with a seeded environment. - The following possibility to get a running seeded and debug-able (in VS) environment:
docker-compose build
docker-compose up -d
It is also possible to set as startup project the project called
docker-compose
in Visual Studio.
Docker images
- Docker images will be available also in docker hub
Publish Docker images to Docker hub
- Check the script in
build/publish-docker-images.ps1
- change the profile name according to your requirements.
Installation of the Client Libraries
cd src/IdentityServer8.Admin
npm install
cd src/IdentityServer8.STS.Identity
npm install
Bundling and Minification
The following Gulp commands are available:
gulp fonts
- copy fonts to thedist
foldergulp styles
- minify CSS, compile SASS to CSSgulp scripts
- bundle and minify JSgulp clean
- remove thedist
foldergulp build
- run thestyles
andscripts
tasksgulp watch
- watch all changes in all sass files
EF Core & Data Access
The solution uses these
DbContexts
:AdminIdentityDbContext
: for Asp.Net Core IdentityAdminLogDbContext
: for loggingIdentityServerConfigurationDbContext
: for IdentityServer configuration storeIdentityServerPersistedGrantDbContext
: for IdentityServer operational storeAdminAuditLogDbContext
: for Audit LoggingIdentityServerDataProtectionDbContext
: for dataprotection
Run entity framework migrations:
NOTE: Initial migrations are a part of the repository.
It is possible to use powershell script in folder
build/add-migrations.ps1
.This script take two arguments:
- --migration (migration name)
- --migrationProviderName (provider type - available choices: All, SqlServer, MySql, PostgreSQL)
For example:
.\add-migrations.ps1 -migration DbInit -migrationProviderName SqlServer
Available database providers:
- SqlServer
- MySql
- PostgreSQL
It is possible to switch the database provider via
appsettings.json
:
"DatabaseProviderConfiguration": {
"ProviderType": "SqlServer"
}
Connection strings samples for available db providers:
PostgreSQL:
Server=localhost;Port=5432;Database=IdentityServer8Admin;User Id=sa;Password=#;
MySql:
server=localhost;database=IdentityServer8Admin;user=root;password=#
We suggest to use seed data:
- In
Program.cs
βMain
, uncommentDbMigrationHelpers.EnsureSeedData(host)
or use dotnet CLIdotnet run /seed
or viaSeedConfiguration
inappsettings.json
- The
Clients
andResources
files inidentityserverdata.json
(section called: IdentityServerData) - are the initial data, based on a sample from IdentityServer8 - The
Users
file inidentitydata.json
(section called: IdentityData) contains the default admin username and password for the first login
Authentication and Authorization
- Change the specific URLs and names for the IdentityServer and Authentication settings in
appsettings.json
- In the controllers is used the policy which name is stored in -
AuthorizationConsts.AdministrationPolicy
. In the policy -AuthorizationConsts.AdministrationPolicy
is defined required role stored in -appsettings.json
-AdministrationRole
. - With the default configuration, it is necessary to configure and run instance of IdentityServer8. It is possible to use initial migration for creating the client as it mentioned above
Azure Key Vault
- It is possible to use Azure Key Vault and configure it in the
appsettings.json
with following configuration:
"AzureKeyVaultConfiguration": {
"AzureKeyVaultEndpoint": "",
"ClientId": "",
"ClientSecret": "",
"UseClientCredentials": true
}
If your application is running in Azure App Service
, you can specify AzureKeyVaultEndpoint
. For applications which are running outside of Azure environment it is possible to use the client credentials flow - so it is necesarry to go to Azure portal, register new application and connect this application to Azure Key Vault and setup the client secret.
- It is possible to use Azure Key Vault for following parts of application:
Application Secrets and Database Connection Strings:
- It is necesarry to configure the connection to Azure Key Vault and allow following settings:
"AzureKeyVaultConfiguration": {
"ReadConfigurationFromKeyVault": true
}
Dataprotection:
Enable Azure Key Vault for dataprotection with following configuration:
"DataProtectionConfiguration": {
"ProtectKeysWithAzureKeyVault": false
}
The you need specify the key identifier in configuration:
"AzureKeyVaultConfiguration": {
"DataProtectionKeyIdentifier": ""
}
IdentityServer certificate for signing tokens:
- It is possible to go to Azure Key Vault - generate new certificate and use this certificate name below:
"AzureKeyVaultConfiguration": {
"IdentityServerCertificateName": ""
}
Logging
We are using
Serilog
with pre-definded following Sinks - white are available inserilog.json
:- Console
- File
- MSSqlServer
- Seq
{
"Serilog": {
"MinimumLevel": {
"Default": "Error",
"Override": {
"Skoruba": "Information"
}
},
"WriteTo": [
{
"Name": "Console"
},
{
"Name": "File",
"Args": {
"path": "log.txt",
"rollingInterval": "Day"
}
},
{
"Name": "MSSqlServer",
"Args": {
"connectionString": "...",
"tableName": "Log",
"columnOptionsSection": {
"addStandardColumns": [ "LogEvent" ],
"removeStandardColumns": [ "Properties" ]
}
}
}
]
}
}
Audit Logging
- This solution uses audit logging via - https://github.com/higginssoft/AuditLogging (check this link for more detal about this implementation π)
- In the Admin UI project is following setup:
services.AddAuditLogging(options => { options.Source = auditLoggingConfiguration.Source; })
.AddDefaultHttpEventData(subjectOptions =>
{
subjectOptions.SubjectIdentifierClaim = auditLoggingConfiguration.SubjectIdentifierClaim;
subjectOptions.SubjectNameClaim = auditLoggingConfiguration.SubjectNameClaim;
},
actionOptions =>
{
actionOptions.IncludeFormVariables = auditLoggingConfiguration.IncludeFormVariables;
})
.AddAuditSinks<DatabaseAuditEventLoggerSink<TAuditLog>>();
// repository for library
services.AddTransient<IAuditLoggingRepository<TAuditLog>, AuditLoggingRepository<TAuditLoggingDbContext, TAuditLog>>();
// repository and service for admin
services.AddTransient<IAuditLogRepository<TAuditLog>, AuditLogRepository<TAuditLoggingDbContext, TAuditLog>>();
services.AddTransient<IAuditLogService, AuditLogService<TAuditLog>>();
Admin Configuration
Admin and STS can be customized without editing code in appsettings.json
under AdminConfiguration section
Themes
Ui can be customized using themes integrated from bootswatch.
From version 2.0.0 is possible to change theme from UI. π
By default, configuration value is null to use default theme. if you want to use a theme, just fill the lowercase theme name as configuration value of Theme
key.
You can also use your custom theme by integrating it in your project or hosting css on your place to pass the url in CustomThemeCss
key. (Note that custom theme override standard theme)
- Important Note: Theme can use external resources which caused errors due to CSP. If you get errors, please make sure that you configured correctly CSP section in your
appsettings.json
with thrusted domains for resources.
"AdminConfiguration": {
"PageTitle": "Skoruba IdentityServer8",
"HomePageLogoUri": "~/images/higginssoft-icon.png",
"FaviconUri": "~/favicon.ico",
"Theme": "united",
"CustomThemeCss": null,
...
},
Audit Logging Configuration
In appsettings.json
is following configuration:
"AuditLoggingConfiguration": {
"Source": "IdentityServer.Admin.Web",
"SubjectIdentifierClaim": "sub",
"SubjectNameClaim": "name",
"IncludeFormVariables": false
}
The IdentityServer8.Admin.BusinessLogic
layer contains folder called Events
for audit logging. In each method in Services is called function LogEventAsync
like this:
await AuditEventLogger.LogEventAsync(new ClientDeletedEvent(client));
Final audit log is available in the table dbo.AuditLog
.
Login Configuration
- In
IdentityServer8.STS.Identity
- inappsettings.json
is possible to specify which column will be used for login (Username
orEmail
):
"LoginConfiguration": {
"ResolutionPolicy": "Username"
}
or using Email
:
"LoginConfiguration": {
"ResolutionPolicy": "Email"
}
Register Configuration
- In
IdentityServer8.STS.Identity
- inappsettings.json
is possible to disable user registration (default: true
):
"RegisterConfiguration": {
"Enabled": false
}
How to configure API & Swagger
- For development is running on url -
https://localhost:44302
and swagger UI is available on url -https://localhost:44302/swagger
- For swagger UI is configured a client and an API in STS:
"AdminApiConfiguration": {
"IdentityServerBaseUrl": "https://localhost:44310",
"OidcSwaggerUIClientId": "higginssoft_identity_admin_api_swaggerui",
"OidcApiName": "higginssoft_identity_admin_api"
}
- Swagger UI contains following endpoints:
How to configure an external provider in STS
- In
IdentityServer8.STS.Identity/Helpers/StartupHelpers.cs
- is method calledAddExternalProviders
which contains the example withGitHub
,AzureAD
configured inappsettings.json
:
"ExternalProvidersConfiguration": {
"UseGitHubProvider": false,
"GitHubClientId": "",
"GitHubClientSecret": "",
"UseAzureAdProvider": false,
"AzureAdClientId": "",
"AzureAdTenantId": "",
"AzureInstance": "",
"AzureAdSecret": "",
"AzureAdCallbackPath": "",
"AzureDomain": ""
}
- It is possible to extend
ExternalProvidersConfiguration
with another configuration properties. - If you use DockerHub built image, you can use appsettings to configure these providers without changing the code
- GitHub
- AzureAD
List of external providers for ASP.NET Core:
- https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers
- https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/
Azure AD
- Great article how to set up Azure AD:
Email service
- It is possible to set up emails via:
SendGrid
In STS project - in appsettings.json
:
"SendgridConfiguration": {
"ApiKey": "",
"SourceEmail": "",
"SourceName": ""
}
SMTP
"SmtpConfiguration": {
"From": "",
"Host": "",
"Login": "",
"Password": ""
}
CSP - Content Security Policy
- If you want to use favicon or logo not included/hosted on the same place, you need to declare trusted domain where resources are hosted in appsettings.json.
"CspTrustedDomains": [
"google.com",
"mydomain.com"
],
Health checks
- AdminUI, AdminUI Api and STS contain endpoint
health
, which check databases and IdentityServer.
Localizations - labels, messages
- The project has following translations:
- English
- Chinese
- Russian
- Persian
- Swedish
- Danish
- Spanish
- French
- Finish
- German
- Portuguese
Feel free to send a PR with your translation. π
All labels and messages are stored in the resources
.resx
- locatated in/Resources
- Client label descriptions from - http://docs.identityserver.io/en/latest/reference/client.html
- Api Resource label descriptions from - http://docs.identityserver.io/en/latest/reference/api_resource.html
- Identity Resource label descriptions from - http://docs.identityserver.io/en/latest/reference/identity_resource.html
Tests
- The solution contains unit and integration tests.
Integration tests use StartupTest class which is pre-configured with:
DbContext
contains setup for InMemory databaseAuthentication
is setup forCookieAuthentication
- with fake login url for testing purpose onlyAuthenticatedTestRequestMiddleware
- middleware for testing of authentication.
Overview
Solution structure:
STS:
IdentityServer8.STS.Identity
- project that contains the instance of IdentityServer8 and combine these samples - Quickstart UI for the IdentityServer8 with Asp.Net Core Identity and EF Core storage and damienbod - IdentityServer8 and Identity template
Admin UI Api:
IdentityServer8.Admin.Api
- project with Api for managing data of IdentityServer8 and Asp.Net Core Identity, with swagger support as well
Admin UI:
IdentityServer8.Admin.UI
- ASP.NET Core MVC application that contains Admin UIIdentityServer8.Admin
- ASP.NET Core MVC application that uses Admin UI package and it's only for application bootstrapIdentityServer8.Admin.BusinessLogic
- project that contains Dtos, Repositories, Services and Mappers for the IdentityServer8IdentityServer8.Admin.BusinessLogic.Identity
- project that contains Dtos, Repositories, Services and Mappers for the Asp.Net Core IdentityIdentityServer8.Admin.BusinessLogic.Shared
- project that contains shared Dtos and ExceptionHandling for the Business Logic layer of the IdentityServer8 and Asp.Net Core IdentityIdentityServer8.Shared
- Shared common Identity DTOS for Admin UI, Admin UI Api and STSIdentityServer8.Shared.Configuration
- Shared common layer for Admin UI, Admin UI Api and STSIdentityServer8.Admin.EntityFramework
- EF Core data layer that contains Entities for the IdentityServer8IdentityServer8.Admin.EntityFramework.Configuration
- EF Core data layer that contains configurationsIdentityServer8.Admin.EntityFramework.Identity
- EF Core data layer that contains Repositories for the Asp.Net Core IdentityIdentityServer8.Admin.EntityFramework.Extensions
- project that contains extensions related to EntityFrameworkIdentityServer8.Admin.EntityFramework.Shared
- project that contains DbContexts for the IdentityServer8, Logging and Asp.Net Core Identity, inluding shared Identity entitiesIdentityServer8.Admin.EntityFramework.SqlServer
- project that contains migrations for SqlServerIdentityServer8.Admin.EntityFramework.MySql
- project that contains migrations for MySqlIdentityServer8.Admin.EntityFramework.PostgreSQL
- project that contains migrations for PostgreSQL
Tests:
IdentityServer8.Admin.IntegrationTests
- xUnit project that contains the integration tests for AdminUIIdentityServer8.Admin.Api.IntegrationTests
- xUnit project that contains the integration tests for AdminUI ApiIdentityServer8.Admin.UnitTests
- xUnit project that contains the unit tests for AdminUIIdentityServer8.STS.IntegrationTests
- xUnit project that contains the integration tests for STS
The admininistration contains the following sections:
IdentityServer8
Clients
It is possible to define the configuration according the client type - by default the client types are used:
Empty
Web Application - Server side - Authorization Code Flow with PKCE
Single Page Application - Javascript - Authorization Code Flow with PKCE
Native Application - Mobile/Desktop - Authorization Code Flow with PKCE
Machine/Robot - Client Credentials flow
TV and Limited-Input Device Application - Device flow
Actions: Add, Update, Clone, Remove
Entities:
- Client Cors Origins
- Client Grant Types
- Client IdP Restrictions
- Client Post Logout Redirect Uris
- Client Properties
- Client Redirect Uris
- Client Scopes
- Client Secrets
API Resources
- Actions: Add, Update, Remove
- Entities:
- Api Claims
- Api Scopes
- Api Scope Claims
- Api Secrets
- Api Properties
Identity Resources
- Actions: Add, Update, Remove
- Entities:
- Identity Claims
- Identity Properties
Asp.Net Core Identity
Users
- Actions: Add, Update, Delete
- Entities:
- User Roles
- User Logins
- User Claims
Roles
- Actions: Add, Update, Delete
- Entities:
- Role Claims
Application Diagram
Roadmap & Vision
1.0.0:
- Create the Business Logic & EF layers - available as a nuget package
- Create a project template using dotnet CLI -
dotnet new template
- First template: The administration of the IdentityServer8 and Asp.Net Core Identity
- Add logging into
- Database
- File
- Seq
- Add localization for other languages
- English
- Chinese
- Russian
- Persian
- Swedish
- Danish
- Spanish
- French
- Finish
- Manage profile
- Password reset
- Link account to an external provider (example with Github)
- Two-Factor Authentication (2FA)
- User registration
- Email service
- SendGrid
- Add API
- IdentityServer8
- Asp.Net Core Identity
- Add swagger support
- Add audit logs to track changes (#61)
- Docker support (#121)
- Health Checks (Databases and IdentityServer)
- Support for multiple database providers (SqlServer, Mysql, PostgreSQL)
- Simplify Admin Identity middleware (#430)
- Add support for loading signing key from Azure Key Vault (#533)
- Protect keys for dataprotection from Azure Key Vault (#715)
2.0.0
- Update to IdentityServer8 version 4 (#633)
- Add support for themes (#725)
- Extract UI part into nuget package (#770, #409, #55, #322, #28, #133)
3.0.0
- Connect Admin Api to the Admin UI (#478)
4.0.0:
- Create a project template using dotnet CLI -
dotnet new template
- Second template: The administration of the IdentityServer8 (without Asp.Net Core Identity) (#79)
- Add windows authentication (#479)
Future:
- Add UI tests (#97, #116)
- Add more unit and integration tests π
- Extend administration for another protocols
Licence
This repository is licensed under the terms of the MIT license.
NOTE: This repository uses the source code from https://github.com/IdentityServer/IdentityServer8.Quickstart.UI which is under the terms of the Apache License 2.0.
Acknowledgements
This web application is based on these projects:
- ASP.NET Core
- IdentityServer8.EntityFramework
- ASP.NET Core Identity
- XUnit
- Fluent Assertions
- Bogus
- AutoMapper
- Serilog
Thanks to TomΓ‘Ε‘ HΓΌbelbauer for the initial code review.
Thanks to Dominick Baier and Brock Allen - the creators of IdentityServer8.
Contributors
Thanks goes to these wonderful people (emoji key):
This project follows the all-contributors specification. Contributions of any kind are welcome!
Contact and Suggestion
I am happy to share my attempt of the implementation of the administration for IdentityServer8 and ASP.NET Core Identity.
Any feedback is welcome - feel free to create an issue or send me an email - jan@higginssoft.com. Thank you π
Support and Donation ποΈ
If you like my work, you can support me by donation. π
Paypal
https://www.paypal.me/higginssoft
Patreon
Product | Versions Compatible and additional computed target framework versions. |
---|---|
.NET | net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. |
-
net8.0
NuGet packages (1)
Showing the top 1 NuGet packages that depend on HigginsSoft.IdentityServer8.Admin.EntityFramework.Extensions:
Package | Downloads |
---|---|
HigginsSoft.IdentityServer8.Admin.EntityFramework
Entity Framework layer for the administration of the IdentityServer8 |
GitHub repositories
This package is not used by any popular GitHub repositories.
Version | Downloads | Last updated |
---|---|---|
8.0.2-beta.0 | 99 | 2/12/2024 |
8.0.2-alpha.0 | 146 | 2/12/2024 |
8.0.1 | 1,061 | 2/11/2024 |
8.0.1-beta.0 | 55 | 2/11/2024 |
8.0.1-alpha.2 | 56 | 2/9/2024 |
8.0.1-alpha.1 | 69 | 2/9/2024 |
8.0.1-alpha.0 | 65 | 2/11/2024 |
8.0.0 | 221 | 2/9/2024 |
8.0.0-alpha.1 | 52 | 2/9/2024 |