```csharp
using fwurl.site.Models.UmbracoIdentity;
using IdentityServer3.AspNetIdentity;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Services;
using IdentityServer3.Core.Services.Default;
using Microsoft.AspNet.Identity;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using Umbraco.Core;
using Umbraco.Core.Services;
using UmbracoIdentity;
using UmbracoIdentity.Models;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityServer3.Core;
using System.Security.Claims;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Extensions;
using IdentityModel;
using Microsoft.AspNet.Identity.Owin;
using Autofac;

namespace demo.site.IdSvr
{
    public static class CustomUserServiceExtensions
    {
        public static void ConfigureCustomUserService(this IdentityServerServiceFactory factory)
        {
            factory.UserService = new Registration
            // ... the remainder of the posted class was not captured on this page
```
Here's what I put in my startup to configure IdentityServer, just ripped out of the user service IdentityServer sample for now.
```csharp
// Factory.Configure() and Certificate.Get() are the helpers from the IdentityServer3 AspNetIdentity sample
app.Map("/core", core =>
{
    var idSvrFactory = Factory.Configure();
    idSvrFactory.ConfigureCustomUserService();   // swap in the Umbraco-backed user service

    var options = new IdentityServerOptions
    {
        SiteName = "IdentityServer3 - UserService-AspNetIdentity",
        SigningCertificate = Certificate.Get(),
        Factory = idSvrFactory
    };

    core.UseIdentityServer(options);
});
```
Use IdentityServer with User Membership
Hi,
I am in the process of creating a number of application-specific APIs for which I would like to use IdentityServer as my STS and OpenID Connect to manage identities.
I would also like to integrate my Umbraco 7.4 application to use this same IdentityService to Authenticate and Register User Membership from my Umbraco site.
If possible would you be so kind as to point out some references on integration of Umbraco User Membership with IdentityServer.
Cheers
Hi John, I'm currently travelling the same path; when I first started looking there was no information of substance linking Umbraco with IdentityServer. What's more encouraging now is that you will find there are more threads on this forum with not just questions but also answers on how to combine the two.
I've been developing on 7.3 and, as I too am still going through a learning process, I don't know if I have enough authoritative knowledge to answer all the questions you might have. With IdentityServer the specifics of your intended use are all important due to the different flows, with some more appropriate for given scenarios, and therefore implementation could differ significantly.
In my case I wanted to provide access to an external API from within the backend of one instance of Umbraco using front-end accounts managed in another Umbraco instance.
One definite authority on using Identity for my case was Shannon Deminick, and I referred to the UmbracoIdentity source here: https://github.com/Shazwazza/UmbracoIdentity
Maybe if you break things down into smaller, specific questions I or others might be able to help (though I appreciate at this stage you may not think it as easy as I suggest).
My experience of IdentityServer started with the samples, but all the local accounts were stored in memory; I didn't need to authenticate with Facebook or other providers, in effect I wanted to be the identity provider.
If you start there, the question is: where do you want the user accounts accessed by IdentityServer to be stored?
Hi Ian,
Thanks for taking the time to reply to my post.
I had already included UmbracoIdentity in my project to see how it worked, was able to add/register, login etc., and am very impressed with the solution; however, this approach seems to be highly woven into the Umbraco application and, although it implements ASP.NET Identity within Umbraco, it does not seemingly integrate well with an external STS over OAuth, and as such I can't authorize Umbraco Members within my custom APIs as I have no means (seemingly) to check for an Umbraco Role via an STS. Please correct me if I am mistaken.
I was hoping not to Authorize within Umbraco, but rather do that in an STS.
What I would like to do instead is to implement and utilize an instance of IdentityServer V3 with OpenID Connect as my primary STS for all of my clients such as the Umbraco MVC client, Angular clients, custom API clients as well any third party API integrations I may need to include down the road.
I would like to include external Identity providers as an option for a Member to sign in and yet still be able to align to Umbraco Member roles as is realized via UmbracoIdentity only not in the MVC application, but rather in the STS.
My user workflows would exist on the STS like to create roles and assign these to an Umbraco member as well as user profile data as mapped to claims.
I would like the STS to handle all front-end User/Member login, register etc. and use the same UmbracoIdentity membership logic and related, supporting Umbraco tables as its ASP.NET Identity persistence layer, but move most of the core of UmbracoIdentity into the STS. I would like to then implement the Client Flow within Umbraco as opposed to having UmbracoIdentity.
I would then use Client Flow within custom APIs against that same STS in order to authorize API requests that flow out of my Umbraco application.
I have a fair understanding on how to setup the STS's Clients, Scopes and Users and APIs configuration however need assistance in implementing a variant of UmbracoIdentity within the STS (if that's even feasible to do so).
So from an Umbraco Login/Register use case perspective these would be handled at the STS, then redirected back to the Umbraco site.
As an example of one such custom API scenario:
In my example below, I have a Document Management Solution (DMS) API that I would like to secure over OAuth by way of the STS. Components within my Umbraco Solution will wrap this DMS API and thus all should be via Client Flows.
What I would like to support is have Application Roles within Umbraco, that front-end users (members) map to and that are gated within my DMS API.
Hopefully this makes sense, I do apologize if I am mixing things up. Any assistance would be greatly appreciated.
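How the DMS API side of this could gate on STS-issued member roles, as an added example for this thread (not John's or any project's code). It uses IdentityServer3's standard `Scope`/`Client` models and the IdentityServer3.AccessTokenValidation OWIN middleware; the scope name `dms`, client id, role name `DmsEditor`, secret and URLs are made up. It assumes the member's roles reach the access token through a user-bound flow (hybrid for the Umbraco site here), since a pure client-credentials token represents the application, not the member.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Web.Http;
using IdentityServer3.AccessTokenValidation;
using IdentityServer3.Core.Models;
using Owin;

namespace demo.dms.Security
{
    // STS side: the "dms" resource scope tells IdentityServer to copy the member's "role"
    // claims into access tokens issued for it. Without this the API never sees any roles.
    public static class StsConfig
    {
        public static IEnumerable<Scope> Scopes()
        {
            return new[]
            {
                StandardScopes.OpenId,
                StandardScopes.Profile,
                StandardScopes.Roles,
                new Scope
                {
                    Name = "dms",                              // assumed scope name
                    DisplayName = "Document management API",
                    Type = ScopeType.Resource,
                    Claims = new List<ScopeClaim> { new ScopeClaim("role") }
                }
            };
        }

        public static IEnumerable<Client> Clients()
        {
            return new[]
            {
                // The Umbraco site signs members in interactively, so its tokens are bound to a
                // member and carry that member's roles. The secret and URL are placeholders.
                new Client
                {
                    ClientId = "umbraco-site",
                    ClientName = "Umbraco front end",
                    Flow = Flows.Hybrid,
                    ClientSecrets = new List<Secret> { new Secret("replace-with-a-real-secret".Sha256()) },
                    RedirectUris = new List<string> { "https://www.example.test/signin-oidc" },
                    AllowedScopes = new List<string> { "openid", "profile", "roles", "dms" },
                    AccessTokenLifetime = 600   // short-lived; revoked members age out quickly
                }
            };
        }
    }

    // API side: validate bearer tokens against the STS and require the "dms" scope.
    // The middleware keeps the short "role" claim type, which is what [Authorize(Roles)] reads.
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
            {
                Authority = "https://sts.example.test/core",   // placeholder STS address
                RequiredScopes = new[] { "dms" }
            });

            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();
            app.UseWebApi(config);
        }
    }

    [Authorize]
    [RoutePrefix("api/documents")]
    public class DocumentsController : ApiController
    {
        // Any authenticated member with the "dms" scope can list; the response echoes the
        // identity the API actually acted on, which is useful when debugging claim mapping.
        [HttpGet, Route("")]
        public IHttpActionResult List()
        {
            var user = (ClaimsPrincipal)User;
            return Ok(new
            {
                member = user.FindFirst("sub").Value,
                roles = user.FindAll("role").Select(c => c.Value).ToList()
            });
        }

        // Only members the STS placed in the DmsEditor role may start a signing workflow.
        [HttpPost, Route("{id}/sign")]
        [Authorize(Roles = "DmsEditor")]
        public IHttpActionResult RequestSignature(string id)
        {
            return Ok(new { id, requestedBy = ((ClaimsPrincipal)User).FindFirst("sub").Value });
        }
    }
}
```

The role check happens in the API, not in Umbraco, which is the split John describes: Umbraco only forwards the member's token, and the DMS API trusts the `role` claim because the STS put it there and signed the token.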
Hi John, this is only a quick reply; I'll try to look in more detail tomorrow. What I found is this: IdentityServer does indeed have a persistence layer, but I didn't see anything that fit from my perspective with regard to management of users. There is an IdentityServer manager now, but that seemed more geared to IT admins rather than the behaviour of user membership in the context of a software-as-a-service site as I wanted. I also didn't fancy creating all the UI for managing STS users from scratch. As you will know, you will probably need to implement a user store in IdentityServer.
Now this is where the UmbracoIdentity package came in for me. From looking at the source I noticed that the UserManager was very similar to the UserManager I was going to have to create in IdentityServer in order to work with the persistence layer. For me, incorporating this code with a couple of adaptations within my IdentityServer classes meant my STS now used the Umbraco UserManager as its user source rather than an entirely separate user table. In my case I was happy to have the STS closely coupled with my SaaS site but then have my other Umbraco sites and APIs only loosely coupled via IdentityServer. With all this said though, I have not allowed Facebook login, so am only providing access to accounts seemingly local to the STS; I don't know how it would work with external social login accounts.
Hi Ian,
Thanks for the update. It appears you and I (and likely many to come) are absolutely on the same page, heading in the same direction.
I spent a good deal of time reviewing UmbracoIdentity and came down to the same conclusion as to what you have described.
I knew that at the end of the day I would still need to ensure that specific content still be restricted by user roles and thus moving UserManager aspects into the STS so as to still utilize the same backing User store seems to make the most sense for my needs as well.
Where I was planning to go was to map out the existing aspects that make up UmbracoIdentity and to then decouple those that made sense to live within the MVC CMS side vs. those that made sense to be situated within the STS side. I was then planning to overlay the aspects that would be required from future integrations such as external Identity Providers as well as 3rd party API integration.
In my previously shared DMS example, I will more than likely need to couple my DMS up with a 3rd party Document Signing Workflow, of which there are a number of excellent 3rd party API based services which provide that capability via RESTful API. As you may have gleaned from my diagram, I am big on Azure, and as such (but not shown) I will be leveraging Azure Logic Apps to help facilitate workflow integration with these 3rd party services, thus the STS should ensure a secure access-token based authorization flow through the entire Document management lifecycle. I mention all of this as it may help to understand why decoupling the as-is UmbracoIdentity makes sense when integrating other 3rd party services.
It sounds like you have managed to integrate the Umbraco UserManager within the STS which if so, is fantastic.
I would be extremely grateful if you could assist me and others with doing the same.
I am very interested to learn more.
Hi, as everything is based on standards set out in ASP.NET Identity it makes things a bit easier. All the hard work is evident in Shannon's package as far as figuring out how to use the Umbraco UserManager as a base; I just pilfered bits I found useful for my purposes and adapted them a bit. There are some way clever people out there. I don't have access to any code today but will have a look tomorrow.
One thing I do remember having to do differently than if implementing the Entity Framework store was to specify the user id key was an int rather than being able to use generics. I didn't like it but, being a noob, couldn't figure out any other way.
All the best
Hi John here is the code I used to create a custom user service which uses the umbraco user manager as a backing user store. You will see there are a bunch of methods commented out with no body which come originally from here https://github.com/IdentityServer/IdentityServer3.Samples/blob/master/source/AspNetIdentity/WebHost/App_Packages/IdentityServer3.AspNetIdentity/IdentityServer3.AspNetIdentity.cs
But as I say in some cases the user id argument type would need to change, and I guess you would most likely need to provide your own implementation for some if you want to provide external login Facebook etc.
Any comments good or bad, let me know. It would also be great of course if you could share the results back once you get the external logins working!
Here's what I put in my startup to configure IdentityServer, just ripped out of the user service IdentityServer sample for now.
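The pattern Ian describes in his two posts above (an IdentityServer3 user service that uses the UmbracoIdentity UserManager as its backing user store, wired in through a `ConfigureCustomUserService` extension) as an added example written for this thread; it is neither Ian's code nor the UmbracoIdentity project's. It assumes the types the UmbracoIdentity package installs, `UmbracoMembersUserManager<T>` and the site's generated `UmbracoApplicationMember` model (placed here under an assumed `demo.site.Models.UmbracoIdentity` namespace), and IdentityServer3's `UserServiceBase`. How the manager instance itself is registered with the factory depends on the site's OWIN setup and is only noted in a comment.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer3.Core;
using IdentityServer3.Core.Configuration;
using IdentityServer3.Core.Extensions;
using IdentityServer3.Core.Models;
using IdentityServer3.Core.Services;
using IdentityServer3.Core.Services.Default;
using UmbracoIdentity;                       // UmbracoMembersUserManager<T> (UmbracoIdentity package)
using demo.site.Models.UmbracoIdentity;      // UmbracoApplicationMember generated by the package (assumed namespace)

namespace demo.site.IdSvr
{
    // IdentityServer3 user service backed by the Umbraco member store through UmbracoIdentity.
    public class UmbracoMemberUserService : UserServiceBase
    {
        private readonly UmbracoMembersUserManager<UmbracoApplicationMember> _userManager;

        public UmbracoMemberUserService(UmbracoMembersUserManager<UmbracoApplicationMember> userManager)
        {
            _userManager = userManager;
        }

        // Local username/password login. FindAsync verifies the password against the stored hash,
        // so this code never compares or stores a plaintext password itself.
        public override async Task AuthenticateLocalAsync(LocalAuthenticationContext context)
        {
            var member = await _userManager.FindAsync(context.UserName, context.Password);
            if (member == null || await IsLockedOutAsync(member.Id))
            {
                // One generic message for unknown user, wrong password and locked-out account:
                // distinct messages would let a caller enumerate valid usernames.
                context.AuthenticateResult = new AuthenticateResult("Invalid username or password");
                return;
            }
            // The subject ("sub") is the stable member id, not the renameable username.
            context.AuthenticateResult = new AuthenticateResult(
                member.Id.ToString(), member.UserName, await MemberClaimsAsync(member));
        }

        // Claims for id_token, access token and userinfo; only the requested types are issued.
        public override async Task GetProfileDataAsync(ProfileDataRequestContext context)
        {
            var member = await FindBySubjectAsync(context.Subject);
            if (member == null) return;

            var claims = new List<Claim>
            {
                new Claim(Constants.ClaimTypes.Subject, member.Id.ToString()),
                new Claim(Constants.ClaimTypes.Name, member.UserName)
            };
            claims.AddRange(await MemberClaimsAsync(member));

            context.IssuedClaims = context.AllClaimsRequested
                ? claims
                : claims.Where(c => context.RequestedClaimTypes.Contains(c.Type)).ToList();
        }

        // Re-checked when refresh tokens are used: a deleted or locked-out member stops
        // receiving new tokens without waiting for anything to expire.
        public override async Task IsActiveAsync(IsActiveContext context)
        {
            var member = await FindBySubjectAsync(context.Subject);
            context.IsActive = member != null && !await IsLockedOutAsync(member.Id);
        }

        // Umbraco member roles become "role" claims so downstream APIs can gate on them.
        private async Task<List<Claim>> MemberClaimsAsync(UmbracoApplicationMember member)
        {
            var claims = new List<Claim>();
            if (!string.IsNullOrEmpty(member.Email))
                claims.Add(new Claim(Constants.ClaimTypes.Email, member.Email));
            if (_userManager.SupportsUserRole)
            {
                var roles = await _userManager.GetRolesAsync(member.Id);
                claims.AddRange(roles.Select(r => new Claim(Constants.ClaimTypes.Role, r)));
            }
            return claims;
        }

        // Lockout is only consulted when the underlying store supports it.
        private Task<bool> IsLockedOutAsync(int memberId)
        {
            return _userManager.SupportsUserLockout
                ? _userManager.IsLockedOutAsync(memberId)
                : Task.FromResult(false);
        }

        private async Task<UmbracoApplicationMember> FindBySubjectAsync(ClaimsPrincipal subject)
        {
            int memberId;   // UmbracoIdentity keys members by int, as Ian notes above
            return int.TryParse(subject.GetSubjectId(), out memberId)
                ? await _userManager.FindByIdAsync(memberId)
                : null;
        }
    }

    public static class CustomUserServiceExtensions
    {
        public static void ConfigureCustomUserService(this IdentityServerServiceFactory factory)
        {
            factory.UserService = new Registration<IUserService, UmbracoMemberUserService>();
            // UmbracoMembersUserManager<UmbracoApplicationMember> must also be registered with the
            // factory (factory.Register(...)); building it depends on the site's OWIN/UmbracoIdentity
            // setup, so that wiring is intentionally not shown here.
        }
    }
}
```

The parts worth keeping even if the rest is adapted are the generic failure message in `AuthenticateLocalAsync`, the member id rather than username as `sub`, and `IsActiveAsync` going back to the member store, which is what makes disabling a member in Umbraco take effect at the STS.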
Hi Ian,
Thanks for the sample code!
Using my favourite diff tool I am able to see your changes shine through. There are a few copy/paste issues which I will easily resolve.
I will integrate your logic into my solution and let you know how things work out.
I will also work on external identity provider support and will post any changes.
This may be worth a GitHub fork off of UmbracoIdentity so it can be further evolved and shared with the greater community.
This was exactly the head-start I was hoping to achieve via this post. Again, many thanks mate!
Cheers John
BTW: I am in Ontario, Canada. I assume by your hours of response, you are in the UK?
Yes, I know; I also just looked up the time in Ontario when I saw my post accepted. Hope you have a good day ahead!
Sorry to eavesdrop on your conversation, but we are using IdSrv2 with the possibility of upgrading to IdSrv4 and Umbraco 7. I wonder how you are coming along or if you were able to get both working nicely together?
I progressed a bit more, but the remit I was given was keenly targeted towards ensuring the logon screen remained on the client site rather than the STS, a bit like the resource owner flow but facilitating SSO.
I got a test of this working, but as the project I was looking into this for took a different direction, it moved into R&D and hasn't gone through code review. The demand hasn't been placed on me to look at this recently, but it would be nice from a personal point of view to hear your experiences, whether they be highs OR lows, and just see if anyone else is using these two systems in production.
For me it was (and still is really, if I was trying to get it into production) a steep learning curve, which would be made easier if there were a larger community of users regularly using the two together.
Here is a good starting point: https://pstokes.co.uk/posts/umbraco-members-and-identity-server-part-1/
I realize this is a pretty old discussion, but some valid points taken as we try and integrate Azure Active Directory with Umbraco. We too would like to keep the login screen in Umbraco while utilizing the STS flow and token generation. And it would be preferable to maintain group assignments, etc. in the STS (AAD).