User Repository as microservice #599
-
Hello, I am trying to connect simpleIdService with an external user repository as a microservice. What I have done so far is to implement a custom IUserRepository to communicate with the microservice API using a HttpClient but this is not enough because I still need to override several methods in the pwd area like the "ValidateCredentials" method. Any ideas on how I can do it? Do I need to change the Controller & method on UI views or this can be done in a different way? Thanks |
Beta Was this translation helpful? Give feedback.
Replies: 15 comments 8 replies
-
Hello ! If you create a class called "CustomApiUserRepository" and implement the interface "IUserRepository" along with its methods, it will be sufficient.
This solution is not easy to implement and introduces a strong dependency between your API and SimpleIdServer. If your API only stores user information and not their credentials, a better solution is to implement an auto-provisioning workflow. KR, SID |
Beta Was this translation helpful? Give feedback.
-
Thanks for your quick reply KR, My microservice stores credentials and exposes validation endpoints for validating username & passwords and responses a json with a list user's claims. My goal is to validate the password on the microservice and then map the response to a SimpleIdServer.IdServer.Domains.User I don't feel that simply implementing IUserRepository will be enough or the performance will be poor, because of IQueryable Query() & _authenticationHelper.GetUserByLogin(UserRepository.Query() method that needs all records to perform LINQ, plus i still need PasswordHelper.ComputeHash from simpleIDserver (which is something that I wish to bypass). So to sum up, i want to override the ValidateCredentials method with a http call and map the response to SimpleIdServer.IdServer.Domains.User Currently i only need to implement pwd area. |
Beta Was this translation helpful? Give feedback.
-
At the moment, it is not easy to accomplish this. I am going to refactor the solution to provide the option to override the 'ValidateCredentials' method. The ticket can be found at #600 (#600) |
Beta Was this translation helpful? Give feedback.
-
@agkoutis : Hello, I have made some modifications in the Here are the steps to follow:
You can edit the class
A local account must ALWAYS be created because SimpleIdServer uses the user's information during the processing of different OPENID-grant-types, such as Consent management, OAUTH2.0 grant management, Sessions, and more. |
Beta Was this translation helpful? Give feedback.
-
Hello, Thanks for the super fast response! Yes, I also believe that user information for sessions & consent must be part of the SimpleIdServer , but as far as the local accounts I will try to store user information in a temporary record until the session is complete or expires. Let me check on this and I will come back. AG |
Beta Was this translation helpful? Give feedback.
-
I have implemented a custom AuthenticateController with views and im waiting for the 4.0.5 release to implement ConfigureCustomAuthentication. Right now, I'm trying to provide some claims from user info endpoint again, using a microservice. After doing some research, I think that several services need to decouple from API Controllers and move to separated services with Interfaces like the userinfo endpoint, to be more flexible and provide out of box functionality. Im still working on a POC Thanks, |
Beta Was this translation helpful? Give feedback.
-
Before making a technical proposal to fulfill your requirements, could you please list the information you wish to manage in the custom API? Currently, I have identified only two properties:
Is this correct? |
Beta Was this translation helpful? Give feedback.
-
@agkoutis : I have created ticket #603 to add a new service that will retrieve the list of claims for the authenticated user. This class will be utilized by SimpleIdServer to obtain the list of claims for the authenticated user. In the end, you will be able to:
|
Beta Was this translation helpful? Give feedback.
-
Hello @simpleidserver , Microservice manages the user authentication and contains a list of claims. Password is sent from SIDServer login page with RSA encryption to LoginService API. LoginService decrypts passwords and hashes with users' salt to compare to stored value. Apart from that, the microservice also contains users claims by provider. So my goal is, when a new token is requested, the SIDServer will call the micro service and request user claims to include to Token payload (user - API specific Claims like role access). Next, when the App client uses the userinfoendpoint the SIDServer again will request from the microservice the identity claims and will respond only to the claims that the user is allowed to request and he is request (using scopes). The mapping between Scope and claims exists on SIDServer. So as a result, the SIDServer will get all user's claims from the api and he will include the claims in the userinfo endpoint based on the client app request (scopes from token) There are several endpoints that users can change passwords, update their profile (or automatically update with the response from external provider claims). Also service contains a user lock mechanism (by admin or failed login retries) , change password policy, and password complexity policy. Thanks! |
Beta Was this translation helpful? Give feedback.
-
I have made some modifications in the branch 'release/4.0.5'. It is now possible to call your Custom API to retrieve the user's claims and to verify the user's credentials. You can try the sample project here: https://github.com/simpleidserver/SimpleIdServer/tree/release/4.0.5/samples/CustomUserApi The class 'CustomUserRepository' is used to fetch the claims from your API, and the class 'CustomPasswordAuthenticationService' is used to verify the user's credentials. Please notify me if the changes fulfill your needs :) Kind Regards, SID |
Beta Was this translation helpful? Give feedback.
-
Hello! I just implemented the CustomUserRepository. I'm missing a part and I need some information about mapping, please. In CustomUserRepository I'm supposed to return all users' claims, and SID will filter them based on clients' app request (and allowed) scopes in user info request? Thanks again! |
Beta Was this translation helpful? Give feedback.
-
All the claims of the User must be returned by the CustomUserRepository. |
Beta Was this translation helpful? Give feedback.
-
Great! Thanks! |
Beta Was this translation helpful? Give feedback.
-
Hello all, I have started the implementation of the custom repository and I noticed that some implementations still use EF regarding the user information in the Consents Controller. So when the controller calls the var user = await _userRepository.GetBySubject(nameIdentifier, prefix, cancellationToken); which returns the response from the API Call (note that users are also stored to SID db) the await _userRepository.SaveChanges(cancellationToken); does nothing. (probably because it does not contain tracking changes I'm guessing) Any suggestions? |
Beta Was this translation helpful? Give feedback.
-
Hello, In your
If the user exists in the REST.API but not in the SimpleIdServer database, you can override the I've updated the sample project (https://github.com/simpleidserver/SimpleIdServer/tree/master/samples/CustomUserApi), demonstrating how to use an external REST.API to authenticate the user. The most important classes are:
|
Beta Was this translation helpful? Give feedback.
I have made some modifications in the branch 'release/4.0.5'. It is now possible to call your Custom API to retrieve the user's claims and to verify the user's credentials.
You can try the sample project here: https://github.com/simpleidserver/SimpleIdServer/tree/release/4.0.5/samples/CustomUserApi
The class 'CustomUserRepository' is used to fetch the claims from your API, and the class 'CustomPasswordAuthenticationService' is used to verify the user's credentials.
Please notify me if the changes fulfill your needs :)
Kind Regards,
SID