I'm new at IdentityServer4. I read I need to implement an IPersistedGrantStore to store refresh tokens into a table like PersistedGrants in my database.
IdentityServer logs is the following when my native app ask for a new access token: "refresh_token" grant with value: "{value}" not found in store.
That's because I'm using in-memory version of the persisted grant store. So I need to store refresh token in a PersistedGrant table.
Therefore
in my startup.cs I added the following line:
builder.Services.AddScoped<IPersistedGrantStore, PersistedGrantStore>();
and IPersistedGrantStore.cs is
public interface IPersistedGrantStore
{
Task StoreAsync(CustomPersistedGrant grant);
Task<CustomPersistedGrant> GetAsync(string key);
Task<IEnumerable<CustomPersistedGrant>> GetAllAsync(string subjectId);
}
So I have a CustomPersistedGrant.cs class
public class CustomPersistedGrant
{
public string Key { get; set; }
public string Type { get; set; }
public string SubjectId { get; set; }
public string ClientId { get; set; }
public DateTime CreationTime { get; set; }
public DateTime? Expiration { get; set; }
public string Data { get; set; }
}
and now I have to write the code for my PersistedGrantStore.cs class.
But the question is: once I have write code for PersistedGrantStore.cs class where I call PersistedGrantStore.cs class? In Identity.Server Account/AccountController? I didn't find any example about it without use EntityFramework, because I don't want to use Entity Framework.
Thanks.
The key will be to implement IPersistedGrantStore using whatever backend you like, then to tell IdentityServer to use that implementation by registering the implementation in the dependency injection system.
For example, if you call your implementation PersistedGrantStore, then you could register the implementation like this:
services.AddTransient<IPersistedGrantStore, PersistedGrantStore>();
You can see that essentially this is all that the EntityFramework implementation does, once you take away all the EntityFramework stuff.
Later when IdentityServer wants to persist a grant, it will get your implementation and call the appropriate method. So you don't have to do anything, other than inject your implementation into IdentityServer so it can do whats needed.
I know the question is kind of old and you might have already found the problem. I think your only mistake is that you invented your own interface instead of implementing:
IdentityServer4.Stores.IPersistedGrantStore
If you want to use your own CustomPersistedGrant it should derive from:
IdentityServer4.Models.PersistedGrant
otherwise you would have to wrap it somehow.
Related
Is it possible to add columns to the AspNetUserLogins table, or subclass the IdentityUserLogin class, such that the Identity Framework will use that class properly?
This is an answer but I'm sure it's not going to end up the best one:
It can be done, but it's ugly.
First, you'll want to make a class of all the generics you're about to use, just to make your life easier. Those are:
[Table("AspNetUserRoles")]
public class StandardUserRole : IdentityUserRole<string>
[Table("AspNetRoles")]
public class StandardRole : IdentityRole<string, StandardUserRole>
[Table("AspNetUserLogins")]
public class LoginIdentity : IdentityUserLogin
(The above superclasses can be found in Microsoft.AspNet.Identity.EntityFramework).
This is going to make the following generic definitions shorter, and harder to get into a place where they won't compile due to clerical errors.
While you're here may as well add these to the DbContext, which normally does not leave them available to you:
public DbSet<LoginIdentity> LoginIdentities { get; set; }
public DbSet<StandardUserRole> UserRoles { get; set; }
Now, here comes the crazy:
public class Db :
// Replace this with a custom implementation
//IdentityDbContext<Visitor>,
IdentityDbContext<Visitor, StandardRole, string, LoginIdentity,
StandardUserRole, IdentityUserClaim>,
And, Visitor is going to need its own adjustment to match this declaration:
public class Visitor : IdentityUser<string, LoginIdentity, StandardUserRole,
IdentityUserClaim>
That satisfies the Models (which btw, are best to have in their own Project for Migrations performance reasons). But, you've still got all the Identity/OWIN stuff to deal with.
By default you're provided with an ApplicationUserManager that involves a UserStore. It normally inherits from UserManager, but that's going to be too restrictive now - you need to slightly expand it:
public class VisitorManager : UserManager<Visitor, string>
{
public VisitorManager(IUserStore<Visitor, string> store)
: base(store)
{
}
public static VisitorManager Create(
IdentityFactoryOptions<VisitorManager> options,
IOwinContext context)
{
var manager = new VisitorManager(new UserStore<Visitor,
StandardRole, string, LoginIdentity, StandardUserRole,
IdentityUserClaim>(context.Get<Db>()));
I warned you about crazy. SignInManager:
public class SignInManager : SignInManager<Visitor, string>
{
public SignInManager(VisitorManager userManager,
IAuthenticationManager authenticationManager)
: base(userManager, authenticationManager)
{
}
public override Task<ClaimsIdentity> CreateUserIdentityAsync(
Visitor user)
{
return user.GenerateUserIdentityAsync((VisitorManager)UserManager);
}
public static SignInManager Create(
IdentityFactoryOptions<SignInManager> options, IOwinContext context)
{
return new SignInManager(context.GetUserManager<VisitorManager>(),
context.Authentication);
}
}
That should get you through most of the dirty work. Not easy. But, having done that, you've got a working implementation where you can add extra fields to the Logins table! You can now extend the OWIN Auth stuff to provide events, and listen for the creation of new Logins. You can then respond to those by adding that extra info.
In our case, the goal was to have multiple Logins from multiple OpenId/OAuth Providers (Google, Facebook, etc) across multiple email addresses, on a single User/Visitor account. The framework does support that, but, it doesn't make a record of what Email is associated with what Login row, which is important when merging more Logins with a given account.
[Table("AspNetUserLogins")]
public class LoginIdentity : IdentityUserLogin
{
/// <summary>
/// The email address associated with this identity at this provider
/// </summary>
[MaxLength(300)]
public string Email { get; set; }
}
There's more you'll need to do to get the whole thing working, but it should be relatively obvious from the above starting point - with one exception, which I'll point out here.
By migrating from UserManager<TVisitor> to UserManager<TVisitor, string>, you quietly lose the ID-generation functionality built-in to the former. You'll need to emulate it yourself. As another gotcha, along the way you'll most likely implement Visitor as IUser<string>. Doing so will prevent you from setting the Id property, because it's read-only (no setter). You can avoid that with a second interface:
public interface IVisitor
{
string Id { get; set; }
string Uid { get; set; }
string UserName { get; set; }
string Email { get; set; }
string FirstName { get; set; }
string LastName { get; set; }
ICollection<StandardUserRole> Roles { get; }
ICollection<LoginIdentity> Logins { get; }
}
With that in place you can set Id safely (even in an abstracted class):
public override Task<IdentityResult> CreateAsync(Visitor user)
{
var guid = Guid.NewGuid();
string id = guid.ToString();
((IVisitor)user).Id = id;
return base.CreateAsync(user);
}
Remember to do same for CreateAsync(Visitor user, string password). Otherwise created users explode with DbEntityValidationException complaining Id is a required field.
I'm new to Azure App Service mobile apps. I'm trying to understand my options for using TableController to expose complex domain objects to clients. My goal of using TableController is to take advantage of client-side querying and offline sync.
Table controllers are designed to perform CRUD operations on simple DTOs. So I'm trying to figure out how a complex domain model could be exposed as the sort of DTOs that TableController is designed for.
I've read this post which explains MappedEntityDomainManager. That example shows a fairly simple mapping between DTOs and persistent objects. But what if I want my mapping to be more complex?
For example, let's say I have persistent types like this:
public class Order {
public Customer Customer { get; set; }
public IList<OrderItem> OrderItems { get; }
}
public class Customer {
public string Name { get; set; }
public string TelephoneNumber { get; set; }
}
public class OrderItem { ... }
And I have a table controller declared like this:
public class OrderController : TableController<OrderDto>
Could the OrderDto then look like this?
public class OrderDto {
public string CustomerName { get; }
public string Customer { get; }
public string OrderItems { get; }
}
The mappings would be as follows. The Order.Customer.Name property is flattened into OrderDto.CustomerName. The complete Customer object is serialized into OrderDto.Customer. And the Order.OrderItems list is serialized into OrderDto.OrderItems.
Can this sort of complex mapping be done with MappedEntityDomainManager? If not then how could it be done? I know about leveraging $expand, but I worry that may be an unsupported hack rather than the recommended approach.
The best way to do this is to use Automapper. The blog post was a simple example, but you can do very complex mapping using automapper.
Here's a more complex example: https://github.com/paulbatum/FieldEngineerLite/blob/master/FieldEngineerLite.Service/Controllers/JobController.cs. It's for Azure Mobile Services, but the same concept applies to Azure Mobile Apps. You just need to change the namespaces.
I've seen this that suggest I can build different views based on user:
different json views for the same entity
However in asp web api, one uses a Model class, I can't just add new properties willy-nilly.
So, for example I may have uri:
http://host/api/products/id
Returning the model:
public class Product{
public string Code { get; set; }
public string Description { get; set; }
}
But for another purpose I want to add more information, suppose this is expensive because it joins other data to build the model, or formats the data in a very specific way:
http://host/api/productsspecial/id
Returning the model:
public class ProductSpecial{
public string Code { get; set; }
public string Description { get; set; }
public decimal Price { get; set; } //assume expensive to look up
}
So obviously I have a way to do this, two different controllers, returning different views on the data. My question is, is this OK or is there a better way?
Anyway I could do this for example: http://host/api/products/id?includeprice=true and use that to return the alternative model? And is that a good idea?
I would suggest
GET /host/api/products/{id}?fields=code,description,price
You should avoid complicating your resource URL in the manner you describe. Every possible configuration of values would need a new name: "productsReallySpecial", etc.
The problem with ?includePrice=true is you then have a parameter for every variable you might want to make optional. Your documentation can list the default return values and the available return values.
I have the following setup, abridged for brevity:
public abstract class AuditableEntity
{
public int Id { get; set; }
public Login Login { get; set; } // Login that create this identity.
}
public class Login: AuditableEntity
{
public Security Security { get; set; }
public Guid SessionGuid { get; set; }
}
public class Security: AuditableEntity
{
public string UserName { get; set; }
public string PasswordHash { get; set; }
}
Now Login is only not required on the Login entity itself. In fact it doesn't belong in that table and I ignore it thus:
modelBuilder.Entity<Login>().Ignore(l => l.Login);
I want it as required on all other tables, but when I e.g. try and make it required on User:
modelBuilder.Entity<Security.Security>().Property(p => p.Login).IsRequired();
I get a compile error, "The type 'Login' must be a non-nullable value type in order to use it as parameter 'T'". I note that I am allowed to use it as parameter 'T' in the Ignore call before, so I assume this is some other, hidden T.
My immediately apparent solutions are not very elegant:
Use an FK value and not a reference poperty for Login in in AuditableEntity.
Create a new base class without Login, and another derived from that that adds Login, then inherit my Login class from the highest base, and all other classes from its immediate descendant.
Is there some better way of doing this?
You are using property syntax for native SQL properties. You actually want to use Nav property syntax such as .HasRequired(t=>t.Login).WithMany() or something similar
See http://msdn.microsoft.com/en-us/library/hh295843(v=vs.103).aspx, and the Configuring a Relationship with One Navigation Property section
I'm using Entity Framework Code First. The class i'm trying to create contains two collections (of the same type). I'm having problem recovering my respective collections.
My classes look like this:
public class Destination
{
public int DestinationId { get; set; }
public string Name { get; set; }
public List<Lodging> Lodgings { get; set; }
public List<Lodging> Lodgings2 { get; set; }
}
public class Lodging
{
public int LodgingId { get; set; }
public string Name { get; set; }
public Destination Destination { get; set; }
}
I created a new Destination, then I reopened (closed & opened) the database connection. When I retrieve the destination, my collections (dest.Lodgings and dest.Lodgings2) are null. How do I restore the respective collections? If my class only has one collection of a particular type, I could do the following:
var lodgings = context.Lodgings.Where(l => l.Destination.DestinationId == destId).ToList();
I can see that the relationships are maintained in the database schema (Destination_DestinationId1 and Destination_DestinationId2) but I don't seem to be able to get to them.
Any suggestion would be appreciated.
In addition to using Include (as you've discovered) (which loads the related data from the db at the same time the destination is retrieved) you can also retreive the lodgings after the fact. So if you query for the destination and then you want the lodgings, that's possible. One way is called explicit loading where you will use a Load method. The other is with lazy loading, which requires that your classes be set up a particular way and just the mere mention of the Lodgings property will trigger the call to the database to retrieve them.
there's a great blog post on the Ef team blog about the various ways to load related data with DbContext : http://blogs.msdn.com/b/adonet/archive/2011/01/31/using-dbcontext-in-ef-feature-ctp5-part-6-loading-related-entities.aspx
hth
Julie