Skoruba.IdentityServer4.Admin

The administration for the IdentityServer4 and Asp.Net Core Identity

Project Status

The application is written in the Asp.Net Core MVC - using .NET 6

🎉 New version of Duende IdentityServer Admin UI available here ⚡

Requirements

Install the latest .NET 6 SDK (using older versions may lead to 502.5 errors when hosted on IIS or application exiting immediately after starting when self-hosted)

Installation via dotnet new template

Install the dotnet new template:

Version 2.0.0 and higher works with IdentityServer4 version 4 🚀

🔒 NOTE:*This version affects your database data if you use the default database migrations that are part of the project - double check the migrations according to your database provider and create a database backup

``` shell
dotnet new -i Skoruba.IdentityServer4.Admin.Templates::2.1.0
```

Create new project:

``` shell
dotnet new skoruba.is4admin --name MyProject --title MyProject --adminemail "admin@example.com" --adminpassword "Pa$word123" --adminrole MyRole --adminclientid MyClientId --adminclientsecret MyClientSecret --dockersupport true
```

Project template options:

``` sh
--name: [string value] for project name
--adminpassword: [string value] admin password
--adminemail: [string value] admin email
--title: [string value] for title and footer of the administration in UI
--adminrole: [string value] for name of admin role, that is used to authorize the administration
--adminclientid: [string value] for client name, that is used in the IdentityServer4 configuration for admin client
--adminclientsecret: [string value] for client secret, that is used in the IdentityServer4 configuration for admin client
--dockersupport: [boolean value] include docker support
```

How to configure the Administration - IdentityServer4 and Asp.Net Core Identity

Follow these steps for setup project to use existing IdentityServer4 and Asp.Net Core Identity

Template uses following list of nuget packages

Available nuget packages

Running in Visual Studio

Set Startup projects:

Skoruba.IdentityServer4.Admin

Skoruba.IdentityServer4.Admin.Api

Skoruba.IdentityServer4.STS.Identity

Configuration of Administration for Deployment

Configuration of Admin for deploy on Azure

Configuration of Admin on Ubuntu with PostgreSQL database

Administration UI preview

This administration uses bootstrap 4

Admin UI - Light mode 🌞

Admin UI - Dark mode 🌙

Security token service (STS)

Forms

Cloning

``` shell
git clone https://github.com/skoruba/IdentityServer4.Admin
```

Running via Docker

It is possible to run Admin UI through the docker.

Docker setup

DNS

We need some resolving capabilities in order for the project to work. The domain skoruba.local is used here to represent the domain this setup is hosted on. The domain-name needs to be FQDN (fully qualified domain name).

Thus first, we need the domain skoruba.local to resolve to the docker-host machine. If you want this to work on your local machine only, use the first option.

DNS on docker-host machine only

Edit your hosts file:

On Linux: \etc\hosts

On Windows: C:\Windows\system32\drivers\etc\hosts

and add the following entries:

``` sh
127.0.0.1 skoruba.local sts.skoruba.local admin.skoruba.local admin-api.skoruba.local
```

This way your host machine resolves skoruba.local and its subdomains to itself.

Certificates

We also need certificates in order to serve on HTTPS. We'll make our own self-signed certificates with mkcert.

If the domain is publicly available through DNS, you can use Let's Encypt. Nginx-proxy has support for that, which is left out in this setup.

MkCert

Create the root certificate

Use mkcert to generate local self-signed certificates.

On windows mkcert -install must be executed under elevated Administrator privileges. Then copy over the CA Root certificate over to the project as we want to mount this in later into the containers without using an environment variable.

``` shell
cd shared/nginx/certs
mkcert --install
copy $env:LOCALAPPDATA\mkcert\rootCA.pem ./cacerts.pem
copy $env:LOCALAPPDATA\mkcert\rootCA.pem ./cacerts.crt
```

Create the skoruba.local certificates

Generate a certificate for skoruba.local with wildcards for the subdomains. The name of the certificate files need to match with actual domain-names in order for the nginx-proxy to pick them up correctly. We want both the crt-key and the pfx version.

``` shell
cd shared/nginx/certs
mkcert -cert-file skoruba.local.crt -key-file skoruba.local.key skoruba.local *.skoruba.local
mkcert -pkcs12 skoruba.local.pfx skoruba.local *.skoruba.local
```

This docker setup is come from this repository - thanks to bravecobra. 😊

Run docker-compose

Project contains the docker-compose.vs.debug.yml and docker-compose.override.yml to enable debugging with a seeded environment.

The following possibility to get a running seeded and debug-able (in VS) environment:

``` sh
docker-compose build
docker-compose up -d
```

It is also possible to set as startup project the project called docker-compose in Visual Studio.

Docker images

Docker images will be available also in docker hub

Publish Docker images to Docker hub

Check the script in build/publish-docker-images.ps1 - change the profile name according to your requirements.

Installation of the Client Libraries

``` shell
cd src/Skoruba.IdentityServer4.Admin
npm install
cd src/Skoruba.IdentityServer4.STS.Identity
npm install
```

Bundling and Minification

The following Gulp commands are available:

gulp fonts - copy fonts to the dist folder

gulp styles - minify CSS, compile SASS to CSS

gulp scripts - bundle and minify JS

gulp clean - remove the dist folder

gulp build - run the styles and scripts tasks

gulp watch - watch all changes in all sass files

EF Core & Data Access

The solution uses these DbContexts :

AdminIdentityDbContext : for Asp.Net Core Identity

AdminLogDbContext : for logging

IdentityServerConfigurationDbContext : for IdentityServer configuration store

IdentityServerPersistedGrantDbContext : for IdentityServer operational store

AdminAuditLogDbContext : for Audit Logging

IdentityServerDataProtectionDbContext : for dataprotection

Run entity framework migrations:

NOTE: Initial migrations are a part of the repository.

It is possible to use powershell script in folder build/add-migrations.ps1.

This script take two arguments:

--migration (migration name)

--migrationProviderName (provider type - available choices: All, SqlServer, MySql, PostgreSQL)

For example: .\add-migrations.ps1 -migration DbInit -migrationProviderName SqlServer

Available database providers:

SqlServer

MySql

PostgreSQL

It is possible to switch the database provider via appsettings.json :

``` sh
"DatabaseProviderConfiguration": {
"ProviderType": "SqlServer"
}
```

Connection strings samples for available db providers:

PostgreSQL:

Server=localhost;Port=5432;Database=IdentityServer4Admin;User Id=sa;Password=#;

MySql:

server=localhost;database=IdentityServer4Admin;user=root;password=#

We suggest to use seed data:

In Program.cs -> Main, uncomment DbMigrationHelpers.EnsureSeedData(host) or use dotnet CLI dotnet run /seed or via SeedConfiguration in appsettings.json

The Clients and Resources files in identityserverdata.json (section called: IdentityServerData) - are the initial data, based on a sample from IdentityServer4

The Users file in identitydata.json (section called: IdentityData) contains the default admin username and password for the first login

Authentication and Authorization

Change the specific URLs and names for the IdentityServer and Authentication settings in appsettings.json

In the controllers is used the policy which name is stored in - AuthorizationConsts.AdministrationPolicy. In the policy - AuthorizationConsts.AdministrationPolicy is defined required role stored in - appsettings.json - AdministrationRole.

With the default configuration, it is necessary to configure and run instance of IdentityServer4. It is possible to use initial migration for creating the client as it mentioned above

Azure Key Vault

It is possible to use Azure Key Vault and configure it in the appsettings.json with following configuration:

``` sh
"AzureKeyVaultConfiguration": {
"AzureKeyVaultEndpoint": "",
"ClientId": "",
"ClientSecret": "",
"UseClientCredentials": true
}
```

If your application is running in Azure App Service, you can specify AzureKeyVaultEndpoint. For applications which are running outside of Azure environment it is possible to use the client credentials flow - so it is necesarry to go to Azure portal, register new application and connect this application to Azure Key Vault and setup the client secret.

It is possible to use Azure Key Vault for following parts of application:

Application Secrets and Database Connection Strings:

It is necesarry to configure the connection to Azure Key Vault and allow following settings:

``` sh
"AzureKeyVaultConfiguration": {
"ReadConfigurationFromKeyVault": true
}
```

Dataprotection:

Enable Azure Key Vault for dataprotection with following configuration:

``` sh
"DataProtectionConfiguration": {
"ProtectKeysWithAzureKeyVault": false
}
```

The you need specify the key identifier in configuration:

``` sh
"AzureKeyVaultConfiguration": {
"DataProtectionKeyIdentifier": ""
}
```

IdentityServer certificate for signing tokens:

It is possible to go to Azure Key Vault - generate new certificate and use this certificate name below:

``` sh
"AzureKeyVaultConfiguration": {
"IdentityServerCertificateName": ""
}
```

Logging

We are using Serilog with pre-definded following Sinks - white are available in serilog.json :

Console

File

MSSqlServer

Seq

``` json
{
"Serilog": {
"MinimumLevel": {
"Default": "Error",
"Override": {
"Skoruba": "Information"
}
},
"WriteTo": [
{
"Name": "Console"
},
{
"Name": "File",
"Args": {
"path": "log.txt",
"rollingInterval": "Day"
}
},
{
"Name": "MSSqlServer",
"Args": {
"connectionString": "...",
"tableName": "Log",
"columnOptionsSection": {
"addStandardColumns": [ "LogEvent" ],
"removeStandardColumns": [ "Properties" ]
}
}
}
]
}
}
```

Audit Logging

This solution uses audit logging via - https://github.com/skoruba/AuditLogging (check this link for more detal about this implementation 😊)

In the Admin UI project is following setup:

``` cs
services.AddAuditLogging(options => { options.Source = auditLoggingConfiguration.Source; })
.AddDefaultHttpEventData(subjectOptions =>
{
subjectOptions.SubjectIdentifierClaim = auditLoggingConfiguration.SubjectIdentifierClaim;
subjectOptions.SubjectNameClaim = auditLoggingConfiguration.SubjectNameClaim;
},
actionOptions =>
{
actionOptions.IncludeFormVariables = auditLoggingConfiguration.IncludeFormVariables;
})
.AddAuditSinks<DatabaseAuditEventLoggerSink<TAuditLog>>();
// repository for library
services.AddTransient<IAuditLoggingRepository<TAuditLog>, AuditLoggingRepository<TAuditLoggingDbContext, TAuditLog>>();
// repository and service for admin
services.AddTransient<IAuditLogRepository<TAuditLog>, AuditLogRepository<TAuditLoggingDbContext, TAuditLog>>();
services.AddTransient<IAuditLogService, AuditLogService<TAuditLog>>();
```

Admin Configuration

Admin and STS can be customized without editing code in appsettings.json under AdminConfiguration section

Themes

Ui can be customized using themes integrated from bootswatch.

From version 2.0.0 is possible to change theme from UI. 🎈

By default, configuration value is null to use default theme. if you want to use a theme, just fill the lowercase theme name as configuration value of Theme key.

You can also use your custom theme by integrating it in your project or hosting css on your place to pass the url in CustomThemeCss key. (Note that custom theme override standard theme)

Important Note: Theme can use external resources which caused errors due to CSP. If you get errors, please make sure that you configured correctly CSP section in your appsettings.json with thrusted domains for resources.

``` json
"AdminConfiguration": {
"PageTitle": "Skoruba IdentityServer4",
"HomePageLogoUri": "~/images/skoruba-icon.png",
"FaviconUri": "~/favicon.ico",
"Theme": "united",
"CustomThemeCss": null,
...
},
```

Audit Logging Configuration

In appsettings.json is following configuration:

``` json
"AuditLoggingConfiguration": {
"Source": "IdentityServer.Admin.Web",
"SubjectIdentifierClaim": "sub",
"SubjectNameClaim": "name",
"IncludeFormVariables": false
}
```

The Skoruba.IdentityServer4.Admin.BusinessLogic layer contains folder called Events for audit logging. In each method in Services is called function LogEventAsync like this:

``` sh
await AuditEventLogger.LogEventAsync(new ClientDeletedEvent(client));
```

Final audit log is available in the table dbo.AuditLog.

Login Configuration

In Skoruba.IdentityServer4.STS.Identity - in appsettings.json is possible to specify which column will be used for login (Username or Email ):

``` sh
"LoginConfiguration": {
"ResolutionPolicy": "Username"
}
```

or using Email :

``` sh
"LoginConfiguration": {
"ResolutionPolicy": "Email"
}
```

Register Configuration

In `Skorub