Use in existing IdentityServer setup #55
Comments
|
Especially if it's planned to release this UI as a simple injectable middleware as issue #28 is about. |
|
@ruant Sure, I will add this use case to the upcoming video tutorial. It's a great idea. 👍 We are currently working on a project template for dotnet cli. It will be possible to use like this: After that I want to create the nuget packages with UI and BL & EF layers, but I think that takes more time to complete. :) Thank you for your feedback. |
|
Hi! This issue to me should be priority number one. After spending several hours in the code I still don't see how to use this with an existing installation. Somehow the code forces consumers to use its own EF migration and database schema, which bundles ASP.NET Core Identity and IdentityServer4.EntityFramework models into one single DB and DbContext. I tried to decouple both of these things to bind them to two different EF connections, without any success. Similarly, using this single DB as operational store, config store and identity store in vanilla IS4 fails because (from what I understand) migrations are not compatible. I would really love some doc about how to use this nice admin UI with the plain old IS4 quickstart at http://docs.identityserver.io/en/release/quickstarts/8_entity_framework.html. |
|
Hi, |
|
Thanks for your message and responsiveness, @skoruba! |
|
It’s absolutely possible to split the AdminDbContext into more DbContexts like you mentioned with IS4 quickstart sample. |
|
I have the same requirement: I want to enhance my existing SSO service (C#/Core 2.1, Identity Server 4, ASP.NET Identity, Sqlite, Kestrel webserver) with your great Admin UI. But I don´t know how to do! I have seen in the "official" IdentityServer4 - AdminUI tool from Rock Solid, that you can add "UseAdminUI" in the startup.cs and then an additional admin-url is available... that is very easy integration, but I am not sure if I like their tool and also not their licences - so my hope is on your solution :) |
|
@PKrause79 I will update the README with getting started guide - probable this week :) |
|
I am thinking, why you have separated (standalone) services for IDS4, ASP.NET Identity and your Admin-service? What are the reasons for that? Maybe your appraoch is better and its not a good design to integrate all the 3 artefacts as a "SSO-application" in only one service - what do you think? |
|
I have created two separated web apps - one for IS4 with Asp.Net Core Identity and AdminUI - I think it is up to you - how you will design this project structure - I prefer this approach. :) |
|
@PKrause79 - I have updated the |
|
@skoruba Hi! I'm also trying to add your AdminUI on my existing IS4 instance, but by following the readme I'm not really sure about how to make them works together... This is my actual IS4 configuration. DbContext public class AuthDbContext : IdentityDbContext<User>
{
public AuthDbContext(DbContextOptions<AuthDbContext> options)
: base(options)
{ }
protected override void OnModelCreating(ModelBuilder builder)
{
base.OnModelCreating(builder);
}
}Startup class public class Startup
{
public void ConfigureServices(IServiceCollection services)
{
services.AddDbContext<AuthDbContext>(options =>
options.UseSqlServer(connectionString,
sqlServerOptions => sqlServerOptions
.MigrationsAssembly(assemblyName)));
services.AddIdentity<User, IdentityRole>(options =>
{
options.Password.RequireDigit = true;
options.Password.RequiredLength = 10;
options.Password.RequireLowercase = true;
options.Password.RequireUppercase = true;
})
.AddEntityFrameworkStores<AuthDbContext>()
.AddDefaultTokenProviders();
services.AddMvc(config =>
{
// HTTP 406 when not supported format is requested by client
config.ReturnHttpNotAcceptable = true;
})
.SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
services.Configure<IISOptions>(iis =>
{
iis.AuthenticationDisplayName = "Windows";
iis.AutomaticAuthentication = false;
});
var builder = services.AddIdentityServer(options =>
{
options.Events.RaiseErrorEvents = true;
options.Events.RaiseInformationEvents = true;
options.Events.RaiseFailureEvents = true;
options.Events.RaiseSuccessEvents = true;
})
// Configuration data store
.AddConfigurationStore(configurationDb =>
{
configurationDb.ConfigureDbContext = db => db.UseSqlServer(connectionString, sql => sql.MigrationsAssembly(assemblyName));
})
// Operational data store
.AddOperationalStore(operationalDb =>
{
operationalDb.ConfigureDbContext = db => db.UseSqlServer(connectionString, sql => sql.MigrationsAssembly(assemblyName));
})
.AddAspNetIdentity<User>();
}
}
}What am I supposed to do on Also, do I need to create a separate database for the Admin UI or can I add the required tables to the current one used by IS4? Actually, all my IS4 DbContexts uses the same database, so .NET IdentityUser, Persisted and Configuration are different DbContexts but all tables are on the same database. |
|
Was there any progress made on a document detailing how to add this very nice UI to an existing IS4 project? Cheers |
|
I tried to use this AdminUI with my existing DbContext & IS4, but after spending 8 hours I decided to just write my own admin panel with the help of cshtms in skoruba. I wish it could be much more easy to setup |
|
@elyasnew Did you try using this Admin via dotnew template or clone whole solution? Please, can you give me some points for improvements? I am happy for any suggestions. Thank you for your feedback! |
|
I don't know why I'm redirecting to Access Denied Page while I had set the role and user role properly |
|
@elyasnew I had this issue also during integration. Did you add the "roles" identity resources? Checklist: you need in DB 1) the role 2) an admin user with the right role 3) the roles identity resources with the role scope (@skoruba why is this even needed? I can't find mention of it in the code) 4) the right client with allowed scopes |
|
I finally managed to integrate this project with my IdentityServer4 install. The core issue I was trying to solve was to separate the data contexts for configuration, persisted grants, logs and identity. During my early explorations, I discovered that IdentityServer4.Admin assumes all of these things should be in the same data context (i.e. the same database) and that, considering the amount of work put into the STS app, this project seemed aiming at creating a complete, integrated administrable IdentityServer solution rather than “just” an Admin UI. This said, I really needed an admin UI. So I set myself to dive in the code and change everything needed to support my use case, while still staying compliant with the original design intent. And boy was it not straightforward. In total, from the moment I first discovered this project to the moment I got everything working, it took me about an aggregated week of work. Here’s what I would have liked to do:
Here’s what I actually had to do:
I’m sure you will understand that it is very hard for developers to spend this amount of effort to refactor – let alone to understand – a library’s code to suit their needs. I had to refactor interfaces and implementation signatures in almost all layers (and most of the time I ended up simplifying the code rather than complexifying it...). I forked this repo and commited my changes at https://github.com/xcit-lab/IdentityServer4.Admin/tree/feature/db-context-separation Having now spent a good bunch of time in the internals of this lib, I feel like it’s really close to be reusable and deployable in various settings. However before this happens, I see major hinderances that will need to be resolved:
I hope I provided enough details to help those who would want to integrate the app in its current state into their own IS install, and that this refactor will be considered for an upcoming release :) I don’t intend to maintain the fork synced with upstream, so if the changes make sense to you @skoruba I can maybe PR them into a dev branch. Sorry for the lengthy message, I hope this is useful. |
|
Thank you @Brice-xCIT for your reply, I absolutely agree with you that the configuration should be as simple as just writing app.UseIdentityServerAdminUI(). |
|
@Brice-xCIT Before we get to business - from the bottom of our hearts - thank you for spending a week of your working time on IS4.Admin. We're both humbled and honored that you're willing to contribute your improvements back to the project. I think that all of your suggestions are valid and should be included in the project. Lack of manpower to add everything as fast as we would want to is the only reason why it's not already there. Thank you for providing that additional push. Now to business - please open PR to the dev branch (and please preferably merge back any commits that are already in the dev branch). Currently we're working on password resetting, 2FA and profile management and audit logging on the dev branch - just so you know in which areas progress is happening right now. I'll alocate some of my time this week for reviewing any new PRs. |
|
Thank you so much for you great feedback @Brice-xCIT I know that these things need some improvements for easier setup. :) |
|
Hello @skoruba and @xmichaelx, sorry for coming late to the party! Thanks for your messages, I'm glad. I haven't had the time to PR yet, and I see that @skoruba beat me to integrating the changes, which is totally okay 😄. I will update the dev branch and reintegrate with my setup to see if it still works. I feel like we're getting very close to something that works out of the box, so I might work a bit more on Startup configuration to that end. |
|
Hi @Brice-xCIT - thank you for your response, I will be happy for your PR. Feel free to contribute. :) |
|
Hi @skoruba, I was able to configure and run skoruba admin for my application and now am trying extend few classes in Admin Console to display few additional information. On this note i would like to add a new property to IdentityUser class. What i thought is to extend the dbcontext but after discussions with team now trying with extending the IdentityClass. Please help with a correct approach. Tried to refer this url https://github.com/skoruba/IdentityServer4.Admin/tree/feature/extensible-aspnet-identity but got response as 404 |
|
you can extend this object - https://github.com/skoruba/IdentityServer4.Admin/blob/master/src/Skoruba.IdentityServer4.Admin.EntityFramework.Identity/Entities/Identity/UserIdentity.cs and according new properties you should extend your Then you need solve mapping between these new properties (if needed): Thanks! |
|
@skoruba Thanks for the solution. |
|
Hi Jan (@skoruba), What is the current recommended way to integrate with existing instance of IdP (backed by Asp.Net Identity) using rc1? I've been going over @Brice-xCIT comments and your joint PR activity but can't figure out where to start. In particular, I really liked Brice's "what I would have liked to do" steps that mention pulling NuGet package and registering services.AddIdentityServerAdminUI(...) but it seems it hasn't been implemented that way in rc1? Do I need to implement some flavor of "what I actually had to do" steps? Thank you! |
|
Hi @narbit, the easy service registration you mention is available in the branch extract-ui-package. Sadly it had not been merged into rc1 yet (and is now lagging far behind master). This being said it works and this is how one can use it: and with in appsettings.json: with |
|
Hi @Brice-xCIT , thank you for sharing! Unfortunately after spending couple of days on this and not making progress I had to get moving and went with this project https://github.com/brunohbrito/JPProject.IdentityServer4.AdminUI instead. Which had its own challenges but overall was much easier to adapt to with an existing IdP setup. |
|
Hi guys, thanks for feedback on this. I will improve docs for this use case - how to connect to existing IS4. |
|
Greatly appreciate your efforts and time on this project. I was also evaluating JPProject alongside this admin UI project. We are decided to extend the existing IDM/STS to include the Admin area (along with the User Profile). One advantage I see is less maintenance as there is no need of additional client, works with the existing authorization policies (I have broken the parts into permissions base by extending the existing asp net identity framework). I was really wondering why would't that be considered in this project.!! I know security wide, its recommended to add few pages in the central IDM. But again if we have this as an another client, its backing with STS for security. Server pages are more secure than the javascript application. Admin UI as a razor library , then register the services in the startup. I know the complete integration can not be smooth as the product needs to be integrated. Perhaps register the existing dbContext (ConfigurationDbContext, IdentityDbContext, PersistenseDbContext). So the Admin UI uses its own additional tables required for audit. We are reusing the IDM for many of our applications by skinning the client specific styles. So it works out best going with the permissions based and having a role and permissions management pages. |
|
@skoruba do you mind taking a minute on the above query. I just want to make sure about the approach I am going. |
|
Hi @skoruba and congrats for the v1.0 release. Now that the lib is out there, would there be a way for you to revisit this issue? What are the current plans to simplify integration of the lib? |
|
Hi @Brice-xCIT - I am glad to see you for long time again. 😊 I agree with you, this is still little-bit harder to upgrade to the newest version, especially UI part. I think - currently good way for some cases could be a docker image which is available. But I will wonder about some another approach. What do you think? |
|
From what I can see, in its current state this project only supports using the app as-is, in a standalone deployment. For this, it's great. What is lacking however is supporting using the app as a library module, not as an app. I believe that is what the various people who have commented on this and other similar issues were going for. In a nutshell, we want to be able to inject the Admin UI into our projects, without having to change a single line of code in any Skoruba.IdentityServer4.* project. To be fair, why else would you distribute NuGet packages, if not to integrate them into existing projects? From that perspective, I believe the way to go is to just follow ASP.NET Core ecosystem conventions. In all libs I've integrated so far, the pattern is always the same: a single call in ConfigureServices with options, and a single call in Configure to bootstrap middlewares. Anything that will require me to perform several calls in Startup is already too low-level. I don't think it would require a big effort to slightly reorganize the library code to support that. As we've previously discussed, turning the current project .Admin (and .Admin.Api?) into Razor libraries is quite fast and efficient. And providing a configuration builder that allows integrators to inject the services is quite standard. Both of these things have already been done and are currently in the extract-ui-package branch, but sadly it is lagging so far behind dev that it maybe even should be entirely re-done. Although I would really need this if I were to upgrade my current install of .Admin, I'm not sure I have the courage to do this work if it doesn't ever get merged. That's why I wonder what your strategy is :) |
|
I would like to transfer UI part into Razor Class Library, but I remember that I had some issue if I wanted to rewrite existing view, this did not work properly in the past in my case. Currently I am almost done with version 2.0.0 - which will be published as 2.0.0-beta1, because there was a lot of changes and it needs to be more tested. So if you have a time to help me transfer 2.0.0 to Razor Class Library, it would be great and I am definitelly open to rework it. Thanks! |
|
Thanks @skoruba for your message. I'd be willing to help early next year. However I'm not sure transferring the UI part to an RCL will be enough to solve this issue completely. There also needs to be some easier configuration model for DI (like #255) and possibly some separation of the .Admin and .Admin.API core code into their own libraries (like #225). Does this make sense to you? |
|
Hey @Brice-xCIT - yes, I really appreciate your help on this feature. I would like to transfer the UI part into RCL. |
|
Hi @skoruba. I'm starting to take a closer look at this issue, and to double down on my previous comment, I'm struggling to understand how just separating the UI into its own package will be enough to solve this issue. Indeed, an existing application would also need to replicate the startup protocol in Admin:Startup.cs, isn't that right? And in order to do that, it would also need to have access to Admin:StartupHelpers.cs, which in turn would have to be bundled into the NuGet package. Do you believe StartupHelpers and its dependencies should be in package Admin.UI? If you do, that would mean that a user wanting to use this in an existing setup would only need to include a ref to the Admin.UI package to their project. If you don't, it means that there needs to be another NuGet package (Admin.Core? Admin?) that lets users access the helpers and all the code that is necessary to bootstrap admin UI and services during an arbitrary app's startup. What do you think? |
|
Hey @Brice-xCIT - My idea is following:
What do you think? |
|
Thanks @skoruba for the clarification. It makes sense to me now. At first glance I think that some other folders may have to move too (Configuration, Scripts?, Styles?). Do you see anything that specifically should not move to UI? |
|
@Brice-xCIT - I would also move the Configuration, scripts and style into UI package. 👍 |
|
I think I did most of the work at https://github.com/xcit-lab/IdentityServer4.Admin/tree/feature/extract-ui-package-v2 but I don't think it's completely ready for a PR yet, although all tests pass. (Left for me to do is the possibility to set the migration assemblies.) I had to move a lot of things and did quite a few refactors there and there. In particular, I'm not too sure about some parts of Startup I moved away (e.g. HSTS). |
|
@Brice-xCIT - I have checked your changes and it looks really good. 👌 I think some of things from Startup we will remove from UI package (not sure now) but for start it is more than enough - I am really happy for your work. |
|
Thanks for the review! I will tie a few loose ends and submit a PR soon, then. |
For people having identity server running already, any plans on making a guide on how to get this awesome Admin UI to work?
Maybe there has to be some work done with exposing setup options like naming, using existing dbcontexts etc.
The text was updated successfully, but these errors were encountered: