Request: Plug and Play template #75

Open
pdevito3 opened this issue Jul 8, 2022 · 23 comments
Comments

@pdevito3 (Author) commented Jul 8, 2022

What would you guys think of putting together a more detailed auth server template? Something we could essentially clone down, add some env variables, change some branding, and safely deploy something to prod. The ones you have are good starts, but still require a lot of time to set up for practical use vs something like keycloak.

Obviously there’s no one solution fits all, but getting together a ready to go common starter would go a long way. The less work it takes to get something up the easier it is for teams to bring it on and the easier it is to sell to leadership teams compared to more plug and play solutions.

Note
At the end of the day, the faster and easier it is to get something up and running in production, the more customers you’ll be able to get.

@brockallen (Member)

We used to have this (like ~5 years ago) using the ASP.NET Identity template as the base, but with every new version and all the changes made maintenance very difficult, so we stopped. But maybe with the ASP.NET Identity UI now packaged in their NuGet, this might be more manageable -- not sure. We might still need to override a page or two, though.

@pdevito3 (Author) commented Jul 8, 2022

If it helps, I personally wouldn't care about continuity with their template. Even if you had your own implementation, as long as I'd be able to get a plug and play, smart default solution cloned down and up and running quickly, that would be the bigger concern for me.

@brockallen (Member)

Personally, I'd not really feel comfortable using the ASP.NET Identity template out of the box in prod -- I think there are too many things that don't work right. And so then that's not something we would provide -- doing a proper, production ready ASP.NET Identity project would be way more of an investment, and potential liability that's beyond what our core product is meant to focus on.

@pdevito3 (Author) commented Jul 8, 2022

Personally, I'd not really feel comfortable using the ASP.NET Identity template out of the box in prod -- I think there are too many things that don't work right.

Yeah, this is one of the big roots of the issue. Getting something up and running takes a ton of work, so it's a harder sell to leadership. Even from the dev side it feels like reinventing the wheel instead of focusing on the specific business IP that brings value to the company.

And so then that's not something we would provide -- doing a proper, production ready ASP.NET Identity project would be way more of an investment, and potential liability that's beyond what our core product is meant to focus on.

Yeah, this is a different issue altogether, but I wanted to at least throw this out there for consideration as it's a big barrier to entry and a downside vs some others (e.g. Keycloak), which do provide a lot out of the box.

@brockallen (Member)

Yeah this is one of the big roots of the issue.

And that is not our product, so we won't be doing that anytime soon. There are lots of consulting organizations that have done their own work in this area and then sell their version of this as a package with support and their backing.

Re: keycloak -- I don't know exactly what it does, but it's a "canned" thing, and that's pretty much the antithesis of what our design is all about. You get to code all of that stuff to work exactly the way you want with IdentityServer. So that's the tension here.

@pdevito3 (Author) commented Jul 8, 2022

And that is not our product, so we won't be doing that anytime soon. There are lots of consulting organizations that have done their own work in this area and then sell their version of this as a package with support and their backing.

Fair. I more meant that it's part of the equation for a functioning system that we would need to go live, but your point stands about being able to add an existing paid product. I could see that as a downside to some vs something that's included with what we'd already be paying for with Duende, but it won't be an issue for everyone.

Re: keycloak -- I don't know exactly what it does, but it's a "canned" thing, and that's pretty much the antithesis of what our design is all about. You get to code all of that stuff to work exactly the way you want with IdentityServer. So that's the tension here.

Yup, agreed, but if we had a canned base that we could easily customize that would be the best of both worlds and a huge differentiator for duende in the entire space.

@brockallen (Member) commented Jul 15, 2022

Following up on this thread -- are you looking for something developer focused, or production ready?

Ah, looking above, you are looking for production it seems. The closest thing I have for you is that Rock Solid Knowledge has something like this, so perhaps that gives you what you want?

https://www.identityserver.com/articles/getting-started-with-sso

@leastprivilege (Member)

Any feedback on that?

@pdevito3 (Author)

Sorry I missed the notifications on these. Will need to deep dive it, but looks potentially solid.

With that said, having something directly through your team and the actual product would be preferable for many I would think. Would also be an easier sell to leadership teams for a quick ramp up with a Duende system.

@pdevito3 (Author)

Got to look at it a bit tonight. As far as I can tell, the product you linked is more like keycloak, which is fine but not quite what I meant with the OP.

What I am getting at with this is to have a more robust template that gives us smart Duende Auth Server defaults with enough meat to actually go into prod quickly vs spending weeks or months building it manually.

Again, I know it won't have everything, but having the most common workflows in a template that we can quickly clone down and use as is or customize to our needs would speed teams along immensely and be a big differentiator in the space.

@leastprivilege (Member)

Could you compile a list of what this template should have out of the box?

@leastprivilege (Member)

Oh, and how do you envision customization, and what do you think needs to be customized?

@pdevito3 (Author) commented Jul 24, 2022

You guys have done more prod implementations across orgs than me and would know better, but here's my initial brain dump on what I might want to be able to go live with day 1.

If I think of anything else I'll try to come back and update this. Happy to answer any questions.

Features

Here's a general list of features I'd expect, probably with some gaps I'm forgetting. I'd think these are in Razor or Blazor (Blazor might be best, see customization comment below).

Theoretically they're even backed by api endpoints so teams could do something like a SPA UI but still leverage all the heavy backend flows needed, but I know that probably increases the lift substantially and wouldn't be needed for an MVP.

You guys have parts of these already, but I want to try to put together a complete list.

Account

  • User/Password Login
    • Form validation including password messages
    • Forgot password (togglable?)
      • Link on login & form to fill out with confirmation
    • Remember Me (togglable?)
    • MFA login
      • I can see this as potentially not holding up an initial MVP, but would probably want it to be a fast follow, as not having this might be a requirement for many orgs and is not trivial to build out
    • Plug and play HRD
  • Logout
  • Registration
    • Togglable email verification
      • Maybe with mailhog or something in a docker container?
      • Confirm email page
      • Resend email
    • Consents
  • User Managed Access
    • Manage basic profile info
    • Setup MFA?
    • Even if you don't back the other items above by an API, I would think you might want to for this as well so apps can support profile management without redirecting to the auth server, iframing, etc.

I'd also guess that having CIBA and maybe device support would be useful for many, but I just haven't had to deal with that myself on projects so I don't know how common that is across the community.

Administration

I'd think in practice most teams would want to have a database based config, but maybe code based would be fine here? Regardless, having some supporting UI around config and managing as much of it as we're able to would be really useful.

I know there are paid services for this already, but having to tell leadership that we need to go buy Duende and another UI platform to support it is a hard pill to swallow. Maybe those provide an enhanced experience, but we can still get something with the OOTB template.

  • Manage clients
    • View clients
    • Add/Edit client
      • Given that code and client credentials flow are the two that should be used, having these two types of clients be very plug and play for setup would be a great touch, I think
    • Manage scopes
    • Manage keys and credentials
    • Manage audience
  • Manage scopes
    • View list
    • Add/Edit scope
    • Seed default useful scopes (email, profile, openid, role, etc.)
  • Manage users
    • View list
    • Add/Edit user
    • Password reset
    • Unblock
    • Manage roles
    • Manage Consents
    • Manage MFA
  • Manage roles
  • View sessions

DX

  • Having a project that runs locally is great, but facilitating an easy deployment and making that process as smooth as possible would help the DX a lot. I'm not an infra guy, but depending on how far you take it I'd think you could have one or more of the below
    • Dockerfile (I'd think you at least need this)
    • Docker compose for local dev with easy db spin ups (not needed, but nice to have IMHO)
    • Pulumi or Terraform setup for adding infra in maybe Azure and AWS and devs could just delete the one they aren't using?

Stretch

I don't think these should block an MVP, but would be nice at some point

  • OTP login
    • Many people are using OTP logins and would see having this option as valuable, but could see this as something to follow a v1 template
  • Impersonation
    • As far as I know there isn't a super tried and true way to do this, so I'm guessing this probably won't fly with you guys, but having some kind of impersonation option would really help a lot of teams.
  • Temporary password assignment and UI (e.g. I can add a user as an admin, send them their info with a temp password, and they are prompted to change it on login)

Customization Options

  • The first and biggest thing I can think of is branding (and this would be a key differentiator).

    Each dev shop will probably need to make tweaks to the logo, some positioning and general styles, and maybe even controls and more details like that to match their brand. Usually this might be a major pain and limiting with something like Auth0 or Keycloak, but you guys have a chance to shine here.

    To be clear, I don't mean something like CSS Zen Garden where we can make our own custom stylesheet, but the lighter the lift to add our branding the better. Components with something like a SPA or Blazor would probably be the best option and would most easily facilitate updating controls. For example, a components directory has input and checkbox components, and if I change the styling on that input component all of my inputs will then be updated based on that style.

  • Password requirements. I know this is Identity based, but this is probably something that varies between orgs and would be good to update. Ideally there's a UI for it, but personally I could see doing this in the code and having it be fine.

  • I would guess that some shops would want to customize their claims on their token to a degree.

Examples

I started trying to make one myself, much of it leveraging stuff from here or here, but there were still lots of gaps and it was too big of a lift for me to do on my own as I was out of my depth in a few areas.
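As an added illustration of the "code based" configuration and the two client types the list above singles out (authorization code for interactive apps, client credentials for services), here is a configuration class written for this thread, not code from the issue, from Duende's templates or from the author. It uses the public Duende IdentityServer configuration model; client ids, secrets, redirect URLs and the custom "role" resource are placeholders.

```csharp
// Added example: in-code client, resource and scope registration for a
// Duende IdentityServer host. Not taken from the issue or from Duende's
// own templates; all ids, URLs and secrets are placeholders.
using System.Collections.Generic;
using Duende.IdentityServer;
using Duende.IdentityServer.Models;

public static class Config
{
    // The "default useful scopes" the wishlist mentions (openid, profile, email, role).
    public static IEnumerable<IdentityResource> IdentityResources =>
        new IdentityResource[]
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile(),
            new IdentityResources.Email(),
            // Hypothetical custom resource that releases the "role" claim.
            new IdentityResource("role", "User roles", new[] { "role" }),
        };

    public static IEnumerable<ApiScope> ApiScopes =>
        new[] { new ApiScope("api.read", "Read access to the API") };

    public static IEnumerable<Client> Clients =>
        new[]
        {
            // Interactive web client: authorization code + PKCE, confidential.
            new Client
            {
                ClientId = "web-client",                      // placeholder
                ClientName = "Interactive web app",
                AllowedGrantTypes = GrantTypes.Code,
                RequirePkce = true,                           // Duende default, stated explicitly
                RequireClientSecret = true,                   // false for public SPA clients
                ClientSecrets = { new Secret("REPLACE-WITH-SECRET-FROM-ENV".Sha256()) },
                RedirectUris = { "https://app.example.com/signin-oidc" },
                PostLogoutRedirectUris = { "https://app.example.com/signout-callback-oidc" },
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    IdentityServerConstants.StandardScopes.Email,
                    "role",
                    "api.read",
                },
                AllowOfflineAccess = false,                   // opt in to refresh tokens per client
                AccessTokenLifetime = 600,                    // seconds; keep access tokens short-lived
                RequireConsent = false,
            },
            // Machine-to-machine client: client credentials only, no user context.
            new Client
            {
                ClientId = "worker-service",                  // placeholder
                ClientName = "Background worker",
                AllowedGrantTypes = GrantTypes.ClientCredentials,
                ClientSecrets = { new Secret("REPLACE-WITH-SECRET-FROM-ENV".Sha256()) },
                AllowedScopes = { "api.read" },
                AccessTokenLifetime = 300,
            },
        };
}

// Program.cs wiring for the in-memory (code-based) stores:
//
// builder.Services.AddIdentityServer()
//     .AddInMemoryIdentityResources(Config.IdentityResources)
//     .AddInMemoryApiScopes(Config.ApiScopes)
//     .AddInMemoryClients(Config.Clients);
```

The secrets are hashed with the `Sha256()` extension from `Duende.IdentityServer.Models` before storage, so the plaintext value is what a deployment would inject from environment variables or a secret store rather than commit to the repository; the two clients differ only in grant type, allowed scopes and token lifetime, which is what makes them "plug and play" to copy for a new app or service.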

@brockallen brockallen transferred this issue from DuendeSoftware/IdentityServer.Templates Aug 2, 2022
@pdevito3 (Author)

👋 Guys, just thought of this again. Made a couple of minor tweaks to the above, but think it mostly still holds. Hopefully this is still in the cards at some point. As always, happy to answer any questions.

@figuerres

Hey, I am just now coming in here .... way back I used IdentityServer at one time. Now I am in a new project and need to set up a new one. I think I have almost caught up on things and I do have one thing to add in here:

So I have been using the "quickstart" and the first parts I found helpful.
But now I came to the "Using ASP.NET Core Identity" part where it starts a new project and kind of dumps the prior one.
I feel like that is kind of a bad call.
I want to use MS SQL for my data store. In the prior steps I had that started.
But now the current guide has made a SQLite db and now I feel like to get where I want I have to kind of merge things from the different quickstarts and I am taking a step back.
I would rather the ASP.NET Core Identity start just let me keep what I had and just add the identity tables to the SQL db I have.

Let the user set the data storage before creating the migration and the database,
so that quickstart 5 uses what I did in #4.

@figuerres commented Feb 19, 2024

Also, unless I am mistaken, the quickstart pulled in an old reference to v4.
I just found this line in the code for HostingExtensions.cs:
using IdentityServer4.EntityFramework.DbContexts;
Have to see if that was me by accident....

No, I think that was me.... I may have by mistake pulled in the old stuff.....

@pdevito3 (Author)

FWIW, for me I'd definitely prefer something without Identity to start, and maybe there's an extension of it down the road that includes it if there's enough ask. It would just add a lot more work, delay and complexity to something that's already a massive lift.

And personally, I have no interest in maintaining identity info directly.

@brockallen (Member)

Ah and herein lies part of the complexity :) Everyone needs/wants something different based on different assumptions and requirements, and given that we're a framework we can be utilized in a variety of ways. Of course, I think that's well understood.

In any event, we have kept this issue open because it is still something we'd like to do something about as we have cycles available for it. Thanks!

@figuerres

@brockallen and @pdevito3
Yeah, for sure there is no real "one size fits all" in this..... I do get that....

In my case I need "something" to hold the user login info and it needs to be not Microsoft/Google etc....
And some of the other software I am working with has support for the Microsoft identity libraries.
So it may not be perfect but it fits in.

@pdevito3 (Author)

In any event, we have kept this issue open because it is still something we'd like to do something about as we have cycles available for it. Thanks!

That's exciting 🙂

@pdevito3 (Author)

Hmm, wasn't really thinking before, but yeah, an inherent part of this is user management, so theoretically Identity actually saves some time?

So I guess it's up to the team; whatever's easiest I'd be open to. If that means having Identity help with the heavy lifting then that's cool.

Sorry, hadn't really thought this all the way through when I commented earlier lol

Regardless, yeah, this is definitely a hard problem and everyone will have different thoughts, but at least having some kind of functional prod-ready base to work from would be a major differentiator for y'all.

@figuerres

Also, I have limited time; if I am not able to make this work I have to use other means....
For example, the system I am building will have a web app and a database in Azure.
So one option is to use Azure app registration and Azure AD for part of what I am creating. That will work and it's almost turnkey.

There are also other ID packages like Auth0 but I am not sure what that costs .....

Will have to check on options while I try to get a working proof of concept here....

@figuerres

I am reading the documentation for how to use the dotnet ef tool. I think I will get this working but it might be worth updating the quickstarts slightly.

Just give new users an option: if you want to put the data in one database that is not SQLite then do this....
For example, I want to store all my data in one MSSQL database.
It would help to have the templates and the quickstarts allow me to do that and not just assume that I want to have multiple SQLite databases.
Also have quickstart 5 allow what was just done in quickstart 4 to be used in 5.

Just helps for the folks who want to get a very basic system working with a database and not in-memory data.

Yes, we can figure it out .... but if the new developer is not familiar with how all the dotnet ef tools work it will help get started.
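For readers who land here with the same question as the comment above (one SQL Server database for ASP.NET Core Identity plus both IdentityServer stores instead of several SQLite files), here is a Program.cs sketch added for this thread. It is not the quickstart's code and not the commenter's; it assumes the `Duende.IdentityServer.EntityFramework`, `Duende.IdentityServer.AspNetIdentity` and `Microsoft.EntityFrameworkCore.SqlServer` packages, an `ApplicationDbContext` / `ApplicationUser` pair as in the quickstart, and a `DefaultConnection` connection string supplied through configuration.

```csharp
// Added example: one SQL Server database shared by ASP.NET Core Identity,
// the IdentityServer configuration store and the operational store.
// Not the quickstart's code; ApplicationDbContext, ApplicationUser and
// the "DefaultConnection" connection string are assumed to exist.
using System.Reflection;
using Duende.IdentityServer.EntityFramework.DbContexts;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);

// Single connection string, injected via user secrets / environment, never committed.
var connectionString = builder.Configuration.GetConnectionString("DefaultConnection")
    ?? throw new InvalidOperationException("Connection string 'DefaultConnection' is missing.");
// All migrations live in the host project so one `dotnet ef` run covers them.
var migrationsAssembly = typeof(Program).Assembly.GetName().Name;

// ASP.NET Core Identity tables in the same database.
builder.Services.AddDbContext<ApplicationDbContext>(options =>
    options.UseSqlServer(connectionString));

builder.Services.AddIdentity<ApplicationUser, IdentityRole>(options =>
    {
        // Password and lockout policy are configured here, per organisation.
        options.Password.RequiredLength = 12;
        options.Lockout.MaxFailedAccessAttempts = 5;
        options.SignIn.RequireConfirmedEmail = true;
    })
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddDefaultTokenProviders();

builder.Services.AddIdentityServer(options =>
    {
        options.EmitStaticAudienceClaim = true;
    })
    // Clients, resources and scopes persisted in the database ("database based config").
    .AddConfigurationStore(options =>
    {
        options.ConfigureDbContext = b => b.UseSqlServer(connectionString,
            sql => sql.MigrationsAssembly(migrationsAssembly));
    })
    // Grants, consents, device codes and server-side sessions.
    .AddOperationalStore(options =>
    {
        options.ConfigureDbContext = b => b.UseSqlServer(connectionString,
            sql => sql.MigrationsAssembly(migrationsAssembly));
        options.EnableTokenCleanup = true;   // purge expired grants in the background
    })
    .AddAspNetIdentity<ApplicationUser>();

var app = builder.Build();
app.UseIdentityServer();
app.Run();

// Migrations: one per DbContext, all pointing at the same connection string.
// Run from the project directory with the dotnet-ef tool installed:
//   dotnet ef migrations add InitialIdentity      -c ApplicationDbContext    -o Data/Migrations/Identity
//   dotnet ef migrations add InitialConfiguration -c ConfigurationDbContext  -o Data/Migrations/Configuration
//   dotnet ef migrations add InitialOperational   -c PersistedGrantDbContext -o Data/Migrations/Operational
//   dotnet ef database update -c ApplicationDbContext
//   dotnet ef database update -c ConfigurationDbContext
//   dotnet ef database update -c PersistedGrantDbContext
```

The three DbContexts keep separate migration histories even though they share one database, which is why each `dotnet ef` call names its context with `-c`; the `MigrationsAssembly` call is what lets the Duende-owned contexts find migrations compiled into the host project. Replacing `UseSqlServer` with a different provider is the only change needed to target another database.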
