0
votes

I have a few questions. I have a setup with an ASP.NET Core application with IdentityServer4 and EF. That works fine. Now I want to know which way I have to store items in the database.

I have seven tables for the identity database:

AspNetUserRoleClaims - claims for roles (which roles have access to what)
AspNetRoles - roles of the user
AspNetUserClaims - claims of the user like firstname, country
AspNetUserLogins - how to use this table?
AspNetUserRoles - roles for users
AspNetUsers - user stored here
AspNetUserTokens - how to use this table

Now I have registered a user and a few roles in the database and set the connection to the AspNetUserRoles (which role the user has). Now I want to add more information to the user through the registration, like country, given_name, family_name. But where do I have to store them? Only in AspNetUserClaims, or should I store the information in the AspNetUser table (through ApplicationUser and an extra column in the AspNetUser table)?

And how can I store items in the AspNetLogin and AspNetToken tables, or is this automatically done by IdentityServer?

Thanks in advance for your answer

1
Whether or not to store as columns or claims is primarily opinion-based - both approaches work. IdentityServer does not use the AspNet* tables at all - AspNetLogins stores third-party logins (e.g. Facebook, Google) that are linked to AspNetUsers and AspNetUserTokens is for third-party login tokens linked to AspNetUsers and AspNetLogins. - Kirk Larkin
OK, thank you. I thought IdentityServer uses the claims table to put them in an id-token or access-token? I see there is an IdentityClaims table too; how do the user claims work together with the IdentityClaims? - eldios1981
Not directly, it doesn't. Remember that IS4 works with not just Identity - you can have in-memory users, etc., which couldn't possibly get claims from AspNetUserClaims in the database. It's an extension point - IProfileService - which sits in between IS4 itself and Identity to map between the two. IdentityClaims is an IS4 table, but these represent the concept of which claims are available for which IdentityResources. It's a big subject... - Kirk Larkin
Ah, there is light at the end of the tunnel. Thank you very much, now I understand it more. - eldios1981

1 Answer

2
votes

I have a similar problem and have posted a related article.

What I can say is this ...

  1. The AspNet* tables are created for normal AspNet Identity authentication (i.e. if you are NOT using other authentication mechanisms or custom user stores).
  2. If you want to add columns to the AspNetUsers table, you extend the IdentityUser class (e.g. public class MyApplicationUser : IdentityUser), then add your custom properties (e.g. FirstName). This essentially changes the model. To ensure that EF writes your model changes to the DB table, you need to extend the IdentityDbContext class with your new MyApplicationUser class.
  3. If you want custom claims for the user (e.g. hair_color) to be added to the AspNetUserClaims table, you need to call userManager.AddClaimAsync(). You could do this during the registration process or login process with data from the form, or from claims received from external auth providers such as Google, Facebook, Twitter etc.
  4. In general, if you are using IdentityServer, the AspNetUserTokens table is NOT used, as IDS' primary responsibility is to issue and validate tokens (id_tokens, access_tokens etc.).

Hope this helps getting you started.

I'm trying to figure out if it's best practice to add additional user information to the entity (i.e. AspNetUsers) or to add them as claims in AspNetUserClaims.