
My scenario: I have a client ASP.NET MVC app that I'm now securing with IdentityServer4, using IDSRV4 only as a Federated Gateway (no local users are needed), i.e. any user accessing the app can only authenticate using an external provider (either ADFS for our internal company users, or the Belgian eID login provider via SAML2 for external users, who are all Belgian citizens). IDSRV4 returns the external claims to the client app (using the OpenIDConnect OWIN middleware), which are then used to sign in the user.

This flow is working in terms of authentication (i.e. the identity token). However, I'm a bit confused about whether I will need a persistent user store on my IDSRV4 (like ASP.NET Core Identity) if I want to start requesting access tokens, or if I could just keep on living with InMemory users (or even no store at all), as ALL my users will ALWAYS be identified by one of the two aforementioned external providers.

Thanks for any insight.

Mathieu

1 Answer


You won't need any persistent user store for the purpose of handing out access tokens; that is handled by IdentityServer. The configuration of the client application in IdentityServer needs to use the hybrid flow (AllowedGrantTypes = GrantTypes.Hybrid), and the client application has to request an authorization code as well as an identity token (options.ResponseType = "code id_token").

However, it may not be a best practice to pass the unique identification of users (the subject claim, or another claim uniquely identifying the user) from the external provider to your client applications. You may want to map that user information to your own unique identification of the user. In that case you would need a persistent user store to hold on to your own unique user identification.
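Putting the answer's two points together as an added example (this is not code from the question, the answer, or the IdentityServer4 project): part 1 is the IdentityServer4 `Client` definition with `AllowedGrantTypes = GrantTypes.Hybrid`, part 2 is the Katana OpenID Connect middleware on the MVC side requesting `code id_token` and exchanging the code for an access token, and part 3 shows the external-login callback on the IdentityServer side issuing a local subject instead of forwarding the provider's subject claim. The client id, secret, URLs, the `api1` scope, the `IUserStore` interface with its `FindByExternalAsync`/`ProvisionAsync` methods, and the `scheme`/`returnUrl` property items are assumptions; the token exchange assumes the IdentityModel `HttpClient` extensions (3.10+), and part 3 assumes IdentityServer4 v3 or later (`IdentityServerUser`).

```csharp
// ---- Part 1: IdentityServer4 side, client registration (hybrid flow, no local user store needed) ----
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;

public static class IdsrvConfig
{
    public static IEnumerable<Client> GetClients() => new[]
    {
        new Client
        {
            ClientId = "mvc-client",                                     // assumed client id
            ClientSecrets = { new Secret("PLACEHOLDER-CLIENT-SECRET".Sha256()) },
            AllowedGrantTypes = GrantTypes.Hybrid,                       // the setting the answer names
            RedirectUris = { "https://localhost:44300/signin-oidc" },    // assumed MVC app URL
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "api1"                                                   // assumed API scope
            },
            AllowOfflineAccess = true                                    // lets the MVC app get a refresh token
        }
    };

    public static IEnumerable<ApiResource> GetApis() => new[] { new ApiResource("api1", "Example API") };
}

// ---- Part 2: ASP.NET MVC (Katana/OWIN) side, request "code id_token" and redeem the code ----
using System.Net.Http;
using IdentityModel.Client;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public static class MvcStartupAuth
{
    public static void Configure(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationType = "Cookies" });
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://idsrv.example",                         // assumed IdentityServer URL
            ClientId = "mvc-client",
            ClientSecret = "PLACEHOLDER-CLIENT-SECRET",
            RedirectUri = "https://localhost:44300/signin-oidc",
            ResponseType = "code id_token",                              // hybrid: id_token now, code for tokens
            Scope = "openid profile api1 offline_access",
            SignInAsAuthenticationType = "Cookies",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                // The id_token has already been validated by the middleware at this point;
                // exchange the authorization code for an access (and refresh) token at the token endpoint.
                AuthorizationCodeReceived = async n =>
                {
                    using (var http = new HttpClient())
                    {
                        var tokens = await http.RequestAuthorizationCodeTokenAsync(new AuthorizationCodeTokenRequest
                        {
                            Address = "https://idsrv.example/connect/token",
                            ClientId = "mvc-client",
                            ClientSecret = "PLACEHOLDER-CLIENT-SECRET",
                            Code = n.Code,
                            RedirectUri = n.RedirectUri
                        });
                        if (tokens.IsError) throw new System.Exception(tokens.Error);   // fail closed on a bad exchange
                        // Keep the tokens in the session cookie claims; never expose them to browser script.
                        n.AuthenticationTicket.Identity.AddClaim(new System.Security.Claims.Claim("access_token", tokens.AccessToken));
                        if (tokens.RefreshToken != null)
                            n.AuthenticationTicket.Identity.AddClaim(new System.Security.Claims.Claim("refresh_token", tokens.RefreshToken));
                    }
                }
            }
        });
    }
}

// ---- Part 3: IdentityServer4 side, external callback mapping the provider's subject to YOUR subject ----
// This is the place the answer's second paragraph points at: the only thing that needs a persistent store.
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

public interface IUserStore                                              // assumed persistent mapping store
{
    Task<string> FindByExternalAsync(string provider, string externalSubject);        // returns local id or null
    Task<string> ProvisionAsync(string provider, string externalSubject);             // creates and returns local id
}

public class ExternalController : Controller
{
    private readonly IUserStore _users;
    public ExternalController(IUserStore users) => _users = users;

    [HttpGet]
    public async Task<IActionResult> Callback()
    {
        var result = await HttpContext.AuthenticateAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
        if (result?.Succeeded != true) return Unauthorized();

        var provider = result.Properties.Items["scheme"];                // assumed: set on the challenge
        var externalSub = result.Principal.FindFirst(JwtClaimTypes.Subject)?.Value
                       ?? result.Principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (externalSub == null) return Unauthorized();                  // no usable identifier from the provider

        // Look up our own id for this (provider, external subject) pair, creating it on first login.
        var localId = await _users.FindByExternalAsync(provider, externalSub)
                   ?? await _users.ProvisionAsync(provider, externalSub);

        // Sign in with OUR subject; the client app never sees the provider's raw identifier.
        await HttpContext.SignInAsync(new IdentityServerUser(localId) { IdentityProvider = provider });
        await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme);
        return Redirect(result.Properties.Items["returnUrl"]);          // assumed: set on the challenge
    }
}
```

Parts 1 and 2 alone answer the question as asked: access tokens come from the hybrid flow with no user store at all. Part 3 is only required if you decide, as the answer recommends, that the identifier your client apps rely on should be yours rather than the external provider's.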