aruss / identitybase Goto Github PK

Add account page where user can see his information and change email and password.

in every project is used the version 2.0.2 of Microsoft.EntityFrameworkCore, except for the IdentityBase.EntityFramework.IntegrationTests, that is still used the 2.0.1 version.

https://github.com/IdentityBaseNet/IdentityBase/blob/develop/test/IdentityBase.EntityFramework.IntegrationTests/IdentityBase.EntityFramework.IntegrationTests.csproj

Add all the out of the box available third party authentication providers.

Show success notifications for

• Password changed
• Account associated/removed

Display state of email confirmation in user account page, and provide a button for resending the confirmation mail.

Introduce a dynamic form logic, so plugins can inject form controls.

Send user an email which contains a confirmation code, which he has to confirm on an additional step in the login form.

Requires #7, #19 to be implemented first.

Hello

Thank you for a great job by putting all the stuff of an IdentityServer together. I faces a problem on finding the 1.1.21 version of ServiceBase library. Until found the ling where I can found current version.

Do you plan to update nuget package for the ServiceBase library? I'm sure that this will help for new people who will try your package.

Thank you!

sh dotnet ef migrations add init --context MigrationDbContext

then

error message : Your startup project 'IdentityBase.EntityFramework.SqlServer' doesn't reference Microsoft.EntityFrameworkCore.Design. This package is required for the Entity Framework Core Tools to work. Ensure your startup project is correct, install the package, and try again.

If the login_hint parameter is present in authorization request then pre-fill the user name input field.

For use cases like WebApi.AutorityUrl the reverse proxy should be able to override the hostname via HTTP header.

If user clicks on cancel link in the registration confirmation mail the created user should be removed, since there is no way anymore to create a account with same email address. Only way then is to recover account by using recovery form.

On the registration form, there is no reCAPTCHA validation.

Create options for reCAPTCHA plugins to be able to select which form should contain the reCAPTCHA validation.

An option to add a custom link that will be displayed side by side with "forgot password" links.

Used for adding links for e.g. terms and privacy agreements.

Remove "User already exists" message on registration, instead just display the message that further instruction is sent via email. Maybe send an actual email with account recovery link, but then protect the form with captcha to avoid spamming mailboxes.

Remove options CancelAfterAccountRecovery, CancelAfterAccountConfirmation that cancels the registration and confirmation flows, the flows should have only tree following outcomes.

1. an error then the error page will be displayed
2. Operation was successful and LoginAfterAccountRecovery or LoginAfterAccountConfirmation is set to true then it should automatically authenticate and redirect to RP
3. Operation was successful and LoginAfterAccountRecovery or LoginAfterAccountConfirmation is set to false then it should display the login page

I have 2 products / applications
I would like to create an SSO for my users.
But for each application, needs a TenantId to filter information in the database

Any idea? Solution?

TBD;

Generation of links should be done via HTTP API

Example request

{
  "returnUrl": "http://localhost:21402/fancy-campaign",
  "validTil": "2019-04-23T18:25:43.511Z",
  "validateUrl": "http://localhost:21402/check?fancy-compain",
  "lifetime": 1337,
  "userAccounts": [
    "alice@localhost",
    "bob@localhost",
    "bill@localhost"
  ]     
}

Example response

{
  "results": [{
    "email": "alice@localhost",
    "activateUrl": "http://localhost:5000/foo/activate/6970e2e5-3e8a-4da3-a4cf-cc8cb137ab5b",
    "authUrl": "http://localhost:5000/foo/login/f4fe3d17-d524-4efb-809d-02e17e46f158"
  }, {
    "email": "bob@localhost",
    "activateUrl": "http://localhost:5000/foo/activate/f3df273e-0b7f-4cb8-ab7d-2cdff8b02482",
    "authUrl": "http://localhost:5000/foo/login/793f94ac-f6c2-42d7-a880-b1f4005a364c"
  }, {
    "email": "bill@localhost",
    "activateUrl": "http://localhost:5000/foo/activate/e41e570a-5e0c-4759-9e67-4889f9683b8e",
    "authUrl": "http://localhost:5000/foo/login/bcc56959-8e79-41d6-b050-5e9d485b290d"
  }]
}

When do you finish the function?such as Authentication API,Multitenancy,Administration dashboard etc.

If error occurs on token verification page a login/resister form should be displayed or at least the links to this forms should be provided since the client ID is present.

Add https://developers.google.com/recaptcha/docs/v3 as a plugin

Requires #19 to be implemented first.

A user should be able to use recover function if the user account is not yet confirmed since the recovery function sends the mail and by doing so confirms the email address.

Create a docker example for following scenario

• Identity Server
• Web App
• Web API
• Postgres DB
• Nginx

With

• Custom domains
• Third party logins
• SMTP configuration
• ReCaptcha configuration

Check if the error is in the configuration of IdSrv.

[10:45:11 VRB] returnUrl is valid
[10:45:11 VRB] returnUrl is valid
[10:45:11 DBG] Start authorize request protocol validation
[10:45:11 DBG] mvc.hybrid found in database: True
[10:45:11 DBG] Checking for PKCE parameters
[10:45:11 DBG] No PKCE used.
[10:45:12 DBG] Found ["email", "openid", "profile"] identity scopes in database
[10:45:12 DBG] Found ["idbase", "api1"] API scopes in database
[10:45:12 DBG] Found ["email", "openid", "profile"] identity scopes in database
[10:45:12 DBG] Found ["idbase", "api1"] API scopes in database
[10:45:12 DBG] Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
[10:45:12 VRB] Authorize request protocol validation successful
[10:45:12 VRB] AuthorizationRequest being returned
[10:45:12 VRB] AuthorizationRequest being returned

Rewrite default theme with Bootstrap4 https://getbootstrap.com
Add javascript validation

If user already have a account with the same email and the AutomaticAccountMerge option is set to true the IdentityBase should merge the accounts automatically.

If AutomaticAccountMerge set to false a screen should be displayed asking the user if he wants to proceed and merge accounts or use a different account.

Blocked by #25

Show validation errors on corresponding input elements.

Use default validation patterns explained here https://docs.microsoft.com/en-us/aspnet/core/mvc/models/validation?view=aspnetcore-2.1

Use jQuery unobtrusive validation for default theme.

Cleanup the configuration and switch to YAML files.

Current plugin architecture is inspired more or less by ExtCore so you have a bunch of folders with lot of dlls and you load them on app start in your current app domain, that works but it is a crappy way to do it, since you don't use the whole fancy dotnet core lazy assembly loading stuff but instead loading all the assemblies on startup.

Another idea would be to check out NopCommerce they just copy all the assemblies to one directory and just load the initial assemblies of each plugin, the rest will be discovered automatically since all the required assemblies are in one folder. This way the startup times wouldn't increase, but it is still crap since it copies files around and if your process breaks in the middle of it the application ends up in crippled and you have to handle such cases.

It would be nice if probing path feature would work like it worked in former .net versions. Then you would just need to change a configuration for additional plugins and load only the initial assembly of each active plugin manually. But this feature does not work as expected in current dotnet core version, see https://github.com/dotnet/coreclr/issues/18683

If someone has a nice idea to make it simple, please share

Each client should be able to override basic application configuration like

• EnableLocalLogin
• AccountLockoutDuration
• RequireLocalAccountVerification
• RequireExternalAccountVerification
• EnableAccountDeletion
• EnableLoginHints

and so on...