IdentityServer / IdentityServer2

[deprecated] Thinktecture IdentityServer is a light-weight security token service built with .NET 4.5, MVC 4, Web API and WCF.

Create User Management Web API & UI #212

Closed leastprivilege closed 11 years ago

leastprivilege commented 11 years ago

Use this as a forum to discuss the feature.

jmischel commented 11 years ago

Throwing my hat into the ring here. What's being done and how can I help out?

Ruudvdl commented 11 years ago

I'll see what I can do; I'm almost done open-sourcing my version. We can see what we can take from that and reuse it in here.

leastprivilege commented 11 years ago

This is not about seeing what an individual can do. We need to capture requirements - what people really want. Then see how to achieve that in a way that it makes sense.

That's an interesting read e.g.: http://www.simplecloud.info/

jmischel commented 11 years ago

The SCIM stuff is interesting, although overkill for what I need in my application. I can see, though, where it would be generally useful, and I would not oppose making the necessary changes to the internal interface to support it. There's more work on the external interface, having to make the compatible REST services.

My needs for the user management API are fairly simple: I need to support password expiration (user's password is 90 days old, so user must change it before the STS will issue a token), and password reset (user clicks "Forgot password", enters user name, and we email a password reset link that is good for 24 hours). I don't have to support user-initiated password change in the first version, but I'm betting that the requirement will be imposed before we ship.

That said, I like the IUserManagementRegistry that Ruudvdl posted in the linked thread, and I'm happy to help design and implement other parts of the system as long as I get my password change/reset functionality.

Other things that people might want:

User name recovery - If user doesn't remember his login name, supply email address and the system will email the user id. An alternative for some systems might be to let the user log in with his email address and user password. In effect, an email address is considered equivalent to a user name. Not all systems store users' email addresses, of course, so this functionality can't be required.

Password recovery (rather than reset) - Some systems store encrypted passwords rather than salted hashes, and they'll email the clear text password to the user in response to a "forgot password" request. This is obviously a huge security risk, but changing those systems can be an expensive proposition. Some people might want this password recovery functionality. I would argue against implementing it due to security considerations and that the password reset thing can be done almost as easily and much more securely.

Security question support. "What was your first pet's name?" and all that kind of thing. I don't know how prevalent those things are, but some of our customers seem to think it's a good idea to have them. A related but not necessarily mutually exclusive feature would be password hints.

Lockout after N (configurable) attempts at answering security question or verifying new password.

Editing other user profile information should all be done with an IUserProfile interface of some kind. The SCIM stuff defines what looks like a reasonable standard set of information, and allows for application-specific extensions.
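
The requirements listed in the post above (a 90-day password age after which the STS must refuse to issue a token, an emailed reset link good for 24 hours, lockout after N failed attempts, and salted slow hashes so that only reset, never recovery, is possible) as one runnable model. This is an added example, not code from IdentityServer, MembershipReboot or the poster; the in-memory `UserStore`, its method names, the `authenticate` status strings and the value N=5 are assumptions for illustration.

```python
"""Password expiry, reset-link and lockout model (added example, not IdentityServer code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

RESET_TOKEN_TTL = timedelta(hours=24)   # "good for 24 hours", from the thread
PASSWORD_MAX_AGE = timedelta(days=90)   # "password is 90 days old", from the thread
MAX_FAILED_ATTEMPTS = 5                 # the configurable N; 5 is an assumed value
PBKDF2_ITERATIONS = 100_000


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    password_changed_at: datetime
    reset_token_hash: Optional[bytes] = None     # only a hash of the emailed token is stored
    reset_token_expires: Optional[datetime] = None
    failed_attempts: int = 0
    locked: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: the store can reset a password but can never email it back.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class UserStore:
    """Hypothetical in-memory store standing in for a user repository."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}

    def create_user(self, username: str, password: str, now: datetime) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = User(username, salt, hash_password(password, salt), now)

    def authenticate(self, username: str, password: str, now: datetime) -> str:
        """Returns 'ok', 'locked', 'expired' or 'denied'; the STS issues a token only on 'ok'."""
        user = self.users.get(username)
        if user is None:
            return "denied"
        if user.locked:
            return "locked"
        if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
            self._record_failure(user)
            return "locked" if user.locked else "denied"
        user.failed_attempts = 0
        if now - user.password_changed_at >= PASSWORD_MAX_AGE:
            return "expired"   # caller must force a password change before issuing a token
        return "ok"

    def issue_reset_token(self, username: str, now: datetime) -> Optional[str]:
        """Returns the clear-text token for the emailed link, or None for an unknown user.
        The web layer should answer 'check your email' in both cases so the endpoint
        cannot be used to enumerate user names."""
        user = self.users.get(username)
        if user is None:
            return None
        token = secrets.token_urlsafe(32)
        user.reset_token_hash = hashlib.sha256(token.encode("ascii")).digest()
        user.reset_token_expires = now + RESET_TOKEN_TTL
        return token

    def redeem_reset_token(self, username: str, token: str, new_password: str, now: datetime) -> bool:
        user = self.users.get(username)
        if user is None or user.locked or user.reset_token_hash is None:
            return False
        presented = hashlib.sha256(token.encode("ascii")).digest()
        if now >= user.reset_token_expires or not hmac.compare_digest(presented, user.reset_token_hash):
            self._record_failure(user)   # guessing tokens counts toward lockout
            return False
        user.reset_token_hash = None     # single use: cleared before the new password is stored
        user.reset_token_expires = None
        user.salt = secrets.token_bytes(16)
        user.password_hash = hash_password(new_password, user.salt)
        user.password_changed_at = now
        user.failed_attempts = 0
        return True

    def _record_failure(self, user: User) -> None:
        user.failed_attempts += 1
        if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
            user.locked = True


def demo() -> List[object]:
    """Walks the flows with fixed timestamps and returns the observed outcomes in order."""
    t0 = datetime(2014, 1, 1, tzinfo=timezone.utc)
    store = UserStore()
    store.create_user("alice", "correct horse battery staple", t0)
    out: List[object] = [store.authenticate("alice", "correct horse battery staple", t0),
                         store.authenticate("alice", "wrong", t0),
                         store.authenticate("alice", "correct horse battery staple", t0 + timedelta(days=90)),
                         store.issue_reset_token("nobody", t0)]
    stale = store.issue_reset_token("alice", t0)
    out.append(store.redeem_reset_token("alice", stale, "new-pw", t0 + timedelta(hours=25)))  # expired link
    token = store.issue_reset_token("alice", t0 + timedelta(days=90))
    out.append(store.redeem_reset_token("alice", "guess", "new-pw", t0 + timedelta(days=90)))  # wrong token
    out.append(store.redeem_reset_token("alice", token, "new-pw", t0 + timedelta(days=90, hours=1)))
    out.append(store.redeem_reset_token("alice", token, "again", t0 + timedelta(days=90, hours=1)))  # replay
    out.append(store.authenticate("alice", "new-pw", t0 + timedelta(days=90, hours=1)))
    for _ in range(MAX_FAILED_ATTEMPTS):
        store.authenticate("alice", "wrong", t0)
    out.append(store.authenticate("alice", "new-pw", t0))
    return out
```

`demo()` exercises each requirement in turn: the STS reports `expired` exactly at the 90-day mark, a link older than 24 hours or a guessed token is refused and counts as a failed attempt, a redeemed token cannot be replayed, and N wrong passwords lock the account even when the correct one is then supplied.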

brockallen commented 11 years ago

Many of these things are already implemented here:

https://github.com/brockallen/BrockAllen.MembershipReboot

It's not integrated into IdentityServer, but you could easily implement the interfaces to map from IdentityServer to MembershipReboot (I've done this on a few projects now).

Ruudvdl commented 11 years ago

https://github.com/MacawNL/Thinktecture.IdentityServer.v2

This is what I have made (with lots of extras); it might help with implementing an API. I would like to add that not everything is as cleanly coded as I would have liked, but I just haven't had the time to get it all pretty. It's a work in progress, so it will get improved on.

apideveloper commented 11 years ago

I started creating this as well but we went with Api first on everything using UserManagementRepository as the backing class.

After that anyone can make their own client interface.

brockallen commented 11 years ago

Just an update -- we're working internally on a long term solution. Once we have something to share, we'll make an announcement.

knockoutuser commented 11 years ago

@brockallen. That's good news :). If I'm not asking too much... any idea about when we might see a first draft or working prototype of this new feature? Thanks!

brockallen commented 11 years ago

Not terribly soon, unfortunately :(

shiranGinige commented 11 years ago

@brockallen , "It's not integrated into IdentityServer, but you could easily implement the interfaces to map from IdentityServer to MembershipReboot (I've done this on a few projects now). " - would you be kind enough to show us a sample ?

brockallen commented 11 years ago

I don't have an example offhand (that I can share) but it involves implementing the appropriate extensibility interfaces that IdentityServer has and call into MR for the implementation.

apideveloper commented 11 years ago

I don't have any I can share right now. Brock is correct about wrapping your user management portal to the API endpoints of IdentityServer. You can do this in IdentityServer or as an external product, so long as you reuse endpoints appropriately.


jtolar commented 10 years ago

I am trying to implement this myself, the problem I am running into is that MembershipReboot implements EF6 where Identity Server does not. When will IdentityServer implement EF 6? I am updating my instance to EF6 but updates will more than likely overwrite my changes.

bkottapally commented 10 years ago

Does anyone know if MembershipReboot supports more than one security question?

brockallen commented 10 years ago

You mean secret question/answer for password reset? If that's the question, it does.

bkottapally commented 10 years ago

@brockallen Thanks for the info. Is there any document, that helps me how to do it please?

brockallen commented 10 years ago

You'd have to check the MR samples.

StateBarofArizona commented 10 years ago

@Ruudvdl I downloaded your solution. It looks pretty good, I like the Bootstrap. Makes it look more modern. It appears you haven't updated it much lately as it appears to run against some older code. Basically, you dropped the MR sample web onto the IS website? It looks like you were able to do all the work in the Website project and leave the core bits alone?

Ruudvdl commented 10 years ago

I have done a few changes on the core, since I've implemented SimpleMembership. I haven't used MR, but did all custom work. This was because I didn't want Facebook/Twitter/Windows Live etc. logins to just pass through the tokens, but wanted those users to also be created. To accomplish that I had to implement SimpleMembership with DotNetOpenAuth. This also contained much of the user management, such as password reset and account verification. I also built a two-step email change option. I can see if I'll have time to update and do a merge, but I'm quite busy with a project at the moment, so it might be a couple of weeks till I get to it.

StateBarofArizona commented 10 years ago

Any idea why I was able to create the first, admin user but trying to add additional users generates a 500 server error?


Ruudvdl commented 10 years ago

Hmm, no, not sure. If the ELMAH log is configured correctly you can check /elmah to see what the 500 error is. I'm thinking it's perhaps a configuration issue. If this is a real issue, just file the bug in my fork and I'll have a look at it tomorrow.

StateBarofArizona commented 10 years ago

That would be great. It looks like ELMAH is not logging anything (maybe that's the error?). The Elmah.mdf database is there but not updating.


StateBarofArizona commented 10 years ago

Somewhere in here is giving the 500 error: `this.UserManagementRepository.CreateUser(model.Username, model.Password);`


StateBarofArizona commented 10 years ago

It was hanging up on the email.
