aspnet / Identity

[Archived] ASP.NET Core Identity is the membership system for building ASP.NET Core web applications, including membership, login, and user data. Project moved to https://github.com/aspnet/AspNetCore
Apache License 2.0

ASP.NET Core Identity as a service #1187

Closed danroth27 closed 7 years ago

danroth27 commented 7 years ago

Add a layer to ASP.NET Core Identity that exposes identity as a service.

This service should provide an opinionated and turn-key identity solution that enables customers to easily migrate to Azure AD B2C. The service should support flows for Web Apps and Web APIs as supported today by Azure AD B2C. Apps interact with the service using standardized protocols (OpenID Connect, OAuth 2.0, JSON Web Tokens) while abstracting the user from protocol details. Client token acquisition will be supported through the Microsoft Authentication Library (MSAL). The goal is to provide a consistent identity offering for in-app, on premise, and cloud scenarios.

Benefits of exposing ASP.NET Core Identity as a service:

Out of scope:

Ponant commented 7 years ago

@danroth27 , I saw this video a few days ago but that was not enough for me except in getting a general idea. The problem with abstraction is that you lose the basics of understanding code, namely follow a method which calls another method etc (I may be too old for that ;) ). I would rather go for something like Adam Tulliper did once https://mva.microsoft.com/en-US/training-courses/customizing-aspnet-authentication-with-identity-8647?l=1Yef8hF1_7604984382, but in a short version until you clean up the code. After that, people will adopt it in my opinion because you offer a better separation of concern.

danroth27 commented 7 years ago

@Ponant Yup, totally agree. I'll shoot for getting something out by early June.

danroth27 commented 7 years ago

The initial code for this feature is now checked in, so I'm going to go ahead and close this issue. However, please feel free to continue to comment if you have further questions. Even better, give the ASP.NET Core 2.0 Preview 1 bits a spin and let us know what you think!

ghost commented 7 years ago

So after all these comments, the only change is the words describing what you have done. But what we get is still the original intent.

This service should provide an opinionated and turn-key identity solution that enables customers to easily migrate to Azure AD B2C.

There was not much point in allowing discussion if you do not listen. This is the biggest problem with all Microsofts "open source" efforts. e.g. project.json vs .csproj. It is a waste of time discussing these choices when the decisions have already been made in an office at Microsoft.

If you want people to use your B2C product, lower its price to something less insane. Herding customers into using it by making other options painful will not work. People will just leave your stack to somewhere where they do not get their arms twisted by the vendor i.e. real open source.

luisgizirian commented 7 years ago

With a separation as a Service, it seems to me that more complex scenarios are getting into the Identity equation. So, I ask again if support for Multitenancy (TenantId in the AspNetUsers table) is still out of reach. Please refer to #1047 & #266.

SaaS apps where neither AzureAD nor IdentityServer are a fit would greatly benefit from this construct right from the library itself.

Thanks! Luis

danroth27 commented 7 years ago

@PericlesSouza It certainly wasn't the intent to ignore any feedback. We've been monitoring this issue closely and I've opened the following issues to track the feedback we've heard. If I missed something please do let me know:

Your specific feedback has been about not forcing folks to use Azure AD B2C, which this feature does not do. It sounds like you are particularly interested in preserving choice of identity provider, which is exactly what this feature is about. This feature decouples your app from ASP.NET Core Identity making it easy to switch to IdentityServer, OpenIdDict or any OIDC provider you want.

danroth27 commented 7 years ago

@luisgizirian Unfortunately, I don't believe we have any new plans around multitenancy. However, the Orchard folks have been hard at work on Orchard Core and they have multitenancy support built-in.

luisgizirian commented 7 years ago

@danroth27 That's a deal-breaker for us.

We're a proprietary SaaS platform supporting multiple websites for our customers. We're stuck on ASP.NET Identity v.2 (with multi-tenancy addition). We have already +50K users among our tenants (sites with customers of our customers). We shall decouple from v.2 Identity (while keeping existing passwords) to allow our code base to evolve and be upgraded to .NET Core.

We operate on top of Azure using a combination of IaaS, SDN, PaaS, and several Azure services (Microsoft offered and 3rd Parties as well thru Marketplace) over multiple DCs.

The negative on moving on with multitenancy for ASP.NET Identity Core is a big deal to us, but I hope it is for the best somehow. At first look, Orchard Core is not in our best interest as it's a big tradeoff with a steeper learning curve that deviates us from our core.

jersiovic commented 7 years ago

@luisgizirian I don't think @danroth27 would mean you should move to OrchardCore, simply that you can look on it to see how multitenancy was solved to bring ideas to your platform. So, instead of forcing others to have a tenant id in user table that maybe we don't want to use, you could adapt to what exists using a different user table per tenant.

Bartmax commented 7 years ago

This feature decouples your app from ASP.NET Core Identity making it easy to switch to IdentityServer, OpenIdDict or any OIDC provider you want.

What a lie, created a new project and tried to swap to another provider... it's just impossible. After that I did create a new blank app, and got auth stuff done in like 15 minutes.

@danroth27 The definition of the word easy that you use in every comment on this issue is not what you think it is.

Even better, give the ASP.NET Core 2.0 Preview 1 bits a spin and let us know what you think!

As sincere as possible, I think the new auth template is useless/confusing/complex (at least for me), it also doesn't work right (neither did the former template, so it was no surprise) and I have no plan to invest any more time on it or this issue.

What I get from this and the many times that I tried to contribute to the way authentication is done, point out defects on the templates, etc. is that I just need to forget that Microsoft has any authentication "stuff" and move on. 😫

danroth27 commented 7 years ago

@Bartmax It's certainly not impossible. If it helps, take a look at my IdentitySwap sample that's preconfigured to allow you to swap between local ASP.NET Core Identity, Azure AD B2C, and IdentityServer4 for sign in by changing a single line of code. This is the same demo app I used at BUILD. There's certainly plenty of room for improvement (it's only preview1), but hopefully it gives the idea of what we're trying to enable.

I can tell you're frustrated (sounds like there's some history here), but if you'd be willing to share where you ran into issues I'd love to hear what they were. You're probably one of the first people to try out the new templates, and we greatly appreciate the early feedback.

minhnhat2807 commented 7 years ago

@danroth27 Where can I change grant_types_supported? When I look at this link xxx/v2.0/.well-known/openid-configuration it's always empty.

I tried to use ASP.NET Core Identity to issue tokens to users; how?

danroth27 commented 7 years ago

@minhnhat2807 Please note that we recently made a decision to postpone the identity as a service work until after 2.0 so that it has more time to bake.

The configuration document is provided by the IdentityServiceConfigurationController in the template. See https://github.com/aspnet/Identity/blob/dev/samples/IdentityOIDCWebApplicationSample/Areas/IdentityService/Controllers/IdentityServiceConfigurationController.cs#L23 for the latest implementation of this endpoint. Note that the route for this endpoint is [HttpGet("tfp/IdentityService/signinsignup/v2.0/.well-known/openid-configuration")] to match the behavior of Azure AD B2C.
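The discovery document referred to in the two comments above is what a client actually reads, so the checks below show what a relying party should verify before trusting the endpoints it lists. This is an added example in Python, not code from the aspnet/Identity sample or from either commenter, and the issuer and endpoint URLs in it are constructed placeholders. It also covers the grant_types_supported question: in OpenID Connect Discovery 1.0 the field is optional, and when a provider omits it the client must assume the spec default of authorization_code and implicit rather than "no grant types".

```python
"""Checks a relying party should run on an OpenID Connect discovery document.

Added example, not code from the aspnet/Identity sample. The URLs below are
constructed placeholders for a tenant-scoped issuer.
"""
import json
from urllib.parse import urlparse

ISSUER = "https://login.example.test/tfp/IdentityService/signinsignup/v2.0/"

# Constructed discovery document. grant_types_supported is deliberately
# absent, as in the question above; the spec default then applies.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "authorize",
    "token_endpoint": ISSUER + "token",
    "jwks_uri": ISSUER + "keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "subject_types_supported": ["pairwise"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Metadata that OpenID Connect Discovery 1.0, section 3, marks REQUIRED.
REQUIRED = (
    "issuer", "authorization_endpoint", "jwks_uri", "response_types_supported",
    "subject_types_supported", "id_token_signing_alg_values_supported",
)
# Default the spec assigns when grant_types_supported is omitted.
DEFAULT_GRANT_TYPES = ["authorization_code", "implicit"]


def grant_types_supported(doc: dict) -> list:
    """Apply the spec default only when the key is absent; an empty list is a
    real (and broken) statement by the provider and is returned as-is."""
    if "grant_types_supported" not in doc:
        return list(DEFAULT_GRANT_TYPES)
    return list(doc["grant_types_supported"])


def validate_discovery(raw: str, expected_issuer: str) -> list:
    """Return the problems found; an empty list means the document is usable."""
    doc = json.loads(raw)
    problems = [f"missing required metadata: {k}" for k in REQUIRED if k not in doc]
    issuer = doc.get("issuer", "")
    # Discovery 1.0 section 4.3: the issuer must be identical to the URL the
    # document was fetched from. A look-alike host serving its own document
    # could otherwise steer the client to attacker-controlled endpoints.
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: got {issuer!r}, expected {expected_issuer!r}")
    parsed = urlparse(issuer)
    if parsed.scheme != "https" or parsed.query or parsed.fragment:
        problems.append("issuer must be an https URL without query or fragment")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri",
                "userinfo_endpoint", "end_session_endpoint"):
        url = doc.get(key)
        if url is not None and urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    if "none" in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("provider advertises unsigned (alg=none) ID tokens")
    grants = grant_types_supported(doc)
    if not grants:
        problems.append("grant_types_supported is empty: no flow can be used")
    # token_endpoint is REQUIRED unless only the implicit flow is used.
    if "authorization_code" in grants and "token_endpoint" not in doc:
        problems.append("authorization_code offered but token_endpoint missing")
    return problems


def supports_flow(raw: str, grant_type: str, response_type: str) -> bool:
    """True if the provider advertises both halves of the flow the app needs."""
    doc = json.loads(raw)
    return (grant_type in grant_types_supported(doc)
            and response_type in doc.get("response_types_supported", []))


def with_changes(raw: str, **changes) -> str:
    """Return a copy of the document with fields overridden (test helper)."""
    doc = json.loads(raw)
    doc.update(changes)
    return json.dumps(doc)
```

An empty `grant_types_supported` array and an absent one are not the same thing to a client: the first says the provider supports nothing, the second falls back to the spec default, which is why the helper distinguishes them instead of treating both as "empty".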

ghost commented 7 years ago

Typical of how .Net Core is mismanaged.

Make a decision to go off on a tangent that nobody asked for (while ignoring the most wanted features), and then swerve to another direction at the last moment.

You guys need to be managed by the folks that carefully husband the C# language. They know what they are doing.

gregoryagu commented 6 years ago

@danroth27 So what does this mean? Will it have to wait until aspnetcore 3.0? Or will it get released as part of an update to 2.0?

kevinchalet commented 6 years ago

@gregoryagu

The following items (and items related to them) were cut completely from the 2.0.0 release due to them being deemed not ready. We will revisit them in 2.1:

  • Convention-based configuration in our sub-systems (aspnet/MetaPackages#117)
  • Identity as a Service (STS)

https://github.com/aspnet/Announcements/issues/253

chassq commented 6 years ago

In general the identity xp over the years has been a tumultuous one (e.g. ASP Role/Membership, Identity, AD Integration, OWIN OAuth, etc..) It has kind of bounced us all over the place and caused a good bit of complexity and time consuming R&D. I hope this implementation ultimately comes down to making it easier for us, not more complex! I want to spend more time thinking about my business requirement implementations than an Identity framework. It's not only the code to implement but also maintenance and longevity too!

For our Web Apps and APIs we are looking at Identity Server 4 for a unified solution. IDS 4 looks great but just seems more than we need/want. We were also looking at Azure AD B2C but when you factor in user storage, authentication and Multi-Factor the cost becomes far too big for a small startup.

I guess we would like to see this be a seamless very low friction implementation to a low cost backend service that does what Azure B2C does (or here is an idea. MAKE AZURE B2C CHEAPER! :-)). Love the idea of having a unified identity service for our APIs and Web Apps but please make this as low friction as possible. Also please do something MS will stick with for years to come, if possible! Otherwise it is really very little help.

My $.02....

mcquiggd commented 6 years ago

@chassq

I agree with your points regarding the 'identity journey' we have had over the last few iterations. Also agree with the cost of Azure B2C

IDS4 is actually a very good attempt at making a highly complex subject, easy to use. The samples and documentation are thorough, and its essential to understand the concepts behind the industry standards it employs, whatever backend you choose, in order to properly secure your applications.

My experience so far with IDS4 has been very good - flexible, efficient and scalable. The initial investment will pay dividends.

Eilon commented 6 years ago

One of the goals here is to at least standardize on the OpenID Connect (OIDC) protocol. That makes it a lot easier to swap out the back end. If you started with one backend and need to switch to another, you still have to figure out how to migrate your data (that's nearly always true anyway), but at least the app's frontend shouldn't need to change.

gregoryagu commented 6 years ago

@mcquiggd, @chassq I looked at the current cost of AzureB2C. For less than 1,000,000 users, the cost works out to 18 cents per month based on 50 logins per month ($0.0028 each login), plus 1.1 cents per user per month. Add in Multi-Factor auth at once per month at 3 cents each.

That seems pretty reasonable pricing to me.

Am I missing something?

gregoryagu commented 6 years ago

I watched @danroth27 build demo of Identity As A service and it seems pretty cool to me. Is there a way to get the bits for this so I can give it a spin?

chassq commented 6 years ago

The azure price calculator (see https://azure.microsoft.com/en-us/pricing/calculator/ ) has 1 million stored users at $1,045.00/Mo. Add 1 million authentications = $2,660.00/mo. Add 10,000 multi-factor = $300/mo for a total of $4,005.00/mo. So please tell me what I have wrong here. Am I not using the calculator correctly?

gregoryagu commented 6 years ago

Your calculations come to one half cent per user, per month. If it's a totally free app with several million users, I can see the case for rolling your own auth. But that seems pretty reasonable to me for a paid app.

chassq commented 6 years ago

Yep. If they drop the price they could gain more adoption and become a de facto standard for Identity. And make it far easier on the dev community by having one place to turn for Identity. Just look at the costs for Azure Functions. An execution is next to nothing by comparison. Why is Identity so expensive? A stored user cannot take that much disk space and an authorization should be on par time and resource wise with an Azure Function call. You can get 10 million Azure function executions (assuming under 1 sec and less than 128kb) for $13.60/month. Azure AD B2C just seems way overpriced to me as compared to other Azure cloud services.

mcquiggd commented 6 years ago

You will always have considerably more Azure B2C authentications than 1 per user per month, even if a proportion of your users are using a third party such as Facebook, with long-lived access tokens. Refresh tokens could kill you if you are not careful. Not requiring people to periodically re-authenticate is fraught with problems.

When going B2C, you have to allow for cost to rapidly increase, and switching identity providers means downtime / risk. I've contracted for several startups that went under because they were popular, but they hadn't planned the cash flow / cash burn, while building a potential customer base.

Compare the above cost estimated by @chassq - $4,005.00/month. (thanks for that) which assumes the very low active authentication rate of 1 per month.

Hosting my own IdentityServer on an auto-scaled App Service, Standard Level, even with 3 permanently running S1 instances that never auto-scale down during quiet periods, will cost me an initial $223 per month (database costs added below), and can easily handle the same load and scale to peak demand. In practice it would be less due to auto scale down.

Combining that with Cosmos DB (DocumentDB) using: 10GB of SSD based storage (that's a whole lot of user profiles). 4000 Request Units per second, 744 hours each month. That's about 2000 authentication requests per second. And just for the hell of it, an additional 40,000 Request Units per minute provisioned throughput, 744 hours each month.

$320.57

So, total cost $543.57. And capable of dealing with 10s of millions of user profiles, and 100s of millions of authentications each month. Double that price if you want Geographic Region Failover. Still considerably more performance for a quarter of the cost.

With the spare $3000 per month you can add as many regions, load balancers, traffic managers as you want. Or load it into a Redis cluster with the CosmosDB for permanent storage.

Azure B2C for 1 million user accounts (which is not much for B2C), and only 5 authentications (and don't forget those refresh tokens - each is another chargeable 'authentication') per user, per month, is $12,105.00.

$145,000 a year for logging in might be lost amongst all the other costs. For me it's not acceptable. And you still wouldn't be able to login at your own domain name.

If users choose login with username and password as they want to use their password managers... oh dear!

eCommerce - start adding up those multi-factor authentications ... boom.

Seriously, feel free to spend more than you need to if you wish; perhaps you have a high margin product, and no investors wanting to minimise your spending of their money.

Every cost adds up and eats into profitability; especially during the growth phase of a startup.

Bartmax commented 6 years ago

Just to be clear, Auth0 is kind-of the same stupid 💸 pricing model. When one player enters the market and takes all the developers, don't 😢 and say we didn't warn you.

I wish I could use xxxx (insert name Azure, Auth0, whatever) for identity. As of right now, we are strongly suggesting all our customers/clients to roll their own login mechanism. With libraries like open iddict I really don't see much value added from Auth0 nor Azure and the pricing is insane, IN-SANE

benaadams commented 6 years ago

@chassq multi-factor is sms based; which has a 3rd party cost per auth. You are better using the authenticator app version for 2fa that's in 2.0 (also advised to use it instead of sms based 2fa as per current security advice) so that shouldn't be a cost worth worrying about?
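The authenticator-app option mentioned above is standard RFC 6238 TOTP, which every authenticator app implements. The Python below is an added example, not code from ASP.NET Core Identity (whose own token provider may differ in step size and verification window), and walks the algorithm end to end: the base32 key an enrolment page shows in its QR code, HOTP (RFC 4226) over a 30-second counter, verification with a one-step clock-skew window, a constant-time comparison, and refusal of a code that was already accepted so a captured code cannot be replayed inside the window. The key is the RFC's own test secret, so the outputs can be checked against the published vectors.

```python
"""RFC 6238 TOTP, the algorithm behind authenticator-app 2FA.

Added example, not ASP.NET Core Identity code. Uses the RFC 6238 test secret
so results match the published vectors (SHA-1, 30-second step, 6 digits).
"""
import base64
import hashlib
import hmac
import struct

# RFC 6238 test secret (ASCII "12345678901234567890"), shown base32-encoded
# the way an authenticator enrolment page presents it.
RFC_TEST_KEY_B32 = base64.b32encode(b"12345678901234567890").decode()
STEP_SECONDS = 30
DIGITS = 6
SKEW_STEPS = 1  # accept one step either side of "now" for clock drift


def decode_key(key_b32: str) -> bytes:
    """Decode the shared secret; enrolment pages often show it with spaces."""
    return base64.b32decode(key_b32.replace(" ", ""), casefold=True)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key_b32: str, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(decode_key(key_b32), unix_time // step, digits)


def verify_totp(key_b32: str, submitted: str, unix_time: int,
                last_used_step: int = -1, step: int = STEP_SECONDS,
                skew: int = SKEW_STEPS):
    """Return the time step that matched, or None if the code is rejected.

    The caller persists the returned step per user and passes it back as
    last_used_step on the next attempt, so a code that has already been
    accepted cannot be replayed while it is still inside the skew window.
    """
    key = decode_key(key_b32)
    current = unix_time // step
    for candidate in range(current - skew, current + skew + 1):
        if candidate <= last_used_step:
            continue
        # Constant-time compare: a plain == would leak how many leading
        # digits matched through response timing.
        if hmac.compare_digest(hotp(key, candidate), submitted):
            return candidate
    return None
```

Two things the example gets right that home-grown implementations commonly get wrong: the comparison is constant-time, and the server remembers the last accepted step, because with a skew window a stolen code stays valid for up to 90 seconds otherwise. Rate limiting of attempts is still the caller's job; six digits is only about 20 bits of entropy.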

Ponant commented 6 years ago

@danroth27 , any idea on when Identity as a Service will come up now that it is removed from 2.0? Is it expected for 2.1?

danroth27 commented 6 years ago

It's being actively developed, but when it will ship is still TBD.

gregoryagu commented 6 years ago

@danroth27 Can I beta test it for you?

danroth27 commented 6 years ago

There's no beta to test yet. It's still very much a work in progress.

brockallen commented 6 years ago

There's no beta to test yet. It's still very much a work in progress.

Turns out that building a token service is a lot of work :)

mcquiggd commented 6 years ago

@brockallen

That's why I admire the people that open-source theirs...

brockallen commented 6 years ago

That's why I admire the people that open-source theirs...

Well, OSS is not free and not typically a charity. You have to evaluate the motivations of those that do. Ours is to sell consulting and services. Microsoft's is to sell Azure.

mcquiggd commented 6 years ago

@brockallen

The difference being I can use your OSS without paying for the optional consultancy... and assess the quality of its implementation, compare it to OpenIddict for example. I can also submit fixes.

You put it all out there for everyone to look at, if you pardon the expression...

brockallen commented 6 years ago

Sure, but Microsoft will (if not already) OSS theirs.

The most important thing, which you've somewhat gotten at, is what's the right token server for you. If you plan to use and move to Azure B2C, then I suspect the Microsoft one will be the right choice. But if you're not sure, or you need more features or flexibility than Azure B2C, then the Microsoft token server will probably not be the right choice for you.

I hope Microsoft has the courage and honesty to be very clear on this point as they move forward promoting their token server. They have a huge amount of power and influence in what developers hear and think (regardless if the info is correct or not) in their marketing and in things like the File->NewProject experience.

Ponant commented 6 years ago

@brockallen , what do you want MS to be clear on, and how can you know what they are doing in the details? I know there are lots of discussions on this topic and surely they are not the most glorifying ones, but my point is that if you are concerned about their implementation then why not explain what the limitations of their future OSS are. Otherwise it is perceived as a negative critique for free, not to mention a biased one.

brockallen commented 6 years ago

@Ponant I thought I was clear... the Microsoft token service (from their own words if you piece enough of it together) is designed for eventually moving your users and token service to be hosted in Azure B2C. It's not a more general purpose or flexible token server. That's all.

What I'm trying to protect against is when people are told half-truths and manipulated in order to sell a product that's not appropriate for their needs. I'm not saying Microsoft has done this in regard to their new token service, but I have seen it done elsewhere for other products in other scenarios. So I'm just trying to keep Microsoft honest about what they are building and what it does.

Ponant commented 6 years ago

While I considered using AB2C, I decided not to do it (priced too high and lack of customization and unclear data sovereignty rules). You may be right but I understood their answers differently, quoting parts from @danroth27 and @Eilon ,

Enable apps to easily migrate to use Azure AD B2C, or any other OpenID Connect provider

We're really not trying to force anyone to do anything. We're trying to decouple apps from ASP.NET Core Identity so that you can choose whatever identity provider you want. We're doing this by wrapping ASP.NET Core Identity in standards compliant service endpoints. By decoupling identity from the app in this way you can then switch to whatever OpenID Connect provider you want whenever you want to. If you don't want the OIDC endpoints at all you can remove them, but we think most customers will want this level of flexibility.

One of the goals here is to at least standardize on the OpenID Connect (OIDC) protocol. That makes it a lot easier to swap out the back end. If you started with one backend and need to switch to another, you still have to figure out how to migrate your data (that's nearly always true anyway), but at least the app's frontend shouldn't need to change.

I think what they are doing is an invariant OIDC-compliant protocol, I recall Dan made this demo https://github.com/danroth27/ProjectConstruction/tree/master/IdentitySwap

brockallen commented 6 years ago

I think what you are referring to is the MVC/ASP.NET Identity templates that consume an OIDC token service, which is separate from the token service itself that is being provided as the migration path to Azure B2C.

And I think, in a sense, your slight confusion has illustrated the exact concern I'm trying to raise. By blurring the distinction between the consuming app and the token service itself (or another way to look at it is by failing to explain with extreme clarity the distinction between the two), it's easy to fall into the situation where File->New Project has led you into being spoon fed a token service whose design is to funnel you into Azure B2C, unbeknownst to the developer. That's the power of owning VS and the File->New Project message that is delivered to developers. Most folks don't know any better that this is not the right choice for them or their companies or projects. For many it is, but again, if it's the only choice how would a developer differentiate?

IMO, those should be two different project templates. But that doesn't demo well on stage at conferences and during keynotes.

Bartmax commented 6 years ago

@Ponant : @brockallen asking/saying/hoping that ms will be clear in their strategy is not for free, MS wasn't clear and lied in the past about this.

bonus: my opinion shouldn't feel biased.

chassq commented 6 years ago

IMHO,

1) MS needs to lower the cost of Azure B2C drastically and make it along the lines of the cost of say a storage account (store users) + a function execution (per auth) + email/sms call (optional for multi-fac) + AD/365 Integration (optional). If they did that then AD B2C becomes a more viable option for what is really needed and there is no more feeling that they are leading us into overpaying for something that should be a cloud commodity. AD B2C is not a commodity today at its current cost.

2) Keep the identity programming model as simple as possible. Today ASP NET Identity is just too disjointed with crap you have to think about (e.g. RoleStore, UserStore, UserManager, TokenStore, ClaimsStore, PasswordHasher, SecurityStamp, etc.. etc.. etc...). Put on top of that the lackluster docs on how to set that stuff up and override it and bad method design (e.g. VerifyUserTokenAsync returns a bool when it should return an object which specifies at least success or not and if not gives an error message) and you get a framework people begin to dread to use.

I guess my point is that if identity is going to be made so hard to deal with that many developers will simply not use it and opt for a "home grown" path of least resistance solution which could have major security problems. I personally have seen this time and again in code for which I have had to take responsibility.

If we can make identity streamlined and simple more people will use it and hopefully more applications will be safer for it. Don't just think big tech company with tons of resources to field a dedicated dev security team. Think startup/small/medium/big business that is not led by technical people and do not know how to run their company as a tech company but want a technology based product. I know that sounds crazy but I see it all the time. They don't give devs the time and resources to do the right thing. So making identity one thing they can count on not to be a time/maintenance suck really helps!

3) I totally agree in keeping the identity and backing store separate but out of the gate there should be an easy path or 2 for the new folks so that they do not have to put too much time and effort into getting a great secure auth/auth framework setup and implemented.

I am not trying to advocate for MS but they are in a unique position to make this happen for a great number of people and make our eco-system safer. Just want them to do the right thing.

Hope that input makes some sense.... Sorry, I rambled.... Sorry so long....

brockallen commented 6 years ago

I guess my point is that if identity is going to be made so hard to deal with that many developers will simply not use it and opt for a "home grown" path of least resistance solution which could have major security problems.

The problem is that identity is just as much a business feature as anything else, while also concerning security. The reason IdentityServer is so popular is that because identity is not something you can productize as a cloud hosted SaaS offering and control and customize. IdentityServer does take care of the security stuff, while designed to allow the developer to do the customization they need. So it's an option for you instead of doing a "home grown" solution.

chassq commented 6 years ago

Hey @brockallen ,

I guess it's perspective. I think I was more talking about implementation than security in general. Agreed security is part of requirements. But I see ASP NET Identity/IDS4 today as frameworks a dev can employ, not quite like custom business specific logic to meet a set of consumer feature requirements. Much like we put custom logic in using frameworks (e.g. EF Core is to data access as Identity is to auth/auth).

Trying to be pragmatic I find most decision makers do not think like I do when it comes to this stuff. They just assign value to consumer features that they can see and take for granted the ones they cannot (e.g. security) until its too late. So making the identity implementation more straightforward without a bunch of ceremony makes for a far better story to your boss and dev team. For example, app security will take us 4 hrs vs. 4 days of coding and testing. My thoughts are not necessarily about one implementation vs another I guess just more about the need for more straight forward identity implementations that are easy to follow, put in place and transfer to other devs on a team.

brockallen commented 6 years ago

From the client app perspective, I think you're right and that can be achieved in the templates or just by adding the AddOpenIdConnect authentication handler into DI. It's minimal code, so in a sense, there's already not much ceremony to it.
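What that minimal client-side code has to do is the same whichever provider sits behind the issuer URL, which is the decoupling argued for earlier in the thread. The Python below is an added example and not the AddOpenIdConnect handler or any template code: a provider is described by its issuer, authorization endpoint and client credentials, the app builds the authorization request with state, nonce and PKCE, and validates the returned ID token's signature and claims. So that it runs offline without a JWT library, the constructed token is signed with HS256 using the client secret and the client pins that algorithm; a real provider such as Azure AD B2C or IdentityServer4 typically signs with RS256 and publishes its keys at jwks_uri, so that single verification step is what would change, not the flow or the claim checks. Names such as ProviderConfig and all URLs are assumptions.

```python
"""Relying-party side of an OpenID Connect code-flow sign-in.

Added example, not the AddOpenIdConnect handler or template code. Provider
details live in ProviderConfig; the flow and claim checks do not change when
the issuer does. HS256 with the client secret is used only so the example
runs offline; real providers sign ID tokens with RS256 and keys from jwks_uri.
"""
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from urllib.parse import urlencode

ALLOWED_ALG = "HS256"  # pinned by the client, never taken from the token


@dataclass(frozen=True)
class ProviderConfig:
    issuer: str
    authorization_endpoint: str
    client_id: str
    client_secret: str
    redirect_uri: str


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def start_login(cfg: ProviderConfig) -> tuple:
    """Build the authorization request; returns (url, per-login session data).

    state ties the callback to this browser session (CSRF), nonce ties the
    ID token to this request (replay), and the PKCE verifier ties the code
    to this client. All three stay server-side until the callback arrives.
    """
    session = {"state": secrets.token_urlsafe(32), "nonce": secrets.token_urlsafe(32),
               "verifier": secrets.token_urlsafe(64)}
    challenge = b64url(hashlib.sha256(session["verifier"].encode()).digest())
    params = {
        "response_type": "code", "client_id": cfg.client_id,
        "redirect_uri": cfg.redirect_uri, "scope": "openid profile",
        "state": session["state"], "nonce": session["nonce"],
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return cfg.authorization_endpoint + "?" + urlencode(params), session


def validate_id_token(cfg: ProviderConfig, token: str, expected_nonce: str, now: int) -> dict:
    """Verify signature then claims; raise ValueError on the first failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Never let the token's own header choose the algorithm: that is how
    # alg=none and RS256/HS256 key-confusion bypasses work.
    if header.get("alg") != ALLOWED_ALG:
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(cfg.client_secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != cfg.issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if cfg.client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def rejects(cfg: ProviderConfig, token: str, nonce: str, now: int) -> bool:
    """True if validate_id_token refuses the token (test convenience)."""
    try:
        validate_id_token(cfg, token, nonce, now)
    except ValueError:
        return True
    return False


def mint_test_id_token(cfg: ProviderConfig, claims: dict, alg: str = "HS256") -> str:
    """Constructed stand-in for the provider's token endpoint. Any alg other
    than HS256 yields an unsigned token, as an alg=none attacker would send."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    if alg != "HS256":
        return f"{header}.{payload}."
    sig = hmac.new(cfg.client_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"
```

Switching the app from one issuer to another is a change to the ProviderConfig values only; a token minted for a different issuer or audience, an expired one, a replayed one with the wrong nonce, or one whose header claims alg=none is refused by the same validate_id_token regardless of which provider is configured.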

Ponant commented 6 years ago

Well, then it is maybe a good time to sell IdentityServer to MS :) Cheers

Bartmax commented 6 years ago

@Ponant it's free...

Ponant commented 6 years ago

@Bartmax , their expertise is not free, and it is valuable. Anyway, that was a (half) joke to stop turning in circles until MS clarifies or outputs a "template".