Tags: c#, identityserver4, identity, extensibility, custom-authentication

IdentityServer4: What is the Idiomatic Way to Integrate a Custom Source for Authentication and Profile Retrieval?


Let's say I have to integrate with a legacy enterprise system which maintains users. Assume this enterprise system provides a C# SDK with two methods as follows:

  1. Authentication: sdk.Authenticate("Region", "Username", "Password"). Note that Region is an additional parameter selected by the user at login, so I need to be able to read this custom parameter in addition to the user credentials. (Yes, login would be interactive.)

  2. Profile Retrieval: sdk.GetProfile(UserId)

I want to use IdentityServer to generate tokens in the usual manner but use these two methods to implement custom authentication and profile retrieval.

I can see that by extending IProfileService I should be able to integrate profile retrieval and population of custom claims. However, I see the following multiple extensibility points in the docs but am not sure what the best way would be:

  1. Quick Start UI's Account Controller's Login(LoginInputModel model, string button) method: I should be able to place the sdk.Authenticate("Region", "Username", "Password") logic here and just call _signInManager.SignInAsync to sign in the user. But it does not feel as if I'm directly extending IdentityServer4 to add support for another custom authentication provider.

  2. IExtensionGrantValidator: This answer and the IdentityServer docs explain a way to do a custom grant, which I should be able to use to call sdk.Authenticate("Region", "Username", "Password"). But this would mean I'd be using a custom grant type. I need to be able to support existing grant types such as Hybrid. I see support for custom parameters via the context parameter in the ValidateAsync(ExtensionGrantValidationContext context) method.

  3. IResourceOwnerPasswordValidator: This IdentityServer doc explains how to implement a custom password validator for the Resource Owner flow. But I need to be able to support existing grant types such as Hybrid. I see support for custom parameters via the context parameter in the ValidateAsync(ResourceOwnerPasswordValidationContext context) method.

  4. External Authenticators: This IdentityServer doc explains how to add external authenticators. But I see no .AddCustom method for non-standard authenticators. I only see support for popular authenticators such as Google.

What am I missing?


Solution

  • I chose to go with the first option mentioned in the question, which is the Quick Start UI's Account Controller's Login(LoginInputModel model, string button) method.
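
To make the chosen option concrete, here is an added example (not code from the question, the answer, or the IdentityServer4 project) of wiring the legacy SDK into the Quickstart AccountController.Login action for authentication and into an IProfileService for profile retrieval, the two integration points the question describes. The ILegacyUserSdk interface, the LegacyAuthResult and LegacyProfile types, the "region" claim name and the AllowedRegions list are assumptions standing in for the vendor SDK and the deployment; IdentityServerUser, HttpContext.SignInAsync, IProfileService and AddProfileService are real IdentityServer4 APIs.

```csharp
// Added example, not code from the original post or from IdentityServer4.
// ILegacyUserSdk, LegacyAuthResult and LegacyProfile are assumed stand-ins for the vendor SDK.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Assumed shape of the enterprise SDK, wrapped behind an interface so it can be mocked in tests.
public sealed class LegacyAuthResult { public bool Succeeded { get; set; } public string UserId { get; set; } }
public sealed class LegacyProfile { public string Email { get; set; } public string DisplayName { get; set; } public IEnumerable<string> Roles { get; set; } }
public interface ILegacyUserSdk
{
    Task<LegacyAuthResult> AuthenticateAsync(string region, string username, string password);
    Task<LegacyProfile> GetProfileAsync(string userId);
}

// Quickstart LoginInputModel plus the extra Region field posted from the login form.
public class LoginInputModel
{
    public string Username { get; set; }
    public string Password { get; set; }
    public string Region { get; set; }        // the custom parameter from the question
    public bool RememberLogin { get; set; }
    public string ReturnUrl { get; set; }
}

public class AccountController : Controller
{
    private readonly ILegacyUserSdk _sdk;
    private static readonly HashSet<string> AllowedRegions = new HashSet<string> { "EU", "US", "APAC" }; // assumed
    public AccountController(ILegacyUserSdk sdk) { _sdk = sdk; }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(LoginInputModel model, string button)
    {
        if (button != "login") return Redirect("~/");       // user pressed cancel on the Quickstart form
        // Region is attacker-controlled form input: only forward values we recognise to the SDK.
        if (!ModelState.IsValid || !AllowedRegions.Contains(model.Region ?? string.Empty))
            return Fail(model);
        var result = await _sdk.AuthenticateAsync(model.Region, model.Username, model.Password);
        if (!result.Succeeded) return Fail(model);

        // Sign in via IdentityServer's own cookie helper: the subject id comes from the SDK,
        // and the region is kept as a claim so later lookups can be routed to the right backend.
        var isuser = new IdentityServerUser(result.UserId)
        {
            DisplayName = model.Username,
            IdentityProvider = IdentityServerConstants.LocalIdentityProvider,
            AdditionalClaims = { new Claim("region", model.Region) }
        };
        AuthenticationProperties props = model.RememberLogin
            ? new AuthenticationProperties { IsPersistent = true, ExpiresUtc = DateTimeOffset.UtcNow.AddDays(30) }
            : null;
        await HttpContext.SignInAsync(isuser, props);
        // Only follow local return URLs (normally the authorize endpoint's callback path).
        return Url.IsLocalUrl(model.ReturnUrl) ? Redirect(model.ReturnUrl) : Redirect("~/");
    }

    // One generic message for every failure so the form does not reveal which field was wrong.
    private IActionResult Fail(LoginInputModel model)
    {
        ModelState.AddModelError(string.Empty, "Invalid username, password or region");
        return View(model);
    }
}

// Profile retrieval: IdentityServer calls this when issuing tokens and when serving /connect/userinfo.
public class LegacyProfileService : IProfileService
{
    private readonly ILegacyUserSdk _sdk;
    public LegacyProfileService(ILegacyUserSdk sdk) { _sdk = sdk; }

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var profile = await _sdk.GetProfileAsync(context.Subject.GetSubjectId());
        var claims = new List<Claim>
        {
            new Claim("email", profile.Email ?? string.Empty),
            new Claim("name", profile.DisplayName ?? string.Empty)
        };
        claims.AddRange((profile.Roles ?? Enumerable.Empty<string>()).Select(r => new Claim("role", r)));
        context.AddRequestedClaims(claims);   // emit only the claims the requested scopes ask for
    }

    public async Task IsActiveAsync(IsActiveContext context)
    {
        // Treat a missing profile as a disabled account so refresh tokens for it stop working.
        context.IsActive = await _sdk.GetProfileAsync(context.Subject.GetSubjectId()) != null;
    }
}

public static class IdentityServerSetup
{
    // Register an ILegacyUserSdk implementation wrapping the vendor SDK before calling this.
    public static IIdentityServerBuilder Register(IServiceCollection services) =>
        services.AddIdentityServer().AddProfileService<LegacyProfileService>();
}
```

Because the Hybrid and authorization code flows reach the login page through the authorize endpoint's redirect, whatever the Login action does to establish the authentication cookie is invisible to the grant type, which is why option 1 works with existing grant types without a custom grant. Two caveats worth keeping: the Region value is user-controlled form input, so it is checked against a known list before being handed to the SDK, and all failures return the same message so the form does not disclose whether the username, password or region was the wrong part.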