Tags: asp.net-core, identityserver4

What is best practice when registering new users on an Identity Server 4 based infrastructure?


I am in the process of adding an Identity Server 4 implementation to serve authentication and authorization for an ASP.NET Core Web API. Clients will be a native iOS app, an MVC web app and potentially an Angular SPA later down the line.

I am able to provide tokens on an "offline access" basis to the iOS client using AppAuth - which is great.

I am just not sure about some of the architectural choices to make:

1/ where should the registration of new users take place? The literature recommends that the IS4 server be limited to login and logout endpoints, for security purposes. Does that mean that the clients or the APIs should handle creation of users in the store? I thought the whole point of IS4 was that clients and APIs don’t have access to the store? It would seem logical that the addition and modification of users be handled by the only part of the system that has access to the store, no?

2/ is it safe to persist (1) tokens (2) the user store and (3) business data on the same database - different tables but same database on same server? Is it better to separate databases?

3/ is it safe to have the Identity server app hosted on a sub domain to the domain where the client app will live? The API is already on another sub domain on this same domain.

Thanks


Solution

  • 1/ where should the registration of new users take place? The literature recommends that the IS4 server be limited to login and logout endpoints, for security purposes. Does that mean that the clients or the APIs should handle creation of users in the store? I thought the whole point of IS4 was that clients and APIs don’t have access to the store? It would seem logical that the addition and modification of users be handled by the only part of the system that has access to the store, no?

    You can extend IDS4 to add user management. Per IDS4 docs it is a middleware that adds the spec compliant OpenID Connect and OAuth 2.0 endpoints to an arbitrary ASP.NET Core application. But this doesn't mean that you can not extend it. Here is a sample.

    2/ is it safe to persist (1) tokens (2) the user store and (3) business data on the same database - different tables but same database on same server? Is it better to separate databases?

    This depends more on your deployment model and your considerations for availability and scalability rather than safety. I suggest you read more here to be able to make the best decision.

    3/ is it safe to have the Identity server app hosted on a sub domain to the domain where the client app will live? The API is already on another sub domain on this same domain.

    This again has nothing to do with safety, as it is more of an availability/scalability matter.
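One way to do what the answer describes, keeping registration inside the identity provider so that clients and the API never get access to the user store, as an added example that is not part of the question or the answer: a registration controller placed in the IdentityServer4 host project that uses ASP.NET Core Identity's `UserManager<TUser>` and `SignInManager<TUser>`. The `ApplicationUser` entity, the `RegisterInputModel` class, the controller and view names, and the `IdentityServerHost.Controllers` namespace are assumptions modelled on the IDS4 ASP.NET Identity quickstart layout, not code from the answerer.

```csharp
// Added example (not from the question or answer). Assumes the IDS4 + ASP.NET Core
// Identity quickstart layout: services.AddIdentityServer().AddAspNetIdentity<ApplicationUser>()
// in Startup, with ApplicationUser : IdentityUser. All names below are assumptions.
using System.ComponentModel.DataAnnotations;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

namespace IdentityServerHost.Controllers
{
    // Assumed user entity; the quickstart uses the same shape.
    public class ApplicationUser : IdentityUser { }

    // Assumed view model for the registration form.
    public class RegisterInputModel
    {
        [Required, EmailAddress]
        public string Email { get; set; }

        [Required, DataType(DataType.Password)]
        public string Password { get; set; }

        [Required, Compare(nameof(Password))]
        public string ConfirmPassword { get; set; }

        // The pending /connect/authorize request to resume after sign-up.
        public string ReturnUrl { get; set; }
    }

    // Anonymous by design (new users have no account yet); CSRF protection comes
    // from the antiforgery filter applied to every POST on this controller.
    [AllowAnonymous]
    [AutoValidateAntiforgeryToken]
    public class RegisterController : Controller
    {
        private readonly UserManager<ApplicationUser> _userManager;
        private readonly SignInManager<ApplicationUser> _signInManager;

        public RegisterController(UserManager<ApplicationUser> userManager,
                                  SignInManager<ApplicationUser> signInManager)
        {
            _userManager = userManager;
            _signInManager = signInManager;
        }

        [HttpGet]
        public IActionResult Index(string returnUrl) =>
            View(new RegisterInputModel { ReturnUrl = returnUrl });

        [HttpPost]
        public async Task<IActionResult> Index(RegisterInputModel model)
        {
            if (!ModelState.IsValid)
                return View(model);

            var user = new ApplicationUser { UserName = model.Email, Email = model.Email };

            // Password policy (length, complexity) and duplicate-account checks are
            // enforced by the Identity options registered in Startup; the store is
            // only ever written from inside this host, never from a client or the API.
            var result = await _userManager.CreateAsync(user, model.Password);
            if (!result.Succeeded)
            {
                foreach (var error in result.Errors)
                    ModelState.AddModelError(string.Empty, error.Description);
                return View(model);
            }

            // Issue the IdP session cookie and resume the OIDC authorize request,
            // the same flow the quickstart login action uses after a password check.
            await _signInManager.SignInAsync(user, isPersistent: false);

            // Only follow local return URLs so the form cannot be used as an open redirect.
            if (Url.IsLocalUrl(model.ReturnUrl))
                return Redirect(model.ReturnUrl);
            return RedirectToAction("Index", "Home");
        }
    }
}
```

Because the controller lives in the same process that calls `AddAspNetIdentity<ApplicationUser>()`, the connection string for the user store stays configured only on the identity host; the MVC client, the iOS app and the Web API keep working purely with tokens, which is the separation the questioner was after in point 1. If a self-service registration page is not wanted at all, the same controller can sit behind an administrator-only authorization policy instead of `[AllowAnonymous]`.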