Update IdentityServer user data from SPA or WebApi

Time:03-21

We have an IdentityServer4 project, a Web API project (.NET 5) and an SPA front-end project (Vue.js). User creation is done when the SPA sends a register request to a local endpoint in the IS4 project. Then we have a createCompany endpoint which needs to create a company in the webApi project and update CompanyId in the IdentityServer4 project.

The question is how this is better implemented. Should webApi directly call an IdentityServer4 endpoint to update companyId, or should the front end send a separate request to IS4 to update companyId?

What is the best way to access UserManager from webApi? For example, to get the list of users with a specific CompanyId? Or a specific EmailAddress? Should I create a separate local endpoint for each one of them in IS4? Is there any way to fully manage users from webApi directly without creating many endpoints for user management in IdentityServer4?

CodePudding user response:

So, if I understand correctly, you want to create a user and save it to IS4. Then you want to call webApi to create a company, and finally you must pass companyId to IS4 for the new user.

If you don't need to pass data from IS4 to webApi to create the company, you can just call webApi first to create the company and after that call IS4, passing companyId. (I don't prefer this solution.)

If webApi has many transactions with identity, it's better to call identity from webApi rather than from the SPA. It's easier and safer directly from webApi.

CodePudding user response:

I think you're missing some info on how IdentityServer4, OAuth 2.0, and OpenID Connect work. IdentityServer4 is an OAuth and OpenID Connect implementation. IdentityServer4 does not have any way to manage a user database or authenticate users. It is for generating OAuth 2 and OpenID Connect compliant tokens using a user store of your choice behind it.

Some options for managing users include:

  1. ASP.NET Core Identity
  2. Your own homegrown solution
  3. Services such as Okta, Auth0, Azure AD B2C, etc.
  4. Don't handle users at all in the traditional sense, and use OpenID Connect with Google Authentication, Facebook Authentication, etc. (this is where you see on websites "Log in with Google" and things like that).

Read a little more here at the updated IdentityServer4 project, Duende IdentityServer.

You'll need to use one of these to manage users and I'd recommend not tying a ton of custom logic to IdentityServer4 specifically unless you really need to. Keep it for authorization and leave everything else to your own API or one of these other solutions mentioned.

Keep in mind, IdentityServer4 is almost end of life and will not be updated after November 2022 and is only receiving critical security bug fixes.
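
One way to keep user management in the Web API, as an added example that is not code from the thread: it assumes the Web API registers ASP.NET Core Identity against the same user database the IdentityServer4 project uses, and it identifies the caller from the validated access token instead of a user id sent by the SPA. `ApplicationUser`, the controller name and the routes are assumptions, and persisting the company itself is left as a placeholder.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

// Assumed user type: IdentityUser extended with the CompanyId from the question.
public class ApplicationUser : IdentityUser { public Guid? CompanyId { get; set; } }

[ApiController, Route("api/companies")]
[Authorize] // every action requires a valid access token from the token service
public class CompaniesController : ControllerBase
{
    private readonly UserManager<ApplicationUser> _users;
    public CompaniesController(UserManager<ApplicationUser> users) => _users = users;

    // Resolve the caller from the token's subject claim, never from request data.
    private Task<ApplicationUser> CurrentUserAsync()
    {
        var id = User.FindFirst("sub")?.Value ?? User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        return id is null ? Task.FromResult<ApplicationUser>(null) : _users.FindByIdAsync(id);
    }

    [HttpPost]
    public async Task<IActionResult> CreateCompany()
    {
        var user = await CurrentUserAsync();
        if (user is null) return Forbid();
        if (user.CompanyId is not null) return Conflict("User already belongs to a company.");

        var companyId = Guid.NewGuid(); // placeholder: save the company in the Web API's own store here
        user.CompanyId = companyId;
        var result = await _users.UpdateAsync(user);
        return result.Succeeded ? Ok(new { companyId }) : Problem("Could not update the user.");
    }

    [HttpGet("{companyId:guid}/users")]
    public async Task<IActionResult> UsersInCompany(Guid companyId)
    {
        var caller = await CurrentUserAsync();
        if (caller?.CompanyId != companyId) return Forbid(); // only members may list a company's users
        var members = await _users.Users.Where(u => u.CompanyId == companyId)
            .Select(u => new { u.Id, u.Email }).ToListAsync();
        return Ok(members);
    }
}
```

Returning only `Id` and `Email` keeps password hashes, security stamps and lockout fields out of the response.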
