1

We have several existing applications, each having its own database (and its own users table, since different application have different customers). Each application does its own login/change password/reset password/forget password etc. Now we want to build a central authentication/authorization server with IdentityServer4 where existing applications and future new applications can all use and no longer need to do functions lie login/change password/reset password/forget password for each application again and again.

So my question is what shall we do with those existing user tables? I can see two options:

  1. Keep existing user tables When a customer tries to login to an application, he will be redirected to the identity server and it will look up that existing user table. When a different customer of a different applications comes, it will look up a different existing user table.

  2. Merge all those existing user tables to a single user table in the new database in identity server, and delete all those existing user tables. But in those applications, after user logged in, program might still need to access those user tables. How can we solve this problem if we merge to the new table in identity server? We cannot directly access that user table in identity server, right?

I feel option 2 is the right way to go, but don't know exactly why and how. Can anyone explain to me? Thanks.

martial
  • 3,773
  • 8
  • 33
  • 43
  • Are these current applications using ASP.NET Identity or are these custom user tables? – aaronR Oct 23 '17 at 19:47
  • some applications use ASP.NET Identity, some don't (we can convert these to use ASP.NET Identity and probably will do so) – martial Oct 24 '17 at 18:15
  • But even we use Identity, existing USERS table is still there since there are lots of information in this USERS table and many existing logic referencing this table. – martial Oct 24 '17 at 19:33
  • You would create a new USERS table to sit on top of all of the other User tables. – aaronR Oct 24 '17 at 19:35

1 Answers1

0

Here is my recommendation:

  1. Create New User Table
  2. Create New User to Old App Users Table
  3. Populate the new user table

Create New User Table

Create a new user table with all of the common fields from your individual application user tables. Something like this example.

CREATE TABLE [USERS](
    [ID]  [bigint] IDENTITY(1,1)  NOT NULL
    [FIRST_NAME] [char](15) NOT NULL,
    [LAST_NAME] [char](30) NOT NULL,    
    [PASSWORD] [char](15) NOT NULL,
    [PHONE] [char](12) NOT NULL,
    [PHONE_EXT] [char](4) NOT NULL,
    [EMAIL] [char](50) NOT NULL,
    [STATUS] [char](1) NOT NULL,    
    [UPD_TSTAMP] [datetime] NOT NULL,
    [UPD_USER] [char](8) NOT NULL
)

If your applications have other fields that aren't common across all applications you can write code to look up those details in the corresponding application. You would not want to include that in the common table.

Create New User to Old App Users Table

This table will allow you to continue to use any special logic in your applications that could be tied to the old user ids.

The second thing this will allow you to do is to track the mapping of new user Id's to the old user ids during the migration process.

WARNING - You should make sure your existing user ids are of the same type. This example will assume that they are all bigint types.

The UserID is a Foreign Key to the Users.ID column from the first table.

CREATE TABLE [USER_APPS](
    UserID [bigint] NOT NULL,
    AppName  [char](30) NOT NULL,
    AppUserID [bigint] NOT NULL
)

Populate New User Table

When a user attempts to log in search the new table first. If there is no record then search through each application's user table to see if you find a match. If there is no match prompt the user to follow your registration process. If you find a match create a new record in the USERS and USER_APPS tables. Show the user a secondary screen and ask the user if they use one of your other applications with a different user id and password combination. If they do have another account, attempt to authenticate them. If they succeed enter a corresponding record to the USER_APPS table. You would continue this flow until the user has no more applications to log into. Once they are done ask them to update their password. As part of the update password logic, you may want to update all of the applications passwords that you have mapped in the USER_APPS table.

Follow my instructions on this question as to how you can have IdentityServer4 use an existing database to authenticate users.

aaronR
  • 1,557
  • 2
  • 16
  • 26
  • Thanks. (1) Is the last step 'populate new user table' done through a separate, new application? This new application has two purpose: one, populate USERS and USER_APPS tables; two, serve as portal - so in the future this is the only place customers will come to. – martial Oct 24 '17 at 19:40
  • (2) if we use ASP.NET Identity in our existing applications, does that mean your USERS table should be AspNetUsers table? – martial Oct 24 '17 at 19:41
  • I would make this part of your login logic called from your IdentityServer implementation. Specifically as part of the UserManager implementation. – aaronR Oct 24 '17 at 19:43
  • Regarding (2), since you added in your comments above that you have some ASP.NET Identity I would make the new 'master' users table support that functionality and I'd probably put that in a new schema to prevent naming collisions. – aaronR Oct 24 '17 at 19:46
  • (3) In this portal, if customer tries to login, it will first contact IdentityServer4 to try to login which means check the new USERS table, if succeed, user is logged in; if fail, we start this 'populate new user table' step. So IdentityServer4 only deals with this new USERS table, it doesn't deal with any existing users tables or USER_APPS table. Right? – martial Oct 24 '17 at 19:46
  • IdentityServer4 doesn't own or care about the actual users table that is on you to build and tie in. This is typically part of the IUserManager Interface and class implementation. – aaronR Oct 24 '17 at 19:49
  • Thanks. But if there is no such portal, where does 'a secondary screen' come from? from my understanding IdentityServer4 is a server and have to have a client to work, and the portal is the client. Also, after both USERS and USER_APPS tables are populated, what is the URL that user use to login? Is it not the portal? Or are you suggesting user still go to the old links of each applications and still login there - but now use IdentityServer4? – martial Oct 24 '17 at 20:09
  • You would add the new secondary screen(s) in the identityserver4 project alongside the login page. Typically when users log into an application they go to that application, which becomes a client to IdentityServer4. The application redirects them to the IdentityServer4 login page. Once authenticated they are brought back to the original application. – aaronR Oct 24 '17 at 20:15
  • very very helpful, really appreciated! Mark as answer. – martial Oct 24 '17 at 20:24
  • Please reach out to me if you have more questions! – aaronR Oct 24 '17 at 20:24