
I have a requirement to NOT allow the Web (MVC Core 2) layer to hit the DB, and I have not had to separate .NET Identity into layers before. I was thinking of doing it like this but do not see anything posted with the latest Core technology. I was planning on having IdentityServer4 with .NET Core Identity be the middle/App layer. The middle/App server will be behind the firewall. The web will only make server-side calls to the Identity server (no Ajax). I was using this tutorial: http://docs.identityserver.io/en/release/quickstarts/6_aspnet_identity.html. After getting a working example, the MVC Web site wants to redirect to the identity server, expecting the Identity server to be public facing using cookies. My questions are:

1) How can I keep this server-side only, with no redirects, or is there a better way to do it?
2) How can I reuse the 2-factor and password management from the middle layer? Do I have to write wrappers for each server call like:

// client is an HttpClient; the two statements were one line broken across two
var response = client.PostAsync("http://localhost:xxxxx/account/LoginWith2fa", content).Result;


From here: https://forums.asp.net/t/1988569.aspx?Call+post+Api+from+controller+in+MVC+at+server+side
3) For the data layer, should this be a separate project from the auth server or is it bad practice to have the auth and data layer together?

prisar
  • Not sure I understood you correctly, but it seems you are on a wrong way. Identityserver is a web application by design. The only way to block it from client browser access is to use Resource Owner Password flow and implement its own login screen in each web app. And that's definitely not the recommended approach. What is more appropriate for your requirements is to implement your custom service-based UserStore or repository and use it in your IProfileService implementation. Then such a repository should call the API based on ASP.Net.Identity and sitting behind the firewall. – d_f Aug 14 '18 at 16:54
  • Thanks for the response. Maybe you are right and I am over-solutioning this, since the middle/app server will always be behind the firewall. So if I leave Id4 out of the picture, then what would be the best approach to have the front end MVC (web) authenticate and use the methods from the middle/app MVC app running ASP.NET Identity with all the features from a standard MVC project setup using individual account authentication with direct DB access stored in SQL? Basically, how to implement all the account features from the middle (app) on the front (web) MVC project? Separating the two – Sammy Hashim Aug 15 '18 at 05:09
  • If you have more than one front end web app, then Identityserver is definitely for you. You need just one instance, and it should be a front end app as well. What you only need to fulfill your firewalling requirement is to separate data from front end. Namely, you have to customize UserProfileService and (optionally) PersistedGrantStore and ClientStore. In those services/stores you have to call some API from your backend. Then you are ready to authenticate users. – d_f Aug 15 '18 at 10:34
  • If you need to follow the same approach for user management, the simplest might be to take "all in one" solution and cut in the middle by exposing an API and calling it. – d_f Aug 15 '18 at 10:35
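The custom IProfileService the comments describe, as an added example that is not from the question or from IdentityServer4's own samples: IdentityServer keeps no user data itself and asks the app-layer API (ASP.NET Core Identity behind the firewall) over HTTP for claims and account status. The internal route `internal/users/{sub}`, its JSON shape, the named HttpClient `users` and the host `app-server.internal` are assumptions; it also assumes ASP.NET Core 2.1+ for IHttpClientFactory.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;
using Newtonsoft.Json;

// Assumed JSON shape returned by the internal user API (GET internal/users/{sub}).
public class BackendUser
{
    public string Sub { get; set; }
    public string Email { get; set; }
    public bool IsActive { get; set; }
    public List<string> Roles { get; set; } = new List<string>();
}

// Profile service that never opens a DB connection: every lookup is an HTTP call
// to the app-layer API that hosts ASP.NET Core Identity behind the firewall.
public class ApiBackedProfileService : IProfileService
{
    private readonly IHttpClientFactory _factory;
    public ApiBackedProfileService(IHttpClientFactory factory) => _factory = factory;

    private async Task<BackendUser> LoadUserAsync(string sub)
    {
        var response = await _factory.CreateClient("users").GetAsync($"internal/users/{sub}");
        if (!response.IsSuccessStatusCode) return null;   // unknown user: caller treats as inactive
        return JsonConvert.DeserializeObject<BackendUser>(await response.Content.ReadAsStringAsync());
    }

    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var user = await LoadUserAsync(context.Subject.GetSubjectId());
        if (user == null) return;
        var claims = new List<Claim> { new Claim("email", user.Email) };
        foreach (var role in user.Roles) claims.Add(new Claim("role", role));
        context.AddRequestedClaims(claims);   // only claims the client/scope asked for are issued
    }

    public async Task IsActiveAsync(IsActiveContext context)
    {
        var user = await LoadUserAsync(context.Subject.GetSubjectId());
        context.IsActive = user != null && user.IsActive;   // fail closed: no record, no token
    }
}
// Startup.ConfigureServices (assumed host name):
//   services.AddHttpClient("users", c => c.BaseAddress = new Uri("https://app-server.internal/"));
//   services.AddIdentityServer(/* ... */).AddProfileService<ApiBackedProfileService>();
```

The front-end MVC apps then authenticate against IdentityServer as usual, while the app server stays reachable only from IdentityServer's network segment.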

0 Answers