Identityserver4: Custom user store with IdentityServer4

Created on 2 Jan 2017  ·  15 Comments  ·  Source: IdentityServer/IdentityServer4

Hello,

There are many examples how to write custom user store service in IdentityServer3 (for instance:
https://gist.github.com/tjrobinson/0ad6c790e90d7a385eb1, https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source) but I can't find any tips how to implement this in IdentityServer4.

My target is to authenticate users in a number of Active Directories.

One idea is to use Aspnet Identity and write my own Membership Provider, but I think there should be simpler solutions.

Thank you very much for your help,
Maciek

question

All 15 comments

That's a main difference between IS3 and IS4 -- in IS4 that's entirely up to your UI code.

Thank you,
I understand that in web scenario I should implement something like example AccountController (https://github.com/IdentityServer/IdentityServer4.Quickstart.UI/tree/release/Quickstart/Account).

My case is different.
I am implementing mobile apps (one for Android and one for iPad). In my mobile apps I want to use my REST API and protect it with authentication, and I want every user to work in their own context (authenticating with their own username/password). Also, I don't want authentication in the browser (mobile app->browser->mobile app). I need to input the login and password in the mobile app.

I'm just starting to deal with authentication with OpenId Connect. I've read lots of articles. All of them say that OpenId Connect abstracts away how the server authenticates the user, but I still can't imagine what the flow should be for a mobile/native application.

Am I thinking correctly?

  1. User inputs username/password into the mobile app
  2. Mobile app sends an AuthN request with the POST method, together with the username and password (over SSL), to IdentityServer
  3. IdentityServer validates the username and password. How to add custom validation over my own user stores?
  4. IdentityServer sends a response with an ID Token
  5. The ID Token will be stored on the device and used to authenticate to services (until the token expires)

PS:
Sorry for my English.

That's essentially the resource owner password flow. You would need to implement the IResourceOwnerPasswordValidator interface.

Thank you for the answer.

In the documentation (https://identityserver4.readthedocs.io/en/release/quickstarts/2_resource_owner_passwords.html) it is written:
_The spec recommends using the resource owner password grant only for “trusted” (or legacy) applications. Generally speaking you are typically far better off using one of the interactive OpenID Connect flows when you want to authenticate a user and request access tokens._

Do I understand correctly that if the mobile app is our own implementation then we can treat it as a "trusted" application?
Is there any other possibility for non-browser authentication with OpenId Connect except ResourceOwnerPassword?

That's the only user-based non-browser login flow. The browser offers lots of additional security features, and that's why it's recommended.

Thanks a lot for clarifying!
So, I will use OpenAuth resource owner grant.

@brockallen
What are interfaces that we have to implement for custom user store if we only have to implement Implicit flow?

@wonix Indeed, "href" fixed.

@m-shanti I was wondering if you have seen this url: https://stackoverflow.com/questions/35304038/identityserver4-register-userservice-and-get-users-from-database-in-asp-net-core

There are some code samples there that could help you out

I am also having an issue implementing a custom (non-aspnet identity) user store/authentication that uses the authorization code flow.

Most of the examples I found seem to suggest implementing IResourceOwnerPasswordValidator, which doesn't seem to be called for the authorization code flow.

Is there another interface that I need to use instead for the authorization code flow? Any info/link to an example would be much appreciated. Thanks!

Maybe https://mcguirev10.com/2018/01/02/identityserver4-without-entity-framework.html (code at https://github.com/MV10/IdentityServer4.AdoPersistence) by @MV10 and https://www.scottbrady91.com/Identity-Server/Creating-Your-Own-IdentityServer4-Storage-Library.

There are probably others, but these seem to work when trying them quickly. If someone does something similar and can share a link to a repo, that would be nice, naturally.

Thanks @veikkoeeva for your comment. I've gone through all of those links (and more!) and none seems to fit my scenario, which seems pretty basic. All I need to do is get the authorization code flow working with a custom user store.

Good news though! I finally managed to figure this out. The problem was that I was using the QuickStart IdentityServer template provided, and after looking at the AccountController source code, by default it only validates users against TestUserStore.

The solution is to simply replace the TestUserStore provided with my own authentication implementation based on an interface (e.g. IAuthenticateUserCommand) that performs user validation against my user database. I also then implemented the IProfileService for retrieving the user claims (e.g. role, etc).
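As an added example (not code from this thread, the quickstart, or IdentityServer4 itself) tying the two answers together: a custom user store behind a hypothetical IAuthenticateUserCommand, plugged in through IResourceOwnerPasswordValidator for the password grant and IProfileService for claims in every flow.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityModel;
using IdentityServer4.Models;
using IdentityServer4.Services;
using IdentityServer4.Validation;

// Hypothetical abstraction over your own user database or Active Directory lookup.
public interface IAuthenticateUserCommand
{
    Task<string> ValidateCredentialsAsync(string userName, string password); // subject id, or null on failure
    Task<bool> IsActiveAsync(string subjectId);
    Task<Claim[]> GetClaimsAsync(string subjectId);
}

// Invoked only for the resource owner password grant (grant_type=password).
public class CustomResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator
{
    private readonly IAuthenticateUserCommand _users;
    public CustomResourceOwnerPasswordValidator(IAuthenticateUserCommand users) => _users = users;
    public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
    {
        var subject = await _users.ValidateCredentialsAsync(context.UserName, context.Password);
        if (subject == null)
        {
            // One generic error for both unknown user and wrong password.
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "invalid credentials");
            return;
        }
        context.Result = new GrantValidationResult(subject, OidcConstants.AuthenticationMethods.Password);
    }
}

// Invoked for every flow (code, implicit, password) when claims are needed for a token or userinfo.
public class CustomProfileService : IProfileService
{
    private readonly IAuthenticateUserCommand _users;
    public CustomProfileService(IAuthenticateUserCommand users) => _users = users;
    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var sub = context.Subject.FindFirst(JwtClaimTypes.Subject)?.Value;
        var claims = await _users.GetClaimsAsync(sub);
        // Only release the claim types the requested scopes actually ask for.
        context.IssuedClaims = claims.Where(c => context.RequestedClaimTypes.Contains(c.Type)).ToList();
    }
    public async Task IsActiveAsync(IsActiveContext context)
        => context.IsActive = await _users.IsActiveAsync(context.Subject.FindFirst(JwtClaimTypes.Subject)?.Value);
}
```

Register both on the AddIdentityServer() builder with `.AddResourceOwnerValidator<CustomResourceOwnerPasswordValidator>()` and `.AddProfileService<CustomProfileService>()`. For the browser-based flows the quickstart AccountController login must call the same user store in place of TestUserStore, as the comment above describes.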

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
