IdentityServer4 together with User management as a service?

Created on 19 Oct 2017  路  5Comments  路  Source: IdentityServer/IdentityServer4

I'm writing a authentication/authorization solution for our microservice architecture setup. The solution will work with human users as well as other services, granting them access to required services/features. Currently I have __IdentityServer4__ and __ASP.NET Identity__ as a one service and a second service __Identity Management__ providing basically CRUD functionality on entities like users, clients, scopes, claims, API resources etc. Those two services share the database, the users created through Identity Management API can login on Identity Server login page.

Question: What is the preferrable approach

  1. Have two separate services sharing database. Database would be preferrably MongoDb, as a service, both services access the data through MongoDb API.
  2. Merge both services into one, avoiding sharing the database, but losing benefits of having two separate development lifecycles, separate teams, etc.
  3. Any other suggestions, hints, advices?
question
Source
picture mpabis

Most helpful comment

Well - I personally like the fact that the IS application itself has a pretty low attack surface.

Adding more screens (and more DB access) changes that. I like to keep things separate - also from a deployment point of view.

picture leastprivilege on 20 Oct 2017
👍6

All 5 comments

I personally would keep them separate - mainly because of

two separate development lifecycles, separate teams, etc.

leastprivilege picture leastprivilege on 19 Oct 2017

Let's say team is same for both services.
Service with IdentityServer 4 is small, there is almost no development going on.

  • They are using same source of data, what is also not best solution - two microservices sharing one database.

Are there any other reasons, technical reasons from IS4 point of view, why it should be separated @leastprivilege ?
What about mongodb and IS4? Do you have any production experience with that?

ondrejtomcik picture ondrejtomcik on 19 Oct 2017

Well - I personally like the fact that the IS application itself has a pretty low attack surface.

Adding more screens (and more DB access) changes that. I like to keep things separate - also from a deployment point of view.

leastprivilege picture leastprivilege on 20 Oct 2017
👍6

@leastprivilege I know that issue is closed but I don't want to duplicate and I have additional question.

As I understand IS separated application has own database. Should client operate on data in IS server through some dedicated API? Or this things should be done differently?

I'm looking for guidelines which addresses this subject on documentation but I could find it (pity, it could be great addition to the docs). Maybe do you have some links to point me in proper direction?

dario-l picture dario-l on 16 Oct 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

lock[bot] picture lock[bot] on 10 Jan 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

garymacpherson picture garymacpherson  路  3Comments
eshorgan picture eshorgan  路  3Comments
krgm03 picture krgm03  路  3Comments
wangkanai picture wangkanai  路  3Comments
brockallen picture brockallen  路  3Comments