SSRD.IdentityUI

IdentityUI

IdentityUI is a simple platform for administrative management of users and admins with a graphical interface. It is easy to set up, has a clean API, and runs on all recent. NET Core releases.

Nuget

Install SSRD.IdentityUI NuGet package.

AppSettings:

"IdentityUI": {
  "BasePath": "http://localhost:5000",
  "HomeAddress": "/",
  "Database": {
    "Type": "PostgreSql",
    "ConnectionString": "UserID={User};Password={Password};Host={IP};Port={Port};Database={DatabaseName};Pooling=true;"
  },
  "Settings": {
      "RegisterEnabled": "{Enable registration for user. Options: true || false}",
      "GroupRegistrationEnabled": "{Enable registration for group. Options: true || false}",
      "AuthenticatorIssuer": "IdentityUI",
      "NumberOfRecoveryCodes": "{Number of recovery codes. Number}",
      "BypassTwoFactorOnExternalLogin": "{Bypass TwoFactor on external login. Options: true || false}",
      "UseEmailAsUsername": "{Use Email sam as username. Options: true || false}",
      "ShowAuditToUser": "{Show audit to user. Options: true || false}",
      "CanChangeGroupName": "{ an group name be changed. Options: true || false}",
      "CanRemoveGroup": "{Can remove group. Options: true || false}",
      "CanRemoveUser": "{Can remove user. Options: true || false}",
      "AllowImpersonation": "{Allow Impersionation. Options: true || false}",
      "DefaultLockoutTimeSpan": "{Default Lockout Timespan. Number}",
      "CreateUserOnInvite": "{Create user on invite. Options: true || false}",
      "Optional2FA": "{Optional Two Factor Authentication: true || false}",
    },
  "PasswordOptions": {
    "RequireDigit": "{Require digit. Options: true || false}",
    "RequiredLength": "{Required length of password. Number}",
    "RequiredUniqueChars": "{Required unique chars. Number}",
    "RequireLowercase": "{Require lowercase. Options: true || false}",
    "RequireUppercase": "{Require uppercase. Options: true || false}",
    "RequireNonAlphanumeric": "{Require non alphanumeric. Options: true || false}",
    "RequireConfirmedEmail": "{Require confirmed email. Options: true || false}",
    "RequireConfirmedPhoneNumber": "{Required confirmed phone number. Options: true || false}",
    "AllowedForNewUsers": "{Allowed for new users. Options: true || false}",
    "MaxFailedAccessAttempts": "{Max failed access attempts. Number}",
  },
  "Admin": {
    "Username": "{Admins username}",
    "Password": "{Admins password}"
  },
  "EmailSender": {
    "Ip": "{Ip}",
    "Port": "{Port}",
    "Username": "{Username}",
    "Password": "{Password}",
    "SenderEmail": "{Sender}",
    "SenderDisplayName": "{Friendly name}"
  },
  "AuthCertificate": {
      "EncryptionCertificate": "{Base64 string}",
      "EncryptionCertificatePassword": "{Certificate password}",
      "SigningCertificate": "{Base64 string}",
      "SigningCertificatePassword": "{Certificate password}"
    },
  "GroupOptions": {
      "AdminRole": "{Default Grou admin role | Default: GroupAdmin}"
    },
  "ThemeOptions": {
      "Theme": "{Path to theme}",
      "ThemeName": "{Theme name}",
      "ThemeEmail": "{Theme email}"
    },
  "WebhookOptions": {
      "Enabled": "{Enabled. Options: true || false}",
      "User": {
        "Enabled": "{Enabled. Options: true || false}",
        "Url": "{Endpoint where to send webhook}",
        "TokenHeaderKey": "{Token header key for authorization}",
        "Token": "{Token}"
      },
      "Group": {
        "Enabled": "{Enabled. Options: true || false}",
        "Url": "{Endpoint where to send webhook}",
        "TokenHeaderKey": "{Token header key for authorization}",
        "Token": "{Token}"
      },
      "GroupUser": {
        "Enabled": "{Enabled. Options: true || false}",
        "Url": "{Endpoint where to send webhook}",
        "TokenHeaderKey": "{Token header key for authorization}",
        "Token": "{Token}"
      }
    },
  "ExposedApiOptions": {
    "AllowedOrigin": "{Allowed origins}",
    "IsOriginDnsEntry": "{Is Origin Dns Entry. Options: true || false}",
    "Token": "{Token}",
    "TokenHeaderKey": "{Token header key for authorization}"
  },
  "SmsGateway": {
    "Sid": "{Username/account ID}",
    "Token": "{Password/API access token}",
    "FromNumber": "{Phone number}"
  },
  "Microsoft": {
    "ClientId": "{ClientId}",
    "ClientSecret": "{ClientSecret}"
  },
  "Google": {
    "ClientId": "{ClientId}",
    "ClientSecret": "{ClientSecret}"
  },
  "Facebook": {
    "AppId": "{ClientId}",
    "AppSecret": "{ClientSecret}"
  },
  "Twitter": {
    "ConsumerKey": "{ConsumerKey}",
    "ConsumerSecret": "{ConsumerSecret}",
    "RetrieveUserDetails": "{RetrieveUserDetails}"
  },
  "WsFederation": {
    "MetadataAddress": "{MetadataAddress}",
    "Wtrealm": "{Wtrealm}"
  },
  "ReCaptcha": {
    "SiteKey": "{SiteKey}",
    "SiteSecret": "{SiteSecret}"
  }
}

EmailSender options are optional if you provide custom implementation of IEmailSender or don't want to use an EmailSender.

If you want to restrict access to certain endpoints for users without 2FA setup, set Optional2FA to false and use the [Authorize(Policy = 'RequireMfa')] attribute. When Optional2FA is set to false, these endpoints will not be accessible unless 2FA is enabled

Startup

In the ConfigureServices method add:

services.ConfigureIdentityUI(Configuration) // Configures IdentityUI. You can pass in your own identityUI options.
    .UsePostgre() // Adds dbContext. You can choose between UsePostgre or UseSqlServer.
    .AddIdentityUI() // Adds IdentityManagement core services.
    .AddAuth() // Adds Authentication. You can pass in your own CookieAuthenticationOptions.
    .AddEmailSender() // Optional if you provide  custom implementation of IEmailSender
    .AddIdentityAdmin() // Adds services for IdentityAdminUI
    .AddAccountManagement(); // Adds services for AccountManagement.

In the Configure method add:

app.UseIdentityUI(); // Adds IdentityUI

If you are using .NET Core 2 you need to configure the MVC setup by adding or updating:

  app.UseMvc(routes => 
  {
    /* your code */
    routes.MapAccountManagement(); // Adds AccountManagement UI
    routes.MapIdentityAdmin(); // Adds IdentityAdmin UI
  });

You can seed an admin user by calling app.SeedIdentityAdmin("admin", "Password");.

Important: If you are using .NET Core 3 remove app.UseAuthorization();

IdentityAdmin Dashboard: {server}:{port}/IdentityAdmin/ Account management: {server}:{port}/Account/Manage/

Database

Supported databases: PostgreSQL, SQL Server, InMemory (only for testing).

InMemory database provider may not be able translate all the queries and cause exceptions.

To create database:

serviceProvider.RunIdentityMigrations();

To seed IdentityUI required entities:

serviceProvider.SeedSystemEntities();

or

serviceProvider.SeedMissingSystemEntities();

All of this functions are available as extensions on IServiceProvider, IHost, IWebHost or IApplicationBuilder

Groups

From version 2.0, we are supporting a group/multi-tenant management. For this purpose, we created multiple group roles that are linked to permission inside group/tenant management.

Permission	Description
group_can_manage_attributes	Can manage group attributes
group_can_manage_roles	User can assign roles inside the group
group_can_manage_invites	Can see and edit invites
group_can_manage_user_details	User can manage another user details
group_can_manage_settings	User can view/change group settings
group_admin_access	User has access to GroupAdmin
group_can_access_dashboard	User has access to group dashboard
group_can_access_user_details	User can access another user details
group_can_see_users	User can see other members in group
group_can_see_history	User can see login history of users
group_can_view_audit	User can view audit logs for the group
group_can_remove_users	Can remove users from group
group_can_invite_users	Can invite new users to this group
identity_ui_can_manage_groups	Can add new groups and can edit existing groups
group_can_add_existing_users	Can add existing users. Note: This will expose all users from Identity server!
group_can_impersonate_user	User can impersonate another user

Advanced configuration

Configure IdentityUI

ConfigureIdentityUI(Configuration, endpoints => 
{
    endpoints.Home = "/";

    endpoints.Login = "/Account/Login/";
    endpoints.Logout = "/Account/Logout/";
    endpoints.AccessDenied = "/Account/AccessDenied/";

    endpoints.Manage = "/Account/Manage/";
    endpoints.ConfirmeEmail = "/Account/ConfirmEmail";
    endpoints.ResetPassword = "/Account/ResetPassword";
}) // These are the default endpoints options.

Identity policy

AddIdentityUI(options =>
{
    options.Password.RequireDigit = false;
    options.Password.RequiredLength = 6;
    options.Password.RequiredUniqueChars = 0;
    options.Password.RequireLowercase = true;
    options.Password.RequireUppercase = true;
    options.Password.RequireNonAlphanumeric = false;

    options.SignIn.RequireConfirmedEmail = true;
    options.SignIn.RequireConfirmedPhoneNumber = false;

    options.Lockout.AllowedForNewUsers = true;
    options.Lockout.MaxFailedAccessAttempts = 5;
    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(5);
}) // These are the default identity options.

Identity options

AddAuth(options => 
{
    options.Cookie.HttpOnly = true;
    options.LoginPath = "/Account/Login/";
    options.AccessDeniedPath = "/Account/AccessDenied/";
    options.SlidingExpiration = true;
    options.LogoutPath = "/Account/Logout/";
}) // These are the default cookie options.

Configuring SMS gateway

To be able to use SMS sending functionality within IdentityUI you fill first need to configure the system to communication with your SMS gateway. In this example we will show how the Twilio API can be configured.

First you will need to create a Twilio account. You can do that here. When your account is ready, you will need update the appsettings.json file with API access token. For example:

"IdentityUI": {
  "SmsGateway": {
    "Sid": "",
    "Token": "",
    "FromNumber": ""
  }
}

The names of the property can differ from provider to provider, but in general:

• Sid should contain the username/account ID
• Token should contain the password/API access token
• FromNumber should contain the phone number, which is used to send the SMS messages

After updating the appsettings.json file, you need to add and implementation of the ISmsSender interface to your project. A simple Twilio implementation can look something like this:

public class TwilioSmsSender : ISmsSender
{
    private readonly PhoneNumber _from;

    public TwilioSmsSender(string sid, string token, string from)
    {
        TwilioClient.Init(sid, token);
        _from = new PhoneNumber(from);
    }

    public Task<Result> Send(string to, string message)
    {
        try
        {
            MessageResource result = MessageResource.Create(
                from: _from,
                to: new PhoneNumber(to),
                body: message);

            return Task.FromResult(Result.Ok());
        }
        catch (Exception ex)
        {
            return Task.FromResult(Result.Fail("twilio_error", "Sending SMS failed"));
        }
    }
}

// add the class to the DI container
services.AddScoped<ISmsSender, TwilioSmsSender>(options =>
{
    string sid = Configuration["IdentityUI:SmsGateway:Sid"];
    string token = Configuration["IdentityUI:SmsGateway:Token"];
    string from = Configuration["IdentityUI:SmsGateway:FromNumber"];

    return new TwilioSmsSender(sid, token, from);
});

Finally, you need to tell the system that the sms gateway is configured. To do that, you need to update the configuration in the Setup.cs file and adding the following line:

services.ConfigureIdentityUI(Configuration, endpoints =>
{
  endpoints.UseSmsGateway = true;
})

With that, you should have SMS sending functionality available in your system.

Setting up an SMS gateway also enables SMS two-factor authentication for the users of your system.

Customization

Add own theme to IdentityUI. Check out Customization documentation

Custom pages

Check out custom pages documentation and define page structure and styles on your own!

Deployment

Check out deployment documentation and deploy on your own!

Tutorial

Check out Tutorial documentation.

Support

For custom feature request or technical support contact us at identity[at]ssrd.io

Credits

• RoyalUI-Free-Bootstrap-Admin-Template