docs/en/modules/identity-server-pro.md
//[doc-seo]
{
"Description": "Explore the Identity Server Module (Pro) for ABP Framework, enabling easy management of clients, identity resources, and API resources."
}
You must have an ABP Team or a higher license to use this module.
This module provides integration and management functionality for Identity Server;
See the module description page for an overview of the module features.
Identity Server is pre-installed in the startup templates. So, no need to manually install it.
This module follows the module development best practices guide and consists of several NuGet and NPM packages. See the guide if you want to understand the packages and relations between them.
You can visit Identity module package list page to see list of packages related with this module.
Identity Server module adds the following items to the "Main" menu, under the "Administration" menu item:
AbpIdentityServerMenuNames class has the constants for the menu item names.
Clients page is used to manage Identity Server clients. A client represent applications that can request tokens from your Identity Server.
You can create new clients or edit existing clients in this page:
Identity resource page is used to manage identity resources of Identity Server. Identity resources are data like user ID, name, or email address of a user.
You can create a new identity resource or edit an existing identity resource in this page:
This page allows creating standard identity resources (role, profile, phone, openid, email and address) using "Create standard resources" button.
Identity Server module allows to manage API resources. To allow clients to request access tokens for APIs, you need to define API resources.
You can create a new API resource or edit an existing API resource in this page:
This module adds some initial data (see the data seed system) to the database when you run the .DbMigrator application:
You can delete or edit created standard identity resources in the identity resource management page. You can also re-create standard identity resources in the identity resource management page using "Create standard resources" button.
AbpIdentityServerBuilderOptions can be configured in PreConfigureServices method of your Identity Server module. Example:
public override void PreConfigureServices(ServiceConfigurationContext context)
{
PreConfigure<AbpIdentityServerBuilderOptions>(builder =>
{
//Set options here...
});
}
AbpIdentityServerBuilderOptions properties:
UpdateJwtSecurityTokenHandlerDefaultInboundClaimTypeMap (default: true): Updates JwtSecurityTokenHandler.DefaultInboundClaimTypeMap to be compatible with Identity Server claims.UpdateAbpClaimTypes (default: true): Updates AbpClaimTypes to be compatible with identity server claims.IntegrateToAspNetIdentity (default: true): Integrate to ASP.NET Identity.AddDeveloperSigningCredential (default: true): Set false to suppress AddDeveloperSigningCredential() call on the IIdentityServerBuilder.IIdentityServerBuilder can be configured in PreConfigureServices method of your Identity Server module. Example:
public override void PreConfigureServices(ServiceConfigurationContext context)
{
PreConfigure<IIdentityServerBuilder>(builder =>
{
builder.AddSigningCredential(...);
});
}
This module follows the Entity Best Practices & Conventions guide.
API Resources are needed for allowing clients to request access tokens.
ApiResource (aggregate root): Represents an API resource in the system.
ApiSecret (collection): secrets of the API resource.ApiScope (collection): scopes of the API resource.ApiResourceClaim (collection): claims of the API resource.Clients represent applications that can request tokens from your Identity Server.
Client (aggregate root): Represents an Identity Server client application.
ClientScope (collection): Scopes of the client.ClientSecret (collection): Secrets of the client.ClientGrantType (collection): Grant types of the client.ClientCorsOrigin (collection): CORS origins of the client.ClientRedirectUri (collection): redirect URIs of the client.ClientPostLogoutRedirectUri (collection): Logout redirect URIs of the client.ClientIdPRestriction (collection): Provider restrictions of the client.ClientClaim (collection): Claims of the client.ClientProperty (collection): Custom properties of the client.Persisted Grants stores AuthorizationCodes, RefreshTokens and UserConsent.
PersistedGrant (aggregate root): Represents PersistedGrant for identity server.Identity resources are data like user ID, name, or email address of a user.
IdentityResource (aggregate root): Represents and Identity Server identity resource.
IdentityClaim (collection): Claims of identity resource.This module follows the Repository Best Practices & Conventions guide.
Following custom repositories are defined for this module:
IApiResourceRepositoryIClientRepositoryIPersistentGrantRepositoryIIdentityResourceRepositoryThis module follows the Domain Services Best Practices & Conventions guide.
Identity Server module doesn't contain any domain service but overrides services below;
AbpProfileService (Used when AbpIdentityServerBuilderOptions.IntegrateToAspNetIdentity is true)AbpClaimsServiceAbpCorsPolicyServiceThis module doesn't define any settings.
ApiResourceAppService (implements IApiResourceAppService): Implements the use cases of the API resource management UI.IdentityServerClaimTypeAppService (implement IIdentityServerClaimTypeAppService): Used to get list of claims.ApiResourceAppService (implements IApiResourceAppService): Implements the use cases of the API resource management UI.IdentityResourceAppService (implements IIdentityResourceAppService): Implements the use cases of the Identity resource management UI.All tables/collections use the IdentityServer prefix by default. Set static properties on the AbpIdentityServerDbProperties class if you need to change the table prefix or set a schema name (if supported by your database provider).
This module uses AbpIdentityServer for the connection string name. If you don't define a connection string with this name, it fallbacks to the Default connection string.
See the connection strings documentation for details.
See the AbpIdentityServerPermissions class members for all permissions defined for this module.
In order to configure the application to use the identity server, you first need to import provideIdentityServerConfig from @volo/abp.ng.identity-server/config to root configuration. Then, you will need to append it to the appConfig array.
// app.config.ts
import { provideIdentityServerConfig } from '@volo/abp.ng.identity-server/config';
export const appConfig: ApplicationConfig = {
providers: [
// ...
provideIdentityServerConfig()
],
};
The identity server module should be imported and lazy-loaded in your routing module. It has a static creatRoutes method for configuration. Available options are listed below. It is available for import from @volo/abp.ng.identity-server.
// app.routes.ts
const APP_ROUTES: Routes = [
// other route definitions
{
path: 'identity-server',
loadChildren: () =>
import('@volo/abp.ng.identity-server').then(c => c.createRoutes(/* options here */)),
},
];
<h4 id="h-identity-server-module-options">Options</h4>If you have generated your project via the startup template, you do not have to do anything, because it already has both files configured.
You can modify the look and behavior of the module pages by passing the following options to createRoutes static method:
Identity Server module services and models are generated via generate-proxy command of the ABP CLI. If you need the module's proxies, you can run the following command in the Angular project directory:
abp generate-proxy --module identityServer
eIdentityServerComponents enum provides all replaceable component keys. It is available for import from @volo/abp.ng.identity-server.
Please check Component Replacement document for details.
The Identity Server module remote endpoint URL can be configured in the environment files.
export const environment = {
// other configurations
apis: {
default: {
url: 'default url here',
},
AbpIdentityServer: {
url: 'Identity Server remote url here'
}
// other api configurations
},
};
The Identity Server module remote URL configuration shown above is optional. If you don't set a URL, the default.url will be used as fallback.
This module defines events for Client aggregate and ClientCorsOrigin entity. When a Client or ClientCorsOrigin changes, AllowedCorsOriginsCacheItemInvalidator invalidates the cache for AllowedCorsOriginsCacheItem. See the standard distributed events for more information about distributed events.