IdentityServer3用户注册 [英] IdentityServer3 User Registration

问题描述

我正在编写一个HTML/Angular应用程序，并使用隐式流向IdentityServer3进行身份验证.我已经完成设置并可以正常工作，但我担心的是允许用户注册.

I'm writing an Html/Angular app and am authenticating with IdentityServer3 using the implicit flow. I have that setup and working, but what I'm concerned about is allowing users to register.

我知道我可以将注册链接添加到登录流程中，但这不是我感兴趣的.我希望用户进行注册，然后向他们发送确认电子邮件，等等.

I know I can inject a register link into the login flow, but that's not what I'm interested in. I would like users to register, then send them a confirmation email, etc.

这是我当前的设置:

1)xyz.com(有角前端)

1) xyz.com (angular frontend)

2)api.xyz.com(webapi后端)

2) api.xyz.com (webapi backend)

3)account.xyz.com(身份服务器)

3) accounts.xyz.com (identityserver)

我知道我可以通过调用api端点来进行用户注册，但是我担心它可能并不安全.那时，我将没有令牌，也不会获得XSRF令牌，因为我没有使用ASP.NET MVC.我可以在注册端点上设置CORS，使其仅接受来自xyz.com的请求，但我认为可以很轻松地解决该问题.

I know I can do user registration by calling an api endpoint, but I'm worried that it might not be secure. At that point in the flow, I won't have a token nor can I get an XSRF token because I'm not using ASP.NET MVC. I can setup CORS on my registration endpoint to only accept requests from xyz.com, but I think that can be worked around pretty easily.

所以我的问题可以归结为:

So my question boils down to this:

我应该在前端用MVC替换我的有角度的应用程序，并对任何公共形式(即在用户登录之前)使用防伪令牌吗?

Should I replace my angular app with MVC on the frontend and use anti-forgery tokens for any public forms (i.e. before the user is logged in)?

还有另一种方法/示例，可以在IdentityServer上执行此操作并获得干净的UI流程吗?

Is there another approach/example where I can perform this on IdentityServer and have a clean UI flow?

这是应该在IdentityServer之外执行的操作，仅允许IdentityServer登录吗?

Is this something that should be done outside of IdentityServer and leave for IdentityServer logging in only?

推荐答案

解决此问题的一种方法是让API专门负责注册用户帐户.验证调用API的客户端是否具有必要的权限以将用户注册到系统中，这一点非常重要.当然，前端应用程序仍将需要UI进行注册，但实际的实现方式将是在注册API中.因此，前端应用程序将不必处理发送帐户验证电子邮件，用户名/电子邮件唯一性等的开销.

One way to solve this problem would be to have a API solely responsible for registering user accounts. It is very important to validate that the client invoking the API has the necessary permissions to register users into the system. Of course, front-end applications will still require a UI for registration, but the actual implementation would be in the registration API. Therefore, front-end applications would not have to deal with the overhead of sending account verification emails, username/email uniqueness, etc.

此API是内部的，因此仍需要在前端具有负责调用此API的服务器端应用程序.请记住，凭据只能在服务器端，而不能在任何前端代码中.

This API would be internal, so it would still be required to have a server-side app on the front-end that would be responsible for calling this API. Keep in mind that the credentials must only be on the server-side, and not in any front-end code.

这篇关于IdentityServer3用户注册的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！