A comprehensive identity and access management solution built on Duende IdentityServer v7 with administrative UI for managing OAuth2/OpenID Connect clients, users, and configuration.
This project provides a complete identity management platform featuring:
- OAuth2/OpenID Connect Provider - Secure token service and authentication
- Administrative Web Interface - User-friendly UI for managing identities and clients
- REST API - Programmatic access to administrative functions
- Multi-database Support - SQL Server, PostgreSQL, and MySQL
- Container-ready - Docker compose setup for easy deployment
- Audit Logging - Comprehensive activity tracking
- Multi-tenant Ready - Configurable for various deployment scenarios
| Component | Description | Port |
|---|---|---|
| Duende.STS.Identity | Security Token Service and Identity Provider | 44310 |
| Duende.Admin | Administrative Web Interface | 44303 |
| Duende.Admin.Api | Administrative REST API | 44302 |
| Database | SQL Server/PostgreSQL/MySQL backend | 7900 |
| Nginx | Reverse proxy for containerized setup | 80/443 |
- IdentityServerConfigurationDbContext - Client and resource configuration
- IdentityServerPersistedGrantDbContext - Grants, codes, and tokens
- AdminIdentityDbContext - ASP.NET Core Identity users and roles
- AdminAuditLogDbContext - Audit trail and activity logging
- AdminLogDbContext - Application logging
- DataProtectionDbContext - ASP.NET Core Data Protection keys
- .NET 8.0 SDK
- SQL Server LocalDB (or Docker)
- Visual Studio 2022 or VS Code
- Node.js (for frontend assets)
- Clone and Navigate

  ```bash
  git clone <repository>
  cd Duende
  ```

- Restore Dependencies

  ```bash
  dotnet restore
  npm install
  ```

- Database Setup

  ```bash
  # Apply migrations and seed data
  dotnet run --project src/Duende.Admin -- /seed
  ```

- Run Applications

  ```bash
  # Terminal 1 - Identity Server
  dotnet run --project src/Duende.STS.Identity

  # Terminal 2 - Admin UI
  dotnet run --project src/Duende.Admin

  # Terminal 3 - Admin API (optional)
  dotnet run --project src/Duende.Admin.Api
  ```

- Access Applications
  - Admin UI: https://localhost:44303
  - Identity Server: https://localhost:44310
  - Admin API: https://localhost:44302 (Swagger UI available)
- Start with Docker Compose

  ```bash
  docker-compose up -d
  ```

- Access via Local Domains

  Add to your hosts file:

  ```
  127.0.0.1 sts.skoruba.local
  127.0.0.1 admin.skoruba.local
  127.0.0.1 admin-api.skoruba.local
  ```

- URLs
  - Admin UI: https://admin.skoruba.local
  - Identity Server: https://sts.skoruba.local
  - Admin API: https://admin-api.skoruba.local
Switch database providers by updating DatabaseProviderConfiguration.ProviderType in appsettings.json:
- `SqlServer` (default)
- `PostgreSQL`
- `MySql`
Update connection strings in appsettings.json or environment variables:
```json
{
  "ConnectionStrings": {
    "ConfigurationDbConnection": "Server=(localdb)\\mssqllocaldb;Database=IdentityServerAdminDB7Master;...",
    "PersistedGrantDbConnection": "...",
    "IdentityDbConnection": "...",
    "AdminLogDbConnection": "...",
    "AdminAuditLogDbConnection": "...",
    "DataProtectionDbConnection": "..."
  }
}
```

Configure OIDC client settings in the `AdminConfiguration` section:
```json
{
  "AdminConfiguration": {
    "IdentityServerBaseUrl": "https://localhost:44310",
    "IdentityAdminRedirectUri": "https://localhost:44303/signin-oidc",
    "ClientId": "MyClientId",
    "ClientSecret": "MyClientSecret",
    "AdministrationRole": "MyRole"
  }
}
```

- Update Entity Models in `Duende.Admin.EntityFramework.Shared`
- Add Migrations for each affected context
- Update DTOs in `Duende.Shared`
- Implement Services in respective projects
- Add Controllers/Views in Admin or API projects
- Update Configuration if needed
```bash
# Run unit tests
dotnet test

# Run with coverage
dotnet test --collect:"XPlat Code Coverage"
```

```bash
# Format code
dotnet format

# Analyze code
dotnet build --verbosity normal
```

- OAuth2/OpenID Connect compliant
- JWT Token validation
- PKCE support
- Mutual TLS ready
- Content Security Policy configured
- Audit logging for all administrative actions
- Role-based access control
Set these for production deployment:
```bash
ASPNETCORE_ENVIRONMENT=Production
ConnectionStrings__ConfigurationDbConnection=<production-db>
AdminConfiguration__IdentityServerBaseUrl=<production-sts-url>
AdminConfiguration__RequireHttpsMetadata=true
```

- Configure proper certificates
- Enable HTTPS redirection
- Set `RequireHttpsMetadata=true`
- Use connection pooling
- Configure proper backup strategies
- Monitor performance
- Configure structured logging with Serilog
- Set up centralized log aggregation
- Monitor audit logs
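
A pre-deployment check for the production settings above, as an added example (not part of this project's code): it overlays `Section__Key` environment variables onto the parsed `appsettings.json` values and reports settings that are still at development values. The function names, the `sts.example.test` host, and the decision to treat this README's sample `ClientId`, `ClientSecret` and `AdministrationRole` values as placeholders are assumptions of the example.

```python
import copy

# Sample values shown in this README, treated here as placeholders (assumption).
PLACEHOLDERS = {"MyClientId", "MyClientSecret", "MyRole"}

# Constructed input: the README's AdminConfiguration sample plus example overrides.
SAMPLE_SETTINGS = {"AdminConfiguration": {
    "IdentityServerBaseUrl": "https://localhost:44310",
    "IdentityAdminRedirectUri": "https://localhost:44303/signin-oidc",
    "ClientId": "MyClientId", "ClientSecret": "MyClientSecret",
    "AdministrationRole": "MyRole"}}
SAMPLE_ENV = {"ASPNETCORE_ENVIRONMENT": "Production",
              "AdminConfiguration__IdentityServerBaseUrl": "https://sts.example.test",
              "AdminConfiguration__RequireHttpsMetadata": "true"}

def apply_env_overrides(settings, env):
    """Overlay Section__Key variables onto appsettings ('__' separates nested
    sections). Simplification: key matching here is case-sensitive."""
    merged = copy.deepcopy(settings)
    for name, value in env.items():
        *sections, key = name.split("__")
        node = merged
        for section in sections:
            if not isinstance(node.get(section), dict):
                node[section] = {}
            node = node[section]
        node[key] = value
    return merged

def check_production(settings, env):
    """Return findings for the effective configuration; empty list means pass."""
    cfg = apply_env_overrides(settings, env)
    admin = cfg.get("AdminConfiguration", {})
    findings = []
    if cfg.get("ASPNETCORE_ENVIRONMENT") != "Production":
        findings.append("ASPNETCORE_ENVIRONMENT is not Production")
    for key in ("IdentityServerBaseUrl", "IdentityAdminRedirectUri"):
        url = str(admin.get(key, "")).lower()
        if not url.startswith("https://"):
            findings.append(f"{key} is not an https URL")
        if "://localhost" in url:
            findings.append(f"{key} still points at localhost")
    if str(admin.get("RequireHttpsMetadata", "")).lower() != "true":
        findings.append("RequireHttpsMetadata is not true")
    for key in ("ClientId", "ClientSecret", "AdministrationRole"):
        if str(admin.get(key)) in PLACEHOLDERS:
            findings.append(f"{key} is still a README sample value")
    return findings
```

Calling `check_production(SAMPLE_SETTINGS, SAMPLE_ENV)` reports the redirect URI and the three sample values that the partial override set leaves unchanged; a release pipeline can fail the deployment whenever the returned list is non-empty.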
- Database Connection Issues
  - Verify connection strings
  - Check database server status
  - Ensure migrations are applied
- Authentication Failures
  - Verify client configuration
  - Check redirect URIs
  - Validate certificates
- Docker Issues
  - Check container logs: `docker-compose logs`
  - Verify network connectivity
  - Ensure proper host file entries

- Development: `src/*/Log/` directories
- Docker: Container logs via `docker-compose logs`
- Database: Check `AdminLogDbConnection` tables
This project is based on Duende IdentityServer and follows its licensing terms.