Compliant Implementation of RP on ASP.NET
Full Name and Status
Version 2 of the Relying party example is called Controls as it can fill the function of user data controller, resource controller or just a generic Relying Party. It is based on Microsoft open source solution ASP.NET core 2.2 and should be able to run on any common server platform.
Version 1 which was built to the IDEF baseline functional requirements is now archived at this site. This example is completely new, but still seeks to comply with the IDEF BFR as well as other standards from the Kantara Initiative and the OpenID foundation on interoperability, privacy and security.
This page is designed to assist designers and developers of relying party (RP) web sites, meaning those Web Sites that rely upon other Identifier or Attribute Providers. Technical terms are used to convey the information that they will need to perform their task that may not be familiar to the casual reader.
For a less technical document that shows the design specifications for this example see the wiki page Best Practice and Example Relying Party.
This is still a work in progress. Do not expect full functional code at this time.
This example was originally created in Microsoft ASP.NET core version 1.1. It is currently being revised to run on ASP.NET core version 2.2 so there are likely some parts of this wiki page that are not fully converted.
Access to the Example
Currently a working draft of the Relying Party example web site is available here.
Building the Example from GitHub
Note that the core 1.1 version is on Bitbucket. It will be retired after the new version on GitHub with core 2.2 is fully functional.
Building an ASP.NET solution from scratch
- From Visual Studio add new project with: C#, MVC razor pages, Change Identifier to Individual.
- Take control of the user information by overriding the IdentityUser with a local name, here we use the name UserObject to align with terminology in this wiki.
- It is common to include UserGroup as well as UserObject in the definition if the admin or other types of user will be included in the same database.
- Scaffold Identity in ASP.NET Core 2 projects.
- for this example choose the instructions labled "Scaffold identity into a Razor project without existing authorization"
- In the project right-click select add -> scaffold -> Identity and override all files, type in layout cshtml name, DB name and UserObject
- If you have your own definition of the user before scaffolding, you might wind up with two definitions; delete one.
- Make a choice about enabling Two factor authentication. If enabled put .AddDefaultTokenProivders() in startup and add email and/or phone providers.
- For ASP.NET Core 2.2 the razor page format includes the view model and controller in the code behind file, not in a separate controller file.
Set up goals and start to build examples and best practices for all of the roles in an ID ecosystem.
- Now that the IDEF has established a self assessment, work on enabling the ID ecosystem needs enable relying parties and other entities to comply.
- Promote a Trustmark with UX collateral, images of various sizes for web sites.
- The Kantara web site itself should be an example of Guidelines.
- There is an IdP which shows the Guidelines for that industry. (The roles of IdP generates identity tokens. It may consume input from user credentials, but not identity tokens.)
- The UXC work on suggestions for the look and feel of a Guidelines RP.
- Move the example RP into broad adoptions for relying parties.
- Preliminary work on the IdP has begun.
- The best practice protocol for inter op between IAPs and RPs is the OpenID Connect protocol.
Questions and Answers for Designers and Developers
Will need to build for best practices:
- Are there specific ToU and PP provisions that demonstrate how the IDEAL RP might deal with User Private Information in their policies.
UX Questions Specific to the RP example code
- Demo verification of email (or cell phone) address - will be needed to support Recovery and Notification.
- What are the canonical terms for identification?
- logon logout register resign
- login logoff create remove
- signin signout signup signoff
- User roles - how to model - note that one user can have multiple roles
- Join email list (no role)
- Registered as a member (has applied)
- Accepted as a member (partially manual)
- Suspended Member
- member of an organization
- voting member of an organization
- Officers of the site
- Site Admin
Other issues to look at:
- Some method for creating a strong web site identity, e.g. EV Certs or the new proposal taking shape at Google Chrome.
- Recording devices that are under the control of the user together with the device capabilities for data capture and display
- While all content on this page is covered by the IPR rules, it should be clear that the content on pages linked from this site may have different ownership rights asserted.
References and Coordination
- The page at Best Practice and Example Relying Party gives a more architectural and design approach to creating a compliant RP site.
- The Microsoft web site has a description of the Namespaces in ASP.NET Core that can be used as an alternate identity schema. It was the precursor for the schema used here.
- this site describes how to debug this app if running an Azure. Other scenarios are available near where that link goes.
- source code for Microsoft IdentityModel OpenIDConnect
Issues and Comments
- Any comments, suggestions or issues with the best practices or code can be tracked at this site. You must have a sign in method for GitHub.
- General comments about this web page can be made on the "Discussion" tab at the top of the page. You must be a registered member of this site to make comments here.
- Impact of deprecation of Google+