Reputation: 491
When using identityserver 4, is it possible for my web app to create an identityuser by just having the user type in a password in the client-app?
In my web app the user will fill in some details about himself like name, email, and address (for the shopping cart) and after the sale has been completed I want to offer the user to create an identity based on the information he has just given.
For example, a textbox saying
Thank you for your order,
if you want to keep a history of your transactions,
please type in the password you want to use here:
Then after the user presses a button an identityuser will be generated behind the scenes and the user redirected to his new profile.
So far all I can see is that I have to send the user to the identityserver for user-registration, so hoping for some better news here :)
Thanks in advance.
Upvotes: 0
Views: 299
Reputation:
When using identityserver 4, is it possible for my web app to create an identityuser by just having the user type in a password in the client-app?
The answer is no.
And that's not because of technical issues but rather because of security issues.
The principle of least privilege prohibits clients from requesting user credentials. That is why the user needs to login on the IdentityServer website. The client has no access to the credentials of the user. Authentication is outsourced to IdentityServer.
When you choose IdentityServer4 then you are choosing OpenIdConnect, not a membership system. Oidc means one account for all clients. And that's where another problem is: the client doesn't own the user. There is no relation between client and user.
So any user can use any client once authenticated. User authorization has to limit access for the user.
And it is possible that the user already has an account, used for another app. So the user may want to login with that account, instead of creating yet another account.
The only flow that supports user login in the client is the resource owner password flow. And though it may still be implemented, it is not recommended for security reasons and is no longer documented as an available grant type.
If you are not looking for oidc and SSO then you may want to implement Identity as a membership system, where the app has its own user store. In that case I wouldn't use IdentityServer.
Otherwise you can send the user to the IdentityServer website and allow the user to either login or create an account. You can customize the view by looking at the client_id for a good user experience.
Please note, the user only needs an account for login. You should persist the user information in your database, as that is where it belongs. It is part of the business context and has nothing to do with the account.
The account is add-on functionality, which only requires a link from the business user to an identity user.
Upvotes: 1
Reputation: 23
Create an endpoint that accepts the user data you described and generates a user out of it. See here
Example, in case the link gets broken:
```csharp
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// Body of the registration endpoint: `model` carries Email, Username and Password from the form.
ApplicationDbContext context = new ApplicationDbContext();
var roleManager = new RoleManager<IdentityRole>(new RoleStore<IdentityRole>(context));
var UserManager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(context));
// Relax the default validator: allow non-alphanumeric user names, but require a unique email.
UserManager.UserValidator = new UserValidator<ApplicationUser>(UserManager)
{
    AllowOnlyAlphanumericUserNames = false,
    RequireUniqueEmail = true
};
var user = new ApplicationUser();
user.Email = model.Email;
user.UserName = model.Username;
// Hashes the password and stores the user; check result.Succeeded / result.Errors before continuing.
var result = UserManager.Create(user, model.Password);
```
I would advise you to send a registration mail that the user has to confirm in order to use the created account. Generated users that have not been confirmed after a given time should be deleted.
Also, think about encrypting the password when sending it to the endpoint.
Upvotes: 0
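The following is an added example, not code from either answer above, that puts the two pieces of advice together: the registration endpoint with email confirmation from the second answer, and the first answer's point that the shop's own Customer record keeps the business data and only holds a link to the identity user. It is written for ASP.NET Core Identity and assumes the endpoint lives in the application that hosts the Identity user store (not in the OIDC client). `AccountFromOrderRequest`, `Customer`, `ICustomerRepository` and `IConfirmationMailer` are hypothetical types introduced here; `UserManager<TUser>`, `CreateAsync`, `GenerateEmailConfirmationTokenAsync` and `ConfirmEmailAsync` are the real Identity APIs.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Hypothetical request body for the "create an account after checkout" step:
// only the password is new input; everything else is already on the Customer record.
public class AccountFromOrderRequest
{
    public Guid CustomerId { get; set; }
    public string Password { get; set; }
}

// Hypothetical business entity owned by the shop. The only identity-related
// field is the link to the IdentityUser; name and address stay here.
public class Customer
{
    public Guid Id { get; set; }
    public string Email { get; set; }
    public string Name { get; set; }
    public string IdentityUserId { get; set; }   // null until the customer opts into an account
}

// Hypothetical abstractions for the shop database and the outgoing mail.
public interface ICustomerRepository
{
    Task<Customer> FindAsync(Guid id);
    Task SaveAsync(Customer customer);
}

public interface IConfirmationMailer
{
    Task SendAsync(string email, string confirmationUrl);
}

[ApiController]
[Route("account")]
public class AccountController : ControllerBase
{
    private readonly UserManager<IdentityUser> _userManager;
    private readonly ICustomerRepository _customers;
    private readonly IConfirmationMailer _mailer;

    public AccountController(UserManager<IdentityUser> userManager,
                             ICustomerRepository customers,
                             IConfirmationMailer mailer)
    {
        _userManager = userManager;
        _customers = customers;
        _mailer = mailer;
    }

    [HttpPost("from-order")]
    public async Task<IActionResult> CreateFromOrder([FromBody] AccountFromOrderRequest request)
    {
        var customer = await _customers.FindAsync(request.CustomerId);
        if (customer == null) return NotFound();
        if (customer.IdentityUserId != null) return Conflict("This customer already has an account.");

        // Only login data goes into the identity store; EmailConfirmed stays false until the mail link is used.
        var user = new IdentityUser { UserName = customer.Email, Email = customer.Email, EmailConfirmed = false };

        // CreateAsync hashes the password and runs the configured user and password validators.
        var result = await _userManager.CreateAsync(user, request.Password);
        if (!result.Succeeded) return BadRequest(result.Errors);

        // Link the business record to the new identity user; the account is an add-on, not the owner of the data.
        customer.IdentityUserId = user.Id;
        await _customers.SaveAsync(customer);

        // Confirmation token bound to this user; the account is unusable for login until it is redeemed.
        var token = await _userManager.GenerateEmailConfirmationTokenAsync(user);
        var url = Url.Action(nameof(ConfirmEmail), "Account", new { userId = user.Id, token }, Request.Scheme);
        await _mailer.SendAsync(customer.Email, url);

        return Accepted();
    }

    [HttpGet("confirm")]
    public async Task<IActionResult> ConfirmEmail(string userId, string token)
    {
        var user = await _userManager.FindByIdAsync(userId);
        if (user == null) return NotFound();

        // ConfirmEmailAsync validates the token against the user's security stamp and sets EmailConfirmed.
        var result = await _userManager.ConfirmEmailAsync(user, token);
        return result.Succeeded ? Ok() : BadRequest(result.Errors);
    }
}
```

For the confirmation to actually gate login, set `options.SignIn.RequireConfirmedEmail = true` when registering Identity; the second answer's suggestion to purge users that never confirm can then be a scheduled job that deletes `IdentityUser` rows with `EmailConfirmed == false` older than the chosen cut-off and clears the matching `Customer.IdentityUserId`.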