Yamil Ortega

Reputation: 351

Change password remotely through API for Identity server

I just received a .NET API that uses Identity Server for authentication. I have never used Identity Server before, so I'm lost looking for info. Here is my code for authentication:

    using System.Threading.Tasks;
    using System.Web.Http;          // ApiController, IHttpActionResult, [HttpPost], [FromBody]
    using IdentityModel.Client;     // TokenClient, TokenResponse

    [HttpPost]
    public async Task<IHttpActionResult> Post([FromBody] Login loginInfo)
    {
        // GetAuth returns a TokenResponse, so bind the result to that type
        // (the original assigned it to an unrelated OperationResult<string>).
        TokenResponse result = await GetAuth(loginInfo);

        return Ok(result);
    }

    private async Task<TokenResponse> GetAuth(Login loginInfo)
    {
        // Token endpoint address, client id and client secret come from app constants.
        var client = new TokenClient(Constants.IdSrvToken, Constants.ClientId, Constants.ClientSecret);

        // Resource-owner password grant: the API forwards the user's credentials to Identity Server.
        return await client.RequestResourceOwnerPasswordAsync(loginInfo.Usuario, loginInfo.Password, Constants.Scope);
    }

This works ok. But I need to create a new API method that receives the current and a new password and changes it. The TokenClient class doesn't have any useful methods that I can use, and I can't find information related to how to implement the password change. Any suggestions where I can find info?

Upvotes: 0

Views: 407

Answers (1)

sellotape

Reputation: 8325

There will not be one. The whole point of using Identity Server - and other providers like it - is to delegate responsibility for authentication to it, primarily so that apps and APIs have no visibility of user credentials. IS also has very little awareness of "users"; they’re just an abstract concept to it. Something like ASP.NET Identity is more focused on users.

Using resource-owner flow is quite counter to the whole intent of OAuth2, and should not be used in virtually all circumstances. If you’re using IS just for that, adding it to the equation is largely pointless. It doesn’t solve most of the problems OAuth2 was designed to solve, and you also get no Single Sign On.

In practice usually you would have web pages on (or alongside, on the same server) IS that provide the password change functionality, and you would give users a link or redirect them to those pages. I suspect most people using IS who want to manage users either integrate something like ASP.NET Identity or add their own pages. There are many articles written on the former; here is one as a starting point. It’s not exactly trivial but quite doable.

If what you have is a legacy app that is unlikely to migrate to using OAuth2 as intended, then ultimately your code just needs to change the stored password (or hash as it hopefully is) wherever the users are stored; e.g. a database table somewhere. IS won’t help with that though; you need to write your own code for that.

Upvotes: 0
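One concrete shape for the "integrate something like ASP.NET Identity" route the answer suggests, as an added example that is not code from the question, the answer, or Identity Server itself. It assumes an ASP.NET Core Web API with ASP.NET Core Identity configured (the user type `IdentityUser` and the controller, route and request class names are all assumed), and that incoming bearer tokens issued by Identity Server carry a subject claim mapped to the claim type Identity uses to look the user up. The user whose password changes is taken from the authenticated principal, never from the request body, and the current password is verified against the stored hash before anything is written:

```csharp
// Added example, not from the question or answer: a password-change endpoint
// built on ASP.NET Core Identity's UserManager (all names below are assumed).
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

public class ChangePasswordRequest
{
    public string CurrentPassword { get; set; }
    public string NewPassword { get; set; }
}

[ApiController]
[Route("api/account")]
[Authorize] // a valid bearer token is required; the subject comes from it, not from the body
public class AccountController : ControllerBase
{
    private readonly UserManager<IdentityUser> _userManager;

    public AccountController(UserManager<IdentityUser> userManager)
    {
        _userManager = userManager;
    }

    [HttpPost("change-password")]
    public async Task<IActionResult> ChangePassword([FromBody] ChangePasswordRequest request)
    {
        // Resolve the user from the authenticated principal, so one caller
        // cannot change another account's password by naming it in the request.
        var user = await _userManager.GetUserAsync(User);
        if (user == null)
        {
            return Unauthorized();
        }

        // ChangePasswordAsync verifies the current password against the stored hash,
        // applies the configured password policy to the new one, stores a new hash and
        // rotates the user's security stamp (invalidating sessions tied to the old one).
        var result = await _userManager.ChangePasswordAsync(
            user, request.CurrentPassword, request.NewPassword);

        if (!result.Succeeded)
        {
            // Surface the policy/verification errors without echoing either password.
            return BadRequest(result.Errors);
        }

        return NoContent();
    }
}
```

Because the hash lives in the Identity user store, this endpoint does exactly what the answer's last paragraph describes (update the stored hash wherever the users live) while keeping the API from ever handling or storing the plaintext beyond the single verification call; Identity Server is not involved in the change at all, it simply keeps issuing tokens against the same store.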
