IdentityServer4 and Custom password policy
Industrial-scale applications often need extra handling of authentication and authorization when several apps talk to each other, and those apps run on many platforms and devices: web apps, mobile apps, desktop apps and APIs.
Developers therefore have to spend extra effort securing these apps, following standard best practices as well as company-specific security policies, and those policies change as the company's needs change.
A Security Token Service (STS) is a central service that authenticates users, issues tokens and validates the claims they carry. All authentication and authorization logic of an application is therefore offloaded to the STS instead of being re-implemented in every app.
IdentityServer4 is a widely used STS for ASP.NET Core applications. It implements the OpenID Connect and OAuth 2.0 protocols, which address the typical security problems of today's mobile, native and web applications.
The image below shows the architecture of a typical modern application built around an STS.
IdentityServer4 offers the following features for maintaining a high security standard and enforcing custom security policies:
- Protect your resources (APIs and web applications)
- Authenticate users, either against a local account store or an external identity provider
- Issue tokens to clients and validate the tokens presented to your resources
IdentityServer4 is not a user store itself: it integrates with ASP.NET Core Identity for user management and with Entity Framework Core (EF Core) for persisting its configuration and operational data.
Each application that uses IdentityServer4 is registered as a client, so the application itself does not have to implement login, token handling or the password policy; that work stays in one place instead of being duplicated across development teams.
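What registering such a client looks like, as an added example that is not the article's code: a hypothetical confidential web client named "portal" using the authorization code flow with PKCE, wired into IdentityServer4 with ASP.NET Core Identity as the user store. The client id, secret, redirect URIs and the "api1" scope are assumptions for illustration, and ApplicationUser is assumed to be the project's Identity user class.

```csharp
// Added example (not the article's code): registering one web app as a client of IdentityServer4.
// Assumed: IdentityServer4 v4, an ApplicationUser : IdentityUser type from ASP.NET Core Identity,
// and a hypothetical client "portal" running on https://localhost:5002.
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.Extensions.DependencyInjection;

public static class IdentityServerConfig
{
    // Identity scopes the client may request (standard OpenID Connect scopes).
    public static IEnumerable<IdentityResource> IdentityResources =>
        new IdentityResource[] { new IdentityResources.OpenId(), new IdentityResources.Profile() };

    // "api1" is a hypothetical API scope used only for this example.
    public static IEnumerable<ApiScope> ApiScopes =>
        new[] { new ApiScope("api1", "Hypothetical orders API") };

    public static IEnumerable<Client> Clients =>
        new[]
        {
            new Client
            {
                ClientId = "portal",
                ClientName = "Internal web portal",
                // Authorization code flow with PKCE: the recommended choice for interactive apps.
                AllowedGrantTypes = GrantTypes.Code,
                RequirePkce = true,
                // Confidential client: only the SHA-256 hash of the secret is stored.
                ClientSecrets = { new Secret("replace-me-with-a-random-secret".Sha256()) },
                // Exact-match redirect URIs; anything else is rejected by IdentityServer4.
                RedirectUris = { "https://localhost:5002/signin-oidc" },
                PostLogoutRedirectUris = { "https://localhost:5002/signout-callback-oidc" },
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "api1"
                },
                // No refresh tokens unless the app genuinely needs long-lived sessions.
                AllowOfflineAccess = false
            }
        };

    // Call from Startup.ConfigureServices after services.AddIdentity<ApplicationUser, IdentityRole>(...).
    public static void AddConfiguredIdentityServer(IServiceCollection services)
    {
        services.AddIdentityServer(options =>
            {
                // Emit success/failure/error events so logins and token issuance can be audited.
                options.Events.RaiseSuccessEvents = true;
                options.Events.RaiseFailureEvents = true;
                options.Events.RaiseErrorEvents = true;
            })
            .AddInMemoryIdentityResources(IdentityResources)
            .AddInMemoryApiScopes(ApiScopes)
            .AddInMemoryClients(Clients)
            // Users and passwords come from ASP.NET Core Identity, so its password policy applies here.
            .AddAspNetIdentity<ApplicationUser>()
            // Development only: a temporary signing key. Use AddSigningCredential with a managed key in production.
            .AddDeveloperSigningCredential();
    }
}
```

The in-memory stores are fine for a demo; in a real deployment the same Client objects are persisted through the EF Core configuration store so that client secrets and redirect URIs are not hard-coded in the service.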
Custom Password Policy
Many organizations maintain their own password policy. When we build software for such a company, the application has to enforce that policy everywhere a password is created or changed.
In the identity server, the standard password policy is configured through the Identity options in the Startup.cs file, as shown below.
Only a limited set of attributes (minimum length, required character classes and the number of unique characters) can be controlled this way. For a larger, company-specific policy, use the steps below: add a PasswordPolicyHandlerService class that implements IPasswordValidator for your user type, and register it in Startup.cs with AddPasswordValidator so that it runs alongside the built-in validator.
In the PasswordPolicyHandlerService class, customize your password policy inside the ValidateAsync method. Make sure the validator is typed for the same user class that AddIdentity uses; here I have used ApplicationUser. Note that password validators run only when a password is created, changed or reset, not at login, so existing users are not affected until they next change their password.
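The two pieces above (the built-in password options in Startup.cs and the custom PasswordPolicyHandlerService with its ValidateAsync method), as one added example that is not the article's own code. It assumes an ASP.NET Core Identity project with ApplicationUser : IdentityUser and an existing ApplicationDbContext for the Identity store; the banned-password list and the rule set are constructed for illustration and stand in for whatever the company policy actually requires.

```csharp
// Added example (not the article's code): built-in password options plus a custom
// IPasswordValidator, both wired in Startup.ConfigureServices.
// Assumed: ApplicationDbContext is the project's Identity DbContext; the banned list is a constructed sample.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public class ApplicationUser : IdentityUser { }

public static class PasswordPolicyStartup
{
    public static void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentity<ApplicationUser, IdentityRole>(options =>
            {
                // Built-in policy: only length, character classes and unique-character count are configurable here.
                options.Password.RequiredLength = 12;
                options.Password.RequiredUniqueChars = 4;
                options.Password.RequireDigit = true;
                options.Password.RequireLowercase = true;
                options.Password.RequireUppercase = true;
                options.Password.RequireNonAlphanumeric = true;
                // Lockout limits online guessing, which the password policy alone does not.
                options.Lockout.MaxFailedAccessAttempts = 5;
                options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
            })
            .AddEntityFrameworkStores<ApplicationDbContext>()
            .AddDefaultTokenProviders()
            // Added on top of the default PasswordValidator<ApplicationUser>; both must pass.
            .AddPasswordValidator<PasswordPolicyHandlerService>();
    }
}

// Company-specific rules that the built-in options cannot express.
public class PasswordPolicyHandlerService : IPasswordValidator<ApplicationUser>
{
    // Constructed sample; a real deployment would load a breached/banned-password list instead.
    private static readonly HashSet<string> BannedPasswords =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Password123!", "Welcome2024!", "Company@123" };

    // Called by UserManager on CreateAsync, ChangePasswordAsync, ResetPasswordAsync and AddPasswordAsync.
    public Task<IdentityResult> ValidateAsync(UserManager<ApplicationUser> manager, ApplicationUser user, string password)
    {
        var errors = new List<IdentityError>();
        password = password ?? string.Empty;

        if (BannedPasswords.Contains(password))
            errors.Add(Error("PasswordBanned", "This password is on the banned list."));

        // The user name and the local part of the e-mail address must not appear in the password.
        foreach (var token in UserDerivedTokens(user))
        {
            if (token.Length >= 3 && password.IndexOf(token, StringComparison.OrdinalIgnoreCase) >= 0)
            {
                errors.Add(Error("PasswordContainsUserInfo", "Password must not contain your user name or e-mail address."));
                break;
            }
        }

        if (HasSequentialRun(password, 4))
            errors.Add(Error("PasswordSequentialChars", "Password must not contain runs such as 'abcd', '1234' or '4321'."));

        return Task.FromResult(errors.Count == 0 ? IdentityResult.Success : IdentityResult.Failed(errors.ToArray()));
    }

    private static IEnumerable<string> UserDerivedTokens(ApplicationUser user)
    {
        if (user == null) yield break;
        if (!string.IsNullOrEmpty(user.UserName)) yield return user.UserName;
        int at = user.Email?.IndexOf('@') ?? -1;
        if (at > 0) yield return user.Email.Substring(0, at);
    }

    // True if n or more consecutive characters ascend or descend by exactly one code point.
    private static bool HasSequentialRun(string s, int n)
    {
        int up = 1, down = 1;
        for (int i = 1; i < s.Length; i++)
        {
            up = s[i] == s[i - 1] + 1 ? up + 1 : 1;
            down = s[i] == s[i - 1] - 1 ? down + 1 : 1;
            if (up >= n || down >= n) return true;
        }
        return false;
    }

    private static IdentityError Error(string code, string description) =>
        new IdentityError { Code = code, Description = description };
}
```

Each failed rule is returned as its own IdentityError with a stable Code, so the registration and change-password pages can show every violated rule at once rather than one at a time, and the codes can be logged without the password itself. Because AddPasswordValidator adds to the validator list rather than replacing it, the length and character-class checks from the options block still apply and do not need to be repeated here.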