IdentityServer4.Contrib.RedisStore is a persistence layer using Redis DB for operational data and for caching capability for Identity Server 4. Specifically, this store provides implementation for IPersistedGrantStore and ICache.
You need to install the nuget package
then you can inject the operational store in the Identity Server 4 Configuration at startup using one of the overloads of AddOperationalStore:
public void ConfigureServices(IServiceCollection services)
{
...
services.AddIdentityServer()
...
.AddOperationalStore(options =>
{
options.RedisConnectionString = "---redis store connection string---";
options.Db = 1;
})
...
}And for adding caching capability you can use AddRedisCaching:
public void ConfigureServices(IServiceCollection services)
{
...
services.AddIdentityServer()
...
.AddRedisCaching(options =>
{
options.RedisConnectionString = "---redis store connection string---";
options.KeyPrefix = "prefix";
})
...
}As an alternative, you can pass ConfigurationOptions instance, which contains the configuration of Redis store:
public void ConfigureServices(IServiceCollection services)
{
var operationalStoreOptions = new ConfigurationOptions { /* ... */ };
var cacheOptions = new ConfigurationOptions { /* ... */ };
...
services.AddIdentityServer()
...
.AddOperationalStore(options =>
{
options.ConfigurationOptions = operationalStoreOptions;
options.KeyPrefix = "another_prefix";
})
.AddRedisCaching(options =>
{
options.ConfigurationOptions = cacheOptions;
})
...
}Finally, you have the option of passing an already established connection using ConnectionMultiplexer by passing it directly like:
public void ConfigureServices(IServiceCollection services)
{
...
services.AddIdentityServer()
...
.AddOperationalStore(options =>
{
options.RedisConnectionMultiplexer = connectionMultiplexer;
})
.AddRedisCaching(options =>
{
options.RedisConnectionMultiplexer = connectionMultiplexer;
})
...
}don't forget to register the caching for specific configuration store you like to apply the caching on after registering the services, like the following:
public void ConfigureServices(IServiceCollection services)
{
...
services.AddIdentityServer()
...
.AddRedisCaching(options =>
{
options.ConfigurationOptions = cacheOptions;
})
...
.AddClientStoreCache<IdentityServer4.EntityFramework.Stores.ClientStore>()
.AddResourceStoreCache<IdentityServer4.EntityFramework.Stores.ResourceStore>()
.AddCorsPolicyCache<IdentityServer4.EntityFramework.Services.CorsPolicyService>()
.AddProfileServiceCache<MyProfileService>()
...
}In this previous snippet, registration of caching capability are added for Client Store, Resource Store and Cors Policy Service, and it's registered for Entity Framework stores in this case, but if you have your own Stores you should register them here in order to allow the caching for these specific stores.
Note: operational store and caching are not related, you can use them separately or combined.
Note: for
AddProfileServiceCache, you can configure it with custom key selector, the default implementation is to selectsubclaim value.
the solution was approached based on how the SQL Store storing the operational data, but the concept of Redis as a NoSQL db is totally different than relational db concepts, all the operational data stores implement the following IPersistedGrantStore interface:
public interface IPersistedGrantStore
{
Task StoreAsync(PersistedGrant grant);
Task<PersistedGrant> GetAsync(string key);
Task<IEnumerable<PersistedGrant>> GetAllAsync(string subjectId);
Task RemoveAsync(string key);
Task RemoveAllAsync(string subjectId, string clientId);
Task RemoveAllAsync(string subjectId, string clientId, string type);
}with the IPersistedGrantStore contract, we notice that the GetAllAsync(subjectId), RemoveAllAsync(subjectId,clientId) and RemoveAllAsync(subjectId,clientId,type) defines a contract to read based on subject id and remove all the grants in the store based on subject, client ids and type of the grant.
this brings trouble to Redis store since redis as a reliable dictionary is not designed for relational queries, so the trick is to store multiple key entries for the same grant, and the keys can be reached using key, subject, client ids and type.
so the StoreAsync operation stores the following entries in Redis:
-
Key -> RedisStruct: stored as key string value pairs, used to retrieve the grant based on the key, if the grant exists or not expired.
-
Key(SubjectId) -> Key* : stored in a redis Set, used on the GetAllAsync, to retrieve all the grant related to a given subject id.
-
Key(SubjectId,ClientId) -> Key* : stored in a redis set, used to retrieve all the keys that are related to a subject and client ids, to remove them while calling RemoveAllAsync.
-
Key(SubjectId,ClientId,type) -> Key* : stored in a redis set, used to retrieve all the keys that are related to a subject, client ids and type of the grant, to remove them while calling RemoveAllAsync.
for more information on data structures used to store the grant please refer to Redis data types documentation
since Redis has a key Expiration feature based on a defined date time or time span, and to not implement a logic similar to SQL store implementation for cleaning up the store periodically from dangling grants, the store uses the key expiration of Redis while storing entries based on the following criteria:
-
for Key of the grant, the expiration is straight forward, it's set on the StringSet Redis operation as defined by identity server on the grant object.
-
for Key(SubjectId) and Key(SubjectId,ClientId) the expiration is not set, since the same and only store type is persisting the grants regardless of their type, not like the identity server 3, where it has multiple stores for each grant type. and we are setting expiration for Key(SubjectId,clientId,type) since this set for the same grant type, and client, so the keys are consistent here.
feedbacks are always welcomed, please open an issue for any problem or bug found, and the suggestions are also welcomed.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent