IdentityServer4.Contrib.RedisStore 4.0.0

Redis Store for operational data and for Caching of Identity Server 4

Install-Package IdentityServer4.Contrib.RedisStore -Version 4.0.0
dotnet add package IdentityServer4.Contrib.RedisStore --version 4.0.0
<PackageReference Include="IdentityServer4.Contrib.RedisStore" Version="4.0.0" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.
paket add IdentityServer4.Contrib.RedisStore --version 4.0.0
The NuGet Team does not provide support for this client. Please contact its maintainers for support.
#r "nuget: IdentityServer4.Contrib.RedisStore, 4.0.0"
#r directive can be used in F# Interactive, C# scripting and .NET Interactive. Copy this into the interactive tool or source code of the script to reference the package.
// Install IdentityServer4.Contrib.RedisStore as a Cake Addin
#addin nuget:?package=IdentityServer4.Contrib.RedisStore&version=4.0.0

// Install IdentityServer4.Contrib.RedisStore as a Cake Tool
#tool nuget:?package=IdentityServer4.Contrib.RedisStore&version=4.0.0
The NuGet Team does not provide support for this client. Please contact its maintainers for support.

IdentityServer4.Contrib.RedisStore

IdentityServer4.Contrib.RedisStore is a persistence layer using Redis DB for operational data and for caching capability for Identity Server 4. Specifically, this store provides implementation for IPersistedGrantStore and ICache<T>.

How to use

You need to install the nuget package

then you can inject the operational store in the Identity Server 4 Configuration at startup using one of the overloads of AddOperationalStore:

public void ConfigureServices(IServiceCollection services)
{
    ...
    services.AddIdentityServer()
    ...
    .AddOperationalStore(options =>
    {
        options.RedisConnectionString = "---redis store connection string---";
        options.Db = 1;
    })
    ...
}

And for adding caching capability you can use AddRedisCaching:

public void ConfigureServices(IServiceCollection services)
{
    ...
    services.AddIdentityServer()
    ...
    .AddRedisCaching(options =>
    {
        options.RedisConnectionString = "---redis store connection string---";
        options.KeyPrefix = "prefix";
    })
    ...
}

As an alternative, you can pass ConfigurationOptions instance, which contains the configuration of Redis store:

public void ConfigureServices(IServiceCollection services)
{
    var operationalStoreOptions = new ConfigurationOptions {  /* ... */ };
    var cacheOptions = new ConfigurationOptions {  /* ... */ };

    ...

    services.AddIdentityServer()
    ...
    .AddOperationalStore(options =>
    {
        options.ConfigurationOptions = operationalStoreOptions;
        options.KeyPrefix = "another_prefix";
    })
    .AddRedisCaching(options =>
    {
        options.ConfigurationOptions = cacheOptions;
    })
    ...
}

Finally, you have the option of passing an already established connection using ConnectionMultiplexer by passing it directly like:

public void ConfigureServices(IServiceCollection services)
{
    ...

    services.AddIdentityServer()
    ...
    .AddOperationalStore(options =>
    {
        options.RedisConnectionMultiplexer = connectionMultiplexer;
    })
    .AddRedisCaching(options =>
    {
        options.RedisConnectionMultiplexer = connectionMultiplexer;
    })
    ...
}

don't forget to register the caching for specific configuration store you like to apply the caching on after registering the services, like the following:

public void ConfigureServices(IServiceCollection services)
{
    ...

    services.AddIdentityServer()
    ...
    .AddRedisCaching(options =>
    {
        options.ConfigurationOptions = cacheOptions;
    })
    ...
    .AddClientStoreCache<IdentityServer4.EntityFramework.Stores.ClientStore>()
    .AddResourceStoreCache<IdentityServer4.EntityFramework.Stores.ResourceStore>()
    .AddCorsPolicyCache<IdentityServer4.EntityFramework.Services.CorsPolicyService>()
    .AddProfileServiceCache<MyProfileService>()
    ...
}

In this previous snippet, registration of caching capability are added for Client Store, Resource Store and Cors Policy Service, and it's registered for Entity Framework stores in this case, but if you have your own Stores you should register them here in order to allow the caching for these specific stores.

Note: operational store and caching are not related, you can use them separately or combined.

Note: for AddProfileServiceCache, you can configure it with custom key selector, the default implementation is to select sub claim value.

the solution approach

the solution was approached based on how the SQL Store storing the operational data, but the concept of Redis as a NoSQL db is totally different than relational db concepts, all the operational data stores implement the following IPersistedGrantStore interface:

public interface IPersistedGrantStore
{
    Task StoreAsync(PersistedGrant grant);

    Task<PersistedGrant> GetAsync(string key);

    Task<IEnumerable<PersistedGrant>> GetAllAsync(PersistedGrantFilter filter);

    Task RemoveAsync(string key);

    Task RemoveAllAsync(PersistedGrantFilter filter);
}

with the IPersistedGrantStore contract, we notice that the GetAllAsync(filter), RemoveAllAsync(filter) defines a contract to read based on subject id and remove all the grants in the store based on subject, client ids and/or session ids and type of the grant.

this brings trouble to Redis store since redis as a reliable dictionary is not designed for relational queries, so the trick is to store multiple key entries for the same grant, and the keys can be reached using key, subject, client ids, session ids and type.

so the StoreAsync operation stores the following entries in Redis:

  1. Key → RedisStruct: stored as key string value pairs, used to retrieve/remove the grant based on the key, if the grant exists or not expired.

  2. Key(SubjectId) → Key* : stored in a redis Set, used on retrieve all/remove all, to retrieve all the grant related to a given subject id.

  3. Key(SubjectId,ClientId) → Key* : stored in a redis set, used to retrieve all/remove all the keys that are related to a subject and client ids.

  4. Key(SubjectId,ClientId,type) → Key* : stored in a redis set, used to retrieve all/remove all the keys that are related to a subject, client ids and type of the grant.

  5. Key(SubjectId,ClientId,SessionId) → Key* : stored in a redis set, used to retrieve all/remove all the keys that are related to a subject, client ids, sessions ids.

for more information on data structures used to store the grant please refer to Redis data types documentation

Note: PersistedGrantFilter combinations are not all covered by sets persisted in Redis, if the combination used to be not mapping to an already existing set key, then the retrieval for grants will fallback to Key(SubjectId) → Key, and the evaluation of the filter will happen on client side.

since Redis has a key Expiration feature based on a defined date time or time span, and to not implement a logic similar to SQL store implementation for cleaning up the store periodically from dangling grants, the store uses the key expiration of Redis while storing entries based on the following criteria:

  1. for Key of the grant, the expiration is straight forward, it's set on the StringSet Redis operation as defined by identity server on the grant object.

  2. for Key(SubjectId,ClientId,type) it's absolute expiry time, but it will be extended every time new entry is added to the set.

  3. for Key(SubjectId), Key(SubjectId,ClientId) and Key(SubjectId,ClientId,SessionId) the expiration is sliding, and it will slide on every entry added to the set, since the same and only store type is persisting the grants regardless of their type, not like the identity server 3, where it has multiple stores for each grant type. and we are setting expiration for Key(SubjectId,clientId,type) since this set for the same grant type, and client, so the keys are consistent here.

Note: because of the sliding expiration mechanism, if Redis instance memory is full, eviction will take places based on the policy you set.

Feedback

feedbacks are always welcomed, please open an issue for any problem or bug found, and the suggestions are also welcomed.

IdentityServer4.Contrib.RedisStore

IdentityServer4.Contrib.RedisStore is a persistence layer using Redis DB for operational data and for caching capability for Identity Server 4. Specifically, this store provides implementation for IPersistedGrantStore and ICache<T>.

How to use

You need to install the nuget package

then you can inject the operational store in the Identity Server 4 Configuration at startup using one of the overloads of AddOperationalStore:

public void ConfigureServices(IServiceCollection services)
{
    ...
    services.AddIdentityServer()
    ...
    .AddOperationalStore(options =>
    {
        options.RedisConnectionString = "---redis store connection string---";
        options.Db = 1;
    })
    ...
}

And for adding caching capability you can use AddRedisCaching:

public void ConfigureServices(IServiceCollection services)
{
    ...
    services.AddIdentityServer()
    ...
    .AddRedisCaching(options =>
    {
        options.RedisConnectionString = "---redis store connection string---";
        options.KeyPrefix = "prefix";
    })
    ...
}

As an alternative, you can pass ConfigurationOptions instance, which contains the configuration of Redis store:

public void ConfigureServices(IServiceCollection services)
{
    var operationalStoreOptions = new ConfigurationOptions {  /* ... */ };
    var cacheOptions = new ConfigurationOptions {  /* ... */ };

    ...

    services.AddIdentityServer()
    ...
    .AddOperationalStore(options =>
    {
        options.ConfigurationOptions = operationalStoreOptions;
        options.KeyPrefix = "another_prefix";
    })
    .AddRedisCaching(options =>
    {
        options.ConfigurationOptions = cacheOptions;
    })
    ...
}

Finally, you have the option of passing an already established connection using ConnectionMultiplexer by passing it directly like:

public void ConfigureServices(IServiceCollection services)
{
    ...

    services.AddIdentityServer()
    ...
    .AddOperationalStore(options =>
    {
        options.RedisConnectionMultiplexer = connectionMultiplexer;
    })
    .AddRedisCaching(options =>
    {
        options.RedisConnectionMultiplexer = connectionMultiplexer;
    })
    ...
}

don't forget to register the caching for specific configuration store you like to apply the caching on after registering the services, like the following:

public void ConfigureServices(IServiceCollection services)
{
    ...

    services.AddIdentityServer()
    ...
    .AddRedisCaching(options =>
    {
        options.ConfigurationOptions = cacheOptions;
    })
    ...
    .AddClientStoreCache<IdentityServer4.EntityFramework.Stores.ClientStore>()
    .AddResourceStoreCache<IdentityServer4.EntityFramework.Stores.ResourceStore>()
    .AddCorsPolicyCache<IdentityServer4.EntityFramework.Services.CorsPolicyService>()
    .AddProfileServiceCache<MyProfileService>()
    ...
}

In this previous snippet, registration of caching capability are added for Client Store, Resource Store and Cors Policy Service, and it's registered for Entity Framework stores in this case, but if you have your own Stores you should register them here in order to allow the caching for these specific stores.

Note: operational store and caching are not related, you can use them separately or combined.

Note: for AddProfileServiceCache, you can configure it with custom key selector, the default implementation is to select sub claim value.

the solution approach

the solution was approached based on how the SQL Store storing the operational data, but the concept of Redis as a NoSQL db is totally different than relational db concepts, all the operational data stores implement the following IPersistedGrantStore interface:

public interface IPersistedGrantStore
{
    Task StoreAsync(PersistedGrant grant);

    Task<PersistedGrant> GetAsync(string key);

    Task<IEnumerable<PersistedGrant>> GetAllAsync(PersistedGrantFilter filter);

    Task RemoveAsync(string key);

    Task RemoveAllAsync(PersistedGrantFilter filter);
}

with the IPersistedGrantStore contract, we notice that the GetAllAsync(filter), RemoveAllAsync(filter) defines a contract to read based on subject id and remove all the grants in the store based on subject, client ids and/or session ids and type of the grant.

this brings trouble to Redis store since redis as a reliable dictionary is not designed for relational queries, so the trick is to store multiple key entries for the same grant, and the keys can be reached using key, subject, client ids, session ids and type.

so the StoreAsync operation stores the following entries in Redis:

  1. Key → RedisStruct: stored as key string value pairs, used to retrieve/remove the grant based on the key, if the grant exists or not expired.

  2. Key(SubjectId) → Key* : stored in a redis Set, used on retrieve all/remove all, to retrieve all the grant related to a given subject id.

  3. Key(SubjectId,ClientId) → Key* : stored in a redis set, used to retrieve all/remove all the keys that are related to a subject and client ids.

  4. Key(SubjectId,ClientId,type) → Key* : stored in a redis set, used to retrieve all/remove all the keys that are related to a subject, client ids and type of the grant.

  5. Key(SubjectId,ClientId,SessionId) → Key* : stored in a redis set, used to retrieve all/remove all the keys that are related to a subject, client ids, sessions ids.

for more information on data structures used to store the grant please refer to Redis data types documentation

Note: PersistedGrantFilter combinations are not all covered by sets persisted in Redis, if the combination used to be not mapping to an already existing set key, then the retrieval for grants will fallback to Key(SubjectId) → Key, and the evaluation of the filter will happen on client side.

since Redis has a key Expiration feature based on a defined date time or time span, and to not implement a logic similar to SQL store implementation for cleaning up the store periodically from dangling grants, the store uses the key expiration of Redis while storing entries based on the following criteria:

  1. for Key of the grant, the expiration is straight forward, it's set on the StringSet Redis operation as defined by identity server on the grant object.

  2. for Key(SubjectId,ClientId,type) it's absolute expiry time, but it will be extended every time new entry is added to the set.

  3. for Key(SubjectId), Key(SubjectId,ClientId) and Key(SubjectId,ClientId,SessionId) the expiration is sliding, and it will slide on every entry added to the set, since the same and only store type is persisting the grants regardless of their type, not like the identity server 3, where it has multiple stores for each grant type. and we are setting expiration for Key(SubjectId,clientId,type) since this set for the same grant type, and client, so the keys are consistent here.

Note: because of the sliding expiration mechanism, if Redis instance memory is full, eviction will take places based on the policy you set.

Feedback

feedbacks are always welcomed, please open an issue for any problem or bug found, and the suggestions are also welcomed.

Release Notes

Supports Identity Server 4 v4.

NuGet packages (4)

Showing the top 4 NuGet packages that depend on IdentityServer4.Contrib.RedisStore:

Package Downloads
LDFCore.Authorized
Package Description
BizzPo.IdentityServer
Package Description
LDFCore.Net5.Authorized
Package Description
MySoft.ServiceCenter.Core.IdentityServer
用于微服务器框架的核心库

GitHub repositories (1)

Showing the top 1 popular GitHub repositories that depend on IdentityServer4.Contrib.RedisStore:

Repository Stars
geffzhang/NanoFabric
基于Consul + .NET Core + Polly + Ocelot + Exceptionless + IdentityServer等开源项目的微服务开发框架

Version History

Version Downloads Last updated
4.0.0 41,643 7/3/2020
4.0.0-RC 447 6/25/2020
3.1.2 19,027 6/25/2020
3.1.1 26,555 2/20/2020
3.1.0 976 2/12/2020
3.0.2 26,937 10/12/2019
3.0.0 15,081 9/24/2019
3.0.0-preview2 224 9/9/2019
3.0.0-preview1 175 8/24/2019
2.1.2 9,993 10/12/2019
2.1.0 21,167 6/6/2019
2.0.0 40,318 11/22/2018
2.0.0-preview1 405 10/30/2018
1.4.5 11,260 10/2/2018
1.4.4.1 983 9/10/2018
1.4.4 584 9/8/2018
1.4.3 423 9/8/2018
1.4.2 5,752 6/18/2018
1.4.1 1,120 6/2/2018
1.4.1-rc1 478 6/1/2018
1.3.0 2,710 4/12/2018
1.2.0 1,478 2/28/2018
1.2.0-beta5 1,220 2/12/2018
1.2.0-beta2 536 2/8/2018
1.2.0-beta 469 2/7/2018
1.0.1 2,406 12/21/2017
1.0.0 865 9/5/2017
0.9.8-preview 560 8/29/2017
0.9.7-preview 591 8/28/2017
0.9.6-preview 555 8/24/2017