IdentityServer4 is an OpenID Connect and OAuth 2.0 framework for ASP.NET Core that acts as a centralized Security Token Service (STS). By integrating NCache as the underlying data provider, IdentityServer4 can handle massive loads of authentication requests by storing configuration data (clients and resources) and operational data (tokens and codes) in a distributed, high-performance cache cluster. Most multi-tier applications involve multi-level communications, such as browsers interacting with different web APIs, which in turn communicate with other web APIs on behalf of the users. To ensure secure communication, authentication and authorization protocols are essential, requiring additional handling. However, this can be challenging to maintain because any change in API usage necessitates adjustments in the logic governing authorized access. This can lead to testing and deployment bottlenecks, particularly when managing microservices.
To address this issue, a Security Token Service (STS) can be used as a central repository to offload authorization logic from various components of the application. The primary role of STS is to issue tokens and validate claims, thereby managing scoped access to resources and streamlining authorization processes.
Key Takeaways
Scalability for STS: NCache eliminates the performance bottlenecks of disk-based databases by providing a distributed, in-memory store for IdentityServer4.
Flexible Integration: NCache can be implemented as either a standalone Configuration/Operational Store or as a Caching Layer on top of existing relational databases.
Direct Integration: Native extension methods like AddNCacheConfigurationStore and AddNCacheCaching allow for integration within the ASP.NET Core dependency injection pipeline.
Performance Optimization: Storing configuration data (clients, resources) and operational data (tokens, grants) in RAM ensures sub-millisecond response times during high-concurrency authentication requests.
Let us look at the diagram below to get the overall idea of the security token service being used.
Figure 1: IdentityServer4 Integration as a Security Token Service
Using IdentityServer4 with NCache
IdentityServer4 is a frequently used STS in .NET Core applications. It implements the OpenID Connect and OAuth 2.0 protocols. The IdentityServer4 API provides the flexibility to use any external custom storage, be it a relational database, a NoSQL solution, a file system, or even an in-memory data store like NCache. Moreover, IdentityServer4’s support for Entity Framework (EF) Core simplifies the process of using various databases as storage for its configuration and operational data.
NCache, being a distributed, scalable in-memory key-value store, is a great fit for IdentityServer4. It can be used with IdentityServer in either of the following ways.
- NCache can be used as a cache store for IdentityServer4 configuration and operational data to speed up operations through in-memory caching as well as reduce database hits.
- To further increase the application performance, NCache can be used as a configuration and persistent grant store by eliminating the need to get data from a disk. The in-memory contents of the cache can then be periodically persisted to disk, significantly decreasing the average time taken to get the data.
You can use NCache, as a caching layer for storing configuration or as a standalone store for operational data. All this is implemented using the IdentityServerBuilder NCache extension methods used during ASP.NET Core dependency injection.
- Configuration store: A store where static data is kept which does not change as such.
- Operational store: A store where the operational data is kept on which operations are performed and is more likely to be frequently modified.
The upside of it is that it allows data to be stored in memory, resulting in faster access times. Before delving into the implementation details, it is important to address a few prerequisites to ensure a smooth setup process.
Prerequisites
- .NET Core 6.0 and 8.0 SDK and runtimes.
- NCache Enterprise 5.0 SP1 or onwards running on your server(s).
- Refer to the GitHub solution to get the information on application being used. Throughout the blog, the code changes are explained according to the same application.
Once your environment meets these prerequisites, you must decide which integration strategy best fits your architecture. The table below highlights the key differences between using NCache as a standalone store versus a caching layer.
| Feature | NCache as Primary Store | NCache as Caching Layer |
|---|---|---|
| Best For | Maximum speed; eliminating DB hits. | Speeding up an existing SQL/NoSQL DB. |
| Data Persistence | Optional persistence to disk. | Data remains in your primary database. |
| Architecture | Simplified (IdentityServer → NCache). | Tiered (IdentityServer → NCache → DB). |
| Implementation | .AddNCacheConfigurationStore() | .AddNCacheCaching() |
Scenario 1: NCache as an In-Memory IdentityServer4 Store
NCache can store various types of data for IdentityServer, including client information, API resources, identity resources (configurations), as well as persisted grants and device flow codes (operations). This demonstrates NCache’s versatility as a storage solution.
Let’s explore how NCache integrates into this system:
Figure 2: Flexible Storage Configurations for IdentityServer4 with NCache
To use NCache for the configuration and operational data follow the steps mentioned below:
Step 1: Updating StartupNCache File
In the cs of your project, add UseStartup() method and add the following code in the StartupNCache.cs file.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
public void ConfigureServices(IServiceCollection services) { services.AddControllersWithViews(); var builder = services.AddIdentityServer() .AddTestUsers(TestUsers.Users) .AddNCacheConfigurationStore(options => { options.CacheId = _configuration["CacheId"]; var serverList = _configuration["Servers"].Split(',') .Select(x => x.Trim()) .ToList() .Select(y => new NCacheServerInfo(y, 9800)) .ToList(); options.ConnectionOptions = new NCacheConnectionOptions { ServerList = serverList, EnableClientLogs = true, LogLevel = NCacheLogLevel.Debug }; }) //.. rest of the code } |
Step 2: Modifying AppSettings File
In the appsettings.json file, modify the value of the CacheId key to the name of the cache you are using. Furthermore, for the multiple Servers keys, use a comma-separated list of one or more IP addresses belonging to the NCache servers making up the NCache cluster.
|
1 2 3 4 |
{ "CacheId": "democache", "Servers": "20.200.20.45,20.200.20.50", } |
Step 3: Modifying AppSettings File
To observe how NCache functions as a configuration and operational store for IdentityServer4, run the applications IdentityServer, MvcClient, Api, and JavaScriptClient. Ensure that the demonstration cache, which serves as both a configuration and operational store, is active and connected to the IdentityServer sample application before running these applications.
Scenario 2: NCache as IdentityServer4 Cache Implementation
NCache primarily serves to cache data from your data source, enhancing access speed and overall performance. You can use NCache as a data store or place it between your data store and application, caching both configuration and operational data while retaining it in the data store.
The figure illustrates how NCache operates as a cache with IdentityServer4.
Figure 3: NCache as an IdentityServer4 Caching Layer
To implement NCache as a configuration store while also persisting the configuration and operational data in the data store, follow the steps mentioned below.
Step 1: Updating StartupNCache File
Add the UseStartup<StartupEFCore>() method and add the following code in the StartupEFCore.cs file.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
public void ConfigureServices(IServiceCollection services) { ... var builder = services.AddIdentityServer() .AddTestUsers(TestUsers.Users) .AddNCacheCaching(options => { options.CacheId = _configuration["CacheId"]; var serverList = _configuration["Servers"].Split(',') .Select(x => x.Trim()) .ToList() .Select(y => new NCacheServerInfo(y, 9800)) .ToList(); options.ConnectionOptions = new NCacheConnectionOptions { ServerList = serverList }; options.DurationOfBreakInSeconds = 120; }); //.. rest of the code } |
Step 2: Modifying AppSettings File
In the appsettings.json file, modify the value of the CacheId key to the name of the cache you will be using. Furthermore, for the multiple Servers keys, use a comma separated list of one or more IP addresses belonging to the NCache servers making up the NCache cluster. Also, provide the connection string of the SQL Server.
|
1 2 3 4 5 6 7 8 |
{ "CacheId": "democache", "Servers": "20.200.20.45,20.200.20.50", "ConnectionStrings": { "db": "server=;database=IdentityServer4.EntityFramework;UserId=userid;Password=password;" } } |
Step 3: Modifying AppSettings File
Run applications IdentityServer, MvcClient, Api, JavaScriptClient to see how NCache operates as a caching mechanism for the configuration store, the persisted grant store as well as the IProfileService default implementation. Make sure that the cache used as a configuration store and persisted grant store cache is running and can be connected to the IdentityServer sample application.
Conclusion
In summary, IdentityServer handles the necessary authentication at each network hop in your application, and NCache complements this by storing configuration and operational data for faster access. Additionally, NCache can serve as a primary data store for both types of data, potentially eliminating the need for other data sources. This functionality is easily implemented using the extension methods provided by NCache.
Frequently Asked Questions (FAQ)
Q: Can NCache be used as the primary data store for IdentityServer4?
A: Yes. NCache can function as a standalone in-memory configuration and operational store. This implementation is ideal for microservices where you want to remove the dependency on a relational database for authentication data to achieve maximum speed and linear scalability.
Q: Does NCache support IdentityServer4 integration with Entity Framework Core?
A: Yes. NCache provides a dedicated caching provider that sits between IdentityServer4 and your Entity Framework Core data source. This allows you to retain your persistent database while offloading heavy read traffic to the cache.
Q: What is the difference between a Configuration Store and an Operational Store in this context?
A: A Configuration Store in NCache holds static data like client information and API resources that rarely change. An Operational Store manages frequently modified data, such as issued tokens, persisted grants, and device flow codes.
Q: How do I configure multiple NCache servers in my application settings?
A: In your appsettings.json file, you can provide a comma-separated list of IP addresses for the “Servers” key. This allows the IdentityServer4 application to connect to a multi-node NCache cluster for high availability.
