Redeon.SuperSiteEngineCore.Web.Eltheon.Core.Features.Identity

Purpose

The Identity feature extends ASP.NET Core Identity with Eltheon-specific repositories, managers, runtime permission evaluation, typed permissions, events and metrics. It centralizes Identity ownership so hosts can keep project-specific UI while using the same authorization and event surface.

Building Blocks

• v1/Extensions registers the feature through AddEltheonIdentityCore().
• v1/Interfaces define repositories (IAuthRepository) and runtime permission managers (IEltheonPermissionManager).
• v1/Manager contains Identity-owned orchestration such as EltheonPermissionManager and EltheonSignInManager.
• v1/Permissions exposes typed User/Role admin permission sets.
• v1/Cache owns runtime permission cache abstraction and the default memory-cache implementation.
• v1/WebUi adapts Identity permission checks to Core.WebUi.
• v1/Models (AuthRole, RolePermission, Permission) capture role metadata and grant matrices that can be serialized, seeded or exposed via APIs.
• Converter and enum types (PermissionTypeConverter, PermissionType) make it simple to map between persisted values and domain friendly enums.

Usage

1. Register the Identity feature alongside ASP.NET Core Identity in your host:

builder.Services.AddDefaultIdentity<IdentityUser>()
    .AddRoles<AuthRole>()
    .AddEntityFrameworkStores<AuthDbContext>()
    .AddDefaultTokenProviders();

builder.Services.AddEltheonIdentityCore();
builder.Services.AddEltheonIdentitySecurityDefaults(options =>
{
    options.Registration.AllowPublicRegistration = false;
});

2. Register the feature Razor Class Library application part when configuring Razor Pages and MVC:

builder.Services.AddRazorPages()
    .AddEltheonIdentityApplicationPart();

builder.Services.AddMvc()
    .AddEltheonIdentityApplicationPart();

3. Reference the shared models in Razor pages, controllers or APIs when exposing role/permission settings.
4. Use the provided converters when persisting or reading permission values from configuration stores.

Integration Notes

• Runtime permission caching uses IMemoryCache through IIdentityPermissionCache.
• The package does not configure ASP.NET Identity stores itself. Continue to call AddIdentity / AddDefaultIdentity in your host and then call AddEltheonIdentityCore().
• The package owns the Admin Users pages, Admin Roles page, Admin Roles API and User Profile edit page through its RCL. Account pages under /Identity/Account/* remain host-owned so themes can stay host-specific while PageModels delegate to Identity managers.
• Hosts that persist role-permission matrices provide an IIdentityRolePermissionStore adapter. The Identity package does not reference the concrete Permissions feature or host database context.
• Identity references Core.WebUi only for the permission evaluator adapter. Domain permission evaluation stays in EltheonPermissionManager.
• The package is designed to be consumed by both web hosts and plugins, allowing consistent enforcement of authorization policies.
• Defines canonical Identity event names, metadata and safe payload/options contracts. Hosts that already reference the Eltheon event bus can publish these signals from the mutation owner without including passwords, reset tokens, confirmation tokens, reset links or raw email addresses.

Security Defaults

AddEltheonIdentitySecurityDefaults() registers EltheonIdentityOptions and applies conservative ASP.NET Core Identity, cookie and token-provider defaults:

• public registration and development confirm links are disabled by default
• password reset tokens default to short lifetimes
• sign-in requires confirmed accounts
• application cookies use stable paths, HttpOnly, SameSite=Lax and sliding expiration
• Identity events are sanitized before publishing

Production hosts should configure persistent DataProtection key storage outside of the app directory and use a shared key ring for multi-node deployments. The option model exposes this baseline, but the host remains responsible for selecting the environment-specific key store.

Diagnostics

Loggers are injected throughout repository and manager classes. Enable the category Redeon.SuperSiteEngineCore.Web.Eltheon.Core.Features.Identity to observe user, role or permission operations during troubleshooting.

Metrics

• eltheon_identity_login_attempts_total{outcome="success|failed|lockedout|requires2fa"} – emitted by EltheonSignInManager for every sign-in attempt.
• eltheon_identity_user_registered_total – emitted on successful registration.
• eltheon_identity_roles_created_total{outcome="success|failed"} – emits when roles are created via AuthRepository.
• eltheon_identity_user_role_assignments_total{outcome="success|failed"} – emits when users are added to roles via AuthRepository.

Identity records metrics through Core.Abstractions.v1.Metrics.IMetrics; no concrete metrics feature is required.

Events

Identity event emission is enabled by default through IdentityEventOptions.EnableEvents.

Canonical events currently prepared for hosts and templates:

• Eltheon.Identity.UserCreated
• Eltheon.Identity.UserUpdated
• Eltheon.Identity.UserDeleted
• Eltheon.Identity.RoleCreated
• Eltheon.Identity.RoleUpdated
• Eltheon.Identity.RoleDeleted
• Eltheon.Identity.UserRoleAssigned
• Eltheon.Identity.UserRoleRemoved
• Eltheon.Identity.LoginSucceeded
• Eltheon.Identity.LoginFailed
• Eltheon.Identity.PasswordResetRequested
• Eltheon.Identity.PasswordResetCompleted