Redeon.SuperSiteEngineCore.Web.Eltheon.Core.Features.Identity

Purpose

The Identity feature extends ASP.NET Core Identity with Eltheon-specific repositories, managers, runtime permission evaluation, typed permissions, events and metrics. It centralizes Identity ownership so hosts can keep project-specific UI while using the same authorization and event surface.

Building Blocks

• v1/Extensions registers the feature through AddEltheonIdentityCore().
• v1/Interfaces define repositories (IAuthRepository) and runtime permission managers (IEltheonPermissionManager).
• v1/Manager contains Identity-owned orchestration such as EltheonPermissionManager and EltheonSignInManager.
• v1/Permissions exposes typed User/Role admin permission sets.
• v1/Cache owns runtime permission cache abstraction and the default memory-cache implementation.
• v1/WebUi adapts Identity permission checks to Core.WebUi.
• v1/ExternalAuth contains provider-neutral external authentication contracts, options, diagnostics managers, conservative group-to-role mapping, provisioning, an in-memory directory cache with managed sync service and the LDAP/AD provider foundation.
• v1/Models (AuthRole, RolePermission, Permission) capture role metadata and grant matrices that can be serialized, seeded or exposed via APIs.
• Converter and enum types (PermissionTypeConverter, PermissionType) make it simple to map between persisted values and domain friendly enums.

Usage

1. Register the Identity feature alongside ASP.NET Core Identity in your host:

builder.Services.AddDefaultIdentity<IdentityUser>()
    .AddRoles<AuthRole>()
    .AddEntityFrameworkStores<AuthDbContext>()
    .AddDefaultTokenProviders();

builder.Services.AddEltheonIdentityCore();
builder.Services.AddEltheonIdentitySecurityDefaults(options =>
{
    options.Registration.AllowPublicRegistration = false;
});

For DB-backed ExternalAuth management, hosts with an EF-backed auth context also register the concrete store:

builder.Services.AddEltheonExternalAuthenticationDbStore<AuthDbContext>();

2. Register the feature Razor Class Library application part when configuring Razor Pages and MVC:

builder.Services.AddRazorPages()
    .AddEltheonIdentityApplicationPart();

builder.Services.AddMvc()
    .AddEltheonIdentityApplicationPart();

3. Reference the shared models in Razor pages, controllers or APIs when exposing role/permission settings.
4. Use the provided converters when persisting or reading permission values from configuration stores.

External Authentication

External authentication is disabled by default. Register provider-neutral services through AddEltheonIdentityCore() and enable providers explicitly:

builder.Services.AddEltheonExternalAuthentication(options =>
{
    options.Enabled = true;
    options.Mode = ExternalAuthMode.LocalFirstThenExternal;
});

builder.Services.AddEltheonLdapExternalAuthentication(options =>
{
    options.Host = "dc.example.test";
    options.BaseDn = "DC=example,DC=test";
});

LDAP defaults to LDAPS on port 636. Plain LDAP is rejected unless AllowInsecurePlainLdap is explicitly enabled. Bind credentials are accepted as options for bootstrap/fallback, but the management UI stores provider secrets through ASP.NET Core DataProtection and never returns, logs or emits cleartext/protected secret values.

External Authentication Management

The Identity RCL owns the Admin ExternalAuth shell pages under /Admin/Identity/ExternalAuth/* and the API surface under /api/v1/admin/identity/external-auth/*. The DB-backed store is the source of truth for runtime settings, providers, group mappings and diagnostics. Options remain defaults and fallback only.

The package also registers ExternalDirectorySyncService as an IEltheonManagedService. The service can be triggered through the existing Services admin surface and refreshes sanitized directory group caches for active provider instances. Auto-refresh stays disabled by default and can be enabled through EltheonExternalAuthOptions.DirectoryCache.AutoRefreshEnabled.

Integration Notes

• Runtime permission caching uses IMemoryCache through IIdentityPermissionCache.
• The package does not configure ASP.NET Identity stores itself. Continue to call AddIdentity / AddDefaultIdentity in your host and then call AddEltheonIdentityCore().
• The package owns the Admin Users pages, Admin Roles page, Admin Roles API and User Profile edit page through its RCL. Account pages under /Identity/Account/* remain host-owned so themes can stay host-specific while PageModels delegate to Identity managers.
• Hosts that persist role-permission matrices provide an IIdentityRolePermissionStore adapter. The Identity package does not reference the concrete Permissions feature or host database context.
• External directory integrations use Identity-owned provider contracts and ASP.NET Identity external-login links. The management phase adds AuthDbContext tables for ExternalAuth settings, providers, group mappings and diagnostics; directory group cache data remains in memory only.
• Identity references Core.WebUi only for the permission evaluator adapter. Domain permission evaluation stays in EltheonPermissionManager.
• The package is designed to be consumed by both web hosts and plugins, allowing consistent enforcement of authorization policies.
• Defines canonical Identity event names, metadata and safe payload/options contracts. Hosts that already reference the Eltheon event bus can publish these signals from the mutation owner without including passwords, reset tokens, confirmation tokens, reset links or raw email addresses.

Security Defaults

AddEltheonIdentitySecurityDefaults() registers EltheonIdentityOptions and applies conservative ASP.NET Core Identity, cookie and token-provider defaults:

• public registration and development confirm links are disabled by default
• password reset tokens default to short lifetimes
• sign-in requires confirmed accounts
• application cookies use stable paths, HttpOnly, SameSite=Lax and sliding expiration
• Identity events are sanitized before publishing

Production hosts should configure persistent DataProtection key storage outside of the app directory and use a shared key ring for multi-node deployments. The option model exposes this baseline, but the host remains responsible for selecting the environment-specific key store.

Diagnostics

Loggers are injected throughout repository and manager classes. Enable the category Redeon.SuperSiteEngineCore.Web.Eltheon.Core.Features.Identity to observe user, role or permission operations during troubleshooting.

Metrics

• eltheon_identity_login_attempts_total{outcome="success|failed|lockedout|requires2fa"} – emitted by EltheonSignInManager for every sign-in attempt.
• eltheon_identity_user_registered_total – emitted on successful registration.
• eltheon_identity_roles_created_total{outcome="success|failed"} – emits when roles are created via AuthRepository.
• eltheon_identity_user_role_assignments_total{outcome="success|failed"} – emits when users are added to roles via AuthRepository.

Identity records metrics through Core.Abstractions.v1.Metrics.IMetrics; no concrete metrics feature is required.

Events

Identity event emission is enabled by default through IdentityEventOptions.EnableEvents.

Canonical events currently prepared for hosts and templates:

• Eltheon.Identity.UserCreated
• Eltheon.Identity.UserUpdated
• Eltheon.Identity.UserDeleted
• Eltheon.Identity.RoleCreated
• Eltheon.Identity.RoleUpdated
• Eltheon.Identity.RoleDeleted
• Eltheon.Identity.UserRoleAssigned
• Eltheon.Identity.UserRoleRemoved
• Eltheon.Identity.LoginSucceeded
• Eltheon.Identity.LoginFailed
• Eltheon.Identity.PasswordResetRequested
• Eltheon.Identity.PasswordResetCompleted