Identity Backend Template — Architecture
Responsibilities
| Concern | Identity Backend | Notes |
|---|---|---|
| User store | Primary | Relational or document persistence per scaffold |
| Credentials | Primary (when local passwords used) | Hashing, lockout, recovery flows |
| Roles & claims | Primary | Issued into tokens by Authorization Server; APIs expose management |
| Interactive auth | Often here | Cookie sessions, external providers wiring |
| OAuth2 / OIDC server | Not primary | Use Authorization Server |
Clean Architecture layers
Identity follows the same ConnectSoft.*.DomainModel / ApplicationModel / Application / PersistenceModel.* / ServiceModel.* structure as other Layer 3 templates. Domain holds aggregates such as User, Role, Claim concepts (exact names per generated solution); Application coordinates use cases; ServiceModel exposes HTTP/gRPC as configured.
Dependency injection
IdentityMicroserviceRegistration (name may vary slightly by version) extends MicroserviceRegistrationBase to register:
- Identity stores, validators, and token/claims integration points
- Host pipeline pieces (middleware ordering consistent with security guidance)
- Health, caching, and observability hooks inherited from Base
Integration points
```mermaid
flowchart LR
    GW[API Gateway]
    Id[Identity Backend]
    AS[Authorization Server]
    MS[Microservices]
    GW --> Id
    GW --> MS
    AS --> Id
    MS --> AS
```
- Authorization Server reads user state and issues tokens.
- The Gateway may either call Identity directly for BFF operations (profile, admin) or rely on the JWT alone; pick one pattern per product and apply it consistently.
- Microservices trust issuer metadata (JWKS / issuer URL) configured for the Authorization Server.
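An added example (not code from the template or a generated solution) of the microservice side of this trust relationship in ASP.NET Core: the service discovers the Authorization Server's metadata and JWKS from the issuer URL, but pins the expected issuer and audience explicitly rather than accepting whatever discovery returns. The authority URL, audience name, role claim name and policy name are assumed values.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using System.Security.Claims;

var builder = WebApplication.CreateBuilder(args);

// Assumed values: the Authorization Server's issuer URL and the audience this
// microservice is registered under. In a real deployment they come from configuration.
const string Authority = "https://auth.example.com";
const string Audience = "orders-api";

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Discovery document and JWKS are fetched from the Authorization Server;
        // signing keys are cached and refreshed when an unknown 'kid' is seen.
        options.Authority = Authority;
        options.RequireHttpsMetadata = true;
        options.MapInboundClaims = false; // .NET 8+: keep 'sub', 'role' etc. as issued

        options.TokenValidationParameters = new TokenValidationParameters
        {
            // Pin issuer and audience instead of trusting discovery alone.
            ValidateIssuer = true,
            ValidIssuer = Authority,
            ValidateAudience = true,
            ValidAudience = Audience,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30),
            NameClaimType = "sub",
            RoleClaimType = "role", // assumed: claim name the Authorization Server issues
        };
    });

// Roles and claims issued into the token (sourced from Identity) drive authorization policies.
builder.Services.AddAuthorization(options =>
    options.AddPolicy("IdentityAdmin", p => p.RequireRole("identity-admin")));

var app = builder.Build();
app.UseAuthentication(); // must precede UseAuthorization in the pipeline
app.UseAuthorization();

app.MapGet("/me", (ClaimsPrincipal user) => Results.Ok(new { Subject = user.Identity?.Name }))
   .RequireAuthorization();

app.Run();
```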
Multi-tenancy
When enabled, tenant isolation applies to stores, APIs, and administration. Align the connection and schema strategy with the multitenancy and configuration alignment guidance.