Identity Backend Template

The ConnectSoft Identity Backend Template is a specialized microservice template that extends the Base Template to provide identity and user management functionality. It includes user authentication, authorization, profile management, and multi-tenant identity support.

Overview

The Identity Backend Template generates a production-ready identity microservice that handles user management, authentication, and authorization. It extends the Base Template through the overlay composition model, adding identity-specific domain logic, APIs, and infrastructure while reusing the base microservice structure.

When to Use This Template

Use the Identity Backend Template when:

• Building identity and user management microservices
• Implementing user authentication and authorization
• Creating user profile management systems
• Building multi-tenant identity solutions
• Developing identity services for SaaS platforms
• Implementing user registration, login, and account management

When to Use Authorization Server Template Instead

Use the Authorization Server Template when:

• Building OAuth2/OpenID Connect authorization servers
• Implementing token-based authentication (access tokens, refresh tokens)
• Creating authorization servers for API access
• Building SSO (Single Sign-On) solutions
• Managing OAuth2 clients and scopes

The Identity Backend Template focuses on user identity management, while the Authorization Server Template focuses on OAuth2/OpenID Connect token issuance and validation.

Key Features

User Management

• User Registration: User account creation and registration
• User Authentication: Login and authentication flows
• User Profiles: User profile management and updates
• Password Management: Password reset, change, and recovery
• Account Management: Account activation, deactivation, and deletion

Authentication

• Multiple Authentication Methods: Username/password, email/password, social login
• Multi-Factor Authentication (MFA): TOTP, SMS, email-based MFA
• Session Management: User session handling and management
• Password Policies: Configurable password strength requirements

Authorization

• Role-Based Access Control (RBAC): Role and permission management
• User Roles: Assign and manage user roles
• Permission Management: Fine-grained permission control
• Policy-Based Authorization: Policy-driven authorization decisions

Multi-Tenant Support

• Tenant Isolation: Tenant-specific user data isolation
• Tenant Management: Tenant provisioning and configuration
• Per-Tenant Identity: Tenant-specific identity configuration
• Cross-Tenant Operations: Support for cross-tenant operations when needed

Identity Domain

• Identity Domain Model: User, Role, Permission entities
• Identity Services: Domain services for identity operations
• Identity Events: Domain events for identity changes
• Identity Specifications: Query specifications for identity data

Generated Structure

The Identity Backend Template extends the Base Template structure:

IdentityBackendTemplate/
├── base-template/                 # Git submodule → MicroserviceTemplate.Base
│   ├── src/
│   │   ├── Host/
│   │   ├── Domain/
│   │   ├── Application/
│   │   └── Infrastructure/
│   └── tests/
├── src/                          # Identity-specific code
│   ├── Identity.Api/             # Identity API controllers
│   ├── Identity.Domain/         # Identity domain model
│   │   ├── Entities/
│   │   │   ├── User.cs
│   │   │   ├── Role.cs
│   │   │   └── Permission.cs
│   │   ├── ValueObjects/
│   │   ├── Services/
│   │   └── Events/
│   ├── Identity.Application/     # Identity application layer
│   ├── Identity.Infrastructure/  # Identity infrastructure
│   │   ├── Persistence/
│   │   └── ExternalServices/
│   └── Identity.Host/            # Identity host (if separate)
├── tests/                        # Identity-specific tests
│   ├── Identity.UnitTests/
│   ├── Identity.IntegrationTests/
│   └── Identity.AcceptanceTests/
├── docs/                         # Identity-specific documentation
│   ├── identity-overview.md
│   ├── identity-auth-flows.md
│   └── identity-api.md
└── template/
    ├── identity.template.extend.json  # Extends base template.json
    ├── ide.host.json
    └── dotnetcli.host.json

Template Composition

The Identity Backend Template is composed from:

Base Template (Layer 2)

• Microservice structure (Host, Domain, Application, Infrastructure)
• Base bootstrapping and configuration
• Common health checks and resilience
• Base testing infrastructure

Identity Overlay (Layer 3)

• Identity domain model (User, Role, Permission)
• Identity APIs and controllers
• Identity services and use cases
• Identity-specific tests and documentation

Template Parameters

The Identity Backend Template extends base template parameters:

Parameter	Type	Required	Default	Description
ServiceName	string	Yes	IdentityService	Name of the identity service
RootNamespace	string	No	Company.Identity	Root namespace
SupportMultiTenant	bool	No	true	Enable multi-tenant support
EnableMFA	bool	No	true	Enable multi-factor authentication
PasswordPolicy	choice	No	Standard	Password policy strength
UseSocialLogin	bool	No	false	Enable social login (Google, Microsoft, etc.)

Quick Start

Step 1: Create Identity Backend

dotnet new connectsoft-identity-backend \
  --name MyIdentityService \
  --service-name "IdentityService" \
  --support-multi-tenant true \
  --enable-mfa true

Step 2: Configure Identity Settings

Update appsettings.json with identity configuration:

{
  "IdentityService": {
    "Database": {
      "ConnectionString": "..."
    },
    "Authentication": {
      "JwtSecret": "...",
      "TokenExpiration": "01:00:00"
    },
    "PasswordPolicy": {
      "MinLength": 8,
      "RequireUppercase": true,
      "RequireLowercase": true,
      "RequireDigit": true,
      "RequireSpecialChar": true
    },
    "MultiTenant": {
      "Enabled": true,
      "TenantIsolationMode": "DatabasePerTenant"
    }
  }
}

Step 3: Register Services

// In Program.cs
builder.Services.AddIdentityOptions(builder.Configuration);
builder.Services.AddIdentityServices();
builder.Services.AddIdentityApi();

Step 4: Use Identity APIs

The template generates REST APIs for:

• POST /api/users/register - User registration
• POST /api/users/login - User login
• GET /api/users/{id} - Get user profile
• PUT /api/users/{id} - Update user profile
• POST /api/users/{id}/password/change - Change password
• POST /api/users/{id}/password/reset - Reset password
• GET /api/users/{id}/roles - Get user roles
• POST /api/users/{id}/roles - Assign roles

Architecture

Identity Domain Model

classDiagram
    class User {
        +Guid Id
        +string Email
        +string Username
        +string PasswordHash
        +bool IsActive
        +DateTime CreatedAt
        +List~Role~ Roles
    }

    class Role {
        +Guid Id
        +string Name
        +string Description
        +List~Permission~ Permissions
    }

    class Permission {
        +Guid Id
        +string Name
        +string Resource
        +string Action
    }

    User "many" --> "many" Role
    Role "many" --> "many" Permission

Hold "Alt" / "Option" to enable pan & zoom

Design Principles

• Domain-Driven Design: Identity domain model with entities, value objects, and services
• Clean Architecture: Separation of concerns across layers
• Security-First: Secure by default with password hashing, MFA, and RBAC
• Multi-Tenancy: Tenant isolation and management built-in
• Event-Driven: Identity events for user lifecycle changes
• Observability: Comprehensive logging and monitoring

Integration with AI Factory

The Identity Backend Template is used by:

• Identity Platform Generator: Generates identity microservices
• Security Architect Agent: Designs identity architecture
• Platform Generator Agent: Includes identity in platform projects
• Backend Developer Agent: Uses identity service in microservice development

Integration with Other Templates

Authorization Server Template

The Identity Backend Template can work alongside the Authorization Server Template:

• Identity Backend: Manages users, profiles, and authentication
• Authorization Server: Issues OAuth2/OpenID Connect tokens
• Integration: Identity Backend authenticates users, Authorization Server issues tokens

Platform Template

The Identity Backend Template is often included in Platform Templates:

• Provides identity services for the platform
• Manages users across platform services
• Enables single sign-on across platform services

Best Practices

Security

• Password Hashing: Use strong password hashing (bcrypt, Argon2)
• Token Security: Secure JWT token generation and validation
• MFA: Enable multi-factor authentication for sensitive operations
• Rate Limiting: Implement rate limiting for login and registration
• Audit Logging: Log all identity-related operations

User Management

• Email Verification: Require email verification for new accounts
• Account Lockout: Implement account lockout after failed login attempts
• Password Policies: Enforce strong password policies
• Profile Validation: Validate user profile data

Multi-Tenancy

• Tenant Isolation: Ensure strict tenant data isolation
• Tenant Context: Pass tenant context through all operations
• Cross-Tenant Queries: Prevent cross-tenant data access
• Tenant Provisioning: Automate tenant provisioning

Related Documents

• Base Template - Foundation template
• Authorization Server Template - OAuth2/OpenID Connect server
• Security-First Architecture - Security principles
• Template Architecture - Template architecture overview
• Microservice Template - Full microservice template