Skip to content
Introducing the next era of Duende IdentityServer. Read our CEO’s announcement

User Management

This section contains a sample demonstrating Duende User Management with IdentityServer. User Management is a user store and authentication platform that ships as a NuGet package and replaces ASP.NET Identity for IdentityServer scenarios.

This sample contains the finished source code for the Getting Started with User Management tutorial.

This sample demonstrates a full IdentityServer deployment using Duende User Management for user storage and authentication. It covers multiple authentication methods working together in a single application, orchestrated by .NET Aspire.

Authentication methods demonstrated:

  • Email OTP: enter email, receive a code via SMTP, verify, and sign in (unknown emails are auto-registered)
  • Password + TOTP 2FA: email/password login with time-based one-time password as a second factor
  • Passkeys: after first OTP login, users are prompted to register a passkey for future passwordless sign-in
  • Passkey as second factor: after password verification, users can tap a passkey instead of entering a TOTP code
  • Google external login: OAuth callback creates or links a local profile automatically

Additional features:

  • User profile management using a schema-driven attribute model (extensible attributes rather than a fixed user table)
  • ASP.NET Identity migration: the Admin Import page demonstrates bulk-importing users from an existing ASP.NET Identity database, including password hash compatibility, claims-to-attributes mapping, and deterministic subject ID generation
  • Second factor state management: encrypted cookies coordinate the 2FA flow between password verification and TOTP/passkey completion

The sample uses .NET Aspire to orchestrate IdentityServer, a client application, and Mailpit (for local email testing) in a single dotnet run command.

This sample demonstrates Duende User Management functionality for passwords. It validates an OTP sent to a user’s email for initial authentication, then allows the user to set a password. It also includes Forgot Password functionality for resetting a password after validating an OTP.

Concepts demonstrated:

  • Password Configuration: Password length and complexity through the PasswordOptions configuration.
  • Custom Password Validator: An IPasswordValidator with custom logic to block passwords in a hard-coded list.
  • Unique Custom Attributes: A unique Duende.Storage.EntityAttributeValue.AttributeDefinition for the user’s email address to tie the sign-in password to the email address.
  • Custom Attribute Data: Allows the user to edit custom profile data stored in attributes through the /Account page.

The sample uses .NET Aspire to orchestrate IdentityServer and Mailpit (for local email testing) in a single dotnet run command.