Squidex.Identity for dummies

Hi,

We’ve fallen in love with Squidex and have set up an instance in Azure: “https://companyname-dev.azurewebsites.net/app”

We’ve created apps for the different test environments for the customer: dev, test, and stage

Our Swagger spec then looks like this:
“host”: “company-dev.azurewebsites.net”
“paths”: “/content/{environment}/bookings” (example for the booking schema)

We would like to connect native apps to the APIs. Ad-hoc users should be able to register with e.g. phone number + OTP + PIN or email + password. We will not use any third party providers. This must be done by native code and we will not use webview for this.

The clients (native apps) need to be able to create new users and log them in (i.e. get an access token). These users will be given a set of claims, and we want to protect certain schemas in the CMS from the ad-hoc users. They should e.g. not be able to query the user table or PUT/POST data in certain tables.

I’m a PM and need to map out the complexity, architecture and implementation of handling security.

Our initial thoughts were to pipe some of the APIs through Azure API Management and do initial claim validation there. This would enable us to have control over the APIs we publish and restrict access.

I would love to get a step-by-step implementation guide how to do this with our setup.

  1. Do we need to install a second instance of Squidex, e.g. https://companyname-identity-dev.azurewebsites.net/app? I’ve seen ambiguous proposals regarding this. Or should we set up identity apps within our instance (https://companyname-dev.azurewebsites.net/app) for dev, test and stage?

  2. Which APIs will we use for creating new users and getting access tokens for the different environments (apps)?

  3. It would be good to understand how we should fill out the template schemas in the identity app.

  4. How can we restrict access to APIs by user claims?

I would be extremely happy if anybody can help me out here so we can map out the complete structure, authentication, and authorisation for our apps/environments.

Thanks in advance for spending time helping us out.

Cheers
Runar

Hi,

The permission management in Squidex is not very sophisticated yet; if your instance is accessible from the outside, I always recommend an API proxy such as Azure API Management.

About your questions:

  1. I would use several apps, this is what apps are for.

  2. The generated APIs for your identity app. Squidex Identity does not provide any API yet, but it might be a good idea to add it.

  3. The identity server documentation can help here; we can also do a Skype session or so: https://identityserver4.readthedocs.io/en/release/reference/api_resource.html

  4. For identity server, an API is called a resource. A resource can define which claims should be added to the identity token. E.g. Squidex has an internal identity server as well, and the API needs the role and email address: https://github.com/Squidex/squidex/blob/master/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs#L86. Given the role, you can just use validation attributes in your API to check if the user has the permissions.
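To make point 4 concrete (and the original question's wish to block ad-hoc users from PUT/POST on certain schemas), here is an added example of the pattern described: an IdentityServer4 API resource that copies the `role` and `email` user claims into access tokens, and an ASP.NET Core API that checks those roles with authorization attributes. This is illustration code, not Squidex's or Squidex.Identity's own; the resource name `bookings-api`, the role names `adhoc` and `editor`, the policy names, the authority URL and `BookingsController` are all assumptions.

```csharp
// Added example, not Squidex code. Resource name, role names, policy names, authority
// URL and controller are assumptions chosen for illustration.
using System.Collections.Generic;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class IdentityConfig
{
    // One ApiResource per protected API. UserClaims lists the user claims that
    // IdentityServer copies into access tokens issued for this resource, so the API
    // can authorize on them without calling back to the identity server.
    public static IEnumerable<ApiResource> GetApiResources() =>
        new List<ApiResource>
        {
            new ApiResource("bookings-api", "Bookings API")
            {
                UserClaims = { "role", "email" }
            }
        };
}

public static class ApiSecuritySetup
{
    // Called from Startup.ConfigureServices of the bookings API.
    public static void AddBookingsSecurity(this IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Assumed identity server URL; tokens from anywhere else are rejected.
                options.Authority = "https://companyname-identity-dev.azurewebsites.net";
                // Accept only tokens issued for this API resource (aud claim).
                options.Audience = "bookings-api";
                // Read roles from the plain "role" claim the token carries.
                options.TokenValidationParameters.RoleClaimType = "role";
            });

        services.AddAuthorization(options =>
        {
            // Ad-hoc users and editors may read bookings.
            options.AddPolicy("CanReadBookings", p => p.RequireRole("adhoc", "editor"));
            // Only editors may create or change bookings; ad-hoc users get 403.
            options.AddPolicy("CanWriteBookings", p => p.RequireRole("editor"));
        });
    }
}

[ApiController]
[Route("content/{environment}/bookings")]
public class BookingsController : ControllerBase
{
    [HttpGet]
    [Authorize(Policy = "CanReadBookings")]
    public IActionResult List(string environment) =>
        Ok(new object[0]); // placeholder: would query the CMS for this environment

    [HttpPost]
    [Authorize(Policy = "CanWriteBookings")]
    public IActionResult Create(string environment, [FromBody] object booking) =>
        Created($"/content/{environment}/bookings", booking);

    // No [Authorize] attribute and no [AllowAnonymous]: falls back to whatever the
    // global policy is, so set a fallback policy requiring authentication in Startup
    // rather than relying on every action being decorated.
}
```

The split into a read policy and a write policy is what makes the "ad-hoc users may read but not PUT/POST" requirement checkable per action; the `RoleClaimType` setting matters because without it the JWT handler may look for a differently named role claim and every `RequireRole` check silently fails with 403. If Azure API Management sits in front, its JWT validation can reject unauthenticated calls early, but the role checks shown here still belong in the API so that a misconfigured gateway does not become the only line of defence.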