ASP.NET Identity Auth vs ServiceStack Auth

tbednarz · November 12, 2025, 4:06pm

I am very interested in the new API key feature. I was reading a bit about it and if I understood things right, it is using EF which means I need a RDBMS as data store. I was happy to say good by to RDMBSs about 10 years ago, and no one on earth can bring be back. I use MongoDB since its very early stages and also Redis. I use only ReplicaSets and clusters which are built-in features in both systems (by built-in I mean they where designed from gound up for these scenarios). RDBMSs have such features as well, but they are a hell to maintain if you talk to SysAdmins who do it.

So I have no problem in redesigning my old code base (I have forked old projects). However for productivity reasons I will focus on application functionality and not so much on ‘infrastructure’. So maybe someone can tell me a bit more about MongoDB and ASP.NET Identity Auth. Is there any way of doing it? Does someone have experience with it?

I found a community project that seems to implement it with MongoDB: GitHub - matteofabbri/AspNetCore.Identity.Mongo: This is a MongoDB provider for the ASP.NET Core 2 Identity framework. No idea how good it is and how it will be supported in the future.

Any feedback would be greatly appreceated.

tbednarz · November 12, 2025, 5:11pm

I just noticed that MongoDB has a EF provider for MongoDB. I found this blog post on how to use it with a generic ASP.NET application. I think it is not very well done, ObjectIDs can easily converted to strings and vice versa. And the post is from January, so things may have changed since then too. At least MongoDB is updating the NuGet library regularly.
So I will create and download a sample app from the ServiceStack homepage to see if it works and if I can plugin a MongoDB database instead of an RDBMS.
However, if anybody has done this and has some experience with it, I would greatly appreciate if you could share some of your experience!

mythz · November 12, 2025, 11:24pm

No, the only thing that uses EF is the ASP .NET Identity Auth classes, so we can use the exact same Identity Auth classes and features all other .NET Identity Auth Apps use.

Every other feature that doesn’t exist in ASP .NET Identity Auth uses OrmLite, like API Keys.

There’s very unlikely to be any further investments in MongoDB, I’d recommend switching to an RDBMS for new projects.

tbednarz · November 13, 2025, 8:45am

Thanks for the info, don’t like to hear that, but MariaDB for the stuff ServiceStack requires a database may be a good selection. I stay with MongoDB and Redis and Qdrant for all my app specific data.

mythz · November 13, 2025, 8:53am

I’ve not tried implementing an alternative backend yet, you should be able to use a different backend by implementing these interfaces and registering it in the IOC:

public interface IApiKeyResolver
{
    string? GetApiKeyToken(IRequest req);
}

public interface IApiKeySource
{
    Task<IApiKey?> GetApiKeyAsync(string key);
    Task<IApiKey?> GetApiKeyByIdAsync(int id);
    Task<List<IApiKey>> GetApiKeysByUserIdAsync(string? userId);
}

You can find the OrmLite implementation at:

github.com/ServiceStack/ServiceStack

ServiceStack/src/ServiceStack.Server/ApiKeysFeature.cs

66d3da92c


      
          public class ApiKeyResolver(ApiKeysFeature feature) : IApiKeyResolver
          {
              public string? GetApiKeyToken(IRequest req)
              {
                  return feature.GetApiKeyToken(req);
              }
          }
          public class ApiKeysFeatureSource(ApiKeysFeature feature) : IApiKeySource
          {
              public async Task<IApiKey?> GetApiKeyFromDbAsync(string key)
              {
                  using var db = feature.OpenDb();
                  var apiKey = await db.SingleAsync<ApiKeysFeature.ApiKey>(x => x.Key == key);
                  if (apiKey == null) 
                      return null;
                  if (apiKey.CancelledDate != null)
                      throw HttpError.Unauthorized(ErrorMessages.ApiKeyHasBeenCancelled.Localize());
                  if (apiKey.ExpiryDate != null && apiKey.ExpiryDate < DateTime.UtcNow)
                      throw HttpError.Unauthorized(ErrorMessages.ApiKeyHasExpired.Localize());
                  return apiKey;

This file has been truncated. show original