I cannot understand the difference between the two. ASP.NET Identity is based on OWIN and does not introduce a middleware, while IdentityServer introduces one. I'm confused.
ASP.NET Identity is a user store/identity management library. It includes some OWIN helper classes to hook into the OWIN security middleware, but otherwise has nothing to do with authentication.
IdentityServer is an OpenID Connect provider, that acts as a central authentication server for multiple applications. It has nothing to do with user storage or identity management.
I am trying to create a login MVC application in .NET through which any identity provider that supports OpenID Connect for authentication and OAuth 2.0 for authorization should be able to communicate. The objective is that all my microservices will then call the login service (which will act as a proxy) to perform single login, single logout and authorization via different identity providers such as Ping Identity or Okta or perhaps Azure AD.
Which NuGet package will be best to use in my login MVC application: Microsoft.AspNetCore.Authentication.OpenIdConnect or Microsoft.Owin.Security.OpenIdConnect? If there is any other library, please shed some light. I am new to OpenID Connect and identity providers, so please help me out here.
I would use Microsoft.AspNetCore.Authentication.OpenIdConnect for ASP.NET Core projects and Microsoft.Owin.Security.OpenIdConnect if you are using .NET Framework.
I have a single ASP.NET Core 3.1.8 web application which uses ASP.NET Identity.
Now I've added some externally callable REST API.
I am stuck on how to add token(?) based authentication to my API.
It seems that ASP.NET Identity does not support API authentication. In my old .NET Framework Web App I used
app.UseOAuthBearerTokens(OAuthOptions);
so I had a token endpoint, where an external client could ask for a valid token.
Now I have read that to have API authentication I should use either AD, AD B2C or IdentityServer 4. I am OK with the IdentityServer 4 option, but some things are not clear:
IdentityServer will completely replace my ASP.NET Identity? I still want to use the login UI and my existing interactive login logic and UI.
I've read about plug in ASP Identity to IdentityServer 4. So do I have to integrate my existing ASP Identity with IdentityServer 4?
Is it OK to host IdentityServer 4 within the very same Web App, where the UI, and the API is hosted?
I've tried to read the ASP.NET Core repo's source, both 3.1.8 and 5.0.0-rc.1, to get some direction. I would not like to go in a direction that will be considered suboptimal in the next .NET 5 release. I know that there is a completely different way to solve this: AD or AD B2C, and I also have a solution template for that. As an alternative I would like to have a "self-contained" solution too, which is why I invested in ASP.NET Identity. What would be the right future direction on this (self-contained) track to implement external API authentication?
To protect the API itself you typically use the following:
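    // Requires the Microsoft.AspNetCore.Authentication.JwtBearer package
    // and: using Microsoft.IdentityModel.Tokens;
    services.AddAuthentication("Bearer")
        .AddJwtBearer("Bearer", options =>
        {
            // Base URL of the token server (IdentityServer) that issues the tokens
            options.Authority = "https://localhost:5001";
            options.TokenValidationParameters = new TokenValidationParameters
            {
                // The audience ("aud") claim of incoming tokens is not checked
                ValidateAudience = false
            };
        });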
I recommend that if you use IdentityServer, you should put it on its own service, because otherwise it's really hard to figure out what's going on and who is doing what.
IdentityServer does not deal with users, so you need to implement the user database (signup/forgotten password...) by yourself. You can use ASP.NET Identity for that.
IdentityServer will completely replace my ASP.NET Identity?
I would say that it depends on your needs, in some cases IdentityServer replaces ASP.NET Identity, and in some cases not. If you just have a single service to protect, then IdentityServer is probably overkill, because there's a lot to learn.
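An added example, not code from the answer above: one way to keep ASP.NET Identity cookies for the interactive UI while an API in the same ASP.NET Core 3.1 app accepts only bearer tokens, with audience validation left on. `AppDbContext`, `OrdersController`, the in-memory store and the audience value `api1` are assumptions (the token server is assumed to issue tokens whose `aud` is `api1`); the authority URL is the one from the answer.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical names for this example: AppDbContext, OrdersController, audience "api1".
public class AppDbContext : IdentityDbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> o) : base(o) { }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDbContext<AppDbContext>(o => o.UseInMemoryDatabase("demo")); // constructed store
        // Identity keeps owning users and the cookie used by the interactive UI (default scheme).
        services.AddDefaultIdentity<IdentityUser>().AddEntityFrameworkStores<AppDbContext>();
        // Bearer is registered as an additional, non-default scheme for API callers.
        services.AddAuthentication().AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
        {
            options.Authority = "https://localhost:5001"; // token server, as in the answer
            options.Audience = "api1";                    // assumed audience issued for this API
            // A token minted for a different API at the same authority is rejected.
            options.TokenValidationParameters.ValidateAudience = true;
        });
        services.AddControllers();
        services.AddRazorPages();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(e => { e.MapControllers(); e.MapRazorPages(); });
    }
}

[ApiController, Route("api/orders")]
// Only the Bearer scheme may authenticate here; the Identity cookie is not accepted.
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
public class OrdersController : ControllerBase
{
    [HttpGet] public IActionResult Get() => Ok("authenticated via bearer token");
}
```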
What is the proper way to configure and use Asp.Net Core Identity in Web Api application?
I've looked at the documentation, but it looks like it demonstrates cookie-based authentication in view-based MVC web apps, not Web APIs. I know that in ASP.NET Core the MVC web apps and the Web API applications follow the same middleware pipeline, but what if I don't want cookie-based authentication?
Does it make sense to use Identity at all if I want to use a JWT bearer token for authentication? I've walked through a few tutorials which use a JWT bearer token for authentication and also use Identity. I've explored the sample code, and it looks like they are using Identity solely to take advantage of the built-in UserManager and RoleManager classes for the ease they provide with data access.
Do you use Asp.Net Core Identity in your Web Api application when you are using bearer token for authentication? If yes, what purposes does it serve in your application?
I'm porting a web application from ASP.Net to ASP.Net Core and need to support both Windows Integrated Authentication and Cookie Authentication with users stored in the app's database (the app is self-hosted by customers, and different customers use different authentication methods and sometimes migrate from one to the other).
In order to share as much code as possible between the authentication methods I'm using a ClaimsTransformer to add claims to the Windows Auth users that match those that Cookie Auth (using ASP.Net Core Identity) gives me. However, I would like these claims to be stored in a cookie (in a secure way, like Identity does for the cookie auth) so that I don't have to hit the database on every request. Is there a way to do this?
In ASP.Net, I used to look up the user details for the Windows user on the first request and then SignIn with ASP.Net Identity cookie auth; the app would then just use cookie auth the same as if the user had been authenticated with user/password. Unfortunately in Core, it seems that as soon as I call services.AddIdentity in Startup.ConfigureServices, it disables Windows Integrated Authentication.
I'm using ASP.Net Core 2.1 on .Net Framework 4.7 (although we have plans to migrate to .Net Core in a future version, when we can remove some dependencies).
I have the following scenario. I am writing an ASP.NET Core Web API which will be used by mobile and web (ASP.NET Core MVC web app) apps.
I authenticate the user using the ASP.NET Core Identity framework class SignInManager (I added the account controller and related classes manually) and then generate an OAuth token which will be used by client applications. By doing so I have 2 identities associated with the user: one is created after I log in using SignInManager.PasswordSignInAsync, and the second is created by generating the OAuth JWT token.
Is this correct approach or not?
Thanks
https://blogs.msdn.microsoft.com/webdev/2016/10/27/bearer-token-authentication-in-asp-net-core/
That might shed some light on what direction to go. There is also another blog post about using IdentityServer4 (3rd party), which works well.
https://blogs.msdn.microsoft.com/webdev/2017/01/23/asp-net-core-authentication-with-identityserver4/