Introducing IdentityServer4 for authentication and access control in ASP.NET Core
This is a guest post by Brock Allen and Dominick Baier. They are security consultants, speakers, and the authors of many popular open source security projects, including IdentityServer.
Modern applications need modern identity. The protocols used for implementing features like authentication, single sign-on, API access control and federation are OpenID Connect and OAuth 2.0. IdentityServer is a popular open source framework for implementing authentication, single sign-on and API access control using ASP.NET.
While IdentityServer3 has been around for quite a while, it was based on ASP.NET 4.x and Katana. For the last several months we've been working on porting IdentityServer to .NET Core and ASP.NET Core. We are happy to announce that this work is now almost done and IdentityServer4 RC1 was published to NuGet on September 6th.
IdentityServer4 allows building the following features into your applications:
- Authentication as a Service: Centralized login logic and workflow for all of your applications (web, native, mobile, services and SPAs).
- Single Sign-on / Sign-out: Single sign-on (and out) over multiple application types.
- Access Control for APIs: Issue access tokens for APIs for various types of clients, e.g. server to server, web applications, SPAs and native/mobile apps.
- Federation Gateway: Support for external identity providers like Azure Active Directory, Google, Facebook, etc. This shields your applications from the details of how to connect to these external providers.
- Focus on Customization: The most important part – many aspects of IdentityServer can be customized to fit your needs. Since IdentityServer is a framework and not a boxed product or a SaaS, you can write code to adapt the system the way it makes sense for your scenarios.
There are also quick-start tutorials and samples that walk you through common scenarios for protecting APIs and implementing token-based authentication.
- IdentityServer Overview
- Protecting an API using client credentials
- Protecting an API using passwords
- OpenID Connect authentication
- External authentication
- Hybrid Flow and API access
- ASP.NET Core Identity
- Configuration with EntityFramework
Give it a try. We appreciate feedback, suggestions, and bug reports on our issue tracker.