.NET Core Identity Server 4 Authentication VS Identity Authentication

I'm trying to understand the proper way to do authentication in ASP.NET Core. I've looked at several resources (most of which are outdated).

Some people provide alternative solutions, stating to use a cloud-based solution such as Azure AD, or to use IdentityServer4 and host my own token server.

In older versions of .NET, one of the simpler forms of authentication would be to create a custom IPrincipal and store additional authentication user data inside.

using System.Security.Principal;   // IIdentity, GenericIdentity
using System.Web.Security;         // Roles

public interface ICustomPrincipal : System.Security.Principal.IPrincipal
{
    string FirstName { get; set; }

    string LastName { get; set; }
}

public class CustomPrincipal : ICustomPrincipal
{
    public IIdentity Identity { get; private set; }

    public CustomPrincipal(string username)
    {
        this.Identity = new GenericIdentity(username);
    }

    // True only for an authenticated identity that the role provider places in the role.
    public bool IsInRole(string role)
    {
        return Identity != null && Identity.IsAuthenticated &&
           !string.IsNullOrWhiteSpace(role) && Roles.IsUserInRole(Identity.Name, role);
    }

    public string FirstName { get; set; }

    public string LastName { get; set; }

    public string FullName { get { return FirstName + " " + LastName; } }
}

// Shape of the user data serialized into the forms authentication ticket.
public class CustomPrincipalSerializedModel
{
    public int Id { get; set; }

    public string FirstName { get; set; }

    public string LastName { get; set; }
}

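Then you would serialize your data into a cookie and return it back to the client.

// Needs: System, System.Web, System.Web.Security, System.Web.Script.Serialization
public void CreateAuthenticationTicket(string username)
{
    var authUser = Repository.Find(u => u.Username == username);
    CustomPrincipalSerializedModel serializeModel = new CustomPrincipalSerializedModel();

    serializeModel.FirstName = authUser.FirstName;
    serializeModel.LastName = authUser.LastName;
    JavaScriptSerializer serializer = new JavaScriptSerializer();
    string userData = serializer.Serialize(serializeModel);

    // Assumed arguments (the call is truncated in the post): version 1,
    // non-persistent, expiring after the configured forms timeout.
    FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket(
        1, username, DateTime.Now, DateTime.Now.Add(FormsAuthentication.Timeout),
        false, userData);
    string encTicket = FormsAuthentication.Encrypt(authTicket);
    HttpCookie faCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket);
    HttpContext.Current.Response.Cookies.Add(faCookie);   // return the cookie to the client
}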

My questions are:

  1. How can I authenticate similar to the way it was done in previous versions of .NET? Does the old way still work, or is there a newer version?

  2. What are the pros and cons of using your own token server versus creating your own custom principal?

  3. When using a cloud-based solution or a separate token server, how would you integrate that with your current application? Would I still need a users table in my application, and how would you associate the two?

  4. Being that there are so many different solutions, how can I create an enterprise application that allows login through Gmail/Facebook while still being able to expand to other SSOs?

  5. What are some simple implementations of these technologies?
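
An added example, not part of the original question: in ASP.NET Core the counterpart of the forms ticket above is the cookie authentication handler, with the extra user data carried as claims instead of a custom principal. The names `CookieAuthSetup`, `AddCookieLogin`, `SignInAsync` and `FullName`, and the 30-minute lifetime, are assumptions made for the illustration.

```csharp
// Added example (not from the original post): cookie sign-in with claims, ASP.NET Core 3.1.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public static class CookieAuthSetup
{
    // Call from Startup.ConfigureServices; Configure must also call app.UseAuthentication().
    public static void AddCookieLogin(IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.Cookie.HttpOnly = true;                          // not readable from script
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // sent over HTTPS only
                options.Cookie.SameSite = SameSiteMode.Lax;
                options.ExpireTimeSpan = TimeSpan.FromMinutes(30);       // assumed lifetime
                options.SlidingExpiration = true;
            });
    }

    // Counterpart of CreateAuthenticationTicket: call only after the credentials were verified.
    // firstName and lastName stand in for the values loaded from the user store.
    public static Task SignInAsync(HttpContext http, string username,
                                   string firstName, string lastName)
    {
        var claims = new[]
        {
            new Claim(ClaimTypes.Name, username),
            new Claim(ClaimTypes.GivenName, firstName),
            new Claim(ClaimTypes.Surname, lastName),
        };
        // Passing an authentication type marks the identity as authenticated.
        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
        return http.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                                new ClaimsPrincipal(identity));
    }

    // Replaces the FullName property of the custom principal.
    public static string FullName(ClaimsPrincipal user) =>
        $"{user.FindFirst(ClaimTypes.GivenName)?.Value} {user.FindFirst(ClaimTypes.Surname)?.Value}";
}
```

The handler encrypts and signs the cookie with the Data Protection system, so the claims are not readable or editable by the client.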



I would really like to show a full posting on how to properly implement IdentityServer4, but I tried to fit all of the text in and it was beyond the limit of what StackOverflow accepts, so instead I will write some tips and things I've learned.

What are the Benefits of using a Token Server Vs ASP Identity?

A token server has a lot of benefits, but it isn't right for everyone. If you are implementing an enterprise-like solution, where you want multiple clients to be able to log in, a token server is your best bet, but if you are just making a simple website that wants to support external logins, you can get away with ASP Identity and some middleware.

Identity Server 4 Tips

Identity server 4 is pretty well documented compared to a lot of other frameworks I've seen but it's hard to start from scratch and see the whole picture.

My first mistake was trying to use OAuth as authentication. Yes, there are ways to do so, but OAuth is for authorization, not authentication; if you want to authenticate, use OpenID Connect (OIDC).

In my case I wanted to create a JavaScript client which connects to a web API. I looked at a lot of the solutions, but initially I tried to use the web API to authenticate against IdentityServer and was just going to have that token persist because it was verified against the server. That flow potentially can work, but it has a lot of flaws.

Finally, when I found the JavaScript client sample, I got the right flow. Your client logs in and sets a token. Then you have your web API consume the OIDC client, which will verify your access token against IdentityServer.

Connecting to Stores and Migrations

I had a few misconceptions with migrations at first. I was under the impression that running a migration generated the SQL from the DLL internally, instead of using your configured context to figure out how to create the SQL.

There are two syntaxes for migrations; knowing which one your computer uses is important:

dotnet ef migrations add InitialIdentityServerMigration -c ApplicationDbContext

Add-Migration InitialIdentityServerDbMigration -c ApplicationDbContext

I think the parameter after the migration is the name; why you need a name, I'm not sure. The ApplicationDbContext is a Code-First DbContext in which you want to create.

Migrations use some auto-magic to find your connection string from how your startup is configured; I just assumed it used a connection from the Server Explorer.

If you have multiple projects make sure you have the project with the ApplicationDbContext set as your start up.

There are a lot of moving parts when implementing authorization and authentication. Hopefully, this post helps someone. The easiest way to fully understand authentication is to pick apart their examples to piece everything together, and make sure you read the documentation.
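
The API side of the flow described in this answer, as an added example that is not the answerer's code: an ASP.NET Core 3.1 web API that only accepts access tokens issued by the token server. The authority URL `https://localhost:5001`, the audience `api1` and the `IdentityController` endpoint are assumptions; the Microsoft.AspNetCore.Authentication.JwtBearer package is required.

```csharp
// Added example (not from the original answer): bearer-token validation in the web API.
using System.Linq;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Assumed values: base URL of the token server and this API's audience name.
                options.Authority = "https://localhost:5001";
                options.Audience = "api1";
                // Signing keys are fetched from the authority's discovery document,
                // so the metadata endpoint must be reached over HTTPS.
                options.RequireHttpsMetadata = true;
                // Reject tokens that were issued for a different API.
                options.TokenValidationParameters.ValidateAudience = true;
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

[ApiController]
[Route("identity")]
[Authorize] // a request without a valid bearer token is answered with 401
public class IdentityController : ControllerBase
{
    // Echoes the claims of the validated access token.
    [HttpGet]
    public IActionResult Get() =>
        Ok(User.Claims.Select(c => new { c.Type, c.Value }));
}
```

The handler checks signature, issuer, audience and lifetime locally on each request; it contacts the token server only to load the discovery document and signing keys.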


ASP.NET Identity - this is the built-in way to authenticate your application, whether it is Bearer or Basic authentication. It gives us ready-made code to perform user registration, login, password change and so on.

Now consider that we have 10 different applications, and it is not feasible to do the same thing in all 10 apps. That is very fragile and very bad practice.

To resolve this issue, what we can do is centralize our authentication and authorization, so that any change to them will not affect all our 10 apps.

The identity server provides you the capability to do the same. We can create one sample web app which is just used as the identity service, and it will validate your user and provide a JWT access token.


I have always used the built-in ASP.NET Identity (and previously Membership) authorisation/authentication. I have implemented Auth0 recently (https://auth0.com) and recommend this as something else to try.


Social logins are not hard to implement with Identity, but there is some initial setup involved, and sometimes the steps you find online in the docs are not identical; usually you can find help for that under the developers section of the platform you are trying to set up the social logins for. Identity is the replacement of the old membership functionality found in legacy versions of the .NET Framework. What I have found surprising is that edge use cases, like passing a JWT you already have to a web API, are not covered anywhere in the examples online, even on Pluralsight. I am sure you don't need your own token authority to do this, but I have not found a single example on how to pass data in a GET or POST that isn't dealing with a self-hosted server.


  • This question is too broad and also highly opinion based. There are either too many possible answers, or good answers would be too long for this format. Please add details to narrow the answer set or to isolate an issue that can be answered in a few paragraphs. Many good questions generate some degree of opinion based on expert experience, but answers to this question will tend to be almost entirely based on opinions, rather than facts, references, or specific expertise.
  • @Nkosi sorry the phrase was that way. I clarified this to be more specific
  • Please show an example of implementing authentication in core
  • The ASP.NET Core docs show the canonical example: docs.microsoft.com/en-us/aspnet/core/security/authentication/….
  • If you can, please post a simple example of authentication, without a link, so people have a resource to access. I will be posting an in-depth answer on how to set up IdentityServer4
  • For IdentityServer, does this have the example you are looking for: identityserver4.readthedocs.io/en/dev/quickstarts/… ?
  • For ASP.NET Identity, doesn't this have the example, or is that what you are saying is out of date? docs.microsoft.com/en-us/aspnet/core/security/authentication/…
  • The name after add-migration is the reference related to your release/changes you made. The same name will be used to add the migration script Up & Down.
  • @Jay Thanks for that clarification
  • The configuration DbContext of IdentityServer is still not as good as IdentityDbContext. Creating a custom implementation is a pain. IdentityServer 4 now seems not very active in releasing new updates following .NET Core updates.
  • The Auth0 .NET Core example is pretty quick and simple to implement, but using all the features requires a fair bit of work. I have implemented Auth0 integrating a lot of features and it works well, but like all these things, it needs a bit of work and there is some frustration.
  • When I get one authentication working well I will post an in-depth answer on it. I've just been working on authentication this past week, and nothing is as straightforward as it should be
  • perhaps you are after this docs.identityserver.io/en/release/quickstarts/…