IdentityServer4 vs Auth0

Question

We want to build a central authority to do authentication and authorization for our various applications (.net). We see IdentityServer4 is open source and free, while Auth0 cost money. Does anyone use both of these? Can anyone provide suggestion which one to choose and why?

Answer 1

IdentityServer is a library that implements various authentication (not authorization!) protocols and let's you consolidate access control into a single system. You can host it in a typical ASP.NET webapp, console app or anything else, as long as the HTTP endpoints are available. It also lets you store the user data anywhere you want, whether in-memory, databases, flat files, the asp.net core membership system, or anywhere else.

Auth0 is a company that provides a managed service that handles authentication for you. They run the infrastructure and provide access through their website and APIs. It's similar to having someone run IdentityServer4 for you and there are several competitors like Okta for Devs, AWS Cognito, Azure AD B2C, Google Cloud Identity/Firebase, and more.

Choose IdentityServer if:

• You want free open-source software.
• You have the time and effort to run it yourself.
• You want to control the backing data store (SQL database, Redis, JSON file, etc).
• You want to manage all the data yourself due to regulations, privacy, etc.
• You need complete control and flexibility around what happens during authentication (for example, merging user accounts in your database when someone signs in). It's all just C# code so you can do whatever you want.

Choose Auth0 if:

• You want to save time and effort on implementation and operation.
• Price is not an issue (as it can get expensive for some features).
• The limited customizations offered by Auth0 are enough for your app.
• You want the other features they offer like password-breach monitoring.
• You don't want to manage user data, or don't mind having it stored by them.

Update as of Oct 2020 - IdentityServer is now a product from Duende Software with a new commercial open-source license to sustain development. There are other alternatives like OpenIddict that are still free.

Answer 2

Identity Server means building a server application to handle authentication and authorization, which can replicate what Auth0 does for OpenIdConnect (OIDC) there will be a few things to implement even if you use IdentityServer4. You will need to build that first, then integrate your application.

Auth0 allows you to integrate immediately with OIDC with additional & enterprise features.