IIS OAuth Authentication

Question

• I can secure a directory on my IIS with Basic authentication by using the IIS "Basic Authentication" feature
• I can secure a directory on my IIS with Windows authentication by using the IIS "Windows Authentication" feature

I now want to secure other directories on my IIS using OAuth2 authentication (against Google accounts), and easiest would be to use an IIS "OAuth authentication" feature, if available.

There is no OAuth feature available for selection from Windows Server 2012 Server Manager ("Install Roles and Features") under "IIS -> Authentication".

Can I download and install such an IIS feature from somewhere else, and/or is such an IIS feature already implemented in or planned for a newer version of IIS?

Answer 1

No, IIS does not support OAuth2 and most likely never will. IIS is a web server, not an authorization server.

You can add OAuth2 or OpenID Connect support to a web application protecting access to these directories by supporting token based authentication and delegating to an authorization server like IdentityServer or Azure AD B2C.

Answer 2

Of course it's possible - See:

https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/external-authentication-services

https://learn.microsoft.com/en-us/aspnet/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server