Perhaps the question I am about to ask is very obvious and simple, but as a beginner in IdentityServer4 and more or less in oAuth2, OpenID and API's in general, I find it quite hard to understand.
Our company's goal is to move to a more secure application building way (Visual Studio 2017, C#, .NET Core 2) using Authentication and Authorization. After some days of research I ended up with using IdentityServer4 (also because the documentation is really great).
After following the IdentityServer Documentation (https://media.readthedocs.org/pdf/identityserver4/release/identityserver4.pdf) up till chapter 7, I have one remaining.
I am trying to build a MVC application (web) with an API backend for retrieving / inserting the data so that I can later use the API for other applications, like a SPA / Xamarin application. For the IdentityServer host I went for IdentityServer with asp.net identity. I got it running and it all works great, however the following question remains:
What are the disadvantages of hosting my API, in which I want to handle Database operations, together with the IdentityServer host? It doesn't seem logical to me to have so many different projects while (so far as I can tell) these 2 (the API and IdentityServer host) can be joined together perfectly fine.
In (almost) all the examples found of IdentityServer4 the IdentityServer host and API's are separate projects, what are the advantages of hosting the two as separate projects.
It's designed to provide a common way to authenticate requests to all of your applications, whether they're web, native, mobile, or API endpoints. IdentityServer can be used to implement Single Sign-On (SSO) for multiple applications and application types.
This class models an OAuth scope. Enabled. Indicates if this resource is enabled and can be requested. Defaults to true.
Why do we need IdentityServer4? ASP.NET Identity can receive a security token from a third-party login provider like Facebook, Google, Microsoft and Twitter. But If you want to issue a security token for a local ASP.NET Identity user you need to work with a third-party library like IdentityServer4, OpenIddict.
The current version (IdentityServer4 v4. x) will be the last version we work on as free open source. We will keep supporting IdentityServer4 until the end of life of . NET Core 3.1 in November 2022.
I would say Single Responsibility.
Treat it like this - Identity Server is a framework, that provides you the authentication against your clients/API's. That's it! (of course this is all done based on your rules, policies etc).
It is not Identity Servers' purpose to add/edit/delete users from your database. It is not Identity Servers' purpose to give roles to this users. And most important - it is not Identity Servers' purpose to authorize this users.
All these must be done in your clients/api's.
In your case - you need a separate API that will take care for the users (and other data that you need), but I guess that you want this API to be protected by Identity Server.
This is where the separation comes and should be kept - Identity Server should not authenticate its own API against himself.
There is a reason that all the examples, articles and etc are with separated projects.
PS: Of course there are some examples of achieving this (damienbod's one is good).
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With