6

I've just started to implement security in our Web API service (mostly as a research endeavor), and ran across the new ASP.NET Identity and the quite mature Thinktecture.IdentityModel library.

As I'm not experienced with this whole bunch of authentication/authorization mechanisms, it's quite confusing. Now I cannot say whether these libraries are about the same or orthogonal to each other.

I would appreciate any clarification of which one should be used and when.

Pavel Voronin

1 Answer

5

In short, ASP.NET Identity is an identity management framework (storing user account data, like usernames and passwords). This article goes into depth on the features and design of ASP.NET Identity: http://brockallen.com/2013/10/20/the-good-the-bad-and-the-ugly-of-asp-net-identity/

Thinktecture.IdentityModel is a security helper library for many missing features in WIF/Claims, ASP.NET, MVC and Web API. An example is security token processing in Web API v1 -- Web API had nothing like this. Another example is CORS support -- again, in Web API v1 there was no help for that.

They serve two different purposes.

Brock Allen
  • Thanks. And a little off-topic: I can find nothing concerning ACLs. Everyone usually talks about claims or role-based security. Do you have any experience with ACLs? Maybe some libraries? – Pavel Voronin Oct 22 '13 at 15:46
  • Well, there are not a lot of permissions libraries out there (at least that I'm aware of). WIF/.NET has its own approach with the ClaimsAuthorizationManager, but it still leaves you to implement the logic. – Brock Allen Feb 14 '14 at 22:16
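
The last comment notes that ClaimsAuthorizationManager leaves the authorization logic to you. As an added example (not part of the original thread, and not code from ASP.NET Identity or Thinktecture.IdentityModel), here is one way a default-deny ACL check could sit behind it on .NET Framework 4.5; the ACL entries, resource names, action names and user names are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

// Hypothetical ACL-backed authorization manager (illustration only).
public sealed class AclAuthorizationManager : ClaimsAuthorizationManager
{
    // Constructed in-memory ACL: "resource|action" -> users allowed.
    // A real system would load this from a store it controls.
    private static readonly Dictionary<string, HashSet<string>> Acl =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "invoice/42|read",  new HashSet<string> { "alice", "bob" } },
            { "invoice/42|write", new HashSet<string> { "alice" } },
        };

    public override bool CheckAccess(AuthorizationContext context)
    {
        var identity = context.Principal.Identity;
        if (identity == null || !identity.IsAuthenticated)
            return false; // anonymous callers never match an ACL entry

        // No resource or no action means nothing was actually asked: deny.
        if (context.Resource.Count == 0 || context.Action.Count == 0)
            return false;

        // Every (resource, action) pair must be explicitly granted.
        foreach (var resource in context.Resource)
        foreach (var action in context.Action)
        {
            HashSet<string> allowed;
            var key = resource.Value + "|" + action.Value;
            if (!Acl.TryGetValue(key, out allowed) || !allowed.Contains(identity.Name))
                return false; // default deny: missing entry or user not listed
        }
        return true;
    }

    public static void Main()
    {
        // A non-empty authentication type makes IsAuthenticated true.
        var bob = new ClaimsPrincipal(new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, "bob") }, "demo"));
        var manager = new AclAuthorizationManager();
        Console.WriteLine(manager.CheckAccess(new AuthorizationContext(bob, "invoice/42", "read")));
        Console.WriteLine(manager.CheckAccess(new AuthorizationContext(bob, "invoice/42", "write")));
        Console.WriteLine(manager.CheckAccess(new AuthorizationContext(bob, "invoice/99", "read")));
    }
}
```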