14

I have been researching this topic for the last few weeks and unfortunately I can't figure it out. I understand the difference between authentication and authorization.

I would appreciate any guidance on the topic.

What I need in general is to implement single sign-on for several websites which are driven by APIs which should also handle authentication. The users should be able to register/log in with username/pass or through any third-party service like Facebook, Google+, Twitter, etc.

In the scenario above what is the better approach? Should I use only identity server, or only authorization server or both?

Thank you in advance.

Nikola Yankov

3 Answers

18

Start with IdentityServer - this is your identity management system.

AuthorizationServer in addition is a full featured OAuth2 implementation that can use IdentityServer as a user store.

http://leastprivilege.com/2013/06/16/relationship-between-identityserver-and-authorizationserver/

leastprivilege
  • Given client, AS, IS, API (WebApiController/MVC5). The last 3 live in separate servers. When the client is authenticated and authorized it sends a token to the API. Does the API check the token information again, or whether that token is valid against AS or IS or both? – mynkow Feb 02 '14 at 00:07
  • AS uses signed self contained JWT tokens - you can verify the validity in the API without needing to contact the issuer again. – leastprivilege Feb 02 '14 at 08:38
  • Thanks for the response. I am new to this and I am still confused. Is it possible for a client to build JWT tokens which pass validation on the API but fail against IS? Are there any samples in the Thinktecture repo showing how the API could validate a token? – mynkow Feb 02 '14 at 12:22
  • In the AS repo, there is a samples folder. The flows sample shows token validation for web API and Nancy. – leastprivilege Feb 02 '14 at 15:37
  • "When Identity Server 3 was launched, it deprecated AS: The Future of AuthorizationServer, because all the AS features are now included in IS." true? – Chazt3n Mar 04 '16 at 04:18
2

Your scenario is more like Authentication, which is confirming the identity of the user. On the other hand, Authorization is whether a person or a role can execute some operation.

AD.Net
  • The question says they already understand the difference between authentication and authorization. The question is about the difference between Thinktecture IdentityServer and Thinktecture AuthorizationServer. – Oran Dennison Oct 21 '14 at 04:07
  • Does IS3 have the same GUI management as AS? Any examples of managing WebAPIs with a GUI and database instead of inMemory Scopes and Clients? – Nate Sep 06 '16 at 21:53
2

When Identity Server 3 was launched, it deprecated AS: The Future of AuthorizationServer, because all the AS features are now included in IS.

JotaBe