35

In an attempt to understand what I may use for OpenId Connect Server implementation, I have looked into what each of them is:

  • IdentityServer4:

    an OpenID Connect and OAuth 2.0 framework for ASP.NET Core 2.

  • AspNet.Security.OpenIdConnect.Server:

    is an advanced OAuth2/OpenID Connect server framework for both ASP.NET Core 1.x/2.x and OWIN/Katana 3.x/4.x, designed to offer a low-level, protocol-first approach.

  • OpenIddict:

    OpenIddict aims at providing a simple and easy-to-use solution to implement an OpenID Connect server in any ASP.NET Core 1.x or 2.x application.

    OpenIddict is based on AspNet.Security.OpenIdConnect.Server to control the OpenID Connect authentication flow and can be used with any membership stack, including ASP.NET Core Identity.

  • Also have checked that all of them use well the ASP.NET Core Identity as a membership system.

And so my current understanding is that IdentityServer4 and OpenIdConnect.Server are two alternative frameworks that solve the same problem. The main difference is the list of supported ASP.NET Core versions.

Regarding Openiddict - it is a kind of extension to simplify server creation based on AspNet.Security.OpenIdConnect.Server.

Have I missed something, or this is how things in general are?

Set
  • 47,577
  • 22
  • 132
  • 150

1 Answers1

38

EDIT (01/28/2021): as part of the 3.0 update, AspNet.Security.OpenIdConnect.Server and OpenIddict were merged to form a single/unified codebase under the OpenIddict umbrella, which should offer the best of both worlds: you still have the same experience as before, but can now opt in for the degraded mode, giving advanced users the same lower-level approach as AspNet.Security.OpenIdConnect.Server.

And so my current understanding is that IdentityServer4 and OpenIdConnect.Server are two alternative frameworks that solve the same problem. The main difference is the list of supported ASP.NET Core versions.

Actually, I believe the most important difference is that these two libs don't share the same objective. ASOS' only mission is to help you deal with the raw OAuth 2.0/OIDC protocol details: everything else is totally out of scope. Concretely, this means that concepts like users, applications or stores - that you can find in OpenIddict and IdentityServer - are completely inexistant in ASOS (which means you're free to bring your own implementation... and your own abstraction).

While IdentityServer will expose many abstractions and services allowing to configure specific features, ASOS - that was forked from Katana's OAuthAuthorizationServerMiddleware - has a centralized low-level events-based API (named OpenIdConnectServerProvider) that behaves exactly the same way as the ASP.NET Core security middleware developed by MSFT.

When working with ASOS, you have to deal with raw OpenID Connect requests and implement potentially sensitive things like client authentication (e.g using a database containing the client credentials) and that's why ASOS' core target is people who understand how the OAuth2/OIDC protocol work. OpenIddict and IdentityServer, on the other hand, will implement these things for you.

Regarding Openiddict - it is a kind of extension to simplify server creation based on AspNet.Security.OpenIdConnect.Server.

Initially, that's indeed how I was asked to design it. OpenIddict was created for non-experts who don't feel super comfortable with the protocol details of OAuth 2.0 and OpenID Connect.

While it will give you full flexibility to implement the user authentication part (e.g in your own authorization controller, using ASP.NET Core Identity or your own authentication method), it will handle the complex request validation process and make it transparent for your app, without drowning you with tons of configuration options.

Unlike ASOS (that tries to be as flexible and as close to the specifications as possible), OpenIddict generally comes with more restrictive validation routines that I personally consider as best practices. For instance, it will automatically reject authorization requests that contain response_type=token if the client is a confidential application, even if that's not prohibited by the OpenID Connect specification.

Kévin Chalet
  • 39,509
  • 7
  • 121
  • 131
  • 3
    Can you please tell me why I should choose Openiddict over IdentityServer4? – graycrow Oct 26 '17 at 11:09
  • 5
    @graycrow unfortunately I can't do that as "opinion-based" answers are not allowed on StackOverflow. Why not giving both IdSrv and OpenIddict a try and choosing the one you prefer based on your own feeling? – Kévin Chalet Oct 26 '17 at 11:19
  • @aaronR was there anything in my answer that made you think it didn't? – Kévin Chalet Oct 26 '17 at 20:49
  • @Pinpoint it was a statement that was made by Set that wasn't addressed. – aaronR Oct 26 '17 at 20:50
  • @aaronR good point. That said, I don't think this statement was made by Set, who probably simply quoted the documentation, that clearly says that `IdentityServer4 is an OpenID Connect and OAuth 2.0 framework for ASP.NET Core 2` (http://docs.identityserver.io/en/release/). If that's not true, it would be better to fix the invalid documentation. – Kévin Chalet Oct 26 '17 at 20:58
  • @Pinpoint at the bottom left is an option to read the documentation for the prior version of IdentityServer4. The current release of IdetityServer4 2.x libraries targets .NET Core 2.0 where the previous release of IdentityServer4 1.x supports .NET Core 1.x – aaronR Oct 26 '17 at 21:01
  • I feel like OpenIddict is for OpenID Connect only and IdentityServer4 is for both OpenID Connect and OAuth2 –  May 05 '20 at 06:06
  • @reiniellematt haha no, don't be fooled by the name: OpenIddict will work fine with OAuth 2.0-only clients too. – Kévin Chalet May 05 '20 at 09:26
  • 13
    Early 2022 IdentityServer4 will no longer be supported and the replacement will no longer free to use in commercial settings. That might sway some people's decision. https://devblogs.microsoft.com/aspnet/asp-net-core-6-and-authentication-servers/ – jon antoine Jun 25 '21 at 14:18