We want to build a central authority to do authentication and authorization for our various applications (.net). We see IdentityServer4 is open source and free, while Auth0 costs money. Does anyone use both of these? Can anyone provide a suggestion on which one to choose and why?
From what I read about Identity Server it's free if you decide to hard code your users and clients, but IS4 is not working with a custom database => so you have to buy their product: Admin UI so you can keep all the users in a database. Please correct me if I am wrong. – Alexandra Damaschin Jul 09 '18 at 09:02
@AlexandraDamaschin: I'll correct you: IS4's demos are all in memory, but you are free to use custom implementations of the user-store, client-store, management etc. There are some built-in features for e.g. Asp.Identity, but it is provided at a minimal basis. If you want a full-blown-up-and-running-out-of-the-box implementation, it'll cost you some bucks. – Stefan Nov 12 '18 at 13:44
@AlexandraDamaschin That is incorrect. IdentityServer is just a library that implements various authentication schemes and is very extensible. It has no requirements on *where* you actually store your users, clients and API info and offers several templates including in-memory (for simple apps), databases, files, or even using the ASP.NET membership framework. – Mani Gandham Feb 02 '19 at 21:23
3 Answers
IdentityServer is a library that implements various authentication (not authorization!) protocols and lets you consolidate access control into a single system. You can host it in a typical ASP.NET webapp, console app or anything else, as long as the HTTP endpoints are available. It also lets you store the user data anywhere you want, whether in-memory, databases, flat files, the asp.net core membership system, or anywhere else.
Auth0 is a company that provides a managed service that handles authentication for you. They run the infrastructure and provide access through their website and APIs. It's similar to having someone run IdentityServer4 for you and there are several competitors like Okta for Devs, AWS Cognito, Azure AD B2C, Google Cloud Identity/Firebase, and more.
Choose IdentityServer if:
- You want free open-source software.
- You have the time and effort to run it yourself.
- You want to control the backing data store (SQL database, Redis, JSON file, etc).
- You want to manage all the data yourself due to regulations, privacy, etc.
- You need complete control and flexibility around what happens during authentication (for example, merging user accounts in your database when someone signs in). It's all just C# code so you can do whatever you want.
Choose Auth0 if:
- You want to save time and effort on implementation and operation.
- Price is not an issue (as it can get expensive for some features).
- The limited customizations offered by Auth0 are enough for your app.
- You want the other features they offer like password-breach monitoring.
- You don't want to manage user data, or don't mind having it stored by them.
Update as of Oct 2020 - IdentityServer is now a product from Duende Software with a new commercial open-source license to sustain development. There are other alternatives like OpenIddict that are still free.

In your "Auth0 if" list, price not being a factor and saving time sounds a bit mutually contradicting to me. Setting up identity server, getting it to run, customizing it, and then running it all mean time and money. Even for a basic scenario, IdSrv will require some hours of work and some infrastructure to run on. At which point the costs of each balance is still a mystery to me... – Carl Fauteux Feb 11 '19 at 19:22
@CarlFauteux That's why it says "you don't mind running it yourself", but I'll make it more explicit. How much work it takes and what pricing you get with Auth0 is subjective to your scenario so I can't provide any more of a comparison. – Mani Gandham Feb 12 '19 at 01:44
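The point made in the answer and comments above, that IdentityServer4 does not dictate where users live, shown as an added example (not code from any poster or from the IdentityServer project). `IUserStore`, `AppUser` and `StoreBackedProfileService` are hypothetical names; `IProfileService` and its two methods are the IdentityServer4 extension point.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer4.Extensions;
using IdentityServer4.Models;
using IdentityServer4.Services;

// Hypothetical abstraction over a store you own (SQL, Redis, LDAP, ...).
public interface IUserStore
{
    Task<AppUser> FindBySubjectIdAsync(string subjectId);
}

// Hypothetical user record returned by that store.
public class AppUser
{
    public string SubjectId { get; set; }
    public bool IsLockedOut { get; set; }
    public IReadOnlyCollection<Claim> Claims { get; set; }
}

public class StoreBackedProfileService : IProfileService
{
    private readonly IUserStore _users;

    public StoreBackedProfileService(IUserStore users) => _users = users;

    // Called when claims are needed for an identity token, access token or userinfo response.
    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var user = await _users.FindBySubjectIdAsync(context.Subject.GetSubjectId());
        if (user == null) return; // unknown subject: issue no claims

        // Release only the claim types the client's scopes requested, not the whole record.
        context.AddRequestedClaims(user.Claims);
    }

    // Called before tokens are issued; a locked-out or deleted user gets no new tokens.
    public async Task IsActiveAsync(IsActiveContext context)
    {
        var user = await _users.FindBySubjectIdAsync(context.Subject.GetSubjectId());
        context.IsActive = user != null && !user.IsLockedOut;
    }
}
```

Register it with `services.AddIdentityServer().AddProfileService<StoreBackedProfileService>()` and add your `IUserStore` implementation to the DI container.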
Identity Server means building a server application to handle authentication and authorization, which can replicate what Auth0 does for OpenIdConnect (OIDC). There will be a few things to implement even if you use IdentityServer4. You will need to build that first, then integrate your application.
Auth0 allows you to integrate immediately with OIDC with additional & enterprise features.

Thanks. So Auth0 is more like Azure AD - it's out of box but limits customization ability? – martial Nov 01 '17 at 16:01
Yes, it has its own login screen if you want to let Auth0 handle all the authentication; there are also ways to have your own login page – Mark Redman Nov 01 '17 at 16:03
IdentityServer will also redirect you to its login page, but because it's in your control you can customise the look & feel of that login page, but they all work in the same way as that is how OIDC works. – Mark Redman Nov 01 '17 at 16:04
@MarkRedman So I'm still confused by your answer-- Can IS4 be used as a centralized authorization "server" that will contain user claim information for multiple disparate applications? Like the OP, I have multiple .net apps that use Windows Authentication and would like to use IS4 as a distinct authorization server to send back user claim info. What I had in mind was that IS4 exposes a restful API that sends back a particular user's claims given the username and application that the user is accessing. Looking at the documentation, I'm not sure how one would implement something like this. – Los Morales Nov 01 '17 at 20:37
@los morales: it’s probably worth going through the IdentityServer or auth0 quickstarts and reading up on OAuth and OIDC. There is a lot involved and it requires some understanding of how everything hangs together. – Mark Redman Nov 01 '17 at 22:41
@MarkRedman Thanks. Do you know if IdentityServer4 is good enough for production use, or is it only for developer hobby and/or internal use? – martial Nov 02 '17 at 12:56
Yes, it's mature and on version 4, but you will need to decide for yourself if that is the best solution for you. It's certainly more work than Auth0. – Mark Redman Nov 02 '17 at 13:29
Both of them implement federated protocols i.e. WS-Fed, SAML and OpenID Connect.
In order to use them your apps. need the appropriate client-side stack.
If they don't have this, you can't use the products.
The only alternative is pass-through, i.e. Auth0.
Or look at ADFS which has pass-through via the ADFS WAP.
If you do have the stacks, both will do the job.
idsrv4 does not have a user management portal e.g. create user, add group to users OOTB.
Auth0 does.
idsrv4 essentially adds features by code. Auth0 has config. via wizard.
idsrv4 is open source so you can customise to your heart's content. I find it really useful to bridge systems.
Azure AD is another option.
