Identityserver4 definition concept
2022-06-25 10:13:00 【No. 1 in Jinan medical applet】
IdentityServer4 is an OpenID Connect and OAuth 2.0 framework tailored for ASP.NET Core 2.
Deploying IdentityServer in your application gives you the following features:
Authentication as a service
Centralized login logic and workflow for all of your applications (web, native, mobile, services). IdentityServer is an officially certified implementation of the OpenID Connect protocol.
Single sign-on / sign-out (SSO)
Single sign-on and sign-out across multiple application types.
API access control
Issues access tokens for APIs to various kinds of clients, such as server-to-server communication, web applications, SPAs and native or mobile applications.
Federation gateway
Supports external identity providers such as Azure Active Directory, Google and Facebook, so your application is shielded from the details of connecting to them.
Focus on customization
Most importantly, IdentityServer can be adapted to your requirements as your application changes. IdentityServer is a framework, not a boxed product or a SaaS system, so you can write code to fit a variety of scenarios.
Mature open source
IdentityServer uses the Apache 2 license, which allows building commercial applications on it. It is also a member of the .NET Foundation, which provides governance and legal backing.
Free and commercial support
If you need help building or running your authentication platform, there are several ways to get support.
IdentityServer4 overview
What is IdentityServer4?
When you need IdentityServer4
Authentication
API access
OpenID Connect and OAuth 2.0 – better together
How IdentityServer4 helps
A few terms you need to know
IdentityServer
User
Client
Resources
Identity token
Access token
Official documentation and source code
This article is a translation of parts of the official documentation plus my own notes.
What is IdentityServer4?
IdentityServer4 is an OpenID Connect and OAuth 2.0 framework for ASP.NET Core. It enables the following features in your applications:
Authentication as a service
Centralized login logic and workflow for all of your applications (web, native, mobile, services). IdentityServer is an officially certified implementation of OpenID Connect.
Single sign-on / sign-out
Single sign-on (and sign-out) across multiple application types.
API access control
Issues access tokens for APIs to various types of clients (for example server-to-server, web applications, SPAs and native/mobile applications).
Federation gateway
Supports external identity providers such as Azure Active Directory, Google and Facebook. This shields your applications from the details of how to connect to these external providers.
Focus on customization
The most important part: many aspects of IdentityServer can be customized to fit your needs. Because IdentityServer is a framework and not a boxed product or a SaaS, you can write code to adapt the system to your scenarios.
Mature open source
IdentityServer uses the Apache 2 license, which allows commercial products to be built on it. It is also part of the .NET Foundation, which provides governance and legal backing.
Free and commercial support
If you need help building or running your identity platform, the IdentityServer team can help you in several ways.
When you need IdentityServer4
Most modern applications look more or less like this:
The most common interactions are:
Browsers communicate with web applications
Web applications communicate with web APIs (sometimes on their own, sometimes on behalf of a user)
Browser-based applications communicate with web APIs
Native applications communicate with web APIs
Server-based applications communicate with web APIs
Web APIs communicate with web APIs (sometimes on their own, sometimes on behalf of a user)
Typically, each layer (front end, middle tier and back end) has to protect resources and implement authentication and/or authorization, often against the same user store. Outsourcing these fundamental security functions to a security token service prevents duplicating that functionality across these applications and endpoints.
Restructuring the applications to support a security token service leads to the following architecture and protocols:
This design divides the security concerns into two parts:
Authentication
Authentication is needed when an application needs to know the identity of the current user. Typically these applications manage data on behalf of that user and need to make sure that the user can only access the data they are allowed to. The most common example is a (classic) web application, but native and JS-based applications also need authentication.
The most common authentication protocols are SAML2p, WS-Federation and OpenID Connect (SAML2p being the most popular and most widely deployed).
OpenID Connect is the newest of the three, but is considered the direction of the future because it has the most potential for modern applications. It was built for mobile application scenarios from the start and is designed to be API friendly.
API access
Applications have two fundamental ways to communicate with APIs: using the application's own identity, or delegating the user's identity. Sometimes both methods need to be combined.
OAuth2 is a protocol that allows applications to request access tokens from a security token service and use them to communicate with APIs. Because authentication and authorization can be centralized, this delegation reduces complexity in both the client applications and the APIs.
OpenID Connect and OAuth 2.0 – better together
OpenID Connect and OAuth 2.0 are very similar (in fact OpenID Connect is an extension on top of OAuth 2.0). The two fundamental security concerns, authentication and API access, are combined into a single protocol, often with a single round trip to the security token service.
We believe that the combination of OpenID Connect and OAuth 2.0 is the best approach to securing modern applications for the foreseeable future. IdentityServer4 is an implementation of these two protocols and is highly optimized to solve the typical security problems of today's mobile, native and web applications.
How IdentityServer4 helps
IdentityServer is middleware that adds spec-compliant OpenID Connect and OAuth 2.0 endpoints to any ASP.NET Core application.
Typically you build (or reuse) an application that contains a login and logout page (and maybe a consent page, depending on your needs), and the IdentityServer middleware adds the necessary protocol heads to it so that client applications can talk to it using those standard protocols.
The hosting application can be as complex as you want, but we usually recommend keeping it to authentication-related UI only, to keep the attack surface as small as possible.
A few terms you need to know
The specifications, documentation and object model of IdentityServer use certain terms that you should know.
IdentityServer
IdentityServer is an OpenID Connect provider: it implements the OpenID Connect and OAuth 2.0 protocols. Different literature uses different terms for the same role (you may also find security token service, identity provider, authorization server, IP-STS and others). Put simply, they are all the same: a piece of software that issues security tokens to clients.
IdentityServer has a number of jobs and features:
Protect your resources
Authenticate users using a local account store or via an external identity provider
Provide session management and single sign-on
Manage and authenticate clients
Issue identity and access tokens to clients
Validate tokens
User
A user is a human that is using a registered client to access resources.
Client
A client (such as a web application, a native mobile or desktop application, a SPA, a server process and so on) is a piece of software that requests tokens from IdentityServer, either for authenticating a user (requesting an identity token) or for accessing a resource (requesting an access token). A client must first be registered with IdentityServer before it can request tokens.
Resources
Resources are something you want to protect with IdentityServer (such as the identity data of your users, or APIs). Every resource has a unique name, and clients use this name to specify which resources they want to access.
Identity data: identity information about a user (also called claims), such as a name or an e-mail address.
APIs: API resources represent functionality a client wants to invoke, typically modelled as web APIs, but not necessarily.
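To make the terms above concrete, here is an added example of how a client and its resources are registered in IdentityServer4 (v4.x, in-memory stores), together with the middleware wiring described under "How IdentityServer4 helps". This is illustration code written for this page, not code from the original post or from the IdentityServer4 project; the resource name orders-api, the scope orders.read, the client id web-client, the localhost URLs and the secret placeholder are all constructed. It assumes the IdentityServer4 and Microsoft.AspNetCore packages are referenced.

```csharp
// Added example: IdentityServer4 v4.x in-memory configuration.
// All names below (orders-api, orders.read, web-client, URLs) are constructed.
using System.Collections.Generic;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public static class Config
{
    // Identity resources: the identity (claims) data a client may request.
    // "openid" is mandatory for OpenID Connect; "profile" adds name etc.
    public static IEnumerable<IdentityResource> IdentityResources =>
        new List<IdentityResource>
        {
            new IdentityResources.OpenId(),
            new IdentityResources.Profile(),
        };

    // API scopes: the fine-grained permissions a client asks for.
    public static IEnumerable<ApiScope> ApiScopes =>
        new List<ApiScope>
        {
            new ApiScope("orders.read", "Read orders"),
        };

    // API resource: the protected API itself. Its name becomes the "aud"
    // claim of access tokens that carry one of its scopes.
    public static IEnumerable<ApiResource> ApiResources =>
        new List<ApiResource>
        {
            new ApiResource("orders-api", "Orders API")
            {
                Scopes = { "orders.read" },
            },
        };

    // Clients: every piece of software that may ask for tokens must be
    // registered here first; requests with an unknown client_id are rejected.
    public static IEnumerable<Client> Clients =>
        new List<Client>
        {
            new Client
            {
                ClientId = "web-client",
                ClientName = "Server-side web application (constructed)",
                // Authorization code flow with PKCE for interactive clients.
                AllowedGrantTypes = GrantTypes.Code,
                RequirePkce = true,
                // Only the SHA-256 hash of the secret is stored.
                ClientSecrets = { new Secret("REPLACE-WITH-A-REAL-SECRET".Sha256()) },
                // Exact-match allow list of redirect targets.
                RedirectUris = { "https://localhost:5002/signin-oidc" },
                PostLogoutRedirectUris = { "https://localhost:5002/signout-callback-oidc" },
                // The client may request only these scopes; anything else fails.
                AllowedScopes =
                {
                    IdentityServerConstants.StandardScopes.OpenId,
                    IdentityServerConstants.StandardScopes.Profile,
                    "orders.read",
                },
            },
        };
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews(); // hosts the login/logout/consent UI

        services.AddIdentityServer()
            .AddInMemoryIdentityResources(Config.IdentityResources)
            .AddInMemoryApiScopes(Config.ApiScopes)
            .AddInMemoryApiResources(Config.ApiResources)
            .AddInMemoryClients(Config.Clients)
            // Development only: creates a temporary signing key on disk.
            // Production uses a managed key via AddSigningCredential.
            .AddDeveloperSigningCredential();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseStaticFiles();
        app.UseRouting();
        // Adds the OpenID Connect / OAuth 2.0 endpoints:
        // /.well-known/openid-configuration, /connect/authorize, /connect/token, ...
        app.UseIdentityServer();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

The hosting application still has to supply the login, logout and consent UI and a user store (for example AddTestUsers during development, or ASP.NET Core Identity); IdentityServer only adds the protocol endpoints. A request for a scope that is not in AllowedScopes, or with a redirect_uri that is not in RedirectUris, is rejected before any user interaction, which is why the client registration is the first thing to review when a token reaches an API that it should not.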
Identity token
An identity token represents the outcome of an authentication process. It contains at a minimum an identifier for the user (called the sub, or subject, claim) and information about how and when the user authenticated. It can contain additional identity data.
Access token
An access token allows access to an API resource. Clients request access tokens and forward them to the API. Access tokens contain information about the client and the user (if present). APIs use that information to authorize access to their data.
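As a companion to the two token definitions above, here is an added example of the consuming side: an ASP.NET Core web API that validates access tokens issued by IdentityServer4 and authorizes on the scope claim. Again this is illustration code for this page, not from the original post or the IdentityServer4 project; it assumes the Microsoft.AspNetCore.Authentication.JwtBearer package, an IdentityServer running at https://localhost:5001, an API resource named orders-api and a scope named orders.read (all constructed names).

```csharp
// Added example: an ASP.NET Core API that consumes IdentityServer4 access tokens.
// Authority URL, audience and scope names are constructed for illustration.
using System;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Keep the JWT claim names as issued ("sub", "client_id") instead of
        // mapping them to the long Microsoft URI claim types.
        JwtSecurityTokenHandler.DefaultMapInboundClaims = false;

        services.AddControllers();

        services.AddAuthentication("Bearer")
            .AddJwtBearer("Bearer", options =>
            {
                // The discovery document is fetched from here; signing keys and
                // the expected issuer come from it, so tokens signed by anyone
                // else fail validation.
                options.Authority = "https://localhost:5001";
                // Must equal the ApiResource name; a token issued for another
                // API (different "aud") is rejected.
                options.Audience = "orders-api";
                // Default skew is 5 minutes; tighten so expired tokens stop
                // being accepted sooner.
                options.TokenValidationParameters.ClockSkew = TimeSpan.FromSeconds(30);
            });

        services.AddAuthorization(options =>
        {
            // A valid token is not enough: it must also carry the scope.
            options.AddPolicy("OrdersRead", policy =>
                policy.RequireAuthenticatedUser()
                      .RequireClaim("scope", "orders.read"));
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication(); // validates the Bearer token on every request
        app.UseAuthorization();  // enforces the [Authorize] policies
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

[ApiController]
[Route("orders")]
public class OrdersController : ControllerBase
{
    [HttpGet]
    [Authorize(Policy = "OrdersRead")]
    public IActionResult Get()
    {
        // "sub" identifies the user and is absent on client-credentials tokens;
        // "client_id" identifies the calling client. Both come from the token.
        var subject = User.FindFirst("sub")?.Value;
        var clientId = User.FindFirst("client_id")?.Value;
        return Ok(new { subject, clientId });
    }
}
```

The Audience check ties the token to this API (the aud claim equals the ApiResource name), the Authority check ties it to the issuer and its signing keys, and the scope policy decides what the caller may do; a valid token for a different API is rejected with 401, and one without the scope with 403, before the controller runs. Because sub is missing on tokens obtained with the client credentials grant, code that assumes a user is present must handle the null case.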
Official documentation and source code
IdentityServer4 source code
IdentityServer4 official website
IdentityServer4 documentation