Wow – we’re done! Brock and I spent the last two weeks 14h/day refactoring, polishing, testing and refining IdentityServer for ASP.NET Core…and I must say it’s the best STS we’ve written so far…
We kept the same approach as before, that IdentityServer takes care of all the hard things like protocol handling, validation, token generation, data management and security – while you only need to model your application architecture via scopes, clients and users. But at the same time we give you much more flexibility for handling custom scenarios, workflows and user interactions. We also made it easier to get started.
There are too many new features to talk about all of them in this post – but to give you an overview:
- integration in ASP.NET Core’s pipeline, DI system, configuration, logging and authentication handling
- complete separation of protocol handling and UI thus allowing you to easily modify the UI in any way you want
- simplified persistence layer
- improved key material handling enabling automatic key rotation and remote signing scenarios
- allowing multiple grant types per client
- revamped support for extension grants and custom protocol responses
- seamless integration into ASP.NET Core Identity (while retaining the ability to use arbitrary other data sources for your user management)
- support for public clients (clients that don’t need a client secret to use the token endpoint)
- support for default scopes when requesting tokens
- support for ASP.NET Core authentication middleware for external authentication
- improved session management and authentication cookie handling
- revamped and improved support for CORS
- re-worked middleware for JWT and reference token validation
- tons of internal cleanup
We will have separate posts detailing those changes in the coming weeks.
Where to start?
Our new website https://identityserver.io will bring you to all the relevant sites: documentation, github repo and our new website for commercial support options.
Add the IdentityServer package to you project.json:
“IdentityServer4”: “1.0.0-rc1”
and start coding ;)
We also added a number of quickstart tutorials that walk you through common scenarios:
- Overview
- Protecting an API using client credentials
- Protecting an API using passwords
- OpenID Connect authentication
- External authentication
- Hybrid Flow and API access
- ASP.NET Core Identity
- JavaScript
Everything is still work in progress, but we have the feeling we are really close to how we want the final code to look and feel.
Give it a try – and give us feedback on the issue tracker. Release notes can be found here.
Have fun!
Filed under: .NET Security, ASP.NET, IdentityServer, OAuth, OpenID Connect, WebAPI
