We are very close to an implementation of the OpenID Connect “Basic Client Profile”. This is the “OAuth2 sign-in” feature in IdentityServer that most people want – just done right. In addition we have AuthorizationServer which features a full implementation of OAuth2.
That means that the plain OAuth2 endpoints in IdentityServer are not really needed anymore. Rather, use IdentityServer for IdP/authentication/identity token concerns and AuthorizationServer for R-STS/authorization/access token concerns.
That further means that we will remove the OAuth2 endpoints (apart from resource owner flow which is close enough to WS-Trust) from IdSrv in one of the next releases.
If you have concerns or feedback, please leave a comment.
We have set all of our mobile platforms to use OAuth2 and we are using the built-in user store for all of our users. How will that be affected? Is there documentation on setting up Authorization Server if you’re already using Identity Server?
We use Identity Server to
1. make sure you are you
2. return your identity via a token along with your claims
3. set token lifetime to 20 minutes so we can enforce refreshing your token to ensure you are still active.
4. relying parties now use your Identity to confirm you have proper claims to be authorized to access resources.
Perhaps I’m missing the difference on authentication and authorization here. When would I use Identity Server and when would I use Authorization Server?
Thanks for the help with this. We are committed to your product right now.
AS is simply a relying party to IdSrv – have a look at the wiki
https://github.com/thinktecture/Thinktecture.AuthorizationServer/wiki
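The split the post and the reply describe, identity tokens from the IdP for the client versus access tokens from the authorization server for the resource, is easiest to see in a relying party and a resource server that validate each token type against its own issuer and audience. The following is an added illustration, not code from IdentityServer or AuthorizationServer: it uses a hand-rolled HS256 JWT so it runs offline, and the issuer URLs, client id, resource name and key are constructed assumptions. The 20-minute lifetime mirrors the commenter's setup.

```python
"""Added illustration of the identity-token / access-token split.

Constructed example: hand-rolled HS256 JWT (no external library) so it runs
offline. Issuer names, client id, resource name and the key are assumptions,
not values taken from IdentityServer or AuthorizationServer.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key-do-not-reuse"  # assumption: HMAC key shared by issuer and verifier
IDP_ISSUER = "https://idsrv.example"           # assumption: IdentityServer (IdP) issuer
AS_ISSUER = "https://authz.example"            # assumption: AuthorizationServer issuer
CLIENT_ID = "mobile-app"                       # assumption: the relying party's client id
RESOURCE = "orders-api"                        # assumption: the protected resource's audience
TOKEN_LIFETIME = 20 * 60                       # 20 minutes, as in the comment above


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(claims).base64url(hmac)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes = SECRET):
    """Return the claims dict if the signature checks out, otherwise None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))


def issue_id_token(subject: str, nonce: str, now=None) -> str:
    """IdP concern: says who the user is; addressed to the client (aud = client id)."""
    now = int(time.time()) if now is None else now
    return sign_jwt({"iss": IDP_ISSUER, "aud": CLIENT_ID, "sub": subject,
                     "nonce": nonce, "iat": now, "exp": now + TOKEN_LIFETIME})


def issue_access_token(subject: str, scope: str, now=None) -> str:
    """AS concern: says what the bearer may do; addressed to the resource (aud = resource)."""
    now = int(time.time()) if now is None else now
    return sign_jwt({"iss": AS_ISSUER, "aud": RESOURCE, "sub": subject,
                     "scope": scope, "iat": now, "exp": now + TOKEN_LIFETIME})


def authenticate_user(id_token: str, expected_nonce: str, now=None):
    """Relying-party check of an identity token: issuer, audience, nonce, expiry.

    Returns the subject on success, None otherwise (an access token fails here
    because its audience is the resource, not this client).
    """
    now = int(time.time()) if now is None else now
    claims = verify_jwt(id_token)
    if not claims or claims.get("iss") != IDP_ISSUER or claims.get("aud") != CLIENT_ID:
        return None
    if claims.get("nonce") != expected_nonce or claims.get("exp", 0) <= now:
        return None
    return claims["sub"]


def authorize_request(access_token: str, required_scope: str, now=None) -> bool:
    """Resource-server check of an access token: issuer, audience, scope, expiry.

    Returns True if the request is allowed. An identity token presented here is
    rejected on audience and issuer, which is the point of keeping the two apart.
    """
    now = int(time.time()) if now is None else now
    claims = verify_jwt(access_token)
    if not claims or claims.get("iss") != AS_ISSUER or claims.get("aud") != RESOURCE:
        return False
    if claims.get("exp", 0) <= now:
        return False
    return required_scope in claims.get("scope", "").split()


if __name__ == "__main__":
    t0 = int(time.time())
    idt = issue_id_token("alice", "nonce-1", now=t0)
    at = issue_access_token("alice", "orders.read", now=t0)
    print("RP authenticates:", authenticate_user(idt, "nonce-1", now=t0 + 60))
    print("API authorizes read:", authorize_request(at, "orders.read", now=t0 + 60))
    print("API given id token:", authorize_request(idt, "orders.read", now=t0 + 60))
```

The two verifiers are deliberately separate functions with separate issuer and audience expectations; a token from one side is never accepted by the other, and the 20-minute `exp` forces the client back to the issuer rather than letting a stale token ride.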