Over the last couple of years, we’ve been working with the ASP.NET team on the authentication and authorization story for Web API, Katana and ASP.NET 5. This included the design around claims-based identity, authorization and token-based authentication.
In the Katana timeframe we also reviewed the OAuth 2.0 authorization server middleware (and the templates around it) and weren’t very happy with it. But as usual, there were deadlines and Web API needed a token-based security story, so it shipped the way it was.
One year ago the ASP.NET team decided to discontinue that middleware and focus on consuming tokens instead. They also asked us whether IdentityServer could be the replacement going forward.
At that time there were many unknowns – ASP.NET was still in early betas and literally changing every day. Important features like x-plat crypto (and thus support for JWT) didn’t even exist yet. Nevertheless, we agreed that we would port IdentityServer to ASP.NET 5 and .NET Core once the builds had stabilized.
With RC1 (and soon RC2), we decided that now would be the right moment in time to start porting IdentityServer – and here it is: IdentityServer4 (github / nuget / samples)
When we designed IdentityServer3, one of our main goals was to be able to run self-hosted. At that time MVC was tied to IIS so using it for our default views was not an option. We weren’t particularly keen on creating our own view engine/abstraction, but that’s what needed to be done. This is not an issue anymore in ASP.NET 5, and as a result we removed the view service from IdentityServer4.
In IdentityServer4 you have full control over all UI aspects – login, consent, logoff and any additional UI you want to show to your user. You also have full control over the technology you want to use to implement that UI – it will even be possible to implement the UI in a completely different web application. This would allow adding OAuth 2.0 / OpenID Connect capabilities to an existing or legacy login “application”.
There will also be a standard UI that you can simply add as a package, as well as templates to get you started.
Furthermore, IdentityServer4 is a “real” ASP.NET 5 application using all the standard platform facilities like DI, logging, configuration, data protection etc., which means you have to learn fewer IdentityServer specifics.
What’s not new
Everything else really – IdentityServer4 has (or will have) all the features of IdentityServer3. You still can connect to arbitrary user management back-ends and there will be out of the box support for ASP.NET Identity 3.
We still provide the same architecture-focused modelling around users, clients and scopes and still shield you from the low-level details to make sure no security holes are introduced.
Database artifacts like reference or refresh tokens are compatible, which gives you a nice upgrade/migration story.
We will not abandon IdentityServer3 – many people are successfully using it and are happy with it (so are we). We are also aware that not everybody wants to switch their identity platform to “the latest thing” but would rather wait a little longer.
But we should also not forget that IdentityServer3 is built on a platform (Katana) which Microsoft is not investing in anymore – and that also applies to the authentication middleware we use to connect to external providers. ASP.NET 5 is the way forward.
We just published beta1 to nuget. There are still many things missing, and what’s there might change. We also started publishing samples (link) to showcase the various features. Please try them out, give us feedback, open issues.
Around the RC2 timeframe, more documentation will also show up in our docs as well as on the ASP.NET documentation site. At some point, there will also be templates for Visual Studio which will provide a starting point for common security scenarios.
IdentityServer3 was such a great success because of all the good community feedback and contributions. Let’s take this to the next level!
You mentioned that Microsoft is not investing in Katana any more. Isn’t the major goal of the ASP.NET 5 version to replace the old System.Web infrastructure with OWIN (Katana project)?
ASP.NET 5 is the replacement for Katana.
How is ASP.NET 5 a replacement for Katana? I probably just missed the news but has there been any discussion/blog posts about this?
yes you missed the news ;) it is v-next.
“We will not abandon IdentityServer3 – many people are successfully using it and are happy with it (so are we). ”
Much kudos. So many projects abandon users who are on V-1.
This is really awesome! We actually are IDS3 2.2.x in ASPNET5 and it works pretty well even in production (we started building in beta7, made the journey all the way through to RC). All the interfaces look the same so porting looks like it won’t be too bad except for the CustomViewService?
There is no ViewService anymore – just use MVC.
Great, Dominick! This is what I was waiting for :D Let me dig into it. Thanks to all gurus :D
This sounds great! Will this make it easier to use Windows Auth/AD as a provider as well?
I second this question. Any reply please?
Not sure what you mean with “easier” – we have the windows authentication service that we use successfully.
There might be new opportunities with the new IIS platform handler. But this is a bit up in the air right now (like many other details of asp.net core). It will def be Windows only.
Will you update your Workshop on DEV-Intersection to include this new development?
Will this be a hands-on training?
Looking forward to seeing you in Florida!
Don’t know yet.
Do you have any idea about final release date? Spring, summer, fall… ?
We try to be ready by the time asp.net 5 ships – or shortly after that.
So we’re only talking a few months, awesome :)
btw I posted the same q on twitter because I got an error when posting it here, but I guess it got through anyways.
Hi Dominick !
I have to use IdentityServer4 with Asp.net Identity3. As you mentioned it has out of box support for Identity3, but I don’t know how to make it work. Can you please guide me?
Hi Abubakar, I’m also waiting for this feature. But as far as he mentioned there “will be” out of the box support for ASP.net v3 instead of already is.
Oh, I see, Alright :)
But as far as “arbitrary user management” is concerned, I am still not able to use Users from a DB table regardless of AspNet Identity. Because I couldn’t find “IdentityServerServiceFactory” (used in IdentityServer3 samples to register IUserService) in IdentityServer4.
So “arbitrary user management” is added or will be added? I am confused. Because there is written “You still can connect to arbitrary user management back-ends”
So we are able to achieve the goal? Or we will be able to achieve it?
Firstly, IdentityServer4 is an outstanding contribution. “Most excellent”!
I was wondering if the Thinktecture team have tried deploying IdentityServer4 onto the Linux platform using the docker integration that comes with Asp.NET 5 / MVC 6 / dnx?
Thanks in advance,
We haven’t tried it yet since we are focusing on the code right now. But give it a try and let us know!
FYI: Got it running in a Docker container on an Ubuntu Linux VM. It’s issuing tokens to my .Net and Node client apps now.
The only change (apart from creating the Dockerfile) was to the Host’s project.json file:
"web": "Microsoft.AspNet.Server.Kestrel --server.urls http://*:5000/"
i.e. adding the server and port parameters.
@Michael McDowell It’d be great if you’ve blogged about how you set up IdSrv4 in a Docker container … !?
Here’s a sample – it is a bit outdated – but shows the general approach
great. thanks for letting me know!
Thanks for IdentityServer4. I have updated this blog to use it now:
I’m new to identityserver, which docs should I read to get started using v4 with asp.net5?
No idsrv4 specific docs yet – too early. I’d start with idsrv3 docs and the idsrv4 samples. Or wait with aspnet5 until it is released.
@Abubakar – you can today. Check the samples. It is not fully done yet but totally possible. I would also suggest to move this discussion to the github issue tracker.
Yes Sir, I also created issue that time :)
How can I go about using custom user from DB? CORS?
I am missing IdentityServerServiceFactory from which UserService, CorsPolicyService are used
It is all based now on the asp.net 5 built-in DI. Check our sample host and the extension methods.
It is best to use the github issue tracker for discussions.
Will Identity server 4 support mixed mode (Windows, Individual User Account & Social Logins) authentication?
This all depends how well ASP.NET itself will support this scenario.
Quick question: where might I go to find documentation describing how to implement SSO using OpenID Connect, ideally based upon the Thinktecture AG IdentityServer4v 4?
Thanks in advance,
It’s just “IdentityServer4” ;)
check our docs website
Is there a document on how to run the IdentityServer4 samples? I am trying to look at flow:
User to Server1 to Server2. User token/credentials/claims should flow to Server2
There are no 4 specific samples or docs. 4 is very similar to 3. So all 3 docs apply.
Thank you Dominick. I will go through the Identityserver3 docs. I was not able to run SampleApi in Client4 solution in VS 2015, looks like I need to host this in IIS.
Another question: Does IdentityServer4 support On Behalf flow?
All samples work fine with IIS Express.
No, the “on behalf of/act as” spec is not done yet.
Ok, we will discuss further “on behalf of / act as” later.
On running samples, I am getting the following message (I tried the SampleApi project)
The selected debug option is IIS Express but this project is not a web project. To use IIS Express you need to add the wwwroot attribute to project.json
So is there a problem with project.json file deployed with samples?
works fine for me. Are you on RC1-update1 ??
also – please move that discussion to issue tracker on github
Sure Dominick, I moved this disc to github (posted this as an issue). Yes I am using RC1-Update1.
Please check it.
Is there a sample to run the identity server 4 on an asp.net core mvc web application? I am trying to have 1 project that has it all and allows cookies on mvc side.
It only creates session cookies for idsrv – I want to create a persisted cookie when I SignInAsync on that authentication type.
Am I missing something – it seems to be ignoring the cookie options I am setting
My startup in configservices
// setup for IdentityServer Service Component Middleware
// setup signing cert
var cert = new X509Certificate2(Path.Combine(_appEnv.ApplicationBasePath + @"\Infrastructure\IdentityServer\Cert", "idsrv4test.pfx"), "idsrv3test");
var cookieopt = new CookieAuthenticationOptions
{
    AutomaticAuthenticate = true,
    AutomaticChallenge = true,
    AuthenticationScheme = IdentityServer4.Core.Constants.PrimaryAuthenticationType,
    CookieDomain = "/",
    CookieHttpOnly = true,
    CookieName = "TestCookie",
    LoginPath = "/Account/Login",
    LogoutPath = "/Account/Logout",
    SlidingExpiration = true,
    ExpireTimeSpan = TimeSpan.FromMinutes(4)
};
var builder = services.AddIdentityServer(options =>
{
    options.SigningCertificate = cert;
    options.SiteName = "Test Site";
    options.AuthenticationOptions.CookieAuthenticationOptions = cookieopt;
});
please use the github issue tracker.
I am using the latest version of identity server 4 beta 1 update 1 (from beta 1)
my code breaks…
No UserServiceBase class for DB authentication?
Is there any guidance (even for Identity Server 3 would do right now) on how to
– Connect with custom identity providers
– Creating a custom identity provider or Making sure that Identity Server can talk to an already existing Identity Provider (SAML based)
Sure check the docs and samples
Hi Dominick, I have been using identity server 3, with membership reboot, and it’s awesome. I was wondering if membership reboot integration is possible with identity server 4 at this moment, or should I wait.
I am sure it is possible. But I haven’t tried it.
Hey, I’m trying to run it in a Docker container, but I’m having a hard time. Any help with it?
This has been done before – but not by me personally.
Anywhere I can find it?
Google? or ask on the issue tracker / SO
I have been reading your blog a lot lately trying to understand open id connect/oauth but truthfully I have been struggling even with what direction to go down.
The code base is Angular 2 front end, with ASP.net Core API. I want my users to login via google or facebook (eventually to pull their friends list down). Obviously I don’t want to store any usernames/password but I would need to access data stored to their account (so I would need a UserId of some sort to build on top of).
This seems overall like a simple idea but I can’t find any examples or guides. All the examples I see are creating your own Oauth server (which I don’t need), or logging into google/facebook via a cookie(which doesn’t sound like the right approach since I will be using Angular and an API).
Do you have any quick tips or suggestions? Identity server seems like overkill but maybe I am wrong.
Thank you so much for the blog and reading this!
Well – the issue is, this is not a simple scenario.
I would use identityserver.
Dominick, I just wanted to say thanks. I had struggled making any progress on this for months (it’s just a fun/side project). I am also new to C# in general. However I learned a ton about open id connect, oauth and security in general. But your comment and just flat out saying what I was doing “was not a simple scenario” made me feel much better. I did end up going Identity server 3 not 4 but Identity server made everything so much easier! I am not fully done… need to figure out if I am using refresh tokens correctly :-p But overall using identity server just made things so much easier!
Again thank you so much for taking the time out of your day to reply and send me a helpful link! I don’t know how you make time for it all but I did want to show you my appreciation for your help and let you know I was successful.
one question on “we will port IdentityServer to ASP.NET 5 and .NET Core”
What do you mean by porting IdentityServer to ASP.NET 5 and .NET core?
You mean IdentityServer would be available as part of the ASP.NET 5? Or .NET Framework?
Actually Identity Server is like an STS, nothing specific to web applications, right? I should be able to use IdentityServer with web, windows or any kind of application and get the token and claims.
Would like to get more details on the IdentityServer and ASP.NET 5 relation.
You must host our middleware somehow. Right now we use Katana. The next version will use ASP.NET Core.
Thanks for reply Dominick. I am wondering why MS is not providing this middleware as out of the box software. I am looking for support on validating the usage of IdentityServer in our product. I have the POC done, but not quite sure though whether we are doing it right way. For example, I am still figuring out how to validate the token… first of all is it required to validate it explicitly?
Is there any other support available apart from support forums? Thanks.
There will be more info on Microsoft documentation sites as well. Right now there are different priorities.
If you are looking for commercial support – shoot us an email at email@example.com
Thanks for IdentityServer4, really great stuff.
Can you give us some guidance on how the shift to CLI for ASP.NET Core RC2 might be affecting the delivery schedule for IdentityServer4. Are you waiting for clarity about ASP.NET CLI and RC2 before you can make further progress or will we be seeing some new beta releases soon?
I understand that the shift at MS away from dnx is causing lots of ripples, just looking to get a little sense of how much it has affected you guys.
Thanks for all the work.
Our plan is to ship close to the date asp.net core ships. Given the changes that will happen in RC2 – we will have to wait until that is released first.
Understood. I figured that was the case. Hopefully, for everyone, we will get some clarity on RC2 fairly soon and we can all get going. I am looking forward to your next release.
Keep it coming as soon as you can.
This week marks four months since this post, with no follow-up. And while there are samples, those are better suited for people familiar with IdentityServer 3. For teams (like ours) that migrate from legacy WebForms application with legacy membership database to ASP.NET Core / AngularJS, absence of even the most trivial User-Agent flow tutorial is quite frustrating. “Hello, Authenticated User – Logout, Authenticated User” is all we ask!
Oh, well – I hope you are timing opening the floodgate to the release of RC2. For now, we are just mocking the authentication :sigh:
This almost sounds a little bit like I am responsible for teaching you how things work?! You might have the wrong expectations.
We have a lot of samples and docs for released and supported technologies – aka IdentityServer3 and Katana. We had more important things to do than keeping up with the changes to AspNetCore in the last months.
If you want to use bleeding edge technology then you have to figure out things yourself – deal with it.
Thank you. Very illuminating.
What’s wrong in you teaching us? Why not an updated Pluralsight course for IdentityServer4? Don’t you think?
There is nothing wrong with that. When I have the time I will do it.
But how about finishing IdentityServer4 first, before thinking about training? Btw – we run several workshops across the year in both Europe and the US.
Could we use identity server 4 with Windows authentication in same way as it was possible with Identity Server 3? Thanks!
No – because WS-Fed is not supported in ASP.NET core (yet). Windows auth coordination works slightly different now due to the changes to IIS hosting. I haven’t looked into it yet.
Thanks – we just started working on new Portal with Angular 2.0 front end and ASPNET Core Web API. We are planning to use Identity Server 4 as it would allow us to use ASPNET Core everywhere. We need WS-FED for windows authentication of internal users and identity server for external users. Would you recommend us to wait till windows authentication will be supported in Identity Server 4 or just use Identity Server 3 at this time? Going to Identity Server 3 is just a step back but it could be the only choice now. How are other people moving into this direction? Thanks!
WS-Fed is not a requirement for Windows authentication – it is just how IdentityServer3 handled it. As I said I haven’t looked into Windows AuthN for ASP.NET Core yet.
Does the ScopeAuthorize attribute work for identity server 4?
If you are talking about the attribute that checks for a claim of type scope, I think so.
Does anyone know where I can get more information or documentation specifically about being able to implement the Login in a different web application to specifically support legacy or existing applications?
This is not yet supported and nothing we are focusing on for v1. Unless you want to make your legacy app an external identity provider.
We would like to implement IdentityServer4.0 to future proof new applications, however, we have older clients written in ASP.net 4.5/6. Would we be able to implement an instance of IdentityServer using IdentityServer4.0 yet use a mixture of client side packages i.e. older IdentityServer3 clients that don’t rely on .net Core and IdentityServer4 for newer ones in order to communicate with the server?
yes. that works.