TL;DR: IdentityServer is a set of services and middleware that, when incorporated into an ASP.NET Core app, creates an authentication server. A good practice is to host this server as a separate entity. All in all, IdentityServer is a very good tool – within minutes/hours you can have a server up and running that complies with OAuth 2.0 and OpenID Connect. You get SSO for various apps.
IdentityServer Pros
- OAuth 2.0 support (access tokens to resources, namely the sites where a user can allow an app to access the resources using the user’s credentials)
- Support for all the OAuth 2.0 Flows, i.e. you can easily authorise users in apps such as:
  - websites
  - mobile apps
  - standalone apps
  - IoT devices
  - gaming consoles like Xbox
- OpenID Connect support (user authentication tokens)
- Server configuration via code (configuration as code)
- Smooth integration with .NET Core, plus you get to code everything using C#
- Very useful documentation (with examples)
- Implements many specifications
- C# developers proficient in using OAuth 2.0 and OpenID Connect will be very effective
- It has templates that form the basis of the code (using the CLI)
- The template code is a great base for a server that grants SSO to users held in memory (hard-coded). Alternatively, you can get a user pool from a database, but you have to develop this feature yourself
- Perfect for situations when you have various apps that can use one authentication server
- Easily extendable if you need to have:
  - the ability to log in from another service
  - ‘Remind password based on XYZ’ functionality
  - some other feature, because in the end it is all based on .NET Core
IdentityServer Cons
- The server’s code template lacks:
  - user registration
  - ‘forgot password’ functionality
  - MFA
  - Google reCAPTCHA