Wow – we’re done! Brock and I spent the last two weeks 14h/day refactoring, polishing, testing and refining IdentityServer for ASP.NET Core…and I must say it’s the best STS we’ve written so far…
We kept the same approach as before: IdentityServer takes care of all the hard things like protocol handling, validation, token generation, data management and security – while you only need to model your application architecture via scopes, clients and users. But at the same time we give you much more flexibility for handling custom scenarios, workflows and user interactions. We also made it easier to get started.
There are too many new features to talk about all of them in this post – but to give you an overview:
- integration in ASP.NET Core’s pipeline, DI system, configuration, logging and authentication handling
- complete separation of protocol handling and UI, thus allowing you to easily modify the UI in any way you want
- simplified persistence layer
- improved key material handling enabling automatic key rotation and remote signing scenarios
- allowing multiple grant types per client
- revamped support for extension grants and custom protocol responses
- seamless integration into ASP.NET Core Identity (while retaining the ability to use arbitrary other data sources for your user management)
- support for public clients (clients that don’t need a client secret to use the token endpoint)
- support for default scopes when requesting tokens
- support for ASP.NET Core authentication middleware for external authentication
- improved session management and authentication cookie handling
- revamped and improved support for CORS
- re-worked middleware for JWT and reference token validation
- tons of internal cleanup
We will have separate posts detailing those changes in the coming weeks.
Where to start?
Our new website https://identityserver.io will bring you to all the relevant sites: documentation, GitHub repo and our new website for commercial support options.
Add the IdentityServer package to your project.json:
"IdentityServer4": "1.0.0-rc1"
and start coding ;)
We also added a number of quickstart tutorials that walk you through common scenarios:
- Overview
- Protecting an API using client credentials
- Protecting an API using passwords
- OpenID Connect authentication
- External authentication
- Hybrid Flow and API access
- ASP.NET Core Identity
- JavaScript
Everything is still work in progress, but we have the feeling we are really close to how we want the final code to look and feel.
Give it a try – and give us feedback on the issue tracker. Release notes can be found here.
Have fun!