Dan Schnau

Identity Protocol improvements in ASP.NET Core 8

Last week, Jeremy Likness discussed improvements to Authentication and Identity features in ASP.NET Core 8.

I wanted to try some of it out, so I first went to install dotnet 8.0.0-preview.2. I think the downloads page looks slick.

OpenID Connect, IdentityServer, and Duende

Earlier this week, I talked about the terms Authentication vs Authorization. Now I'll use this chance to tie the terms to more technical details.

In the past, ASP.NET Core used a third-party implementation of OpenID Connect called IdentityServer to provide authentication and authorization services. IdentityServer implements the OpenID Connect protocol, which provides Authentication as a layer over OAuth 2.0, which is itself a protocol for Authorization.

The Authorization story here starts with the OAuth 2.0 Authorization Framework. OAuth 2.0 is a framework for dealing with the limitations of client-server authentication. There are a lot of good reasons not to implement client-server authentication. From this developer's perspective, the most attractive reason is that with OAuth, I, as a software engineer, don't need to spend the time and money on implementing password security. This is because the OAuth protocol specifies an authorization layer that separates the client and server, enabling third parties to provide Authorization services.

OAuth 2.0 provides an authorization implementation. OpenID Connect provides an authentication implementation. And both are just protocols. That is, they are instructions that software implements in order to work with other software that implements the same protocols.
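To make the layering concrete, here is an added example (not code from ASP.NET Core, IdentityServer, or the original post) that shows a plain OAuth 2.0 token response next to an OpenID Connect one, and the checks a client runs on the extra ID token before treating the user as authenticated. The issuer, client ID, secret, and claims are constructed; HS256 with a shared secret is an assumption that keeps the sketch standard-library only, where real providers commonly sign with RS256 and publish their keys.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_id_token(claims: dict, secret: bytes) -> str:
    """Stand-in for the identity provider: issue an HS256-signed ID token."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"

def validate_id_token(token, secret, issuer, client_id, nonce, now=None):
    """Client side: return the claims only if every check passes."""
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # algorithm is pinned; also rejects "none"
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    aud = claims.get("aud")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")  # token was minted for another client
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")  # not tied to this login request
    return claims

# Constructed sample values, not taken from any real provider.
SECRET, ISSUER, CLIENT = b"constructed-client-secret", "https://idp.example", "demo-client"
CLAIMS = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT,
          "exp": 2000000000, "iat": 1700000000, "nonce": "n-0S6"}

# OAuth 2.0 alone: says what the client may do, nothing about who logged in.
oauth_response = {"access_token": "opaque-constructed", "token_type": "Bearer",
                  "scope": "openid profile"}
# OpenID Connect: the same response plus an ID token describing the user.
oidc_response = dict(oauth_response, id_token=sign_id_token(CLAIMS, SECRET))

if __name__ == "__main__":
    who = validate_id_token(oidc_response["id_token"], SECRET, ISSUER, CLIENT, "n-0S6")
    print("authenticated subject:", who["sub"])
```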

Back to the beginning. Until version 8, ASP.NET Core used a third-party implementation of OpenID Connect called IdentityServer. In version 8, this dependency is removed, and developers will be able to pick from IdentityServer or any number of other OpenID Connect and OAuth 2.0 implementations.

Ostensibly, these changes will make it easier to create and ship "simple" auth systems that do things like use social logins - and I look forward to trying them out as they become available.