Dec 17, 2014 11:02 PM | ASPDev200
I am here for a few suggestions from experts on Identity Management and Security Architecture of Web and Mobile applications. We are revamping the systems within our organization and planning to build a solid security architecture to support all the systems.
We are planning to do the following:
1. Multiple websites will be built to serve different kinds of users (say, customers and members). The websites will be built using ASP.NET MVC.
2. One or more Mobile Apps will be developed to serve the different user groups.
3. An Identity Management Server would authenticate the users and serve requests like forgot password.
4. A common Web API Layer (REST) will support all the websites and mobile apps. The API endpoints will be secured and only available to authenticated users who are authorized (some API methods can only be accessed by authorised users and roles).
5. API Layer will encapsulate the core business (Dynamics CRM, AX etc.) under it.
Now the questions:
1. Has anyone built systems similar to this? What kind of security solution (authentication / authorization) did you use?
2. What is the best protocol to support an identity management solution for apps and websites (all public and available over the internet)? OAuth2 or SAML? SSO (single sign on) is not a rigid requirement in our case. Although some users might be in multiple
3. Has anyone used thinktecture (http://thinktecture.github.io/) in their project? How easy (and secure) is it to implement? Would you recommend using it?
Finally, I would love to hear about architectures you have used in your projects. Pointers to any good articles are also welcome.
Dec 18, 2014 08:31 AM | BrockAllen
OAuth2 is the de facto standard approach for API security these days. To do it well, you should read the OAuth2 (and OpenID Connect) specs.
Also, I work on IdentityServer. I'd suggest reading the wiki on it:
If you have additional questions about it, feel free to post them to the github issue tracker.
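To make the resource-server side of the OAuth2 picture from the reply concrete, here is an added example (not code from either poster, and not IdentityServer's own code) of what the common Web API layer from point 4 of the question does with each request: it checks for a bearer token, validates the token's signature, issuer, audience and expiry, and then enforces the per-endpoint role requirements. Everything here is an assumption for illustration: the issuer URL, the audience name, the endpoint-to-role table and the shared HS256 secret are constructed; a real IdentityServer deployment issues RS256-signed tokens that the API validates against the issuer's published public key instead of a shared secret, but the validation steps are the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example; a real deployment would use the identity
# server's actual issuer URL, the API's registered audience, and RS256 keys.
SECRET = b"demo-shared-secret-not-for-production"
ISSUER = "https://idsrv.example.test"   # hypothetical identity server
AUDIENCE = "core-api"                    # hypothetical API resource name

# Hypothetical endpoint -> allowed roles table for the common API layer.
ENDPOINT_ROLES = {
    "GET /api/orders": {"customer", "member", "staff"},
    "POST /api/refunds": {"staff"},
}


class AuthError(Exception):
    """Raised when a bearer token fails any validation step."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, roles, lifetime: int = 3600, now=None) -> str:
    """Stand-in for the identity server: mint an HS256 JWT access token."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
              "role": list(roles), "iat": now, "exp": now + lifetime}
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    signature = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


def validate_token(token: str, now=None) -> dict:
    """Resource-server validation: structure, alg, signature, issuer, audience, expiry."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    h64, p64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
        signature = _b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        raise AuthError("undecodable token")
    # Pin the expected algorithm; never trust the token to choose it ('none', alg confusion).
    if header.get("alg") != "HS256":
        raise AuthError("unexpected alg")
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise AuthError("bad signature")
    claims = json.loads(_b64url_decode(p64))   # safe to parse only after the signature check
    if claims.get("iss") != ISSUER:
        raise AuthError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise AuthError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise AuthError("expired")
    return claims


def authorize_request(method: str, path: str, authorization_header, now=None):
    """Gate one API call. Returns (HTTP status, message): 401 unauthenticated, 403 wrong role."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, "missing bearer token"
    try:
        claims = validate_token(authorization_header[len("Bearer "):], now=now)
    except AuthError as err:
        return 401, str(err)
    allowed = ENDPOINT_ROLES.get(f"{method} {path}")
    if allowed is None:
        return 404, "unknown endpoint"
    roles = claims.get("role", [])
    if isinstance(roles, str):        # a single role may arrive as a plain string
        roles = [roles]
    if not set(roles) & allowed:
        return 403, "role not permitted"
    return 200, f"ok for {claims['sub']}"


if __name__ == "__main__":
    token = issue_token("alice", ["customer"])
    print(authorize_request("GET", "/api/orders", "Bearer " + token))
    print(authorize_request("POST", "/api/refunds", "Bearer " + token))
```

The order of checks matters: the signature is verified before any claim in the payload is read, so a client that rewrites its own role claim is rejected as unauthenticated rather than evaluated for authorization, and the algorithm is fixed by the API rather than taken from the token header.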