Last post Apr 28, 2020 01:57 AM by Sherry Chen
Apr 27, 2020 03:26 PM|kmcnet
Hello everyone and thanks for your help in advance. I am new to .Core and in the preliminary stages of migrating an intranet along with some external-facing API services. My first task is reading up on security and trying to make sure I have a grasp on how things work. First, is it generally best practice to separate any type of MVC web application from any API function? I have always done this in the past, but don't really see anything explicitly stating this other than that the MVC app would work on the Identity framework and the API would be secured by Identity Server 4. I have read the documents https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity?view=aspnetcore-3.1&tabs=visual-studio and https://auth0.com/blog/how-to-build-and-secure-web-apis-with-aspnet-core-3/ as well as the corresponding Microsoft doc, but wanted to make sure I understood the basic concepts. Any insight would be appreciated.
Apr 27, 2020 03:53 PM|mgebhard
Identity and Identity Server are two very different services with totally different purposes. Identity Server is a centralized OAuth/OIDC token server. Identity is an API for managing user accounts. Identity Server might use Identity to manage accounts.
Apr 28, 2020 01:57 AM|Sherry Chen
Hi kmcnet,
IdentityServer = token encryption and validation services via OAuth 2.0/OpenID Connect
Identity Framework = current Identity Management strategy in ASP.NET
Identity Framework uses a backing store like SQL Server to hold user information like username, password (hashed), email, and phone, and can easily be extended to hold FirstName, LastName or whatever else. So, there is really no reason to encrypt user information into a cookie and pass it back and forth from client to server. It supports notions like user claims, user tokens, user roles, and external logins.
For more details about the comparison between Identity Framework and Identity Server, you could refer to the below thread