What kind of authorization framework/library should we use?

Codidact requires some sort of standardized authorization framework that has all the security quirks already written in.

The main goal of this framework/library would be to authorize the user with our system.

Here are the options as far as I know:

IdentityServer4 & Identity ASP.NET Core

http://docs.identityserver.io/en/latest/intro/big_picture.html
https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity?view=aspnetcore-3.1&tabs=visual-studio
ASP.NET Core Identity:

  • Is an API that supports user interface (UI) login functionality.
  • Manages users, passwords, profile data, roles, claims, tokens, email confirmation, and more.

IdentityServer4 is an OpenID Connect and OAuth 2.0 framework for ASP.NET Core 3.0. IdentityServer4 enables the following security features:

  • Authentication as a Service (AaaS)
  • Single sign-on/off (SSO) over multiple application types
  • Access control for APIs
  • Federation Gateway

Only Identity ASP.NET Core

Same as above only without the IdentityServer but using only Identity. Will only be running on the same server as the main server.

Only IdentityServer

Implement the tables for the users/roles/etc on our own instead of letting ASP.Identity deal with that. Manage the users on our own. Use IdentityServer for SSO and OAuth2/OpenID

Casbin.NET

https://github.com/casbin/Casbin.NET
Used this in golang, so might include it as an option.

  • Doesn’t deal with authentication at all. No user tables
  • no direct EF integration (this is both an advantage and a disadvantage)
  • Cool role management system

No Library/Framework

Simply implement an OAuth2 server on the project. Create your own tokens and workflow.

Please, add more suggestions and I’ll edit the post.
Thanks

8 Likes

Note that you don’t have to use the default system with Identity ASP.NET Core. It exposes a set of interfaces so you can write your own connections to the DB and stuff. So if you wanted to use a Mongo DB with BCrypt for password hashing, you could. See my project here for a rough example (in F#). Check the Identity folder, the Startup.cs file, and the Controllers/AuthenticationController.cs file. Note that I’m also NOT a security expert, so this may well have some flaws in the specific implementation–this isn’t running in production anywhere, though, so…

3 Likes
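Added example, not code from the post above or from the linked project: the swap the post describes, replacing Identity's default password hasher through its public interface so bcrypt is used instead of PBKDF2. `ApplicationUser`, the BCrypt.Net-Next package and the work factor of 12 are assumptions.

```csharp
using System.Globalization;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical user type; in a real project this is your IdentityUser subclass.
public class ApplicationUser : IdentityUser { }

// Replaces Identity's default PBKDF2 hasher with bcrypt (BCrypt.Net-Next package).
// Identity never inspects the hash format; it only calls these two methods.
public class BCryptPasswordHasher<TUser> : IPasswordHasher<TUser> where TUser : class
{
    // Assumed cost; raise it over time as hardware gets faster.
    private const int WorkFactor = 12;

    public string HashPassword(TUser user, string password)
        => BCrypt.Net.BCrypt.HashPassword(password, WorkFactor);

    public PasswordVerificationResult VerifyHashedPassword(
        TUser user, string hashedPassword, string providedPassword)
    {
        if (string.IsNullOrEmpty(hashedPassword) ||
            !BCrypt.Net.BCrypt.Verify(providedPassword, hashedPassword))
            return PasswordVerificationResult.Failed;

        // Reporting SuccessRehashNeeded makes Identity re-hash on the next login,
        // so stored hashes migrate automatically when WorkFactor is raised.
        return ParseCost(hashedPassword) < WorkFactor
            ? PasswordVerificationResult.SuccessRehashNeeded
            : PasswordVerificationResult.Success;
    }

    // Reads the cost from a bcrypt string of the form "$2a$12$<salt+hash>".
    private static int ParseCost(string hash)
    {
        var parts = hash.Split('$');
        return parts.Length > 2 && int.TryParse(parts[2], NumberStyles.None,
            CultureInfo.InvariantCulture, out var cost) ? cost : 0;
    }
}

public static class IdentityRegistration
{
    // Call from Startup.ConfigureServices; the user store (EF, Mongo, ...) is registered separately.
    public static void AddIdentityWithBCrypt(this IServiceCollection services)
    {
        services.AddIdentityCore<ApplicationUser>();
        // Registered after AddIdentityCore so this scoped service overrides the default hasher.
        services.AddScoped<IPasswordHasher<ApplicationUser>, BCryptPasswordHasher<ApplicationUser>>();
    }
}
```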

I know this is an option since Core but we don’t have anything special here. Also Mongo has its own Identity library so even that is not needed.

(I am literally replying to bump this thread up :joy: :joy: :joy: I am sorry)

1 Like

Cool. I didn’t realize there was an Identity library for Mongo! I do recommend sticking with the default implementation. I do like using the Identity system, though, since it ties in so well with the rest of the ASP.NET stuff.

Core Identity sounds like what we need. We should be managing our own user database rather than relying solely on external auth (i.e. Google, Facebook etc); that said, we should also not be writing the code to do it. I don’t doubt we have people here with the knowledge to do it, but in matters of security we should use the tried and tested.

8 Likes

Since there aren’t many opinions and we are all in general agreement that we should use IdentityServer/Identity.NET, please close. I’ll make an issue.

Consensus built: we’ll use IdentityServer/Identity.NET.