Nearly every application needs either identity management or authorization. Aggravating adds that with the popularity of the internet, also the attacks on identity management have increased drastically. Therefore, an application developer should consider the security of such sensitive data with the start of the development process.

The user plays a vital role, too. With every new unique account, needed to buy online goods, streaming episodes, or paying bills, it is more likely that a user chooses weak passwords. Besides, the likelihood that one stolen password give introducers access to many accounts is high.

OpenID is an approach to solve these problems by providing specifications on how developers can handle these complicated and very security-relevant topics. Moreover, many popular web services like Facebook, Microsoft, or Twitter, to name only a few, implemented those specifications in a way, that other applications can use their authentication infrastructure. This approach eliminates the need to save sensitive data, such as passwords.


This post uses OpenID and OAuth2 interchangeable, which is technically not correct. Another post focuses on similarities and differences.

This series focuses on a widely used .NET Core implementation of many OpenID specification, called IdentityServer. The OpenId foundation has certified this project. Identiyserver has excellent documentation and a lot of examples plus productivity tools, such as project templates. The IdentityServer project team offers quick stater guides, which are a solid choice to get a technology overview.

This tutorial focus not an IdentityServer as an isolated technology. Instead, IdentityServer is embedded in an example application, and the interaction with surrounding technologies like .NET Core Identity is explained in detail. Furthermore, the tutorial provides unit tests and if applicable integration tests.

The sample project is a small smart home hub. The focus of this series is authentication and authorization, so the sensor and actors are virtualized. The next post gives an introduction to the application.

This series is still in development, so the following table of content may change over time

  • Introducing the Smart Home Control Centre
  • Adding Authentication
    •  Getting started with IdentityServer
    • See in detail how IdentityServer (and other) handle the OpenId specification
  • Adding Authorisation
    • How Authorisation is handled using IdentityServer
    • Handling authorization internal but still use IdentityServer for authentication
  • About User Accounts
    • Storing own Accounts with ASP.NET Core Identity
    • Using a Radius for authentication as an example of the integration of different authentication provider
    • Using other OpenId/OAuth providers for authentication like Google
  • Handling API request
    • How to use IdentityServer if you have a service-to-service communication
    • Using a ‘light’ Javascript client to access protected API resources
    • More advanced features like silent refresh in a SPA (Angular)
  • Authentication using the hybrid flow
    • How to use Identity Server and Xamarin.Forms to add authentication in a cross-platform way
  • Using persistence storage for IdentityServer assets like clients
0 CommentsClose Comments

Leave a comment