Identity Server

Entry last updated on: 24.05.2021

Identity Server is a .NET-based authentication server that implements OpenID Connect (OIDC) and OAuth 2.0 and serves as middleware for token-based web services.

Development
v1: Earlier name: StarterSTS (based on Windows Identity Foundation, with WS-Federation and WS-Trust), UI built with ASP.NET Web Forms
v2: Identity Server 2 with an MVC UI
v3: Identity Server 3 with ASP.NET & Katana, without WS-*, offering OpenID Connect (OIDC) and OAuth 2.0 instead
v4: Identity Server 4 based on ASP.NET Core
v5: Duende Identity Server 5

Duende Identity Server 5 is free of charge only for use in open source projects and by smaller companies (< 1 million US dollars in revenue). For other projects, the company Duende Software sells licenses. Prices start at 1,500 US dollars per year for three client applications and go up to 12,000 US dollars per year for an enterprise license covering an unlimited number of client applications.

Since .NET Core 4.0, Microsoft has integrated Identity Server 4 (JWT tokens) into ASP.NET Core & Blazor: NuGet package Microsoft.AspNetCore.ApiAuthorization.IdentityServer
Despite the licensing change, Microsoft intends to proceed as before in .NET 6.
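The following is an added example, not code from the page or from Microsoft's templates, showing how that NuGet package wires Identity Server 4 into an ASP.NET Core app as a JWT issuer and validator. The type names ApplicationUser and ApplicationDbContext, the client name "MyApp" and the connection string name are assumptions.

```csharp
// Added example: IdentityServer 4 via Microsoft.AspNetCore.ApiAuthorization.IdentityServer.
// ApplicationUser, ApplicationDbContext, "MyApp" and "DefaultConnection" are assumed names.
using IdentityServer4.EntityFramework.Options;
using Microsoft.AspNetCore.ApiAuthorization.IdentityServer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

public class ApplicationUser : IdentityUser { }

// ApiAuthorizationDbContext adds the IdentityServer operational tables (grants, keys).
public class ApplicationDbContext : ApiAuthorizationDbContext<ApplicationUser>
{
    public ApplicationDbContext(DbContextOptions options,
        IOptions<OperationalStoreOptions> storeOptions) : base(options, storeOptions) { }
}

public class Startup
{
    private readonly IConfiguration _config;
    public Startup(IConfiguration config) => _config = config;

    // Expected appsettings.json section (constructed sample):
    //   "IdentityServer": {
    //     "Clients": { "MyApp": { "Profile": "IdentityServerSPA" } },
    //     "Key": { "Type": "Development" }   // temp signing key; use a real certificate
    //   }                                     // ("Type": "Store") outside development
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDbContext<ApplicationDbContext>(o =>
            o.UseSqlite(_config.GetConnectionString("DefaultConnection")));
        services.AddDefaultIdentity<ApplicationUser>()
            .AddEntityFrameworkStores<ApplicationDbContext>();
        // IdentityServer issues JWTs; clients/resources come from the config section above.
        services.AddIdentityServer()
            .AddApiAuthorization<ApplicationUser, ApplicationDbContext>();
        // The app's own API endpoints validate those JWTs against this IdentityServer.
        services.AddAuthentication().AddIdentityServerJwt();
        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseHttpsRedirection();
        app.UseRouting();
        app.UseAuthentication();      // must run before UseIdentityServer/UseAuthorization
        app.UseIdentityServer();      // exposes the OIDC/OAuth 2.0 endpoints (/connect/...)
        app.UseAuthorization();
        app.UseEndpoints(e => e.MapControllers());
    }
}
```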

History of Identity Server

Source: https://leastprivilege.com/2020/10/01/the-future-of-identityserver/

"The very first version of IdentityServer, which was called StarterSTS, was a collection of 7 aspx files with embedded code-behind. At the time, the project was considered a “WebSite Project” (Remember those?) and was hosted on CodePlex. Though StarterSTS was very simple, thanks to WIF, it was a pretty decent starting point for implementing WS-Federation and WS-Trust.

StarterSTS was the outcome of reimplementing token service solutions for a handful of customers and subsequently noticing a pattern in boilerplate and customer-specific usage. This was around 2009.

A lot has happened since then. I began working with Brock, whom I knew from teaching for DevelopMentor, and together we created IdentityServer1 and IdentityServer2. Both were ready-to-use web applications built with WebForms and then later MVC. Through it all, our basic idea never changed: give people a starting point for building a security token service. At one point, we attempted to make certain things configurable from the UI, but we quickly realized that IdentityServer’s real value was its customizability. Driving everything from a configuration UI just didn’t work.

Enter IdentityServer3. This is when we made the decision to become a framework. We realized that C# was the ultimate configuration DSL. At the same time, ASP.NET had become more modular (with Katana) and IdentityServer became a middleware/engine for implementing OpenID Connect and OAuth 2-based token services. We dumped WS-* and focused on modern identity and access control. This turned out to be a great decision.

At this point, it was apparent to us that OpenID Connect and OAuth were becoming the standard for building SSO and API access. It was also clear that none of the off-the-shelf products or SaaS solutions were flexible enough to fulfill many of our customers’ needs. This is still the case.

IdentityServer4 was a logical progression. Brock and I became better as a team, ASP.NET became better with ASP.NET Core, and IdentityServer became more useful and popular.

Today IdentityServer4 is used by thousands of companies and has achieved over 12 million total downloads on Nuget, and has become the de facto standard for .NET-based token services. In addition, it is used as the token plumbing for Microsoft’s Angular, React and Blazor templates for ASP.NET Core."