Thinktecture Identity server vs Authorization server

3

14

I have been researching this topic for the last few weeks and unfortunately I can't figure it out. I understand the difference between authentication and authorization.

I will appreciate any guidance on the topic.

What I need in general is to implement single sign-on for several websites which are driven by APIs, which should also handle authentication. The users should be able to register/log in with username/pass or through any third-party service like Facebook, Google+, Twitter, etc.

In the scenario above what is the better approach? Should I use only identity server, or only authorization server or both?

Thank you in advance.

Haeckel answered 18/1, 2014 at 18:17 Comment(0)
18

Start with IdentityServer - this is your identity management system.

AuthorizationServer in addition is a full featured OAuth2 implementation that can use IdentityServer as a user store.

http://leastprivilege.com/2013/06/16/relationship-between-identityserver-and-authorizationserver/

Iatrogenic answered 20/1, 2014 at 8:13 Comment(5)
Given client, AS, IS, API (WebApiController/MVC5). The last 3 live on separate servers. When the client is authenticated and authorized, it sends a token to the API. Does the API check the token information again, or whether that token is valid against AS or IS or both? - Valor
AS uses signed, self-contained JWT tokens - you can verify the validity in the API without needing to contact the issuer again. - Iatrogenic
10x for the response. I am new to this and I am still confused. Is it possible for a client to build JWT tokens which pass validation on the API but fail against IS? Are there any samples in the Thinktecture repo showing how the API could validate a token? - Valor
In the AS repo, there is a samples folder. The flows sample shows token validation for web API and Nancy. - Iatrogenic
"When Identity Server 3 was launched, it deprecated AS: The Future of AuthorizationServer, because all the AS features are now included in IS." true? - Pelkey
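The local check discussed in the comments above, as an added example that is not part of the original thread or of the Thinktecture samples: an API validating a signed, self-contained JWT without calling the issuer, and rejecting tokens a client built itself. It assumes HS256 with a key shared between issuer and API (the thread does not say which signing algorithm AS uses); the function names, keys, issuer URL and audience are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))
def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue(claims, key, header=None):  # issuer side, only builds the constructed samples
    header = header or {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(b64e(json.dumps(p).encode()) for p in (header, claims))
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64e(mac)

def validate(token, key, issuer, audience, now=None):
    """API side: check the token locally; return its claims or raise ValueError."""
    head, body, sig = token.split(".")  # ValueError unless exactly three parts
    header = json.loads(b64d(head))
    # The algorithm is pinned by the API, never taken from the token (rejects alg=none).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64d(sig), expected):
        raise ValueError("bad signature")
    claims = json.loads(b64d(body))  # parsed only after the signature checks out
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

def verdict(token, key, now):
    try:
        validate(token, key, "https://as.example", "orders-api", now)
        return "accepted"
    except ValueError as err:
        return str(err)

# Constructed sample data: keys, issuer URL, audience and claims are made up.
AS_KEY, OTHER_KEY, NOW = b"k" * 32, b"x" * 32, 1_700_000_000
CLAIMS = {"iss": "https://as.example", "aud": "orders-api", "sub": "alice", "exp": NOW + 600}
GOOD = issue(CLAIMS, AS_KEY)
FORGED = issue(CLAIMS, OTHER_KEY)                  # signed with a key the API does not trust
UNSIGNED = issue(CLAIMS, b"", {"alg": "none"})     # header asks to skip verification
STALE = issue({**CLAIMS, "exp": NOW - 1}, AS_KEY)  # genuine but expired
for name in ("GOOD", "FORGED", "UNSIGNED", "STALE"):
    print(name, "->", verdict(globals()[name], AS_KEY, NOW))
```

With an asymmetric signing key the same checks apply, and the API then holds only the issuer's public key.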
2

Your scenario is more like authentication, which is confirming the identity of the user. Authorization, on the other hand, is whether a person or a role can execute some operation.

Labium answered 18/1, 2014 at 18:47 Comment(2)
The question says they already understand the difference between authentication and authorization. The question is about the difference between Thinktecture IdentityServer and Thinktecture AuthorizationServer. - Psychological
Does IS3 have the same GUI management as AS? Any examples of managing Web APIs with a GUI and database instead of in-memory Scopes and Clients? - Flowering
2

When Identity Server 3 was launched, it deprecated AS: The Future of AuthorizationServer, because all the AS features are now included in IS.

Sustentation answered 8/6, 2015 at 15:16 Comment(1)
@Iatrogenic is this true? - Pelkey
