Openiddict-core: ASP.Net Core version 2.2 shall have an OpenID Connect Authorization Server. Is it based on this library?

Created on 2 Sep 2018  路  9Comments  路  Source: openiddict/openiddict-core

https://github.com/aspnet/Announcements/issues/307
In the coming months there shall be a built-in Authorization Server provided with the upcoming ASP.Net Core version 2.2. Shall that implementation be based on this project?
Main question: for new projects should we start use ASP.Net Core (preview) 2.2 releases, or can we use this project now and easily port to the Authorization Server implementation of ASP.Net Core version 2.2?
What is best way forward for new ASP.Net projects that need OpenID Connect Authorization Server capabilities?

question

Most helpful comment

In the coming months there shall be a built-in Authorization Server provided with the upcoming ASP.Net Core version 2.2. Shall that implementation be based on this project?

That's a question you should ask to @DamianEdwards or someone from the ASP.NET team. Recent rumors seem to indicate that they may consider building something on top of IdentityServer4, but I have no idea whether it's true or false.

FWIW, this project is not exactly new since Vittorio Bertocci (who now works at Auth0) privately contacted me in July 2016 to chat about it as they were considering using OpenIddict as a base for this thing. One year later he informed me they preferred opting for a custom implementation instead of relying on a third-party OSS solution as it was "too strategic" from a business perspective. The source code of their prototype can be found here: https://github.com/aspnet/Identity/tree/master/src/Service (it hasn't been updated for ages).

Main question: for new projects should we start use ASP.Net Core (preview) 2.2 releases, or can we use this project now and easily port to the Authorization Server implementation of ASP.Net Core version 2.2?

Since this "authorization server" hasn't been released yet, it's hard to say whether the migration path will be easy or not nor whether they'll write documentation about it. @DamianEdwards can probably shed some light on this.

What is best way forward for new ASP.Net projects that need OpenID Connect Authorization Server capabilities?

Let me be extremely clear about that: OpenIddict's RTM bits are being tested at this moment (by both private and enterprisey customers) and will be released soon. I don't have any plan to abandon it, even if Microsoft decides to release its own thing and even if it's based on IdentityServer4. OpenIddict is here to stay and I'll continue to support both the 1.0 and 2.0 versions and develop future versions. Future improvements will most likely include NHibernate (already written), RavenDB and possibly ElasticSearch and linq2db stores (we already officially support EF Core, EF 6.x and MongoDB).

Why? Because I use it massively for my professional needs, as a consultant. Thanks to the new advanced events model introduced in RC3, I even stopped to create custom implementations based on ASOS (the underlying OpenID Connect server) and I'm now using OpenIddict in all the projects I work on (at least, the ones that don't exclusively rely on cloud solutions like Auth0, Okta or Azure AD).

Whether you'll want to go with MSFT's thingy, IdentityServer4 or OpenIddict will be up to you, most likely based on your experience and the feeling you have with each library. If you go with OpenIddict, I'll support you (if you need professional support for it, feel free to email me).

FWIW, OpenIddict is what powers OrchardCore's OpenID module, where we're aiming at developing a low-friction, multitenant-compatible, "almost-zero-configuration" free OSS OAuth2/OpenID Connect server coming with a management UI that allows you to configure the client/server/validation settings and register applications/scopes fairly easily...

... pretty much what the ASP.NET folks are trying to replicate with their own thing. I wish they decided to support the effort, specially since OrchardCore is developed by one of their awesome employees, @sebastienros. But hem, I guess I'm just dreaming.

All 9 comments

The announcement says that the built-in OpenID Connect Authorization Server will support only first-party client applications:

As we are concentrating on first party applications..., we鈥檙e not aiming to replace the excellent third-party solutions out there...

Is your new project going to be supporting only first-party applications?


I'll leave it to @PinpointTownes to speak about porting from OpenIddict.

@PinpointTownes idea?

In the coming months there shall be a built-in Authorization Server provided with the upcoming ASP.Net Core version 2.2. Shall that implementation be based on this project?

That's a question you should ask to @DamianEdwards or someone from the ASP.NET team. Recent rumors seem to indicate that they may consider building something on top of IdentityServer4, but I have no idea whether it's true or false.

FWIW, this project is not exactly new since Vittorio Bertocci (who now works at Auth0) privately contacted me in July 2016 to chat about it as they were considering using OpenIddict as a base for this thing. One year later he informed me they preferred opting for a custom implementation instead of relying on a third-party OSS solution as it was "too strategic" from a business perspective. The source code of their prototype can be found here: https://github.com/aspnet/Identity/tree/master/src/Service (it hasn't been updated for ages).

Main question: for new projects should we start use ASP.Net Core (preview) 2.2 releases, or can we use this project now and easily port to the Authorization Server implementation of ASP.Net Core version 2.2?

Since this "authorization server" hasn't been released yet, it's hard to say whether the migration path will be easy or not nor whether they'll write documentation about it. @DamianEdwards can probably shed some light on this.

What is best way forward for new ASP.Net projects that need OpenID Connect Authorization Server capabilities?

Let me be extremely clear about that: OpenIddict's RTM bits are being tested at this moment (by both private and enterprisey customers) and will be released soon. I don't have any plan to abandon it, even if Microsoft decides to release its own thing and even if it's based on IdentityServer4. OpenIddict is here to stay and I'll continue to support both the 1.0 and 2.0 versions and develop future versions. Future improvements will most likely include NHibernate (already written), RavenDB and possibly ElasticSearch and linq2db stores (we already officially support EF Core, EF 6.x and MongoDB).

Why? Because I use it massively for my professional needs, as a consultant. Thanks to the new advanced events model introduced in RC3, I even stopped to create custom implementations based on ASOS (the underlying OpenID Connect server) and I'm now using OpenIddict in all the projects I work on (at least, the ones that don't exclusively rely on cloud solutions like Auth0, Okta or Azure AD).

Whether you'll want to go with MSFT's thingy, IdentityServer4 or OpenIddict will be up to you, most likely based on your experience and the feeling you have with each library. If you go with OpenIddict, I'll support you (if you need professional support for it, feel free to email me).

FWIW, OpenIddict is what powers OrchardCore's OpenID module, where we're aiming at developing a low-friction, multitenant-compatible, "almost-zero-configuration" free OSS OAuth2/OpenID Connect server coming with a management UI that allows you to configure the client/server/validation settings and register applications/scopes fairly easily...

... pretty much what the ASP.NET folks are trying to replicate with their own thing. I wish they decided to support the effort, specially since OrchardCore is developed by one of their awesome employees, @sebastienros. But hem, I guess I'm just dreaming.

"I don't have any plan to abandon it, even if Microsoft decides to release its own thing and even if it's based on IdentityServer4."

If you die @PinpointTownes ? :(
Can I be your pupil?

If you die @PinpointTownes ? :(

This will be a disappointing answer... but dying is not the first item on my todo list, sorry :sweat_smile:

On a more serious note, 5 other people have write access to this repository (incl. @shaunluttin). If anything bad happens to me, they'll be able to keep working on it (assuming they want to). And since the source code is public, nothing prevents you from forking it and maintaining it yourself at any time.

What is the status for a RavenDb store? Thanks.

The demand was unfortunately too low, so it didn't materialize. Feel free to open a new thread to discuss that if you want to.

The demand was unfortunately too low, so it didn't materialize. Feel free to open a new thread to discuss that if you want to.

Thanks. Done.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

kevinchalet picture kevinchalet  路  20Comments

aporquez picture aporquez  路  12Comments

robertcck picture robertcck  路  39Comments

xperiandri picture xperiandri  路  24Comments

ghost picture ghost  路  17Comments