Over a million developers have joined DZone.

IdentityServer4 With .NET Core, Part I

DZone 's Guide to

IdentityServer4 With .NET Core, Part I

Looking for a new way to easily add security mechanisms to your web applications and APIs? Read on to get an overview of this great platform.

· Security Zone ·
Free Resource


Since I explored and wrote about Authentication in .NET Core using Identity here, many people have asked me to explore and write on IdentityServer4.

So I am starting a series of posts in which I will mainly concentrate on IdentityServer4

In this first post, we will look at some of the basics of IdentityServer4.

Nowadays, securing your application with username and password is not just enough. The number of cyberattacks is increasing day by day and to secure your application/APIs – you need a solid authentication and authorization system.


As you can see in above picture, Modern applications are not just simple Server-Client applications but are more like – Web Application calls -> Web APIClient Apps calls -> Web APINative apps call -> Web APIWeb API calls -> Web API, etc. In this complex structure, we need a token-based security.

Along with having a solid authentication and authorization system, we also need to have a centralized Auth logic for all our applications/APIs.

To achieve this, it would take a lot of time and effort to build this authentication and authorization system. But we can just use a ready-made framework to take care of our authentication and authorization needs. That framework is called IdentityServer4.

What Is IdentityServer4?

  • IdentityServer4 is the newest version of the IdentityServer.
  • IdentityServer4 is an open source OpenID Connect and OAuth 2.0 framework for ASP.NET Core
  • IdentityServer4 acts as a central authentication server for multiple applications.
  • It is a hostable component that allows implementing single sign-on and access control for modern web applications and APIs using protocols like OpenID Connect and OAuth2.
  • IdentityServer4 is part of the .NET foundation.

So in Simple Words:

  • If we want to implement the OpenId standard then we need to implement all the rules of the standard but building that is quite hard and time-consuming
  • So what if we have a component or a framework which implements all that code for us and we can just plug it in our application? – Cue IdentityServer4.
  • IdentityServer4 is a piece of software that issues security tokens to the clients
  • IdentityServer4 is responsible for creating a complete authentication service, with single session input and output for various types of applications, such as mobile, web, native or even other services.
  • With the use of IdentityServer4, we just need to create a login and logout page (and maybe consent), and everything else can be done by the IdentityServer4 middleware. Thus, client applications can communicate with it using standard protocols.
  • IdentityServer4 can be used for securing web APIs as well.



As you can see in the above picture:

  • Users are humans that need to access the resources of the application, APIs, etc.
  • The client is a piece of code which internally calls IdentityServer4.
  • The client requests the token from IdentityServer4 either to authenticate the user, i.e. the Identity tokens, or to gain the access to the resources, i.e. the Access tokens.
  • The identity tokens contain all the identity data of the user and is used for user authentication.
  • The access token contains information about the client and user and uses this information to access the APIs.
  • Resources are all the important data that are protectable – like user details, passwords, Fingerprints, Voice phrases of the user, APIs, etc.
  • IdentityServer4 is our hero here – IdentityServer4 is used to issue the security tokens to clients.

Some of the Features of IdentityServer:

  • Authentication as a service – Centralized logic for login protocols for all your applications/APIs, etc.
  • It can be used to protect your resources.
  • It is an Open Source Identity Provider.
  • Authentication of the users and/or clients.
  • Single Sign-On.
  • Can be used to secure APIs.
  • Provides session management.
  • Used to issue identity and access tokens to clients.
  • Used to validate tokens.
  • A gateway to third-party identity providers like FacebookGoogle, etc.

Last but not the least, special thanks to Dominick Baier and Brock Allen for creating such an awesome IdentityServer framework!

In the next post, we will look at how to create an IdentityServer4 server (Update – Part II is available here).

Hope it helps.

security ,authentication ,authorization ,web application security ,api security

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}