Token-Based Security: 3 Possible Alternatives To IdentityServer

At least in the .NET space, IdentityServer is a prominent candidate for implementing token-based security in your .NET and ASP.NET applications, server-side or SPAs. After the license change of the popular open-source library, many are wondering if there are any viable alternatives. If you are an existing IdentityServer user, you may want to check out their license model and see if it would be feasible for you to buy a license and just continue with it. Switching the token server to a different solution may not be that easy and cheap.

While there are standards like OAuth2 and OpenID Connect, the standards leave a lot of room for interpretation and freedom to the implementor. So every token server implementation is somewhat biased to how they work and what their focus is. While they are technically using the same protocol, there are major differences in the structure of the token, what type of tokens you can get, etc.

And as biased as the implementations are, so is this article. It is far from a complete list of alternatives; it covers alternatives that are either a good fit for .NET developers or offer a good ready-to-run product for certain scenarios.

Library or Product

In the identity space, we have a lot of different offerings. They range from libraries where you have to add and implement a lot of functionality by yourself to fully managed products where even the hosting is done for you.

While libraries usually give you the most flexibility, the cost of implementation is higher than with products or SaaS offerings. Besides the client integration, you also need to build the server and integrate it into your codebase. On the other hand, products and SaaS offerings are mostly ready to run, and you are able to integrate them very quickly, which gives you a short "time to first token". This can give you a boost in development since you don't need to spend a lot of time implementing your token server. But with products, and especially SaaS offerings, you have less flexibility, and you have to rely on the extension points given by the product.

The following paragraphs discuss my current view on three candidates from the identity space which can be a viable alternative to IdentityServer:

  • OpenIddict
  • Keycloak
  • Azure AAD B2C

OpenIddict

OpenIddict is an open-source .NET library that helps you implement a security token service (STS). Therefore, it is the most "comparable" alternative to IdentityServer. Both are not ready-to-run products, but libraries for developers to use. OpenIddict can not only be used in ASP.NET Core applications but also in classic .NET Framework applications.

Similar to IdentityServer, OpenIddict focuses on client authentication and token issuing and does not handle user authentication; you must implement that yourself, independently of the library. Both expect that you are authenticating and signing in the user. This gives you the flexibility to use whatever user store you have or prefer. It also lets you implement complex custom login flows.

Compared to IdentityServer, OpenIddict is even more "bare metal" and has even less functionality out of the box. For example, IdentityServer gives you the client credentials flow out of the box with just configuration needed. In OpenIddict, you also need to provide additional code for the token endpoint in order to have a working client credentials flow.

This is a tabular overview of OpenIddict based on some of the typical questions and requirements we see in customer projects:

Type: Library
License: Apache 2
Language: C# / .NET
Protocols: OAuth, OpenID Connect
Flows & Grant Types: All + custom grant types
Database Backend: Entity Framework Core only
Extensibility: .NET
Multi-Tenancy: Needs to be implemented by yourself
Multi-factor authentication: n/a
Admin UI: No, but there is a module for Orchard
Admin REST API: n/a
User Self-Service portal: n/a
Custom Themes: n/a
Pricing: No upfront or licensing costs
Support: Only via GitHub issues

Keycloak

Keycloak is an open-source Java-based identity and access management (IAM) solution. In contrast to IdentityServer and OpenIddict, it is a ready-to-run product that you can spin up in a couple of minutes using Docker. Since Keycloak is an IAM solution, it also handles the authentication of users and lets the administrator control which applications and APIs a user can use and access. In addition, applications can off-load their authorization to Keycloak, allowing administrators to configure permissions for users in applications and on resources. Besides providing an admin UI, Keycloak also comes with an admin REST API enabling developers to create custom UIs and automate workflows.

Keycloak lets you integrate upstream identity providers like social logins and generic OpenID Connect (OIDC) and SAML-based identity providers. It also integrates with LDAP and Kerberos and can therefore be used to "modernize" legacy environments.

Since Keycloak is a product, it lacks some of the flexibility you have with a library. While there are some extension points available (using Java and JavaScript), not everything can be fully customized. For example, custom grant types are not supported today, and login flows more complex than the configurable flows Keycloak provides are not possible.

Here is my overview for Keycloak:

Type: Product
License: Apache 2
Language: Java
Protocols: OAuth, OpenID Connect, SAML, User-Managed Access (UMA) for authorization
Flows & Grant Types: Does not support Device Authorization and custom grant types. Has support for Token Exchange
Database Backend: Embedded, Oracle, Microsoft SQL Server, MySQL, PostgreSQL
Extensibility: Java; some parts can be extended with JavaScript
Multi-Tenancy: Needs to be implemented by structuring your Keycloak installation, e.g. using realms or groups
Multi-factor authentication: All apps that support TOTP (e.g. Google Authenticator, Microsoft Authenticator, DUO Authenticator, etc.); WebAuthn
Admin UI: Yes
Admin REST API: Yes
User Self-Service portal: Yes
Custom Themes: Yes
Pricing: No upfront or licensing costs
Support: Paid product Red Hat Single Sign-On available; community support via mailing list or forum

Azure Active Directory (AAD) B2C

Azure Active Directory B2C is Microsoft's Software-as-a-Service (SaaS) identity and access management offering for customer-facing apps. Since it is a SaaS offering, it is somewhat comparable to Keycloak. The major difference to Keycloak is that Azure B2C runs only in the Azure cloud, and there is no on-premises offering. Azure B2C authenticates users and clients and comes with a minimal authorization part based on roles. Azure B2C lacks fine-grained authorization on a resource level as is possible with Keycloak.

Again, being a SaaS offering, it has minimal extension points. Azure B2C allows the usage of WebHooks to customize the registration and login flow. Besides WebHooks, login and registration flows can be configured by the administrator. Upstream identity providers like social logins and generic OpenID-Connect-based identity providers can be integrated, too.

With the Microsoft Graph API, developers can create custom admin UIs or automation workflows. It also allows writing custom code to import and export users.

The pricing is based on monthly active users. The first 50,000 monthly active users are free. After that, you pay for every monthly active user. A user counts as "monthly active" as soon as they authenticate with your Azure AD B2C tenant.

Type: SaaS Product
License: n/a
Language: n/a
Protocols: OAuth, OpenID Connect, SAML
Flows & Grant Types: Does not support Resource Owner Flow, Device Authorization and custom grant types
Database Backend: n/a
Extensibility: Very limited, with WebHooks
Multi-Tenancy: Yes
Multi-factor authentication: All apps that support TOTP (e.g. Google Authenticator, Microsoft Authenticator, DUO Authenticator, etc.); WebAuthn; SMS; phone call
Admin UI: Yes
Admin REST API: Yes
User Self-Service portal: Yes
Custom Themes: Very limited
Pricing: Pay per user, with the first 50,000 monthly active users free
Support: Yes, via support ticket in the Azure Portal

Summary

In this article, I have shown you three possible alternatives to IdentityServer. As already said, there are more alternatives on the market. But before switching to a different product or library, you should have a closer look at each of them and create prototypes to see if they fulfill your requirements. All products have their differences, and you should check which solution fits your needs best. As always: the devil is in the detail, and some differences will only become apparent once you start integrating the solution.
