0

Hi, I am building a centralized authentication structure for all our applications in our intranet.

I have tried using a JWT Web API.

I have tried Identity Server 4 OpenConnect.

And now I found out about Cookie Sharing from the Microsoft docs:

https://learn.microsoft.com/en-us/aspnet/core/security/cookie-sharing?view=aspnetcore-2.2

I can't decide, even after reading so many articles already, which one I should implement.

The cookie sharing sounds very simple to do; I downloaded the sample and it worked right out of the box.

The Identity Server 4 samples all have some problem that I can't run. Some functions like log out won't work or only work on one end.

The JWT Web API wasn't very hard to implement but still requires tinkering a bit to get claims from the token and then implement token refresh.

I just found out about cookie sharing, but I'm still open to more alternatives or the pros and cons of each of these.

I also heard about OWIN but still don't understand exactly what it is.

2
  • 1
    All of these technologies can be made to work, regardless of any issues you've had in trialling them. And they all have slightly different advantages and disadvantages in different circumstances. Read about those, and then evaluate them against your business criteria (one of which might, of course, be cost/ease of implementation) and then decide what is the best option for your scenario (i.e. do a product evaluation). We don't know nearly enough about your situation to make that decision for you. Security is not to be messed with though... if you can't get a solution, hire an expert. Commented Mar 27, 2019 at 0:30
  • 1
    I resolved this problem by implementing JWT. github.com/aloji/JwtSecurity Commented Apr 26, 2019 at 5:26

1 Answer 1

3

AFAIK

Cookie Sharing

If all of your applications are on the intranet and are all made using the dot net stack, it makes sense to take advantage of cookie sharing. I previously had success implementing SSO using this strategy, where the main login would be an old web forms application and it would authorise a dotnet core app.

Pros: You are using the Microsoft stack, easy to set up.

Cons: You are locked to using the Microsoft stack. Falls over if you want to use it with native/js applications.

IdentityServer4

Having experimented quite a bit with this library, this is an abstraction of the OAuth2 and OpenIdConnect protocols, essentially authentication and authorisation using jwt tokens. IdentityServer4 allows you to specify your authority (AS => Authentication Server), which handles authenticating clients (your other applications, be it .net, js or native). The token that the AS gives the clients is then used to determine if the client has access to an API. You get to specify which clients can access which APIs and how much of it they can access based on Claims. It is possible to convert Active Directory groups into claims and authorise by that level.

Pros: Really good abstraction; they simplify a big part of the process. You can secure any type of client (js/native/.net).

Cons: You still have to learn the OAuth2 & OpenIdConnect specs, which can take quite some time. You'll probably end up writing quite a bit of configuration depending on how big the network of apps that you are trying to secure is.

JWT Middleware

This just allows the API to authorize tokens against an authority, and it doesn't really provide the "centralized authentication structure"; you will have to handle a lot of the flow setup yourself. Generally just a watered-down version of IS4.

Pros: Fast and simple way to secure an API to an already existing Authority.

Cons: Doesn't allow you to create an Authentication Server.

Summary

I'd say go with Cookie Sharing if you don't plan on securing native apps or js apps.

If you are setting up token-based authentication, read below.

Go with IdentityServer4 for a long-term, flexible solution and if you have time to learn how to use it and set it up.

If you have an authority and don't mind doing a bit of setup, go with JWT Middleware; this will be a bit more flexible than Cookie Sharing.
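
As an added illustration that is not part of the answer above or of any project it mentions: an ASP.NET Core 2.2 `Startup` for an API that validates JWTs against an existing authority and authorises by claim, as the IdentityServer4 and JWT Middleware sections describe. The authority URL, the audience `orders-api`, the policy name and the `group` claim are assumed placeholder values.

```csharp
// Added example. Assumed placeholders: authority URL, "orders-api" audience,
// "FinanceOnly" policy, and a "group" claim issued by the authority
// (for instance mapped from an Active Directory group).
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Signing keys come from the authority's discovery document,
                // so the API stores no signing secret of its own.
                options.Authority = "https://sso.intranet.example";
                // Reject tokens that were issued for a different API.
                options.Audience = "orders-api";
                // Refuse to fetch metadata over plain HTTP, even on the intranet.
                options.RequireHttpsMetadata = true;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    // Default skew is five minutes; tighten it for short-lived tokens.
                    ClockSkew = TimeSpan.FromMinutes(1)
                };
            });

        services.AddAuthorization(options =>
        {
            // Claim-based rule, applied with [Authorize(Policy = "FinanceOnly")].
            options.AddPolicy("FinanceOnly", policy =>
                policy.RequireAuthenticatedUser().RequireClaim("group", "Finance"));
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Must run before MVC so controllers see the authenticated user.
        app.UseAuthentication();
        app.UseMvc();
    }
}
```

The API only validates tokens here; issuing and refreshing them remains the job of the authority.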


1 Comment

Wow, thanks for the constructive comment. I currently tried the Identity Server 4 approach again; I managed to fix the cookies not being deleted problem and it seems to work nicely locally. --- I managed to generate a certificate to use on it, but I still have to look further into where I can store the certificate, because it couldn't find it in the certification store, so I put it in the wwwroot directory. --- My problem now is testing it on IIS, but I might be missing something, changed URL ports.
