Duende IdentityServer is a sophisticated framework designed for implementing OpenID Connect (OIDC) and OAuth 2.0 protocols in .NET applications. Originating from the highly acclaimed IdentityServer4, Duende IdentityServer represents the evolution of its predecessor, tailored to meet the modern demands of authentication and authorization in web, mobile, and API security. Created by the same team behind IdentityServer4, this framework is now managed under Duende Software, focusing on continuous development and enterprise-level support.
As the digital landscape becomes increasingly complex and security demands escalate, Duende IdentityServer offers a robust solution for organizations seeking to secure their applications with advanced features and performance optimizations. The framework supports a wide range of identity-related scenarios, including interactive applications, service-oriented architectures, and microservices patterns, providing a versatile toolkit that developers can use to craft bespoke security infrastructures.
Duende IdentityServer is distinguished by its commercial model, which ensures that critical security features are paired with professional support, compliance updates, and performance enhancements. This makes it a reliable choice for businesses that require a dependable, scalable, and compliant identity management solution. Whether you are looking to act as your own identity provider or integrate with external identity services, Duende IdentityServer offers a comprehensive set of tools that facilitate a secure and efficient implementation of OIDC and OAuth 2.0.
All Duende IdentityServer documentation can be found here.
When should I choose Duende IdentityServer?
If your applications are:
- Browsers interacting with web applications.
- Web applications interacting with web APIs, either independently or on behalf of a user.
- Browser-based applications communicating with web APIs.
- Native applications connecting with web APIs.
- Server-based applications linking to web APIs.
- Web APIs engaging with other web APIs, either autonomously or representing a user.
and you need a way to authenticate and authorize users, then you definitely need Duende IdentityServer.
Let’s define the terms first
In a nutshell, Duende IdentityServer issues security tokens. Now, there are some key parts in this whole system, so we will go through them and explain them as plainly as possible.
User is a human that is using a registered client to access resources.
Resources are identity data of users or APIs that you want to protect.
Identity Data (claims) are identity information about a user, like name, email address, phone number, etc.
APIs are functionality a client or user wants to trigger, usually a Web API.
Client is a software component that requests tokens from your IdentityServer, either to authenticate a user (by requesting an identity token) or to access a resource (by requesting an access token). Before a client can request tokens, it must be registered with your IdentityServer. Clients can be of many types, such as web applications, native mobile or desktop applications, single-page applications (SPAs), and server processes. However, all these can be broadly classified into two main categories.
Machine to Machine Communication: In this setup, two machines communicate directly with each other—such as in background processes, batch jobs, or server daemons—without any interactive user involvement. To authorize this type of communication, your IdentityServer issues a token to the initiating machine.
This process is known in protocol terms as the Client Credentials Flow.
Interactive Applications: This scenario involves the most commonly seen types of clients: web applications, single-page applications (SPAs), or native/mobile apps that include user interaction. Typically, this interaction involves a browser for tasks like authentication or obtaining user consent.
In protocol language, this type of communication is referred to as the Authorization Code Flow.
Identity Token signifies the result of an authentication event. It primarily includes an identifier for the user (known as the “sub” or “subject” claim) alongside details on the method and timing of the user’s authentication. It may also include further identity-related information.
Access Token grants permission to utilize an API resource. Clients obtain access tokens and relay them to the API. These tokens incorporate details about the client and, if applicable, the user. APIs utilize this data to authorize access to their services and data.
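The difference between the two token types matters most on the API side, where only access tokens should be accepted. The following is an added example, not code from the original post or from Duende: a language-neutral sketch in Python of the API-specific checks on an already validated token. The claim sets are constructed, the names `api1`, `web.app` and `batch.worker` are hypothetical, and the claim layout (`client_id`, `scope`, `aud`, `sub`) is assumed to follow the usual JWT access token shape.

```python
# Added example: claim sets are constructed and all names are hypothetical.
# Assumption: signature, issuer and lifetime were already validated by a
# JWT library; this covers only the API-specific authorization step.

API_AUDIENCE = "api1"  # hypothetical name of the protected API resource

def scopes_of(claims):
    """Return scopes as a set; 'scope' may be a list or a space-delimited string."""
    raw = claims.get("scope", [])
    return set(raw.split() if isinstance(raw, str) else raw)

def audiences_of(claims):
    """Return audiences as a set; 'aud' may be one string or a list."""
    aud = claims.get("aud", [])
    return {aud} if isinstance(aud, str) else set(aud)

def authorize(claims, required_scope):
    """Decide whether the API accepts this token for required_scope.

    Returns (allowed, reason); on success the reason names the caller type.
    """
    if API_AUDIENCE not in audiences_of(claims):
        return False, "wrong audience"
    if "client_id" not in claims:
        # Identity tokens describe an authentication event, not API access.
        return False, "no client_id: not an access token"
    if required_scope not in scopes_of(claims):
        return False, "missing scope"
    if "sub" in claims:
        # Interactive flow: the client acts on behalf of a user.
        return True, "user " + claims["sub"] + " via client " + claims["client_id"]
    # Client credentials flow: no user is involved.
    return True, "machine client " + claims["client_id"]

# Constructed claim sets for the three token shapes described above.
ID_TOKEN = {"iss": "https://idp.example", "aud": "web.app", "sub": "alice-123",
            "auth_time": 1700000000, "amr": ["pwd"]}
M2M_ACCESS = {"iss": "https://idp.example", "aud": "api1",
              "client_id": "batch.worker", "scope": ["api1.read"]}
USER_ACCESS = {"iss": "https://idp.example", "aud": ["api1"], "sub": "alice-123",
               "client_id": "web.app", "scope": "api1.read api1.write"}

if __name__ == "__main__":
    for name, token in [("id", ID_TOKEN), ("m2m", M2M_ACCESS), ("user", USER_ACCESS)]:
        print(name, authorize(token, "api1.write"))
```

The identity token is rejected because its audience is the client that requested it, not the API, and it would still be rejected for lacking `client_id` if the audience happened to match.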
Getting Started with Duende IdentityServer
To start using Duende IdentityServer, you need to install its templates using the .NET CLI.
dotnet new -i Duende.IdentityServer.Templates
If all went well, you should be able to see in the IDE of your choice (I’m using Rider) something like this: