Our current system is a pure ASP.NET web application. We have our own login page, where the user enters his username and password for authentication and authorisation. The system verifies this against our user table and, if it matches, creates a security session object for the user, which is verified on each page. We have our own user_profile table for authorization on each module/functionality.
We are redesigning our system using Web API with AJAX, and to support mobile. On successful login, a new token should be created for the user using either IdentityServer or Authorisation Server, so he can use that token for each Web API call.
When it comes to security for our system, we have no experience in this area. After some googling, we understood OAuth. We also found that many people refer to Thinktecture for security implementations. Based on some googling on Thinktecture, my understanding is: IdentityServer, which will be used for authentication; AuthorizationServer, which will issue tokens based on the user's access. This AuthorizationServer has its own pages to create users and roles, and a DB to store these details.
In our case, since we have our own user table and user profile mappings for the modules, we believe that we don't need these admin modules to create users/roles and the DB from AuthorizationServer.
Can anyone guide us on where exactly these servers fit in our requirement? Which one do you recommend for our scenario?
Apologies if these questions have been asked and answered earlier.