2

We are planning to build an OAuth2 authorization server in our company, and we're trying to figure out what to be the correct solution to implement it upon. Currently we're considering using the ThinkTecture IdentityServer3 or the plain Microsoft.Owin.Security.OAuth package. One of the things we take into account in which to choose is who already uses it. Unfortunately, I cannot find any information regarding IdentityServer3 customers on the ThinkTecture website, neither anywhere else. Does anybody know, if there are any big players, who rely on this library/framework?

If anybody has any other guidance in terms of which of the two solutions above is better, that would be valuable for us as well.

Cheers

jakubkwa
  • 21
  • 1

1 Answers1

8

The Microsoft.Owin.Security.OAuth library has been deprecated by Microsoft essentially because to use it in any scenarios other than their one sample you have to build lots of additional security infrastructure on top of it. Doing this is not trivial and requires you to be very aware of the threats and mitigations when developing an OIDC/OAuth2 provider. This sort of security work is already done in IdentityServer. As such, Microsoft is recommending IdentityServer as the choice going forward for when you need your own customizable OIDC/OAuth2 token service for your applications and APIs.

Brock Allen
  • 7,385
  • 19
  • 24
  • 1
    Thanks for the response Brock. We know, that if we use the Microsoft library we will have to build more upon it, and that IdentityServer probably solves a lot of security issues. We are just wondering, how many of those issues are actually a case in our scenarios. Can you mention, what kind of additional security infrastructure you mean? In choosing the best approach for us, we are taking into account also the configurability of the solution, and who already uses it (it gives us more confidence, that it's worth using). The latter is a thing we have no clue about. – jakubkwa Nov 22 '16 at 08:35