ASP.NET - IdentityServer / Duende IdentityServer – Detailed Explanation

IdentityServer (now commercially maintained as Duende IdentityServer) is an OpenID Connect and OAuth 2.0 framework for ASP.NET Core that provides authentication and authorization services for modern applications. It acts as a centralized identity provider, allowing applications such as web apps, mobile apps, and APIs to securely authenticate users and manage access to resources.

1. What is IdentityServer?

Duende IdentityServer is a middleware component that handles:

  • User authentication (who the user is)

  • Authorization (what the user can access)

  • Token issuance (secure tokens for API access)

It implements industry-standard protocols:

  • OAuth 2.0 → for authorization

  • OpenID Connect → for authentication

Instead of each application handling login logic separately, IdentityServer centralizes it.

2. Why Use IdentityServer?

In modern systems, especially microservices or distributed architectures, multiple applications need a secure way to authenticate users. IdentityServer solves this by:

  • Providing Single Sign-On (SSO) across multiple apps

  • Securing APIs using access tokens

  • Supporting external providers like Google, Microsoft, etc.

  • Separating authentication logic from application logic

3. Core Concepts

Clients

Clients are applications that request tokens from IdentityServer.

Examples:

  • Web applications

  • Mobile apps

  • APIs

Each client is configured with:

  • Client ID

  • Allowed grant types

  • Redirect URIs

  • Allowed scopes

Resources

Resources represent protected data.

Two types:

  • Identity Resources: User-related data (e.g., name, email)

  • API Resources: Backend services or APIs

Scopes

Scopes define what access a client is requesting.

Example:

  • openid → basic identity

  • profile → user details

  • api.read → permission to read API data

Tokens

IdentityServer issues tokens after successful authentication:

  1. Access Token
    Used to access APIs

  2. ID Token
    Contains user identity information

  3. Refresh Token
    Used to get new access tokens without re-login

4. Authentication Flow (Example)

A typical OpenID Connect flow works like this:

  1. User tries to access an application

  2. Application redirects user to IdentityServer

  3. User logs in

  4. IdentityServer validates credentials

  5. IdentityServer issues tokens

  6. Application uses tokens to access APIs

This ensures:

  • No password sharing between services

  • Secure communication using tokens

5. Grant Types in IdentityServer

Grant types define how clients obtain tokens:

  • Authorization Code Flow (most secure, used for web apps)

  • Client Credentials Flow (machine-to-machine communication)

  • Resource Owner Password Flow (not recommended for modern apps)

  • Hybrid Flow (combination of flows)

6. Integration with ASP.NET Core

IdentityServer integrates easily with ASP.NET Core applications.

Steps include:

  1. Install IdentityServer package

  2. Configure services in Program.cs

  3. Define clients, resources, and scopes

  4. Add authentication middleware

  5. Protect APIs using [Authorize] attribute

7. Duende IdentityServer vs Old IdentityServer4

  • IdentityServer4 is no longer actively maintained

  • Duende IdentityServer is the updated version

  • Duende requires a commercial license for production use

  • It supports newer .NET versions and security updates

8. Real-World Use Cases

  • Enterprise applications with multiple services

  • Microservices architecture

  • API security for mobile apps

  • SaaS platforms with multi-tenant authentication

  • Single Sign-On across multiple systems

9. Advantages

  • Centralized authentication system

  • Industry-standard security protocols

  • Highly customizable

  • Scalable for large systems

  • Supports external identity providers

10. Challenges

  • Complex initial setup

  • Requires understanding of OAuth2 and OpenID Connect

  • Licensing cost for Duende in production

  • Token management complexity

Conclusion

IdentityServer (Duende) is a powerful solution for handling authentication and authorization in modern ASP.NET Core applications. It enables secure, scalable, and standardized identity management, making it essential for enterprise-level and distributed systems. While it has a learning curve, mastering it provides strong control over application security and user identity.