Clarifying confusions and misunderstandings
Before we start explaining Authorization we need to clarify some things that, until now, I have never seen explained very well.
In the first article we defined what Authentication and Authorization are, but soon after I moved on to the architecture without explaining anything further, and there were probably many doubts about some of these things.
Clarifying Scope and Objective
The goal of this series is to demystify the ASP.NET Identity Framework and the IdentityServer4 NuGet package, and to encourage people to try them and learn about them.
To achieve this, these applications need to live in an ecosystem with many other applications, so I am assuming that we have single page applications, many APIs, etc.
To stay focused on the theme, I omit all the other applications that are not necessary.
To force people to think, try and learn, this series will not be a "copy and paste" or anything like a "tutorial"; most of the customization would not be a good idea to take to production as it is. I am using an old version of the IdentityServer package on purpose, to encourage people to see the differences between versions and to deal with breaking changes. That is why, at the end, I will not make the full source code available.
Clarifying Authentication, Authorization and Permissions
In the scope of a .NET application, when you want to make a route "for authenticated users only" you use the [Authorize] attribute. This is a type of "Authorization", but not the one that will be discussed in this series of articles.
In my opinion we should separate user permissions (user authorization) from application permissions (application authorization). But this idea is not made clear in any material that I have seen to date.
Let me try to explain: user permissions are what you understand by "the user is allowed, or not, to perform an action"; this is not necessarily the same as "this application is allowed, or not, to call this other application". I think this is where most places misunderstand these ideas.
In the next article I will cover "application authorization", but it will still be confusing because we do not have any other applications yet. So let us consider that, beyond the Identity Service and the Authorization Service, we also have a Single Page Application (Angular or React) and a WebAPI; keep this in mind.
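How the two kinds of authorization look side by side in an ASP.NET Core WebAPI, as an added example (not code from the article): one policy decides on a claim about the user, the other on the scope claim that IdentityServer4 issues in the access token of the calling client application. It assumes ASP.NET Core 6+ minimal hosting, the Microsoft.AspNetCore.Authentication.JwtBearer package, and the policy names, role, scope, authority and audience values shown, all of which are made up.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// All policy names, the role, the scope, the authority and the audience below are assumptions.
var builder = WebApplication.CreateBuilder(args);

// Validates the access token issued by IdentityServer4 (needs the JwtBearer package).
builder.Services.AddAuthentication("Bearer")
    .AddJwtBearer("Bearer", options =>
    {
        options.Authority = "https://localhost:5001"; // assumed IdentityServer4 address
        options.Audience = "orders.api";              // assumed API resource name
    });

builder.Services.AddAuthorization(options =>
{
    // User authorization: is this *person* allowed to perform the action?
    // Decided from a claim about the user (here a role claim).
    options.AddPolicy("CanDeleteOrders", policy =>
        policy.RequireAuthenticatedUser()
              .RequireRole("OrderManager"));

    // Application authorization: is this *client application* allowed to call this API?
    // Decided from the "scope" claim IdentityServer4 puts in the token for that client.
    // Assumes one "scope" claim per scope; a space-delimited scope string would need a custom requirement.
    options.AddPolicy("OrdersApiScope", policy =>
        policy.RequireAuthenticatedUser()
              .RequireClaim("scope", "orders.api"));
});

builder.Services.AddControllers();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

[ApiController]
[Route("orders")]
[Authorize(Policy = "OrdersApiScope")]       // every caller must be an application granted orders.api
public class OrdersController : ControllerBase
{
    [HttpGet]
    public IActionResult List() => Ok();     // any user, as long as the calling application is allowed

    [HttpDelete("{id}")]
    [Authorize(Policy = "CanDeleteOrders")]  // additionally, the user must hold the OrderManager role
    public IActionResult Delete(int id) => NoContent();
}
```

A token for an allowed application but a user without the role passes the class-level policy and fails the action-level one, which is exactly the distinction between the two kinds of permission.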
Clarifying ASP.NET Identity Framework and IdentityServer4
Writing the correct names makes it obvious that they are different things, but usually people just refer to both as "Identity".
ASP.NET Identity Framework is what was explained in the second article in this series; it is responsible for Authentication.
IdentityServer4 is a NuGet package that implements OAuth 2.0/OpenID Connect, used for Authorization between applications; it can use the ASP.NET Identity Framework for the user login.
Most of the time they go together, which causes some confusion.
In the next article we will start with IdentityServer4.