Creating your own OpenID Connect server with ASOS: introduction

What's ASOS?

AspNet.Security.OpenIdConnect.Server (codenamed ASOS) is an open-source OAuth2/OpenID Connect server middleware for OWIN/Katana and ASP.NET Core 1.0 (previously known as ASP.NET 5), designed to work on both the full .NET desktop framework and the new .NET Core platform. It is part of the aspnet-contrib initiative, which is also behind the OAuth2 social providers for ASP.NET Core.

Forked from Katana's now deprecated OAuth2 authorization server middleware, ASOS shares the same low-level, protocol-first approach but comes with many new OpenID Connect features (e.g. provider configuration discovery, client-initiated logout or userinfo support) and implements some of the recent OAuth2 specifications like token revocation or token introspection (kudos to Michael Ciarlillo for his great contribution!).


How is it different from the other identity servers?

Unlike other identity server projects, ASOS only focuses on the OAuth2/OpenID Connect protocol part and acts as a thin layer between your application and the protocol details: it comes with no membership feature, implementing the consent pages is left as an exercise and adding a CORS policy must be done by the developer depending on their own needs.

Though it requires a solid knowledge of the OAuth2/OpenID Connect specifications and generally needs more work than turnkey solutions (like the famous IdentityServer or OpenIddict), ASOS offers the most flexible approach and can be easily integrated into any existing environment.


Is ASOS the right tool for me?

If you're not comfortable at all with how OAuth2 or OpenID Connect work in general, then no, ASOS is probably not for you. Like OAuthAuthorizationServerMiddleware, ASOS has been designed as a low-level framework rather than as a ready-to-use server: you can't use it without providing your own authorization logic or without implementing the different flows you want to support.

Of course, ASOS handles most of the protocol details for you (e.g. request validation, provider discovery, token serialization/deserialization), so the effort needed to implement the missing parts is actually limited to very precise things like client authentication or consent form pages: you don't need to be a security expert to use ASOS. Keep in mind, though, that those few parts are exactly where the security decisions are made (is this client who it claims to be? what did the user actually consent to?), so they deserve the same care as the rest of your authentication code.
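To make "providing your own authorization logic" concrete, here is an added illustration of the division of labour described above. It is not code from this post or from the ASOS project: the client id, secret and scope are placeholders, the in-memory "registry" stands in for a database that would store a hash of the secret, and the member names used (OpenIdConnectServerProvider, ValidateTokenRequest, HandleTokenRequest, UseOpenIdConnectServer and the related context methods) follow the ASOS betas contemporary with ASP.NET Core 1.0 RC and may differ in other releases. ASOS parses the token request, extracts the client credentials and serializes the resulting token; the provider only decides whether the client is legitimate and what the token should contain.

```csharp
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using AspNet.Security.OpenIdConnect.Extensions;
using AspNet.Security.OpenIdConnect.Server;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http.Authentication;

// Illustrative provider for a single confidential client using the client credentials grant.
// The client id, secret and scope are placeholders; a real registry lives in a database and
// stores a hash of the secret rather than the secret itself.
public class SampleAuthorizationProvider : OpenIdConnectServerProvider
{
    private const string KnownClientId = "service-worker";
    private const string KnownClientSecret = "replace-me-with-a-real-secret";
    private const string AllowedScope = "api";

    // ASOS has already parsed the token request and extracted the credentials
    // (Basic header or body parameters); deciding whether they are valid is the application's job.
    public override Task ValidateTokenRequest(ValidateTokenRequestContext context)
    {
        if (!context.Request.IsClientCredentialsGrantType())
        {
            context.Reject(
                error: OpenIdConnectConstants.Errors.UnsupportedGrantType,
                description: "Only the client credentials grant is supported.");
            return Task.FromResult(0);
        }

        if (string.IsNullOrEmpty(context.ClientId) || string.IsNullOrEmpty(context.ClientSecret) ||
            !FixedTimeEquals(context.ClientId, KnownClientId) ||
            !FixedTimeEquals(context.ClientSecret, KnownClientSecret))
        {
            // Same error for an unknown id and a wrong secret: don't tell callers which half failed.
            context.Reject(
                error: OpenIdConnectConstants.Errors.InvalidClient,
                description: "Invalid client credentials.");
            return Task.FromResult(0);
        }

        context.Validate();
        return Task.FromResult(0);
    }

    // The client is authenticated; now build the identity the access token will carry.
    public override Task HandleTokenRequest(HandleTokenRequestContext context)
    {
        var identity = new ClaimsIdentity(context.Options.AuthenticationScheme);
        identity.AddClaim(OpenIdConnectConstants.Claims.Subject, context.Request.ClientId,
            OpenIdConnectConstants.Destinations.AccessToken);

        var ticket = new AuthenticationTicket(
            new ClaimsPrincipal(identity),
            new AuthenticationProperties(),
            context.Options.AuthenticationScheme);

        // Never echo back whatever scope the client asked for: grant only what it is allowed.
        ticket.SetScopes(AllowedScope);

        context.Validate(ticket);
        return Task.FromResult(0);
    }

    // Compare credentials without leaking, through timing, how many leading bytes matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        var x = Encoding.UTF8.GetBytes(a);
        var y = Encoding.UTF8.GetBytes(b);
        var diff = x.Length ^ y.Length;
        for (var i = 0; i < x.Length && i < y.Length; i++)
        {
            diff |= x[i] ^ y[i];
        }
        return diff == 0;
    }
}

// Minimal wiring in Startup: ASOS owns the protocol endpoints, the provider owns the decisions.
public class Startup
{
    public void Configure(IApplicationBuilder app)
    {
        app.UseOpenIdConnectServer(options =>
        {
            options.Provider = new SampleAuthorizationProvider();
            options.TokenEndpointPath = "/connect/token";
            // Leave the default (false) outside development: credentials and tokens need TLS.
            options.AllowInsecureHttp = false;
        });
    }
}
```

Note what is deliberately absent: no authorization endpoint is configured, so no interactive flow is exposed, and nothing in this code touches token formats, the discovery document or the parsing of client_secret from the Authorization header; those are the "protocol details" ASOS takes care of. Rejecting unknown ids and wrong secrets with the same error, comparing secrets in fixed time and refusing to grant scopes the client did not register for are the kind of choices the middleware leaves to you.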


What about OpenIddict?

Based on ASOS and ASP.NET Core Identity, OpenIddict is a whole new turnkey server designed to offer a simple solution to most token authentication scenarios. It natively supports all the OAuth2/OpenID Connect non-interactive flows, and interactive flows like implicit can be easily implemented by adding a tiny AuthorizationController MVC controller to your application, similarly to the approach used by ASP.NET Core Identity with its AccountController.

Though still at an early stage, OpenIddict is probably your best option if you're looking for a simple, easy-to-use server that integrates easily with the rest of your ASP.NET Core application. Conversely, if you think you need more flexibility or if you want to have full control over the entire OpenID Connect process, then ASOS is definitely for you.

For more information about OpenIddict, don't miss the great blog posts written by Sean Walsh, Josh Comley and Kerry Ritter:


How is this blog posts series organized?

For better readability, this series was split into 7 posts – from the most general to the most specific – and will almost exclusively cover the server-side aspects of building your own authorization server on top of ASOS (the client-side part will be covered in a future series):


Next part: Choosing the right flow(s).