We want to build a central authority to do authentication and authorization for our various applications (.net). We see IdentityServer4 is open source and free, while Auth0 cost money. Does anyone use both of these? Can anyone provide suggestion which one to choose and why?
Answer
IdentityServer is a library that implements various authentication (not authorization!) protocols and let's you consolidate access control into a single system. You can host it in a typical ASP.NET webapp, console app or anything else, as long as the HTTP endpoints are available. It also lets you store the user data anywhere you want, whether in-memory, databases, flat files, the asp.net core membership system, or anywhere else.
Auth0 is a company that provides a managed service that handles authentication for you. They run the infrastructure and provide access through their website and APIs. It's similar to having someone run IdentityServer4 for you and there are several competitors like Okta for Devs, AWS Cognito, Azure AD B2C, Google Cloud Identity/Firebase, and more.
Choose IdentityServer if:
- You want free open-source software.
- You have the time and effort to run it yourself.
- You want to control the backing data store (SQL database, Redis, JSON file, etc).
- You want to manage all the data yourself due to regulations, privacy, etc.
- You need complete control and flexibility around what happens during authentication (for example, merging user accounts in your database when someone signs in). It's all just C# code so you can do whatever you want.
Choose Auth0 if:
- You want to save time and effort on implementation and operation.
- Price is not an issue (as it can get expensive for some features).
- The limited customizations offered by Auth0 are enough for your app.
- You want the other features they offer like password-breach monitoring.
- You don't want to manage user data, or don't mind having it stored by them.