Identity and Access Management

Context and Problem Statement

The aim of this ADR is to define the IAM tool landscape for the PSS®X project. It also records the decision on the supported client protocol(s) and on how the directory is accessed.

Considered Options

  • IdentityServer5 from Duende Software
  • OpenIddict
  • Keycloak
  • Azure Active Directory B2C

Decision Drivers

  • Open-source tools (e.g. Keycloak) shall be used and abstracted behind an API.
  • An in-house implementation by the PSS®X team would be very cost-intensive.
  • Keycloak can be used to manage rights and roles in the backend.
  • Keycloak can integrate existing LDAP or AD user stores and provides SAML-related functionality.

Decision Outcome

Organizations and their development teams must pursue the new identity management strategy now. IdentityServer can no longer be used for free, so the change is unavoidable. A software product that does not meet the new requirements may be left with serious security gaps. Quality, security and stability of the software must take priority, so time should be scheduled to review the business strategy and re-evaluate fundamental needs and resources.

Chosen option: "OpenIddict", because

  • The ABP Framework already provides a module that integrates OpenIddict, offering advanced authentication features such as single sign-on, single log-out and API access control. This module persists applications, scopes and other OpenIddict-related objects to the database.
  • Use Keycloak if a customer has SAML-related requirements.

Pros and Cons of the Options

OpenIddict vs IdentityServer4:

One of the IdentityServer4 alternatives proposed by the IT community is OpenIddict. Like IdentityServer, it is a .NET library-type solution that handles client authentication and token issuance but not user authentication, and it allows custom login flows to be implemented by the application. OpenIddict operates under the Apache 2 license, uses the OAuth 2.0 and OpenID Connect protocols, and is supported by the GitHub community.

However, compared to IdentityServer, OpenIddict is even more “bare metal”, with fewer features available out of the box. For instance, with OpenIddict you must supply your own code for the token endpoint before you get a working client credentials flow.
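To make that point concrete, the following is an added example, not code from the original ADR, from the ABP Framework or from the OpenIddict project, of the minimal server registration and token-endpoint handler an application has to supply before the client credentials flow works with OpenIddict. It assumes OpenIddict 4.x or later on ASP.NET Core, an EF Core `ApplicationDbContext` that has already been configured with OpenIddict's entities, and the endpoint path `connect/token`; the class name `AuthorizationController` and the other identifiers are chosen for this example. In the PSS®X case the ABP module mentioned above wraps this wiring, but this is what the raw library expects.

```csharp
// Added example: minimal OpenIddict client-credentials server (assumed OpenIddict 4.x+, ASP.NET Core).
// Names such as AuthorizationController and ApplicationDbContext are chosen for this example.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
using OpenIddict.Abstractions;
using OpenIddict.Server.AspNetCore;
using static OpenIddict.Abstractions.OpenIddictConstants;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllers();

builder.Services.AddOpenIddict()
    .AddCore(options =>
    {
        // Applications, scopes and tokens are persisted through EF Core (ApplicationDbContext is assumed
        // to be registered elsewhere with options.UseOpenIddict()).
        options.UseEntityFrameworkCore().UseDbContext<ApplicationDbContext>();
    })
    .AddServer(options =>
    {
        options.SetTokenEndpointUris("connect/token");

        // Only the grant types enabled here are accepted; OpenIddict rejects everything else
        // before the controller is ever reached.
        options.AllowClientCredentialsFlow();

        // Development certificates only; production deployments must use managed key material.
        options.AddDevelopmentEncryptionCertificate()
               .AddDevelopmentSigningCertificate();

        // Passthrough hands validated token requests to the controller below. This handler is the
        // "extra code" OpenIddict requires before a client credentials flow works.
        options.UseAspNetCore()
               .EnableTokenEndpointPassthrough();
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

public class AuthorizationController : Controller
{
    private readonly IOpenIddictApplicationManager _applicationManager;

    public AuthorizationController(IOpenIddictApplicationManager applicationManager)
        => _applicationManager = applicationManager;

    [HttpPost("~/connect/token"), IgnoreAntiforgeryToken, Produces("application/json")]
    public async Task<IActionResult> Exchange()
    {
        var request = HttpContext.GetOpenIddictServerRequest()
            ?? throw new InvalidOperationException("The OpenID Connect request cannot be retrieved.");

        if (request.IsClientCredentialsGrantType())
        {
            // By the time this runs, OpenIddict has already verified client_id/client_secret against
            // the persisted application, so the controller only decides what goes into the token.
            var application = await _applicationManager.FindByClientIdAsync(request.ClientId!)
                ?? throw new InvalidOperationException("The application cannot be found.");

            var identity = new ClaimsIdentity(
                TokenValidationParameters.DefaultAuthenticationType,
                Claims.Name, Claims.Role);

            // "sub" is mandatory: OpenIddict refuses to issue a token without it.
            identity.SetClaim(Claims.Subject, await _applicationManager.GetClientIdAsync(application));
            identity.SetClaim(Claims.Name, await _applicationManager.GetDisplayNameAsync(application));

            // Grant only the requested scopes; OpenIddict has already checked them against the
            // scopes this application is permitted to use.
            identity.SetScopes(request.GetScopes());

            // Claims are placed in the access token only; none are copied into an identity token.
            identity.SetDestinations(static claim => new[] { Destinations.AccessToken });

            return SignIn(new ClaimsPrincipal(identity), OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
        }

        // Any other grant type gets a standards-compliant OAuth error instead of an unhandled exception.
        return Forbid(
            authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
            properties: new AuthenticationProperties(new Dictionary<string, string?>
            {
                [OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.UnsupportedGrantType,
                [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] =
                    "The specified grant type is not supported."
            }));
    }
}
```

The security-relevant division of labour is worth noting: client secret validation, grant-type allow-listing and scope permission checks are done by OpenIddict's server pipeline before passthrough, so the handler's job is limited to shaping the principal (the mandatory `sub` claim, the granted scopes and the claim destinations). Keeping that handler small is what keeps the review surface small.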

Keycloak vs IdentityServer4:

Another IdentityServer alternative, Keycloak, is an open-source product-type solution. It operates under the Apache 2 license, but unlike IdentityServer and OpenIddict it is Java-based and does not offer the flexibility of a library. For example, it does not support custom grant types or custom login flows for users.

Unlike IdentityServer and OpenIddict, Keycloak is a ready-to-run product, so it can be launched in minutes using Docker.

Microsoft Azure Active Directory B2C vs IdentityServer4:

Azure Active Directory B2C can be a solution if there is no need for flexibility and customer identities can be hosted in a SaaS offering. It is a Microsoft product that runs only in the Azure cloud. AAD B2C pricing is user-based and is free for up to 50,000 monthly active users (MAUs).

Compared to IdentityServer, Azure AD B2C is a cloud-based identity and access management service with pre-built templates, offering scalable infrastructure and various functionalities, including user authentication and authorization.