I am working on a project with 4 applications:
- Angular Client application
- Native Script iOS / Android Mobile application
- Net Core 3.1 API Resource application
- IdentityServer / Openiddict OpenId application the manages logins
There are a few pages associated with Authentication Process:
SignUp
Login
External Login (Google, ...)
Logout
Send Two Factor Authentication Code
Verify Email
Reset Password
Question
Should all these pages be in OpenId application?
I looked at a few websites and there are a few differences ...
In some the mobile and website applications have their own signup (1).
But it seems the other pages are in the OpenId application.
I don't have a full view as I am not working on the Mobile application yet ...
So I am not sure about all the advantages and disadvantages of one approach or the other.
Could someone, please, clarify me on this?
As IdentityServer does not deal with users and the user management side, you need to do that your self. And the alternatives is to do it by your self, use ASP.NET Identity or outsource it to third-party services like Auth0 or Octa.
I would recommend to put IdentiyServer in its own service, because combining it with ASP.NET Identity in the same service makes it harder to reason and troubleshoot the solution. One option is to have one Service just running IdentiyServer without any extra fluff and then via a shared user database run ASP.NET Identity and handle the user management there.
So you would have identity.yourdomain.com and accounts.yourdomian.com as one way of structuring it or use one of your applications for the accounts part using Identity.