I have two web applications that need functionality for Authentication And Authorization. The server side runs Asp.NET Core 3.0, client side runs Angular and I intend to implement IdentityServer with a Proof Key for Code Exchange (PKCE) flow. Official IdentityServer documentation (https://identityserver4.readthedocs.io) refers to package IdentityServer4 while the dotnet templates (https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity-api-authorization?view=aspnetcore-3.0) use Microsoft.AspNetCore.ApiAuthorization.IdentityServer . I can't find a proper description of the latter package, it is listed as an implementation of IdentityServer. However the configuration methods available between the two packages is different.
I would like to run IdentityServer as middleware in my web application, and issue the PKCE secret doing the authentication and authorization in full. I am not sure if IdentityServer4 can run as middleware in my main application or needs to be middleware in its own application, and am not sure if Microsoft.AspNetCore.ApiAuthorization.IdentityServer supports PKCE flow.
Which package meets both my requirements?
I have found a discussion on the features of the Microsoft maintained nuget, and it references in April that it only supports an implicit flow. At a later stage it will support a PKCE secret flow.
https://github.com/aspnet/AspNetCore/issues/5833
The IdentityServer4 (or specifically IdentityServer4.AccessTokenValidation for issuing the PKCE secret) can be middleware of my main application.
So I will stick to IdentityServer4 as it meets both my requirements.