REST API with OAuth-Authorization running in different domains

We are attempting to set up authentication for a Web API (built on .NET Core) that is being hosted on different domains, mostly within the respective intranets. It currently relies on Windows Authentication; an alternative/fallback solution is required that:

  • doesn’t rely on the Windows identity, in case there are devices that are not connected to Active Directory;
  • might also work if portions of the service are exposed to the internet (i.e. is secure for this scenario).

The preferred solution appears to be a bearer token acquired through the OAuth code flow, with additional measures such as not exposing refresh tokens to the browser by keeping them in memory only (I know you might still be susceptible to prototype pollution, but it’s good enough for now) or requiring additional 2FA when outside the intranet.

However, it occurred to me that setting something like this up from scratch is not trivial, and the majority rely on services like OAuth to host an authorization server or delegate identity management to providers like Azure AD (the latter is not an option).

Though renting an authorization server is not an issue per se, the usual license model appears to be aimed at companies setting up a single, online-accessible authorization server for all applications hosted by them. As mentioned earlier, this is also not an option, as each domain is independent and should be able to manage identity for itself (especially since a huge portion doesn’t even work beyond their own intranet). As this thread’s answer suggests, that would mean the service is also the OpenID provider.

What would be the suitable solution here? Force each domain to host their own licensed authorization server (appears like overkill to me)? Integrate one into the service itself with the help of solutions like OpenIddict? Or drop OAuth altogether and rely on some other sort of client authentication (note that the number of users within each domain is manageable and it would certainly be possible to require some sort of installation on each used device, though the idea was to avoid native clients for easier versioning)?

I might be overthinking this, but the fact that services like Auth0 or Duende Server (formerly the default open-source Identity Server of .NET Core) have worked for years on their implementations and charge thousands of dollars per year makes me doubt self-set-up solutions are close to being as secure as they are.

EDIT: fixed several typos