You can't build an app these days without building security in from the start. Whatever choice you make, it ends up baked into everything.

So I decided to take a one-and-done approach to this. Figure out the best and just wade in and get it done.

Not happening. At. All.

B2C

At first I thought I'd use Microsoft Azure Active Directory Business to Consumer Identity as a Service. Catchy name, huh? B2C is what it's called.

Two problems surfaced immediately. The first is that while the first 50,000 users and first 50,000 authentications are free, if the app scales at all, this will become expensive. That doesn't work really well for a "freemium" business model, where some users don't pay anything. But that's not the real problem.

The real problem is that while there are a couple of I-could-live-with-that restrictions, it's been in "preview" for months. Months. And the question and answer support areas are showing lag in replies to questions in months. And the most recent activity is also months old. So ask a question and it might be months before anyone on the team responds. Find a bug and it might be months before it's fixed. Finally ready for market? Might be months before you can actually release an app based on their stuff.

That's not good. Either it's not a priority or the management team heading it up just senses no urgency to complete this. Either way, that doesn't work for me.

Took me two full days to get to the bottom of that.

ThinkTecture's Identity Server

This one is an open source, well oiled solution by respected industry experts. It's so good, there are multiple video courses on it. I figured that would make a good alternative, plus, it would be much cheaper than B2C.

But...

I'm trying to put up all our new development on Microsoft's latest version of Asp.Net, called Asp.Net Core (formerly Asp.Net 5). It's substantially different, not to mention, faster, lighter and more portable. All things I want/need.

Well, not so fast. Turns out that IdentityServer3 is meant for Asp.Net 4.61, not Asp.Net Core 1.0. To get it to run under Core, you IdentityServer4.

That exists, but there's zero - repeat zero - documentation for it. All the videos are for 3, not 4 and there's enough of a difference that it's impossible to follow the old videos with the new code.

And what's more, they've added tons of new flexibility and options, none of which are documented and all of which are nearly impossible to figure out without a roadmap. Their roadmap is "code first, documentation second". I guess if you're man enough to use their work, you need to really understand the inner workings. Just what I was hoping to avoid. Security is nasty complicated and changing constantly.

So now I have no choice, except to punt. All projects must be moved back to Asp.Net 4.61 from Core and I have to use IdentityServer3.

And that means that when this dust settles, I'll have to convert, test and redeploy everything under the new Asp.Net Core and IdentityServer4 combination.

Yay me.