Can we Protect 3 microservices api project with asp net identity jwt token?

Question

I'm building Microservices using asp net core 3. My Question is can i protect Microservices with asp net identity? For example one identiy project protecting 3 Microservices project. I don't want to use Identity server.

Answer 1

I don't want to use Identity server.

Just with ASP.NET Core and ASP.NET Core Identity?

No that's not possible. ASP.NET Core Identity doesn't possess the ability to generate JWT tokens and only support Cookie authentication.

For JWT you need to either

• use an OpenIDConnect/OAuth2 provider (IdentityServer is one, OpenIddict ist another open source OIDC provider)
• use external OIDC/OAuth provider (Auth0, Google, Facebook, Twitter, etc.)
• generate the JWT token yourself (Which is not recommended unless you very well understand JWT/ODIC and are an security expert, since wrong/incomplete implementations in it can lead to severe security issues vs the well established and hardened Identity Provider already existing)

My Question is can i protect Microservices with asp net identity?

Generally, you can protect as many Microservices as you with with JWT tokens.

One thing to remember though is: OpenID/JWT token is not for authorization, its for authentication. Authentication means to validate the identity of the user.

As such, you should not put permissions inside these tokens other than "scopes". Fine grained permissions need to be managed by the service itself, using the token to identify the user and obtain the fine-grained permissions.

On the last topic Identity vs Permissions is a useful article to better understand this.