How to migrate from auth0 to Duende Identity Server

[jasonliao-cb]

Which version of Duende IdentityServer are you using?
v7

Which version of .NET are you using?
.net8

Additional context

We would like to migrate from auth0 to Duende Identity Server and Asp.Net Identity for the user and clients, is there any public package we can use in the spa to communicate with the connect/authorize endpoint? Auth0 has provided the auth0 npm package, we need the same package to speed up the migration process.

And we would like to know how we can support multi tenancy with the duende identity server.

please let us know any document we can refer to.

Thanks.

[RolandGuijt]

For SPAs we strongly recommend using the BFF pattern as using flows, like implicit and authorization code, in the browser is unsafe and deprecated.
You can watch a video on how this works here.

When using BFF there's no need for any complexity in the SPA itself. It basically just has to call endpoints on the BFF to initiate login and logout and to get the claims of the logged in user. The complexity is all in the BFF which also safe-keeps the access token for the SPA.
If migrating to a BFF isn't possible for some reason any javascript library that supports OAuth/OpenID Connect can be used such as this one. But again, we don't recommend that.
We don't publish a specific IdentityServer library since IdentityServer is compliant to the standards.

As for multi tenancy: can you please open a new issue and describe to us what your architecture looks like and what you want to achieve?

[jasonliao-cb]

@RolandGuijt Thanks for your suggestion.

Yes, the SPA has a BFF. We are trying to find out if there is the same package so we can minimize the migration. we will test with the oidc-client-ts package.
Also, are there any recommendations on migrating the auth0 Applications and APIs? In the Identity server, we see the concept of clients, apiresources, apiresourcescopes, api scopes, and many related staffs. come to the auth0, we only see the Applications and APIs, so is there any reference document for us to quickly map these to the Identity server?

for the multi-tenancy, we can use different domain names to isolate the users, but we don't know if we have to use the multi-tenancy for the client management or if we can do this? as when we check the entities, we seem not able to override them and add a tenant-id column.

these are general questions as of now, If required we can have a further issue for this.

[RolandGuijt]

@jasonliao-cb Just to make sure this is clear: when using a BFF a javascript library (like oidc-client-ts) isn't needed.

As for the migration: what auth0 calls "Applications" are called "Clients" in IdentityServer.
IdentityServer allows for more control over the concepts you're mentioning. That's the reason they are structured differently.

Please take a look at this part of the documentation and let me know if there are any questions.

About the multi-tenancy: since there's no one-size-fits-all solution for this and the scenario for every organization is unique most of the time the support needed goes beyond what we can offer in this issues tracker. If you want further help with this we could help out using our remote consulting offering. Please get in touch for more information about that.

[RolandGuijt]

@jasonliao-cb Are you good to go? Feel free to add to the issue if there are additional questions. If not I'll close it.

[RolandGuijt]

Closing the issue but if you feel like adding anything, please reopen.