I have been trying to learn about the implementation of security features in web apps and web APIs. I have tried to educate myself but I am getting confused. Could you guys help me clear up some of my thoughts?
In one video I saw, it said ASP.NET Core is not a security tool. I thought it was, since it does secure the web application. Why is it not?
I read in multiple places that OAuth is the tool to authorize access to resources on the web, but it is not an authentication tool. So if that is true, what tool should I use for authentication and authorization purposes? Should I create the user profile (ASP.NET Identity maybe) in the OAuth project and validate the user first, and if the user does have authorization, then I should check if the user also has access to the API on which it is trying to access a resource? Then in the token I can also add the user profile as claims in the payload (information such as username, role, client id or any other information that may be needed for that session)?
If I create a client, a web API and an OAuth server, what would be the flow to authenticate the user to the client app and then to the API? So far, almost all the articles I see talk about the OAuth flow but do not mention the first part, when the user gets authenticated.
Should I always create a separate project for OAuth?
If OAuth can provide the security, then what is OpenID Connect? I read that IdentityServer4 uses OAuth2 and OpenID Connect; when I read the flow for authorization it is similar to the OAuth flow, so where does OpenID come into the picture, and what is its main purpose?
When should I choose between implementing OAuth vs. IdentityServer4, or is IdentityServer4 or similar always the best option?