In today's microservice-based software solutions, we have a growing need for centralized authentication and authorization systems. We could use third-party systems like Azure AD or Auth0, or build our own. But, "security is hard"! There are a bunch of different standards, tricks, and ways of implementation. Even the smallest mistake can make your solution vulnerable. To avoid that, when building our own auth system, we could use frameworks and tools like ASP.NET Core Identity and Duende IdentityServer. With Identity, we are getting a membership system with a login. IdentityServer gets us the full implementation of OAuth 2.0 and OpenID Connect standards. We'll take a look at one possible implementation, the things we should take care of, and how to fit that solution with the rest of the system – with different APIs, SPA apps, native apps, etc.