Users are either stored in the external system or if using membership or ASP.NET Identity in the local database. It's less about best practice and about what your business needs dictate.
If your users/groups are already in an external identity provider and you want to use OpenID that's perfect. I personally have created solutions connecting to AzureAD, Salesforce and other system and in those instances all the group and user management should be kept in the provider.
Episerver has a process which syncs roles from the authentication provider to the database table so they can be used for access rights and such in the episerver CMS to create the sections of the site you want to be restrcted or use them for Visitor Group personalisation so as long as the users and the correct groups have been created Administration, WebEditors, WebAdmins and assigned in the identity system everything should work out.
We would like to have visitors of our site be able to register to gain access to a member area protected by a login.
For the member registration and authentication we want to use an authentication service (OAuth2 OpenId) used within our corporation.
Ideally, we would like to control the content displayed to our members (and also visitors) by implementing visitor groups.
What is the best approach regarding editors and admins - is it best to also authenticate editors via the same auth platform or is it better to have them registered in our own epi db?
Should we create a specific group for members to control what they can see? Or how else would we protect the member pages?
Basically looking for best practice advice on how to build a site where members are kept in an external db and are only allowed to view some of the pages if they are logged in.