Channel: WebAPI – leastprivilege.com

Validating Scopes in ASP.NET 4 and 5

OAuth 2.0 scopes are a way to model (API) resources. This allows you to give logical “names” to APIs that clients can use to request tokens for. You might have very granular scopes like e.g. api1 &...

Announcing IdentityServer for ASP.NET 5 and .NET Core

Over the last couple of years, we’ve been working with the ASP.NET team on the authentication and authorization story for Web API, Katana and ASP.NET 5. This included the design around claims-based...

Which OpenID Connect/OAuth 2.0 Flow is the right One?

That is probably the most common question we get – and the answer is of course: it depends! Machine to Machine Communication This one is easy – since there is no human directly involved, client...

NDC London 2016 Wrap-up

NDC has been fantastic again! Good fun, good talks and good company! Brock and I did the usual 2-day version of our Identity & Access Control workshop at the pre-con. This was (probably) the last...

IdentityServer4 on ASP.NET Core RC2

This week was quite busy ;) Besides doing a couple of talks and workshops at SDD in London – we also updated all the IdentityServer4 bits to RC2. Many thanks to all the people in the community that...

Identity Videos, Podcasts and Slides from Conference Season 2016/1

My plan was to cut down on conferences and travelling in general – this didn’t work out ;) I did more conferences in the first 6 months of 2016 than I did in total last year. Weird. Here are some of...

Update for authentication & API access for native applications and...

The most relevant spec for authentication and API access for native apps has been recently updated. If you are “that kind of person” that enjoys looking at diffs of pre-release RFCs – you would have...

.NET Core 1.0 is released, but where is IdentityServer?

In short: we are working on it. Migrating the code from Katana to ASP.NET Core was actually mostly mechanical. But obviously new approaches and patterns have been introduced which might, or might not...

Fixing OAuth 2.0 with OpenID Connect?

I didn’t like Nat’s Fixing OAuth? post. “For protecting a resource with low value, current RFC6749 and RFC6750 with an appropriate constraint should be good enough…For protecting a resource whose value...

Commercial Support Options for IdentityServer

Many customers have asked us for production support for IdentityServer. While this is something we would love to provide, Brock and I can’t do that on our own because we can’t guarantee the response...

Trying IdentityServer

We have a demo instance of IdentityServer3 on https://demo.identityserver.io. I already used this for various samples (e.g. the OpenID Connect native clients) – and it makes it easy to try...

Why does my Authorize Attribute not work?

Sad title, isn’t it? The alternative would have been “The complicated relationship between claim types, ClaimsPrincipal, the JWT security token handler and the Authorize attribute role checks” – but...

IdentityServer4 RC1

Wow – we’re done! Brock and I spent the last two weeks 14h/day refactoring, polishing, testing and refining IdentityServer for ASP.NET Core…and I must say it’s the best STS we’ve written so far… We...

New in IdentityServer4: Clients without Secrets

Over the next weeks I will do short blog posts about new features in IdentityServer4. The primary intention is to highlight a new feature and then defer to our docs for the details (which will also...

Identity & Access Control for ASP.NET Core Deep Dive

Once a year Brock and I do our three day version of the Identity & Access Control workshop in London. This year it will be all about .NET Core and ASP.NET Core – and a full day on the new...

New in IdentityServer4: Default Scopes

Another small thing people have been asking for. The scope parameter is optional in OAuth 2 – but we made the decision that clients always have to explicitly ask for the scopes they want to access. We...

New in IdentityServer4: Support for Extension Grants

Well – this is not completely new, but we redesigned it a bit. Extension grants are used to add support for non-standard token issuance scenarios to the token endpoint, e.g. translating between token...

New in IdentityServer4: Resource Owner Password Validation

Not completely new, but re-designed. In IdentityServer3, we used the user service for both interactive as well as non-interactive authentication. In IdentityServer4, the interactive authentication is...

IdentityModel v2 released

IdentityModel is our protocol client library for various OpenID Connect and OAuth 2 endpoints like discovery, userinfo, token, introspection and token revocation. In addition it has some general...

IdentityServer4 RC2 released

Yesterday we pushed IdentityServer4 RC2 to nuget. There are no big new features this time, but a lot of cleaning up, bug fixing and adding more tests. We might add one or two more bigger things before...

New in IdentityServer4: Multiple allowed Grant Types

In OAuth 2 some grant type combinations are insecure, that’s why we decided for IdentityServer3 that we’ll be defensive and allow only a single grant type per client. During the last two years of...

New in IdentityServer4: Resource-based Configuration

For RC4 we decided to re-design our configuration object model for resources (formerly known as scopes). I know, I know – we are not supposed to make fundamental breaking changes once reaching the RC...

IdentityServer4 and ASP.NET Core 1.1

aka RC5 – last RC – promised! The update from ASP.NET Core 1.0 (aka LTS – long term support) to ASP.NET Core 1.1 (aka Current) didn’t go so well (at least IMHO). There were a couple of breaking changes...

Optimizing Identity Tokens for size

Generally speaking, you want to keep your (identity) tokens small. They often need to be transferred via length constrained transport mechanisms – especially the browser URL which might have...

Identity vs Permissions

We often see people misusing IdentityServer as an authorization/permission management system. This is troublesome – here’s why. IdentityServer (hence the name) is really good at providing a stable...

IdentityServer4 is now OpenID Certified

As of today – IdentityServer4 is officially certified by the OpenID Foundation. Release of 1.0 will be this Friday! More details here. Filed under: .NET Security, OAuth, WebAPI

IdentityServer4.1.0.0

It’s done. Release notes here. Nuget here. Docs here. I am off to holidays. See you next year. Filed under: .NET Security, ASP.NET, OAuth, OpenID Connect, WebAPI

Trying IdentityServer4

We have a number of options how you can experiment or get started with IdentityServer4. Starting point It all starts at https://identityserver.io – from here you can find all below links as well as our...

Bootstrapping OpenID Connect: Discovery

OpenID Connect clients and APIs need certain configuration values to initiate the various protocol requests and to validate identity and access tokens. You can either hard-code these values (e.g. the...

Platforms where you can run IdentityServer4

There is some confusion about where, and on which platform/OS you can run IdentityServer4 – or more generally speaking: ASP.NET Core. IdentityServer4 is ASP.NET Core middleware – and ASP.NET Core...

IdentityModel.OidcClient v2 & the OpenID RP Certification

A couple of weeks ago I started re-writing (and re-designing) my OpenID Connect & OAuth 2 client library for native applications. The library follows the guidance from the OpenID Connect and OAuth...

NDC London 2017

As always – NDC was a very good conference. Brock and I did a workshop, two talks and an interview. Here are the relevant links: Building JavaScript and mobile/native Clients for Token-based...

New in IdentityServer4: Events

Well – not really new – but redesigned. IdentityServer4 has two diagnostics facilities – logging and events. While logging is more like low level “printf” style – events represent higher level...

dotnet new Templates for IdentityServer4

The dotnet CLI includes a templating engine that makes it pretty straightforward to create your own project templates (see this blog post for a good intro). This new repo is the home for all...

Financial APIs and IdentityServer

Right now there is quite some movement in the financial sector towards APIs and “collaboration” scenarios. The OpenID Foundation started a dedicated working group on securing Financial APIs (FAPIs) and...

Techorama 2017

Again Techorama was an awesome conference – kudos to the organizers! Seth and Channel9 recorded my talk and also did an interview – so if you couldn’t be there in person, there are some updates about...

Authorization is hard! Slides and Video from NDC Oslo 2017

A while ago I wrote a controversial article about the problems that can arise when mixing authentication and authorization systems – especially when using identity/access tokens to transmit...

IdentityServer4 v2

Wow – this was probably our biggest update ever! Version 2.0 of IdentityServer4 is not only incorporating all the feedback we got over the last year, it also includes the necessary updates for ASP.NET...

New in IdentityServer4 v2: Simplified Configuration behind Load-balancers or...

Many people struggle with setting up ASP.NET Core behind load-balancers and reverse-proxies. This is due to the fact that Kestrel is often used just for serving up the application, whereas the “real...

SAML2p Identity Provider Support for IdentityServer4

One very common feature request is support for acting as a SAML2p identity provider. This is not a trivial task, but our friends at Rock Solid Knowledge were working hard, and now published a beta...

Templates for IdentityServer4 v2

I finally found the time to update the templates for IdentityServer4 to version 2. You can find the source code and instructions here. To be honest, I didn’t have time to research more advanced...

Using iOS11 SFAuthenticationSession with IdentityModel.OidcClient

Starting with iOS 11, there’s a special system service for browser-based authentication called SFAuthenticationSession. This is the recommended approach for OpenID Connect and OAuth 2 native iOS...

Missing Claims in the ASP.NET Core 2 OpenID Connect Handler?

The new OpenID Connect handler in ASP.NET Core 2 has a different (aka breaking) behavior when it comes to mapping claims from an OIDC provider to the resulting ClaimsPrincipal. This is especially...

Updated Templates for IdentityServer4

We finally found the time to put more work into our templates. dotnet new is4empty Creates a minimal IdentityServer4 project without a UI. dotnet new is4ui Adds the quickstart UI to the current project...

Sponsoring IdentityServer

Brock and I have been working on free identity & access control related libraries since 2009. This all started as a hobby project, and I can very well remember the day when I said to Brock that we...

NDC London 2018 Artefacts

“IdentityServer v2 on ASP.NET Core v2: An update” video; “Authorization is hard! (aka the PolicyServer announcement)” video; DotNetRocks interview audio

The State of HttpClient and .NET Multi-Targeting

IdentityModel is a library that uses HttpClient internally – it should also run on all recent versions of the .NET Framework and .NET Core. HttpClient is sometimes “built-in”, e.g. in the .NET...

Mixing UI and API Endpoints in ASP.NET Core 2.1 (aka Dynamic Scheme Selection)

Some people like to co-locate UI and API endpoints in the same application. I generally prefer to keep them separate, but I acknowledge that certain architecture styles make this conscious decision....

Making the IdentityModel Client Libraries HttpClientFactory friendly

IdentityModel has a number of protocol client libraries, e.g. for requesting, refreshing, revoking and introspecting OAuth 2 tokens as well as a client and cache for the OpenID Connect discovery...

An alternative way to secure SPAs (with ASP.NET Core, OpenID Connect, OAuth...

You might have noticed the recent public discussions around how to securely build SPAs – and especially about the “weak security properties” of the OAuth 2.0 Implicit Flow. Brock has written up a good...
