Channel: WebAPI – leastprivilege.com
Browsing all 228 articles


Dissecting the Web API Individual Accounts Template–Part 2: Local Accounts

In the last post I gave an overview of the security setup of the Individual Accounts template. I recommend reading that first. Also Brock has some great background content – here and here. Disclaimer:...


Dissecting the Web API Individual Accounts Template–Part 3: External Accounts

Part 1 covered the basic template security setup. Part 2 focused on the features around local accounts and username/password authentication. This part will deal with third party authentication using...


Advanced OAuth2: Assertion Flow (why)

The core OAuth2 spec defines so-called flows, which are basically descriptions of the interactions between a client, a user and an authorization server to request access tokens. Another implied fact...


Advanced OAuth2: Assertion Flow (how)

My last post described the mechanics and motivation for the OAuth2 assertion flow. In this post I want to show you how you can use Thinktecture AuthorizationServer to implement an assertion flow...


Combining Thinktecture AuthorizationServer with Windows Integrated...

One of the key features of AS is that you can combine it with arbitrary authentication methods. This basically allows you to layer OAuth2 and our application and authorization model over any identity...


AuthorizationServer v1.2

I just uploaded version 1.2 of AuthorizationServer. The big change is that AS is now using MVC and Web API v5.1.1 – additionally there are some bug fixes and a new configuration switch – set the...


Thinktecture.IdentityModel.Owin.*

To be more in-line with the OWIN / middleware mindset (and because Damian said so) – I broke up our OWIN security assembly into smaller components:...


Workshop: Identity & Access Control for modern Web Applications and APIs

Brock and I are currently working on a brand new two day workshop about all things security when building modern web applications and APIs. You can either attend the full two day version at NDC Oslo...


OpenID Connect and the IdentityServer Roadmap

Since OpenID Connect has been officially released now, I thought I’ll tell you a little bit more about our plans around our identity open source projects. IdentityServer: IdSrv is a very popular identity...


OAuth2 and OpenID Connect Scope Validation for OWIN/Katana

In OAuth2 or OpenID Connect you don’t necessarily always use the audience to partition your token space – the scope concept is also commonly used (see also Vittorio’s post from yesterday). A while ago...
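The teaser above contrasts two ways of partitioning the token space: the audience claim says which API a token is for, the scope claim says what the caller may do inside that API. The following is an added example, not code from the post or from the Thinktecture libraries; it is written in Python rather than C#/OWIN so that it runs stand-alone, and the signing key, claim values, API name and scope names are all constructed for the demo. It validates an HS256 JWT end to end (signature, expiry, audience) and then performs the scope check, which is the resource-side half of what a scope-validation middleware would do.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; in a real deployment the resource server would hold
# the authorization server's verification key, not a shared secret in source.
SECRET = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes = SECRET) -> str:
    """Issuer side: HS256-sign a JWT over the given claims (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, key: bytes = SECRET, now: float = None) -> dict:
    """Resource side: check structure, algorithm, signature and expiry.

    Raises ValueError on any failure and returns the claims otherwise.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Only accept the algorithm we expect; never let the token choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if not isinstance(claims, dict):
        raise ValueError("malformed claims")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def scopes_of(claims: dict) -> set:
    """'scope' is commonly a space-delimited string, sometimes a JSON array; normalise both."""
    scope = claims.get("scope", [])
    if isinstance(scope, str):
        scope = scope.split()
    return set(scope)


def authorize(token: str, audience: str, required_scopes, key: bytes = SECRET, now: float = None) -> bool:
    """Audience selects the API, scope selects the feature inside it; both must pass."""
    try:
        claims = verify_token(token, key, now)
    except (ValueError, KeyError, TypeError):
        return False
    aud = claims.get("aud")
    aud_set = set(aud) if isinstance(aud, list) else {aud}
    if audience not in aud_set:
        return False
    return set(required_scopes) <= scopes_of(claims)


if __name__ == "__main__":
    # Constructed token: one audience, two scopes.
    tok = make_token({"iss": "as", "aud": "orders-api",
                      "scope": "orders.read orders.write", "exp": 2000000000})
    print("read on orders-api:  ", authorize(tok, "orders-api", ["orders.read"], now=1000))
    print("delete on orders-api:", authorize(tok, "orders-api", ["orders.delete"], now=1000))
    print("read on billing-api: ", authorize(tok, "billing-api", ["orders.read"], now=1000))
```

The order matters: signature and expiry first, then audience, then scope. A token minted for another API is rejected before any scope is looked at, and a caller cannot widen its scope by editing the payload because the signature no longer verifies.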


The Web API v2 OAuth2 Authorization Server Middleware–Is it worth it?

Adding the concept of an authorization server to your web APIs is the recommended architecture for managing authentication and authorization. But writing such a service from scratch is not an easy...


Integrating AuthorizationServer with Auth0

AuthorizationServer is a lightweight OAuth2 implementation that is designed to integrate with arbitrary identity management systems. I wrote about integration with Thinktecture IdentityServer, ADFS and...


Announcing Thinktecture IdentityServer v3 – Preview 1

The last months we’ve been heads down re-writing IdentityServer from scratch (see here for background) – and we are now at a point where we think we have enough up and running to show it to you! What...


List of Libraries and Projects for OpenID Connect and JWT

...can be found here: http://openid.net/developers/libraries/

Filed under: OAuth, OpenID Connect, WebAPI


New Pluralsight Course: “Web API v2 Security”

It is finally online! Hope you like it. http://pluralsight.com/training/Courses/TableOfContents/webapi-v2-security

Filed under: ASP.NET, AuthorizationServer, Katana, OAuth, OWIN, WebAPI


IdentityServer v3 and Azure WebSites (and other Deployment Simplifications)

(applies to preview 1) A common request for IdentityServer was being able to run on Azure WebSites (or other constrained deployment environments where you don’t have machine level access). This was...


Covert Redirect – really?

In the era where security vulnerabilities have logos, stickers and mainstream media coverage – it seems to be really easy to attract attention with simple input validation flaws. Quoting: “Covert...
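The teaser files Covert Redirect under "simple input validation flaws": the input in question is the client's redirect_uri parameter at the authorization endpoint, and the defence is the one RFC 6749 section 3.1.2 already asks for, registering complete redirection URIs and comparing them by simple string comparison. The following is an added example, not code from the post or from Thinktecture AuthorizationServer; it is in Python so that it runs stand-alone, and the client ids and registered URIs are hypothetical. It places a loose prefix-matching validator beside a strict exact-match one and shows which requests each accepts.

```python
from urllib.parse import urlsplit

# Constructed client registrations (hypothetical ids and URIs).
REGISTERED_REDIRECT_URIS = {
    "client-a": {"https://app.example/cb", "https://app.example/signin-oidc"},
    # Sloppy registration of a plain-http callback, kept to show defence in depth.
    "client-legacy": {"http://legacy.example/cb"},
}


def weak_is_valid_redirect_uri(client_id: str, redirect_uri: str) -> bool:
    """Prefix matching: the kind of relaxed check that lets an attacker append
    a query string or path that an open redirector on the client then follows."""
    registered = REGISTERED_REDIRECT_URIS.get(client_id, ())
    return any(redirect_uri.startswith(r) for r in registered)


def strict_is_valid_redirect_uri(client_id: str, redirect_uri: str) -> bool:
    """Exact string match against the registered set, nothing else.

    No prefix, wildcard, or same-host matching. As a second line of defence the
    matched value must be https and carry no fragment (RFC 6749 section 3.1.2),
    so a badly registered URI is still refused.
    """
    registered = REGISTERED_REDIRECT_URIS.get(client_id, ())
    if redirect_uri not in registered:
        return False
    parts = urlsplit(redirect_uri)
    return parts.scheme == "https" and parts.fragment == ""


if __name__ == "__main__":
    # Constructed request: the registered callback with an extra parameter that
    # a client-side open redirector could act on.
    attempt = "https://app.example/cb?next=https://attacker.example/"
    print("weak  :", weak_is_valid_redirect_uri("client-a", attempt))
    print("strict:", strict_is_valid_redirect_uri("client-a", attempt))
```

The strict check is deliberately dumb: it does not normalise, decode or canonicalise the incoming value, because every such step is another place where two strings that look the same to the validator are treated differently by a browser.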


IdentityServer v3 Nuget and Self-Hosting

Thanks to Damian and Maurice we now have a build script for IdSrv3 that creates a Nuget package *and* internalizes all dependencies. So in other words you only need to reference a single package (well...


NDC Oslo 2014 Slides, Samples and Videos

As always – NDC was a great conference! Here’s the list of resources relevant to my talks: IdentityServer v3 preview: github Web API Access Control & Authorization: slides / video OpenID Connect:...


DotNetRocks on OpenID Connect with Brock and Me

Recorded at NDC Oslo: http://www.dotnetrocks.com/default.aspx?ShowNum=993

Filed under: Conferences & Training, IdentityServer, OAuth, OpenID Connect, OWIN, WebAPI
