Channel: WebAPI – leastprivilege.com


Three days of Identity & Access Control Workshop at SDD Deep Dive – November...

As part of the SDD Deep Dive event in London – Brock and I will deliver an updated version of our “Identity & Access Control for modern Web Applications and APIs” workshop. For the first time, this...


Give your WCF Security Architecture a Makeover with IdentityServer3

Not everybody has the luxury of being able to start over and build the new & modern version of their software from scratch. Many people I speak to have existing investments in WCF and their...


Security at NDC Oslo

For a developer conference, NDC Oslo had a really strong security track this year. Also the audience appreciated that – from the five highest ranked talks – three were about security. Troy has the...


The State of Security in ASP.NET 5 and MVC 6

We’ve been closely following ASP.NET 5 and MVC 6 since the days it was presented behind closed doors, through the “vNext” and “Project K” phase up to recent beta builds. I personally monitored all...


The State of Security in ASP.NET 5 and MVC 6: Claims & Authentication

Disclaimer: Microsoft announced the roadmap for ASP.NET 5 yesterday – the current release date of the final version is Q1 2016. Some details of the features and APIs I mention will change between now...


The State of Security in ASP.NET 5 and MVC 6: OAuth 2.0, OpenID Connect and...

ASP.NET 5 contains a middleware for consuming tokens – but not anymore for producing them. I personally have never been a big fan of the Katana authorization server middleware (see my thoughts here) –...


IdentityModel 1.0.0 released

Part of the ongoing effort to modernize our libraries, I released IdentityModel today. IdentityModel contains useful helpers, extension methods and constants when working with claims-based identity in...


Upcoming Identity & Access Control Workshops in Europe

Brock and I will be in London in November and January to hold our identity & access control workshop. In November we are at the SDD Deep Dive event and do a very special three day version which...


The State of Security in ASP.NET 5 and MVC 6: Authorization

The hardest part in designing an application is authorization. The requirements are always so app-specific that for 10 applications you often see 12 different implementations. To make things worse,...


IdentityServer3 Logging & Monitoring using Serilog and Seq

IdentityServer has two fundamental “monitoring” facilities: development-time logging and production-time eventing. The original docs are here. Logging is for developers – in fact – when I start a new...


IdentityServer3 v2.2

Yesterday we published v2.2 to NuGet and GitHub. You can see the release notes here. Besides a couple of bug fixes and refinements – the big features are support for the introspection specification...


Reference Tokens and Introspection

Access tokens can come in two shapes: self-contained and reference. Self-contained tokens are using a protected, time-limited data structure that contains metadata and claims to communicate the...


OAuth 2.0 Token Introspection Middleware for ASP.NET 5

In my last post I described the value of reference tokens and how the OAuth 2.0 token introspection spec (aka RFC 7662) gives us a standard way of using them. Over the Christmas break I worked on an...


Validating Scopes in ASP.NET 4 and 5

OAuth 2.0 scopes are a way to model (API) resources. This allows you to give logical “names” to APIs that clients can use to request tokens for. You might have very granular scopes like e.g. api1 &...


Announcing IdentityServer for ASP.NET 5 and .NET Core

Over the last couple of years, we’ve been working with the ASP.NET team on the authentication and authorization story for Web API, Katana and ASP.NET 5. This included the design around claims-based...


Which OpenID Connect/OAuth 2.0 Flow is the right One?

That is probably the most common question we get – and the answer is of course: it depends! Machine to Machine Communication: This one is easy – since there is no human directly involved, client...


NDC London 2016 Wrap-up

NDC has been fantastic again! Good fun, good talks and good company! Brock and I did the usual 2-day version of our Identity & Access Control workshop at the pre-con. This was (probably) the last...


Workshop: Identity & Access Control for modern Web Applications and APIs

Brock and I are currently working on a brand new two day workshop about all things security when building modern web applications and APIs. You can either attend the full two day version at NDC Oslo...


OpenID Connect and the IdentityServer Roadmap

Since OpenID Connect has been officially released now, I thought I’ll tell you a little bit more about our plans around our identity open source projects. IdentityServer: IdSrv is a very popular identity...
