Clik here to view.
Thinktecture IdentityModel and Web API v2 / Katana
If you are using IdentityModel and the AuthenticationHandler to secure your Web APIs – we have some good and some bad news. The good news is, that IdentityModel continues to work in Web API v2 when...
View ArticleClik here to view.
My Web API Security Talk from Software Architect 2013
https://vimeo.com/user22258446/review/79095048/9a4d62f61cFiled under: ASP.NET, AuthorizationServer, Conferences & Training, IdentityModel, IdentityServer, Katana, OAuth, OWIN
View ArticleClik here to view.
Thinktecture.IdentityModel.Owin.*
To be more in-line with the OWIN / middleware mindset (and because Damian said so) – I broke up our OWIN security assembly into smaller components:...
View ArticleClik here to view.
Workshop: Identity & Access Control for modern Web Applications and APIs
Brock and I are currently working on a brand new two day workshop about all things security when building modern web applications and APIs. You can either attend the full two day version at NDC Oslo...
View ArticleClik here to view.
OAuth2 and OpenID Connect Scope Validation for OWIN/Katana
In OAuth2 or OpenID Connect you don’t necessarily always use the audience to partition your token space – the scope concept is also commonly used (see also Vittorio’s post from yesterday). A while ago...
View ArticleClik here to view.
Announcing Thinktecture IdentityServer v3 – Preview 1
The last months we’ve been heads down re-writing IdentityServer from scratch (see here for background) – and we are now at a point where we think we have enough up and running to show it to you! What...
View ArticleClik here to view.
100k Downloads of Thinktecture IdentityModel
Amazing! Thanks for all the feedback – but keep in mind that this package is deprecated. For Web API => v2 and MVC >= 5 please use the new Thinktecture.IdentityModel.Core and family.Filed under:...
View ArticleClik here to view.
Resource/Action based Authorization for OWIN (and MVC and Web API)
Authorization is hard – much harder than authentication because it is so application specific. Microsoft went through several iterations of authorization plumbing in .NET, e.g. PrincipalPermission,...
View ArticleClik here to view.
NDC London: Identity and Access Control for modern Web Applications and APIs
I am happy to announce that NDC will host our new workshop in London in December! Join us to learn everything that is important to secure modern web applications and APIs using Microsoft’s current and...
View ArticleClik here to view.
Identity & Access Control at NDC London 2014
The NDC Agenda is out now – and Brock and me will do a number of identity & access control related sessions. Brock will talk about identity management in ASP.NET – which is a huge topic – so he...
View ArticleClik here to view.
.NET Foundation Advisory Council
I have been invited to join the .NET Foundation advisory council – looking forward to it!...
View ArticleClik here to view.
Security at NDC Oslo
For a developer conference, NDC Oslo had a really strong security track this year. Also the audience appreciated that – from the five highest ranked talks – three were about security. Troy has the...
View ArticleClik here to view.
IdentityModel 1.0.0 released
Part of the ongoing effort to modernize our libraries, I released IdentityModel today. IdentityModel contains useful helpers, extension methods and constants when working with claims-based identity in...
View ArticleClik here to view.
IdentityServer: Using WS-Federation with JWT Tokens
WS-Federation is token agnostic – that means you can also use JWT tokens instead of the default SAML ones. Why would you want to do that? Well – JWT’s a slightly more compact which I think is...
View ArticleClik here to view.
Hawk Support in Thinktecture IdentityModel v3.3
I just released v3.3 of IdentityModel to Github and Nuget. It includes the [Scope] attribute for Web API (here) and the clickjacking protection for MVC (here). But the biggest addition is certainly a...
View ArticleClik here to view.
Thinktecture AuthorizationServer v0.5 released
I just uploaded a “feature complete” version of AuthorizationServer to Github. This version has all the features we are planning for v1 – please give us feedback when you think things should work...
View ArticleClik here to view.
Bringing SWT Support back to Thinktecture IdentityModel
When Microsoft released the JWT library, I thought that’s a good opportunity to remove the SWT support from IdentityModel. But it turns out, there are still scenarios for SWT – so I refreshed my old...
View ArticleClik here to view.
Using IdentityServer to issue tokens for Windows Server ServiceBus
Windows Server ServiceBus supports SWT tokens to authorize actions on a SB namespace or entity (e.g. listen, send or manage). In the Azure version of ServiceBus you would use the Azure Access Control...
View ArticleClik here to view.
IdentityServer: Overview of OpenID Connect Basic Client Profile
Filed under: IdentityModel, IdentityServer, OAuth, WebAPI
View ArticleClik here to view.
Two days of Claims-based Identity & Access Control Workshop in London
Great news! The London edition of the NDC conference has pre-con workshops and Jakob invited us to hold our claims-based identity & access control workshop there. This is the first time Brock and I...
View ArticleClik here to view.
Using AuthorizationServer with Web API v2/Katana–first look
Traditionally we have used Thinktecture.IdentityModel to parse and validate incoming JWT tokens in Web API. The good news is, there is nothing you have to change when moving to Web API v2 – the...
View ArticleClik here to view.
Claims Transformation Middleware for Katana
One missing piece in Katana security/authentication is claims transformation. Fortunately, this is easy to add: public class ClaimsTransformationMiddleware : OwinMiddleware {...
View ArticleClik here to view.
Adding OAuth2 to ADFS (and thus bridging the gap between modern Applications...
AuthorizationServer can be combined with arbitrary authentication methods, but the fact that it comes pre-configured as a WS-Federation relying party, makes it particularly easy to combine it with e.g....
View ArticleClik here to view.
OWIN Claims Transformation Middleware–Take 2
Thanks to some good feedback from @grumpydev, @loudej and Chriss Ross – I changed my original claims transformation middleware (see here). What I learned is, that for better compatibility and...
View ArticleClik here to view.
Thinktecture.IdentityModel v.Next
Thinktecture.IdentityModel (github, nuget) is a popular library in the security community. But we have reached a point now where we realized that we have too many dependencies and too many legacy stuff...
View ArticleClik here to view.
Adding SAML11 and SAML2 Support to Katana/OWIN
Katana has pretty straightforward extensibility for adding support for token formats. It ships with built-in support for JWT (consuming) and their internal token format (consuming & producing). By...
View ArticleClik here to view.
Retrieving bearer tokens from alternative locations in Katana/OWIN
The Katana bearer token authentication middleware tries to retrieve tokens from the HTTP Authorization header with a scheme of Bearer by default. You can customize this behavior by providing a so...
View ArticleClik here to view.
Thinktecture AuthenticationHandler for Web API v2
Here I mentioned that there are some incompatibilities between AuthenticationHandler and Web API v2/OWIN hosting. As part of making Thinktecture.IdentityModel more modular – I updated the...
View ArticleClik here to view.
Client Certificate Authentication Middleware for Katana
Katana has no middleware to turn SSL client certificates into a ClaimsIdentity. And since I am currently collecting material for my upcoming Web API security course I used the opportunity to experiment...
View ArticleClik here to view.
Adding Refresh Tokens to a Web API v2 Authorization Server
In the last post I showed how to add a simple username/password (aka resource owner password credentials flow) authorization server to Web API v2. This has several advantages: The client does not need...
View ArticleClik here to view.
Thinktecture.IdentityModel.Client v1.0
As part of the restructuring work of IdentityModel, I separated the HTTP and OAuth2 client bits into a separate project. The nice side effect of this is that the client library is now portable and can...
View ArticleClik here to view.
Advanced OAuth2: Assertion Flow (how)
My last post described the mechanics and motivation for the OAuth2 assertion flow. In this post I want to show you how you can use Thinktecture AuthorizationServer to implement an assertion flow...
View ArticleClik here to view.
OpenID Connect and the IdentityServer Roadmap
Since OpenID Connect has been officially released now, I thought I’ll tell you a little bit more about our plans around our identity open source projects. IdentityServerIdSrv is a very popular identity...
View ArticleClik here to view.
Validating Scopes in ASP.NET 4 and 5
OAuth 2.0 scopes are a way to model (API) resources. This allows you to give logical “names” to APIs that clients can use to request tokens for. You might have very granular scopes like e.g. api1 &...
View ArticleClik here to view.
IdentityModel: OpenID Connect & OAuth 2.0 Client Library for Mobile/Native...
Recently we had a couple of customers that needed to connect their native desktop and mobile applications to an OpenID Connect and OAuth 2.0 back-end. We always had samples that showed how to do this,...
View ArticleClik here to view.
Identity Videos, Podcasts and Slides from Conference Season 2016/1
My plan was to cut down on conferences and travelling in general – this didn’t work out ;) I did more conferences in the first 6 months of 2016 than I did in total last year. weird. Here are some of...
View ArticleClik here to view.
Update for authentication & API access for native applications and...
The most relevant spec for authentication and API access for native apps has been recently updated. If you are “that kind of person” that enjoys looking at diffs of pre-release RFCs – you would have...
View ArticleClik here to view.
Identity & Access Control for ASP.NET Core Deep Dive
Once a year Brock and I do our three day version of the Identity & Access Control workshop in London. This year it will be all about .NET Core and ASP.NET Core – and a full day on the new...
View ArticleClik here to view.
IdentityModel v2 released
IdentityModel is our protocol client library for various OpenID Connect and OAuth 2 endpoints like discovery, userinfo, token, introspection and token revocation. In addition it has some general...
View ArticleClik here to view.
IdentityServer4 RC2 released
Yesterday we pushed IdentityServer4 RC2 to nuget. There are no big new features this time, but a lot of cleaning up, bug fixing and adding more tests. We might add one or two more bigger things before...
View ArticleClik here to view.
IdentityModel.OidcClient v2 & the OpenID RP Certification
A couple of weeks ago I started re-writing (an re-designing) my OpenID Connect & OAuth 2 client library for native applications. The library follows the guidance from the OpenID Connect and OAuth...
View ArticleClik here to view.
OpenID Connect Client Library for JavaScript/SPA-style Applications
In addition to our native library – Brock successfully certified his JavaScript library with the OpenID Foundation. oidc-client-js is by far the most easy and elegant way I have seen so far for...
View ArticleClik here to view.
NDC London 2017
As always – NDC was a very good conference. Brock and I did a workshop, two talks and an interview. Here are the relevant links: Building JavaScript and mobile/native Clients for Token-based...
View ArticleUsing iOS11 SFAuthenticationSession with IdentityModel.OidcClient
Starting with iOS 11, there’s a special system service for browser-based authentication called SFAuthenticationSession. This is the recommended approach for OpenID Connect and OAuth 2 native iOS...
View ArticleClik here to view.
The State of HttpClient and .NET Multi-Targeting
IdentityModel is a library that uses HttpClient internally – it should also run on all recent versions of the .NET Framework and .NET Core. HttpClient is sometimes “built-in”, e.g. in the .NET...
View ArticleMaking the IdentityModel Client Libraries HttpClientFactory friendly
IdentityModel has a number of protocol client libraries, e.g. for requesting, refreshing, revoking and introspecting OAuth 2 tokens as well as a client and cache for the OpenID Connect discovery...
View ArticleWhat happened in 2018?
2018 has been really busy. We worked on a lot of different things, and I just realized that I only wrote eight blog posts in total. I decided to block December to catch up on many work and non-work...
View ArticleAnother Take on Access Token Management in ASP.NET Core (…and announcing...
I spent a lot of time on the client side recently – as part of our PolicyServer client libraries work, customer work, our updated guidance for our workshops as well as the various talks Brock and I...
View ArticleReleasing IdentityModel v4
IdentityModel has been growing organically over the last years, and we felt it is necessary to do some fundamental cleanup. At the same time it is used by a lot of people and companies (currently...
View ArticleMajor Update to IdentityModel.OidcClient
I just pushed Preview 3 of the 4.0 version of IdentityModel.OidcClient – this includes some major updates (that you might or might not have asked for): Removal of OpenID Connect Hybrid Flow. The...
View Article