Clik here to view.
Retrieving bearer tokens from alternative locations in Katana/OWIN
The Katana bearer token authentication middleware tries to retrieve tokens from the HTTP Authorization header with a scheme of Bearer by default. You can customize this behavior by providing a so...
View ArticleClik here to view.
Thinktecture AuthenticationHandler for Web API v2
Here I mentioned that there are some incompatibilities between AuthenticationHandler and Web API v2/OWIN hosting. As part of making Thinktecture.IdentityModel more modular – I updated the...
View ArticleClik here to view.
Client Certificate Authentication Middleware for Katana
Katana has no middleware to turn SSL client certificates into a ClaimsIdentity. And since I am currently collecting material for my upcoming Web API security course I used the opportunity to experiment...
View ArticleClik here to view.
Adding Refresh Tokens to a Web API v2 Authorization Server
In the last post I showed how to add a simple username/password (aka resource owner password credentials flow) authorization server to Web API v2. This has several advantages: The client does not need...
View ArticleClik here to view.
Thinktecture.IdentityModel.Client v1.0
As part of the restructuring work of IdentityModel, I separated the HTTP and OAuth2 client bits into a separate project. The nice side effect of this is that the client library is now portable and can...
View ArticleClik here to view.
Advanced OAuth2: Assertion Flow (how)
My last post described the mechanics and motivation for the OAuth2 assertion flow. In this post I want to show you how you can use Thinktecture AuthorizationServer to implement an assertion flow...
View ArticleClik here to view.
OpenID Connect and the IdentityServer Roadmap
Since OpenID Connect has been officially released now, I thought I’ll tell you a little bit more about our plans around our identity open source projects. IdentityServerIdSrv is a very popular identity...
View ArticleClik here to view.
Validating Scopes in ASP.NET 4 and 5
OAuth 2.0 scopes are a way to model (API) resources. This allows you to give logical “names” to APIs that clients can use to request tokens for. You might have very granular scopes like e.g. api1 &...
View ArticleClik here to view.
IdentityModel: OpenID Connect & OAuth 2.0 Client Library for Mobile/Native...
Recently we had a couple of customers that needed to connect their native desktop and mobile applications to an OpenID Connect and OAuth 2.0 back-end. We always had samples that showed how to do this,...
View ArticleClik here to view.
Identity Videos, Podcasts and Slides from Conference Season 2016/1
My plan was to cut down on conferences and travelling in general – this didn’t work out ;) I did more conferences in the first 6 months of 2016 than I did in total last year. weird. Here are some of...
View ArticleClik here to view.
Update for authentication & API access for native applications and...
The most relevant spec for authentication and API access for native apps has been recently updated. If you are “that kind of person” that enjoys looking at diffs of pre-release RFCs – you would have...
View ArticleClik here to view.
Identity & Access Control for ASP.NET Core Deep Dive
Once a year Brock and I do our three day version of the Identity & Access Control workshop in London. This year it will be all about .NET Core and ASP.NET Core – and a full day on the new...
View ArticleClik here to view.
IdentityModel v2 released
IdentityModel is our protocol client library for various OpenID Connect and OAuth 2 endpoints like discovery, userinfo, token, introspection and token revocation. In addition it has some general...
View ArticleClik here to view.
IdentityServer4 RC2 released
Yesterday we pushed IdentityServer4 RC2 to nuget. There are no big new features this time, but a lot of cleaning up, bug fixing and adding more tests. We might add one or two more bigger things before...
View ArticleClik here to view.
IdentityModel.OidcClient v2 & the OpenID RP Certification
A couple of weeks ago I started re-writing (an re-designing) my OpenID Connect & OAuth 2 client library for native applications. The library follows the guidance from the OpenID Connect and OAuth...
View ArticleClik here to view.
OpenID Connect Client Library for JavaScript/SPA-style Applications
In addition to our native library – Brock successfully certified his JavaScript library with the OpenID Foundation. oidc-client-js is by far the most easy and elegant way I have seen so far for...
View ArticleClik here to view.
NDC London 2017
As always – NDC was a very good conference. Brock and I did a workshop, two talks and an interview. Here are the relevant links: Building JavaScript and mobile/native Clients for Token-based...
View ArticleUsing iOS11 SFAuthenticationSession with IdentityModel.OidcClient
Starting with iOS 11, there’s a special system service for browser-based authentication called SFAuthenticationSession. This is the recommended approach for OpenID Connect and OAuth 2 native iOS...
View ArticleClik here to view.
The State of HttpClient and .NET Multi-Targeting
IdentityModel is a library that uses HttpClient internally – it should also run on all recent versions of the .NET Framework and .NET Core. HttpClient is sometimes “built-in”, e.g. in the .NET...
View ArticleMaking the IdentityModel Client Libraries HttpClientFactory friendly
IdentityModel has a number of protocol client libraries, e.g. for requesting, refreshing, revoking and introspecting OAuth 2 tokens as well as a client and cache for the OpenID Connect discovery...
View Article