Thinktecture.IdentityModel Nuget Package hits 10K downloads
Thanks! Filed under: .NET Security, ASP.NET, IdentityModel, IdentityServer, WCF, WebAPI
Thinktecture IdentityServer v2 RTM
Title says it all – I am glad we could get this done before the end of the year!! Besides bug fixes since the last beta version, we added two features: identity server core nuget package and profile...
ASP.NET (Web API) Security: Prologue
Many people asked me how all the moving parts of Thinktecture.IdentityModel, IdentityServer and ASP.NET and Web API relate to each other. And quite frankly, reading my old blog posts does not always...
Thinktecture IdentityModel v2.3 Breaking Changes
I just uploaded v2.3 to Nuget. There are a number of breaking changes I want to make you aware of (.Net 4.5 version only): By default the Web API authentication handler now requires SSL. You can turn...
How to implement Authentication with OAuth2
I get this question a lot. Short answer: “you don’t!”. For the long answer: http://blogs.msdn.com/b/vbertocci/archive/2013/01/02/oauth-2-0-and-sign-in.aspx Filed under: IdentityModel, OAuth, WebAPI
ASP.NET Web API Security: The Web Host and Service
I will be using the same web hosted Web API service for the sample. The service is very simple: [Authorize] public class IdentityController : ApiController { public ViewClaims Get() {...
ASP.NET Web API Security: Setting up the Sample
You can download the complete source from here. The Web API security sample is in samples/web api security. On my machine I have mapped the samples/web api security/webhost directory to IIS. I am sure...
Claims-based Identity & Access Control Training in February
I just got email confirming the February run of the “identity course” in Oslo. Great! There are seats left and you can book here. Cu! Filed under: .NET Security, ASP.NET, Azure, IdentityModel,...
ASP.NET Web API Authentication using the Microsoft Account
The last days I’ve been researching some of the new security features in Windows 8. One of the biggest changes in Windows is definitely the fact that you can now login using your Microsoft Account. I...
Claims-based Identity & Access Control Pre-Conference Workshop at NDC 2013
This is great news! If you are going to NDC, you can take my identity & access control training as a pre-conference workshop. I have divided the content in a “web apps” day and a “services &...
Alternative to Thread.CurrentPrincipal in ASP.NET Web API
Those who know me also know that I was always an advocate of Thread.CurrentPrincipal (or ClaimsPrincipal.Current in .NET 4.5). But I also understand that some people (or frameworks) don’t like ambients...
Introducing OAuth2 Code Flow and Refresh Token Support in Thinktecture...
We recently merged OAuth2 code flow and refresh token support into the main branch on Github. Please give it a try and tell us if it is working for you or not. After that feedback phase I will release...
OAuth2 Security
Right now there are many good “discussions” on OAuth2 security happening. Some are constructive, some rather destructive – and some simply hack one or the other website to prove the point. In my...
Common OAuth2 Vulnerabilities and Mitigation Techniques
In the last post I described some of the general problems with OAuth2 and its implementations. In this post I want to go into more detail and show some necessary hardening steps. We did our best (well...
Pro ASP.NET Web API Security
Check out Badri’s book. Essential information about securing ASP.NET Web APIs! http://amzn.com/1430257822 Filed under: IdentityModel, OAuth, WebAPI
Going to NDC? Get two extra Days of Identity and Access Control!
Claims, WS-Federation, WS-Trust, WS-Security, ASP.NET, Federation, Single Sign-On, Home Realm Discovery, WCF, SAML, JWT, Web API, OAuth2, Thinktecture IdentityServer & IdentityModel, ADFS, Windows...
Driving the WS-Federation Handshake from ASP.NET Web API
In general I think the API design of the WS-Federation support in WIF / .NET 4.5 is a bit unfortunate. It was a strange decision to combine the HTTP module (aka the FAM) and the more generic protocol...
Getting JSON web tokens (JWTs) from ADFS via Thinktecture IdentityServer's...
Reblogged from brockallen: Dominick and I recently added three features to IdentityServer that collectively we call "ADFS Integration". This "ADFS Integration" is a new protocol (which can be enabled,...
Authentication vs Authorization
…in the context of token-based security systems. There are many practical and philosophical ways to discuss the difference between the two terms. But since there is quite some confusion, I want to look...
Annual Identity Update on DotNetRocks
It’s this time of the year again! http://www.dotnetrocks.com/default.aspx?ShowNum=863 “Dominick Baier returns to talk to Carl and Richard about the current state of security in .NET 4.5. Dom starts out...