SAML2p Identity Provider Support for IdentityServer4
One very common feature request is support for acting as a SAML2p identity provider. This is not a trivial task, but our friends at Rock Solid Knowledge were working hard, and now published a beta...
Templates for IdentityServer4 v2
I finally found the time to update the templates for IdentityServer4 to version 2. You can find the source code and instructions here. To be honest, I didn’t have time to research more advanced...
Using iOS11 SFAuthenticationSession with IdentityModel.OidcClient
Starting with iOS 11, there’s a special system service for browser-based authentication called SFAuthenticationSession. This is the recommended approach for OpenID Connect and OAuth 2 native iOS...
End of IdentityServer3 Maintenance
Yesterday we made the decision to stop development and maintenance of IdentityServer3. This has a couple of reasons: IdentityServer4 is the better OpenID Connect and OAuth 2 implementation in every...
Missing Claims in the ASP.NET Core 2 OpenID Connect Handler?
The new OpenID Connect handler in ASP.NET Core 2 has a different (aka breaking) behavior when it comes to mapping claims from an OIDC provider to the resulting ClaimsPrincipal. This is especially...
Updated Templates for IdentityServer4
We finally found the time to put more work into our templates. dotnet new is4empty Creates a minimal IdentityServer4 project without a UI. dotnet new is4ui Adds the quickstart UI to the current project...
Sponsoring IdentityServer
Brock and I have been working on free identity & access control related libraries since 2009. This all started as a hobby project, and I can very well remember the day when I said to Brock that we...
NDC London 2018: IdentityServer Update
We are at NDC in London right now and are about to start our session “IdentityServer4 v2 on ASP.NET Core v2 – an Update”. For those who can’t be here – you can find my slides on Speakerdeck. There will...
Announcing PolicyServer
Over the course of the last years Brock, Michele and I have all been actively designing and implementing identity solutions for customers of all sizes and industries. Solutions range from simple to...
Native OIDC client sample for Windows that uses custom URI scheme handler
brockallen Since the release of our IdentityModel.OidcClient client library we have had iOS and Android samples for using the system browser to allow a user to authenticate with the token server....
NDC London 2018 Artefacts
“IdentityServer v2 on ASP.NET Core v2: An update” video “Authorization is hard! (aka the PolicyServer announcement) video DotNetRocks interview audio
The State of HttpClient and .NET Multi-Targeting
IdentityModel is a library that uses HttpClient internally – it should also run on all recent versions of the .NET Framework and .NET Core. HttpClient is sometimes “built-in”, e.g. in the .NET...
Improvements in Claim Mapping in the ASP.NET Core 2.1 OpenID Connect Handler
Here I described the various layers of claim mappings going on when doing OpenID Connect with ASP.NET Core. Based on our feedback, the ASP.NET team added another mapping option to reduce the amount of...
Mixing UI and API Endpoints in ASP.NET Core 2.1 (aka Dynamic Scheme Selection)
Some people like to co-locate UI and API endpoints in the same application. I generally prefer to keep them separate, but I acknowledge that certain architecture styles make this conscious decision....
Making the IdentityModel Client Libraries HttpClientFactory friendly
IdentityModel has a number of protocol client libraries, e.g. for requesting, refreshing, revoking and introspecting OAuth 2 tokens as well as a client and cache for the OpenID Connect discovery...
IdentityManager2
brockallen In 2014 I developed and released the first version of IdentityManager. The intent was to provide a simple, self-contained administrative tool for managing users in your ASP.NET Identity or...
Beware the combined authorize filter mechanics in ASP.NET Core 2.1
brockallen In ASP.NET Core 2.1 one of the security changes was related to how authorization filters work. In essence the filters are now combined, whereas previously they were not. This change in...
What happened in 2018?
2018 has been really busy. We worked on a lot of different things, and I just realized that I only wrote eight blog posts in total. I decided to block December to catch up on many work and non-work...
Automatic OAuth 2.0 Token Management in ASP.NET Core
As part of the recent discussions around how to build clients for OpenID Connect and OAuth 2.0 based systems (see e.g. Brock’s post here), we substantially updated our workshop and supporting...
An alternative way to secure SPAs (with ASP.NET Core, OpenID Connect, OAuth...
You might have noticed the recent public discussions around how to securely build SPAs – and especially about the “weak security properties” of the OAuth 2.0 Implicit Flow. Brock has written up a good...
Try Device Flow with IdentityServer4
The biggest new feature in IdentityServer4 v2.3 is support for the beta Device Flow specification. Device Flow is a flavour of OAuth 2.0 optimised for browserless and/or input-constrained devices....
IdentityServer4 Roadmap
We didn’t have a lot of time recently to work on IdentityServer4 – and yes, I know there are a lot of open “backlog” issues right now. But fortunately everything is pretty stable and from the open...
Another Take on Access Token Management in ASP.NET Core (…and announcing...
I spent a lot of time on the client side recently – as part of our PolicyServer client libraries work, customer work, our updated guidance for our workshops as well as the various talks Brock and I...
End of IdentityServer3 free Support
Back in 2017 we announced the end of IdentityServer3 maintenance. This excluded security bug fixes. As of the 1st of July 2019 Microsoft officially ended support for Katana 3. This means that the...
Claims-based Identity & Access Control for .NET, ASP.NET and WCF 4.5 now...
Time flies! I just got notice from PluralSight that the above mentioned three courses are now retired and are not included in search results anymore. If you still care about this content – the direct...
Releasing IdentityModel v4
IdentityModel has been growing organically over the last years, and we felt it is necessary to do some fundamental cleanup. At the same time it is used by a lot of people and companies (currently...
IdentityServer for ASP.NET Core 3
In short: is released (along with the introspection and access control validation handler). As part of the longer version, you might ask yourself how we can do that before ASP.NET Core 3 itself is...
Two is the magic Number
...and not 3. To build authentication systems for modern applications, all you need to understand are two OpenID Connect / OAuth 2.0 flows. That’s it. Client Credentials Flow This is probably the...
Use explicit typing for your JWTs
JWTs are being used in many places these days – identity tokens, access tokens, security events, logout tokens… You actually have to be careful when validating a JWT that you don’t mistakenly confuse...
IdentityServer3 and upcoming SameSite Cookie changes in Browsers
You have probably heard that starting with Chrome 80 in February, the behavior of cookies will change. This is a breaking change and affects every single web application on the internet. Microsoft has...
OAuth 2.0: The long Road to Proof-of-Possession Access Tokens
I did a lot of WS-Security in my (distant) past – and whenever we started looking into migrating to OAuth 2.0, there was this one thing on the security check-list that was missing in the OAuth world:...
New in IdentityServer4 v4: Multiple signing Keys
So far IdentityServer4 only supported a single signing key at a time. There are historic reasons for that. When we started with .NET Core, the only x-plat algorithm that really worked (without #ifdef...
2020: IdentityServer4 Roadmap
It’s the time of the year – we are working on IdentityServer and lock down the features we want to implement for the next version(s). Initially we planned to make our 3.0 release the big one – but then...
Hardening Refresh Tokens
Refresh tokens provide a UX friendly way to give a client long-lived access to resources without having to involve the user after the initial authentication & token request. This makes them also a...
Hardening OpenID Connect/OAuth Authorize Requests (and Responses)
One of the biggest strengths of OIDC and OAuth is the usage of the browser front-channel. The browser can show a UI and follow redirects, this makes it very powerful and flexible. Guess what – the...
Mutual TLS and Proof-of-Possession Access Tokens – Part 1: Setup
2020 is the year where I want proof-of-possession tokens to become reality. Mutual TLS seems to be the only feasible way to do that today. So here’s another post about it…. This is a two-part post. In...
Mutual TLS and Proof-of-Possession Tokens: Summary
This is the last part of my PoP and Mutual TLS post series. Part 1 covered some history and motivation, and part 2 looked at various server setups. Part 3 was supposed to be a walk-through guide on how...
Online Workshops in 2020
For obvious reasons, all in-person workshops have been cancelled for the time being. This is frustrating on one hand, but converting them to an online format will allow people to attend who otherwise...
SPAs are dead!?
Clickbait, isn’t it? But this was Brock’s immediate reaction when we saw (and I recommend you read this first): Full Third-Party Cookie Blocking and More What this basically means is that browsers are...
Major Update to IdentityModel.OidcClient
I just pushed Preview 3 of the 4.0 version of IdentityModel.OidcClient – this includes some major updates (that you might or might not have asked for): Removal of OpenID Connect Hybrid Flow. The...
Automatic Token Management for ASP.NET Core and Worker Services 1.0
After a pretty long preview period, I am happy to announce that IdentityModel.AspNetCore 1.0 is now on Nuget. This library solves a problem that we have with every single OIDC/OAuth client we are...
Updates on our Workshops
I am pleased to announce that we are now offering two workshops. I was mentioning that on Twitter already, and got a lot of questions. So I thought it would make sense to summarise them all in one...
The JWT Profile for OAuth 2.0 Access Tokens (and IdentityServer)
As part of creating our new Advanced OAuth training, I created a whole lecture on the evolution of access tokens and resource access. It’s fascinating – since the original OAuth 2.0 spec does not have...
I don’t like Identity Tokens
…or rather the name ;) I bet that if you wake up most “identity professionals” in the middle of the night and ask them what an identity token is, the answer would be “a token about the identity of the...
Resource Access in IdentityServer4 v4 and going forward
In my last post I alluded to the tension between real-world token-based security architectures, the OAuth 2.0 scope model, JWT access tokens and the audience claim. We went through a couple of...
Announcing IdentityServer4 v4.0
OK – it’s finally done. I published v4 to Nuget earlier today. You can find the complete set of changes/bug fixes/breaking changes here. We had to cut some features which were originally on our...
Refresh Tokens in IdentityServer4 v4
I already wrote about the hardening of refresh tokens in this post. I would recommend reading this first. The upcoming OAuth 2.1 spec is pretty clear about refresh token handling: If the client is...
Flexible Access Token Validation in ASP.NET Core
The ASP.NET Core authentication system went through a couple of iterations, and is pretty good now. For API scenarios, the typical choice is the JwtBearer authentication handler, which can validate...
The Future of IdentityServer
TL;DR https://blog.duendesoftware.com/posts/20201001_helloduende/ Brock Allen and I have been working on the IdentityServer code-base for more than 10 years. In 2020 we will be making some important...
What’s going on?
I just realized that my last blog post was over half a year ago when we announced our new company Duende Software. So what happened in the last 6 months of my life? In short – a ton! We left our...