Clik here to view.
Try Device Flow with IdentityServer4
The biggest new feature in IdentityServer4 v2.3 is support for the beta Device Flow specification. Device Flow is a flavour of OAuth 2.0 optimised for browserless and/or input-constrained devices....
View ArticleIdentityServer4 Roadmap
We didn’t have a lot of time recently to work on IdentityServer4 – and yes, I know there are a lot of open “backlog” issues right now. But fortunately everything is pretty stable and from the open...
View ArticleAnother Take on Access Token Management in ASP.NET Core (…and announcing...
I spent a lot of time on the client side recently – as part of our PolicyServer client libraries work, customer work, our updated guidance for our workshops as well as the various talks Brock and I...
View ArticleEnd of IdentityServer3 free Support
Back in 2017 we announced the end of IdentityServer3 maintenance. This excluded security bug fixes. As of the 1st of July 2019 Microsoft officially ended support for Katana 3. This means that the...
View ArticleClaims-based Identity & Access Control for .NET, ASP.NET and WCF 4.5 now...
Time flies! I just got notice from PluralSight that the above mentioned three courses are now retired and are not included in search results anymore. If you still care about this content – the direct...
View ArticleReleasing IdentityModel v4
IdentityModel has been growing organically over the last years, and we felt it is necessary to do some fundamental cleanup. At the same time it is used by a lot of people and companies (currently...
View ArticleIdentityServer for ASP.NET Core 3
In short: is released (along with the introspection and access control validation handler). As part of the longer version, you might ask yourself how we can do that before ASP.NET Core 3 itself is...
View ArticleTwo is the magic Number
..and not 3. To build authentication systems for modern applications, all you need to understand are two OpenID Connect / OAuth 2.0 flow. That’s it. Client Credentials Flow This is probably the...
View ArticleClik here to view.
Use explicit typing for your JWTs
JWTs are being used in many places these days – identity tokens, access tokens, security events, logout tokens… You actually have to be careful when validating a JWT that you don’t mistakenly confuse...
View ArticleIdentityServer3 and upcoming SameSite Cookie changes in Browsers
You have probably heard that starting with Chrome 80 in February, the behavior of cookies will change. This is a breaking change and effects every single web application on the internet. Microsoft has...
View ArticleOAuth 2.0: The long Road to Proof-of-Possession Access Tokens
I did a lot of WS-Security in my (distant) past – and whenever we started looking into migrating to OAuth 2.0, there was this one thing on the security check-list that was missing in the OAuth world:...
View ArticleNew in IdentityServer4 v4: Multiple signing Keys
So far IdentityServer4 only supported a single signing key at a time. There are historic reasons for that. When we started with .NET Core, the only x-plat algorithm that really worked (without #ifdef...
View Article2020: IdentityServer4 Roadmap
It’s the time of the year – we are working on IdentityServer and lock down the features we want to implement for the next version(s). Initially we planned to make our 3.0 release the big one – but then...
View ArticleHardening Refresh Tokens
Refresh tokens provide a UX friendly way to give a client long-lived access to resources without having to involve the user after the initial authentication & token request. This makes them also a...
View ArticleHardening OpenID Connect/OAuth Authorize Requests (and Responses)
One of the biggest strengths of OIDC and OAuth is the usage of the browser front-channel. The browser can show a UI and follow redirects, this makes it very powerful and flexible. Guess what – the...
View ArticleMutual TLS and Proof-of-Possession Access Tokens – Part 1: Setup
2020 is the year where I want proof-of-possession tokens to become reality. Mutual TLS seems to be the only feasible way to do that today. So here’s another post about it…. This is a two-part post. In...
View ArticleMutual TLS and Proof-of-Possession Tokens: Summary
This is the last part of my PoP and Mutual TLS post series. Part 1 covered some history and motivation, and part 2 looked at various server setups. Part 3 was supposed to be a walk-through guide on how...
View ArticleOnline Workshops in 2020
For obvious reasons, all in-person workshops have been cancelled for the time being. This is frustrating on one hand, but converting them to an online format, will allow people to attend who otherwise...
View ArticleSPAs are dead!?
clickbait isn’t it? But this was Brock’s immediate reaction when we saw (and I recommend you read this first): Full Third-Party Cookie Blocking and More What this basically means is, that browser are...
View ArticleMajor Update to IdentityModel.OidcClient
I just pushed Preview 3 of the 4.0 version of IdentityModel.OidcClient – this includes some major updates (that you might or might not have asked for): Removal of OpenID Connect Hybrid Flow. The...
View Article