I work as an associate consultant for the Germany-based company thinktecture (http://www.thinktecture.com). My main area of focus is security in general and identity & access control in particular. I help customers around the world implement claims-based identity, single sign-on, authorization and federation in their web applications, services and APIs. I am also an international conference speaker and the author of “Developing more-secure ASP.NET Application” and co-author of the Microsoft Patterns & Practices “Guide to Claims-based Identity and Access Control”.

127 Responses to About

  1. Karamer says:

    Hi Dom

    I’m pretty new to all this security, identity and access control stuff, but have to tell you that the stuff you have made available is awesome and has been a great help whilst beginning to understand this area. Awesome job, thanks!

    I have been playing around with Identity Server and Authorization Server whilst trying to architect a solution. Ideally what I am looking at is using Windows Azure ACS as a federation provider which a web application will trust. This will allow me to configure ACS to trust multiple identity providers, which allows one code base to scale to numerous customers with different identity providers (SaaS). Having read a lot of stuff, mostly produced by yourself!, and prototyped the scenario, I am comfortable with this part of things.

    However I also need to provide a Web API to be consumed by mobile devices and so wanted to use OAuth 2 to secure this (resource owner flow in this case), and this is the reason I was looking at your Authorization Server to help issue access tokens. Having quickly looked at the code it looks as if the resource owner endpoint authenticates with the configured identity provider. In this situation I won’t be able to authenticate with just one identity provider as this is federated. Is there any way the Authorization Server can support federated identity in the same way that Windows Azure ACS does for the web application?

    Any help on whether this is/can be supported and some pointers in the right direction to implement this would be much appreciated.


  2. Karamer says:

    Actually, as an addition to the above, it wouldn’t only just be limited to the resource owner flow, but also would need to be able to support the authorization code flow.

  3. skrv7 says:

    How do I contact you for consulting engagement?

  4. Dmitry Gilyaev says:

    Hi Dom
    Do you have any boards where I can ask you about WIF?

  5. Per Erik Gransøe says:

    Hi Dominick
    I’m looking into the relatively new FIDO protocol standard called U2F for two-factor authentication – https://fidoalliance.org/specifications/download/ – U2F.
    Have you ever looked into this or worked with it? And if so do you have an opinion on it as to the market impact of the standard compared to the few other two-factor-standards there are out there now?

  6. I have a question. What are the best practices for implementing SSO across multiple domains via OAuth? I was thinking about storing the URL of whichever cross-domain site was logged into first, along with the user credentials, so that when a navigation is made to another site not logged into, we can check whether that user already has a session on another domain by checking the credentials and the logged-in URL, and if so bypass the authentication mechanism on that non-logged-into site.

    • Since OAuth is not an authentication protocol – you wouldn’t use it to implement SSO. I would use OpenID Connect for that. https://github.com/IdentityServer

      • Hi Dominick. Certainly. Your point is well taken, but it’s the limitation, as you know, of not having cross-domain cookies, so I was thinking of this as a home-grown strategy decoupled from OAuth, but a way to bypass the reauthentication of domains by auth that have foreknowledge of the already logged-into domain. I will definitely look into OpenID Connect.

      • Hi Dominick, one other question after reviewing OpenID Connect. Does Google as a token provider to the relying party offer this multi-domain crossing out of the box, so if I go to another domain (not a subdomain, a different domain) it will bypass the Google login box for the next heterogeneous domain?

  7. Of course – that’s the whole point of it. It is called single sign-on.

    • Hi Dominick, let me rephrase my question. I know OpenID Connect is about SSO after reviewing, but I am asking if Google implemented it in their stack, and maybe that is implicitly clear and not worth asking. I had read an article that suggested that it is implemented as follows as a workflow. You log in the normal way through the broker interceptor box, you apply your credentials, and then the identity provider essentially sets a cookie on each URL in the realm or ring, so when you log in to another heterogeneous domain in the ring not previously logged into you are then redirected to the IdP, which then sets the cookie already on your behalf, so the cookie is read by your browser and subsequent posts, whether classic or Ajax-based or whatever, will be authenticated. Dominick, does this sound like a viable workflow to depict what is going on conceptually and practically, however not necessarily in all implementations?
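
    The cross-domain flow discussed in this thread, as an added, self-contained simulation (not code from this page, from Google, or from IdentityServer): two relying parties on unrelated domains run the OpenID Connect authorization code flow against one provider. The browser's cookie jar is keyed by host, so neither RP can read the other's session cookie; what makes the second login silent is the provider's own session cookie on its own domain, which the provider checks when the second RP redirects to it. The hosts idp.example, app-a.example and app-b.example, the client secrets and the HMAC-signed JSON stand-in for the ID token are assumptions made for the example.

```python
# Added example: OIDC code-flow SSO across two domains, simulated in memory.
# Assumed hosts idp.example / app-a.example / app-b.example; the ID token is an
# HMAC-signed JSON stand-in for a real JWT. Nothing here is from the original page.
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

IDP_KEY = b"idp-demo-signing-key"  # assumption: key the RPs can verify tokens with (demo only)
CLIENTS = {"app-a": "secret-a", "app-b": "secret-b"}  # constructed client_id -> client_secret


class Browser:
    """Cookie jar keyed by host: a cookie set by app-a.example is never sent to app-b.example."""
    def __init__(self):
        self.jars = {}

    def cookies_for(self, host):
        return self.jars.setdefault(host, {})


class IdP:
    host = "idp.example"

    def __init__(self, users):
        self.users = users      # constructed username -> password
        self.sessions = {}      # idp_session cookie value -> username
        self.codes = {}         # authorization code -> (client_id, redirect_uri, nonce, username)
        self.login_prompts = 0  # how many times the login form was actually shown

    def authorize(self, browser, params, credentials=None):
        """/authorize: reuse the IdP's own session cookie if present, otherwise require a login."""
        jar = browser.cookies_for(self.host)
        user = self.sessions.get(jar.get("idp_session"))
        if user is None:
            if credentials is None:
                self.login_prompts += 1
                return {"status": "login_required"}
            username, password = credentials
            if self.users.get(username) != password:
                return {"status": "login_failed"}
            user = username
            sid = secrets.token_urlsafe(16)
            self.sessions[sid] = user
            jar["idp_session"] = sid  # Set-Cookie scoped to idp.example only
        code = secrets.token_urlsafe(16)
        self.codes[code] = (params["client_id"], params["redirect_uri"], params["nonce"], user)
        query = urlencode({"code": code, "state": params["state"]})
        return {"status": "redirect", "location": params["redirect_uri"] + "?" + query}

    def token(self, client_id, client_secret, code, redirect_uri):
        """/token: back-channel exchange of a one-time code bound to the client and redirect_uri."""
        entry = self.codes.pop(code, None)
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            return None
        if CLIENTS.get(client_id) != client_secret:
            return None
        claims = {"iss": "https://idp.example", "sub": entry[3], "aud": client_id, "nonce": entry[2]}
        body = json.dumps(claims, sort_keys=True)
        return {"id_token": body + "." + hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()}


class RelyingParty:
    def __init__(self, host, client_id, idp):
        self.host, self.client_id, self.idp = host, client_id, idp
        self.redirect_uri = "https://" + host + "/callback"
        self.pending = {}   # state -> nonce for in-flight authorization requests
        self.sessions = {}  # rp_session cookie value -> username

    def visit(self, browser, credentials=None):
        """GET /: serve from this RP's own session cookie, or run the code flow against the IdP."""
        jar = browser.cookies_for(self.host)
        if jar.get("rp_session") in self.sessions:
            return "ok", self.sessions[jar["rp_session"]]
        state, nonce = secrets.token_urlsafe(8), secrets.token_urlsafe(8)
        self.pending[state] = nonce
        params = {"response_type": "code", "scope": "openid", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "state": state, "nonce": nonce}
        resp = self.idp.authorize(browser, params, credentials)
        if resp["status"] != "redirect":
            return resp["status"], None
        return self.callback(browser, resp["location"])

    def callback(self, browser, location):
        """/callback: check state, redeem the code, verify the token, set this RP's own cookie."""
        q = parse_qs(urlparse(location).query)
        nonce = self.pending.pop(q.get("state", [None])[0], None)
        if nonce is None:
            return "bad_state", None
        tok = self.idp.token(self.client_id, CLIENTS[self.client_id], q["code"][0], self.redirect_uri)
        if tok is None:
            return "bad_code", None
        body, sig = tok["id_token"].rsplit(".", 1)
        if not hmac.compare_digest(sig, hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()):
            return "bad_signature", None
        claims = json.loads(body)
        if claims["aud"] != self.client_id or claims["nonce"] != nonce:
            return "bad_claims", None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = claims["sub"]
        browser.cookies_for(self.host)["rp_session"] = sid  # scoped to this RP's domain only
        return "ok", claims["sub"]


def demo():
    idp = IdP({"alice": "correct horse battery"})
    app_a = RelyingParty("app-a.example", "app-a", idp)
    app_b = RelyingParty("app-b.example", "app-b", idp)
    browser = Browser()
    first = app_a.visit(browser)                                       # no IdP session: form shown
    second = app_a.visit(browser, ("alice", "correct horse battery"))  # user submits the form
    third = app_b.visit(browser)                                       # other domain, no prompt
    return {"first": first[0], "a_user": second[1], "b_user": third[1],
            "login_prompts": idp.login_prompts,
            "rp_cookies_differ": browser.cookies_for("app-a.example") != browser.cookies_for("app-b.example")}
```

    Running demo() shows one login prompt for app-a.example and none for app-b.example, even though the two RPs share no cookies; the RP-side checks on state, nonce, audience and signature are the ones a real client library performs before it trusts the result.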

  8. Jack Russell says:

    Hi Dominick

    Has an independent security review been performed for Thinktecture IdentityServer, for design and code and where do I find it?

    Alternatively, does IdentityServer address the threats discussed in RFC 6819, OAuth 2.0 Threat Model and Security Considerations? Where is this documented?


  9. david m chinn says:

    Hello Dominick,
    We have a legacy application which uses the Windows Identity Framework, written around 2010-2011. Users authenticate by logging into a client portal, which then sends a SAML 1.1 token to our application.

    We are updating the application to a services model, using Web API 2.0/OWIN/Identity 2.0 for security. Looks like bearer tokens are similar in concept to SAML, but not the same.

    The client is very sensitive about changing his portal. Is there any way to consume SAML in a Web API application?

  10. Hi Dominick,

    I’m building a system where I need to have a way of easily configuring or choosing the authentication and authorization mechanism or identity management (i.e., either using AD or a custom user account store), where I can choose between using Active Directory or storing users’ authentication details outside of Active Directory, based on the client I’m deploying to. Some of them might be enterprises and need the app to run on-premise using their existing Active Directory user accounts (and I get to query for user roles).

    I think a separate service/middleware can handle this for me, and I know of two ways I can implement this, which are: using IdentityServer or Auth0. I haven’t invested much time researching these different APIs but I think they’ll solve my problem.

    My question: which will be the preferable way of implementing this? Do I use Auth0 or IdentityServer?
