Category Archives: ASP.NET

Transitioning from a Token back to a Windows Identity

Sometimes you are in the situation where you have Windows-based users, but the rest of the application architecture is token-based (e.g. using OpenID Connect or WS-Federation). As long as these users stay in your “token-based world” everything is fine. But … Continue reading

Posted in .NET Security, ASP.NET | Leave a comment

Simplified ASP.NET and MVC 6 Security Templates

As mentioned before – the ASP.NET templates never really tried to make to you help  understand the security features.  Instead they crammed ever single feature into a single “sample app” making it really hard to figure out who does what … Continue reading

Posted in .NET Security, ASP.NET | Leave a comment

The State of Security in ASP.NET 5 and MVC 6: OAuth 2.0, OpenID Connect and IdentityServer

ASP.NET 5 contains a middleware for consuming tokens – but not anymore for producing them. I personally have never been a big fan of the Katana authorization server middleware (see my thoughts here) – and according to this, it seems … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, OAuth, OpenID Connect, OWIN, WebAPI | 2 Comments

The State of Security in ASP.NET 5 and MVC 6: Claims & Authentication

Disclaimer: Microsoft announced the roadmap for ASP.NET 5 yesterday – the current release date of the final version is Q1 2016. Some details of the features and APIs I mention will change between now and then. This post is about … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, OAuth, OpenID Connect, WebAPI | 3 Comments

The State of Security in ASP.NET 5 and MVC 6

We’ve been closely following ASP.NET 5 and MVC 6 since the days it was presented behind closed doors, through the “vNext” and “Project K” phase up to recent beta builds. I personally monitored all developments in the security space in … Continue reading

Posted in .NET Security, ASP.NET, Conferences & Training, IdentityServer, WebAPI | Leave a comment

Federated Logout with the Katana WS-Federation Middleware

For some reason the Katana WS-Fed middleware does not seem to implement signout cleanup. This means that your application will ignore federated signout callbacks from the STS which will result in resources like logon cookies not being cleaned up properly. … Continue reading

Posted in .NET Security, ASP.NET, Katana, OWIN | Leave a comment

OpenID Connect Certification for IdentityServer3

I am extremely happy to announce that IdentityServer3 is now officially certified by the OpenID Foundation. http://openid.net/certification/ Version 1.6 and onwards is now fully compatible with the basic, implicit, hybrid and configuration profile of OpenID Connect.

Posted in .NET Security, ASP.NET, IdentityServer, Katana, OAuth, OpenID Connect, OWIN, WebAPI | 2 Comments