Category Archives: ASP.NET

NDC London 2016 Wrap-up

NDC has been fantastic again! Good fun, good talks and good company! Brock and I did the usual 2-day version of our Identity & Access Control workshop at the pre-con. This was (probably) the last time we ran the 2-day … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, OAuth, OpenID Connect, Uncategorized, WebAPI | 2 Comments

Announcing IdentityServer for ASP.NET 5 and .NET Core

Over the last couple of years, we’ve been working with the ASP.NET team on the authentication and authorization story for Web API, Katana and ASP.NET 5. This included the design around claims-based identity, authorization and token-based authentication. In the Katana … Continue reading

Posted in ASP.NET, IdentityServer, OAuth, OpenID Connect, Uncategorized, WebAPI | 43 Comments

Validating Scopes in ASP.NET 4 and 5

OAuth 2.0 scopes are a way to model (API) resources. This allows you to give logical “names” to APIs that clients can use to request tokens for. You might have very granular scopes like e.g. api1 & api2, or very coarse grained … Continue reading

Posted in ASP.NET, IdentityModel, IdentityServer, Katana, OAuth, Uncategorized, WebAPI | 9 Comments

OAuth 2.0 Token Introspection Middleware for ASP.NET 5

In my last post I described the value of reference tokens and how the OAuth 2.0 token introspection spec (aka rfc7662) gives us a standard way of using them. Over the christmas break I worked on an ASP.NET 5-based middleware … Continue reading

Posted in ASP.NET, IdentityServer, OAuth, WebAPI | Leave a comment

Reference Tokens and Introspection

Access tokens can come in two shapes: self-contained and reference. Self-contained tokens are using a protected, time-limited data structure that contains metadata and claims to communicate the identity of the user or client over the wire. A popular format would … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, Katana, OAuth, OWIN, Uncategorized, WebAPI | 16 Comments

IdentityServer3 v2.2

Yesterday we published v2.2 to nuget and github. You can see the release notes here. Besides a couple of bug fixes and refinements – the big features are support for the introspection specification (rfc 7662) and the OpenID Connect HTTP-based … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, Katana, OAuth, OpenID Connect, OWIN, Uncategorized, WebAPI | 5 Comments

IdentityServer3 Logging & Monitoring using Serilog and Seq

IdentityServer has two fundamental “monitoring” facilities : development-time logging and production-time eventing. The original docs are here. Logging is for developers – in fact – when I start a new IdentityServer3 project, that’s the first thing I configure. For security reasons (and … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, OAuth, OpenID Connect, OWIN, WebAPI | 5 Comments