Category Archives: .NET Security

Which OpenID Connect/OAuth 2.0 Flow is the right One?

That is probably the most common question we get – and the answer is of course: it depends! Machine to Machine Communication This one is easy – since there is no human directly involved, client credentials are used to request … Continue reading

Posted in .NET Security, IdentityServer, OAuth, OpenID Connect, WebAPI | 14 Comments

Reference Tokens and Introspection

Access tokens can come in two shapes: self-contained and reference. Self-contained tokens use a protected, time-limited data structure that contains metadata and claims to communicate the identity of the user or client over the wire. A popular format would … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, Katana, OAuth, OWIN, Uncategorized, WebAPI | 16 Comments

IdentityServer3 v2.2

Yesterday we published v2.2 to NuGet and GitHub. You can see the release notes here. Besides a couple of bug fixes and refinements – the big features are support for the introspection specification (RFC 7662) and the OpenID Connect HTTP-based … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, Katana, OAuth, OpenID Connect, OWIN, Uncategorized, WebAPI | 5 Comments

IdentityServer3 Logging & Monitoring using Serilog and Seq

IdentityServer has two fundamental “monitoring” facilities: development-time logging and production-time eventing. The original docs are here. Logging is for developers – in fact – when I start a new IdentityServer3 project, that’s the first thing I configure. For security reasons (and … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, OAuth, OpenID Connect, OWIN, WebAPI | 5 Comments

The State of Security in ASP.NET 5 and MVC 6: Authorization

The hardest part in designing an application is authorization. The requirements are always so app-specific that for 10 applications you often see 12 different implementations. To make things worse, ASP.NET and MVC traditionally had not much more built-in to offer than … Continue reading

Posted in .NET Security, ASP.NET, WebAPI | 15 Comments

Upcoming Identity & Access Control Workshops in Europe

Brock and I will be in London in November and January to hold our identity & access control workshop. In November we are at the SDD Deep Dive event and do a very special three-day version which includes extra … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, OAuth, OpenID Connect, WebAPI | Leave a comment

IdentityServer3 v2 Release and other Tidbits (aka what did I miss during Holidays)

I am back from my annual family/summer vacation. This time it was Norway, and it was excellent. Norway has stunning landscapes and excellent breweries – recommended! During that time Brock released v2 of IdentityServer. This was a big release and … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, OAuth, OpenID Connect | Leave a comment