Category Archives: Uncategorized

Writing an OpenID Connect Web Client from Scratch

OIDC is supposed to make things easier, so I thought it would be a good exercise to write a web application that uses OIDC to authenticate users – but without using any OIDC specific libraries. I chose to use the …

Posted in Uncategorized | 14 Comments

10th Anniversary

…seems that this blog is now ten years old. Who would have thought.

Posted in Uncategorized | 3 Comments

Claims-based Authentication does not exist (for crying out loud)

…as much as there is no “role-based authentication”. Rather use “claims-based identity” or “token-based authentication” kthxbye

Posted in Uncategorized | 1 Comment

Web API 2 Excel File Export With OAuth2 Implicit Flow

Originally posted on Software Engineering:
This article demonstrates how to set up a Web API 2 Excel file download using OAuth2 Implicit Flow. The application requires an Authorization Server and Identity Server V2 from Thinktecture and also the Excel Media…

Posted in Uncategorized | 2 Comments

Covert Redirect – really?

In the era where security vulnerabilities have logos, stickers and mainstream media coverage – it seems to be really easy to attract attention with simple input validation flaws. Quoting: “Covert Redirect is an application that takes a parameter and redirects a …

Posted in .NET Security, AuthorizationServer, IdentityServer, OAuth, OpenID Connect, Uncategorized, WebAPI | 3 Comments

Introducing Thinktecture IdentityManager

Originally posted on brockallen:
Back in 2005 when Microsoft released the ASP.NET MembershipProvider API, they also included in Visual Studio the ASP.NET WebSite Administration tool. This was used by developers to quickly create and edit users to populate the MembershipProvider…

Posted in Uncategorized | Leave a comment

How MembershipReboot stores passwords properly

Originally posted on brockallen:
I’m not going to go into all of the motivation behind proper password hashing — Troy’s done an excellent job of it and he has said it all better than I ever could have. The short…

Posted in Uncategorized | Leave a comment

A primer on external login providers (social logins) with OWIN/Katana authentication middleware

Originally posted on brockallen:
Like MVC 4, in MVC 5 and Visual Studio 2013 we have the ability to use external login providers (aka social logins) in our ASP.NET applications. The big change related to this from the prior version…

Posted in Uncategorized | 2 Comments

2013 in review

The stats helper monkeys prepared a 2013 annual report for this blog. Here’s an excerpt: The Louvre Museum has 8.5 million visitors per year. This blog was viewed about 400,000 times in 2013. If it were an exhibit at …

Posted in Uncategorized | Leave a comment

MSDN article on CORS in Web API 2

Originally posted on brockallen:
My MSDN article on CORS in Web API is now out! Given the nature of CORS, I really wanted to spend much of the article explaining CORS by itself. With that understanding then it’s simple enough…

Posted in Uncategorized | Leave a comment