Category Archives: Uncategorized

PKCE Support in IdentityServer and IdentityModel

PKCE stands for “Proof Key for Code Exchange” and is a way to make OAuth 2.0 and OpenID Connect operations using an authorization code more secure. It is specified in RFC 7636. PKCE applies to authorization/token requests whenever the code … Continue reading

Posted in IdentityServer, OAuth, OpenID Connect, Uncategorized | Leave a comment

Announcing IdentityServer for ASP.NET 5 and .NET Core

Over the last couple of years, we’ve been working with the ASP.NET team on the authentication and authorization story for Web API, Katana and ASP.NET 5. This included the design around claims-based identity, authorization and token-based authentication. In the Katana … Continue reading

Posted in ASP.NET, IdentityServer, OAuth, OpenID Connect, Uncategorized, WebAPI | 43 Comments

Validating Scopes in ASP.NET 4 and 5

OAuth 2.0 scopes are a way to model (API) resources. This allows you to give logical “names” to APIs that clients can use to request tokens for. You might have very granular scopes like e.g. api1 & api2, or very coarse grained … Continue reading

Posted in ASP.NET, IdentityModel, IdentityServer, Katana, OAuth, Uncategorized, WebAPI | 9 Comments

Reference Tokens and Introspection

Access tokens can come in two shapes: self-contained and reference. Self-contained tokens are using a protected, time-limited data structure that contains metadata and claims to communicate the identity of the user or client over the wire. A popular format would … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, Katana, OAuth, OWIN, Uncategorized, WebAPI | 16 Comments

IdentityServer3 v2.2

Yesterday we published v2.2 to nuget and github. You can see the release notes here. Besides a couple of bug fixes and refinements – the big features are support for the introspection specification (rfc 7662) and the OpenID Connect HTTP-based … Continue reading

Posted in .NET Security, ASP.NET, IdentityServer, Katana, OAuth, OpenID Connect, OWIN, Uncategorized, WebAPI | 5 Comments

2014 in review

The stats helper monkeys prepared a 2014 annual report for this blog. Here’s an excerpt: The Louvre Museum has 8.5 million visitors per year. This blog was viewed about 530,000 times in 2014. If it were an exhibit at … Continue reading

Posted in Uncategorized | Leave a comment

IdentityServer v3 and “Post Logout Redirect”

One frequently requested feature was the ability to redirect back to the client after logging out of IdentityServer. The session management spec describes this in the “RP-initiated logout” section. While this is a nice convenience feature and seems trivial to … Continue reading

Posted in Uncategorized | 4 Comments