We encourage you to upgrade if possible.
We encourage you to upgrade if possible.
A while ago I wrote a controversial article about the problems that can arise when mixing authentication and authorization systems – especially when using identity/access tokens to transmit authorization data – you can read it here.
In the meanwhile Brock and I sat down to prototype a possible solution (or at least an improvement) to the problem and presented it to various customers and at conferences.
Again Techorama was an awesome conference – kudos to the organizers!
Right now there is quite some movement in the financial sector towards APIs and “collaboration” scenarios. The OpenID Foundation started a dedicated working group on securing Financial APIs (FAPIs) and the upcoming Revised Payment Service EU Directive (PSD2 – official document, vendor-based article) will bring quite some change to how technology is used at banks as well as to banking itself.
Googling for PSD2 shows quite a lot of ads and sponsored search results, which tells me that there is money to be made (pun intended).
We have a couple of customers that asked me about FAPIs and how IdentityServer can help them in this new world. In short, the answer is that both FAPIs in the OIDF sense and PSD2 are based on tokens and are either inspired by OpenID Connect/OAuth 2 or even tightly coupled with them. So moving to these technologies is definitely the first step.
The purpose of the OIDF “Financial API Part 1: Read-only API security profile” is to select a subset of the possible OpenID Connect options for clients and providers that have suitable security for the financial sector. Let’s have a look at some of those for OIDC providers (edited):
So to summarize, these are mostly best practices for implementing OIDC and OAuth 2 – just formalized. I am sure there will be also a certification process around that at some point.
Interesting to note is the requirement for PKCE and the removal of plain client secrets in favour of mutual TLS and client JWT assertions. IdentityServer supports all of the above requirements.
In contrast, the “Read and Write Profile” (currently a working draft) steps up security significantly by demanding proof of possession tokens via token binding, requiring signed authentication requests and encrypted identity tokens, and limiting the authentication flow to hybrid only. The current list from the draft:
Both profiles also have increased security requirements for clients – which is subject of a future post.
In short – exciting times ahead and we are constantly improving IdentityServer to make it ready for these new scenarios. Feel free to get in touch if you are interested.
Seth and the Channel9 crew visited me in my office in Heidelberg to learn about IdentityServer and German culture.
We had a nice day in Heidelberg involving identity, a whiteboard, code, beers & bratwurst ;) enjoy.
The dotnet CLI includes a templating engine that makes it pretty straightforward to create your own project templates (see this blog post for a good intro).
This new repo is the home for all IdentityServer4 templates to come – right now they are pretty basic, but good enough to get you started.
The repo includes three templates right now:
Creates a minimal IdentityServer4 project without a UI and just one API and one client.
Adds the quickstart UI to the current project (can be combined with is4)
Adds a boilerplate IdentityServer with UI, test users and sample clients and resources
See the readme for installation instructions.
Well – not really new – but redesigned.
IdentityServer4 has two diagnostics facilities – logging and events. While logging is more like low level “printf” style – events represent higher level information about certain logical operations in IdentityServer (think Windows security event log).
Events are structured data and include event IDs, success/failure information activity IDs, IP addresses, categories and event specific details. This makes it easy to query and analyze them and extract useful information that can be used for further processing.
Find more details in our docs.