Seth and the Channel9 crew visited me in my office in Heidelberg to learn about IdentityServer and German culture.
We had a nice day in Heidelberg involving identity, a whiteboard, code, beers & bratwurst ;) enjoy.
- Part 1 (interview and Heidelberg)
- Part 2 (modern authentication architecture whiteboard session)
- Part 3 (identityserver4 in action)
The dotnet CLI includes a templating engine that makes it pretty straightforward to create your own project templates (see this blog post for a good intro).
This new repo is the home for all IdentityServer4 templates to come – right now they are pretty basic, but good enough to get you started.
The repo includes three templates right now:
- dotnet new is4: creates a minimal IdentityServer4 project without a UI, with just one API and one client.
- dotnet new is4ui: adds the quickstart UI to the current project (can be combined with is4).
- dotnet new is4inmem: adds a boilerplate IdentityServer with UI, test users and sample clients and resources.
See the readme for installation instructions.
Well – not really new – but redesigned.
IdentityServer4 has two diagnostics facilities: logging and events. While logging is more like low-level “printf” style output, events represent higher-level information about certain logical operations in IdentityServer (think Windows security event log).
Events are structured data and include event IDs, success/failure information, activity IDs, IP addresses, categories and event-specific details. This makes it easy to query and analyze them and to extract useful information that can be used for further processing, e.g. alerting on repeated failed logins from one IP address.
Events work great with event stores like ELK, Seq or Splunk.
Find more details in our docs.
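As an added example (not IdentityServer4's own code), here is a custom event sink that writes each event as one JSON document, which is what a log shipper for ELK, Seq or Splunk wants, plus the registration that switches the event types on. The sink and the Startup fragment are mine; the use of Newtonsoft.Json and the decision to raise all four event types are assumptions, and the rest of the IdentityServer configuration (clients, resources, signing credential) is omitted.

```csharp
using System.Threading.Tasks;
using IdentityServer4.Events;
using IdentityServer4.Services;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Newtonsoft.Json;

// Added example, not part of IdentityServer4: an event sink that emits each event as a
// single JSON document so ELK/Seq/Splunk can index the structured fields
// (Category, Name, Id, EventType, ActivityId, RemoteIpAddress, ...) directly.
public class JsonEventSink : IEventSink
{
    private readonly ILogger<JsonEventSink> _logger;

    public JsonEventSink(ILogger<JsonEventSink> logger)
    {
        _logger = logger;
    }

    public Task PersistAsync(Event evt)
    {
        // Newtonsoft serializes the runtime type, so the event-specific details of the
        // concrete event class are included, not only the base Event properties.
        var json = JsonConvert.SerializeObject(evt);

        // Failures and errors are what a SOC alerts on (e.g. repeated failed logins from
        // one RemoteIpAddress, correlated via ActivityId); log them at a higher level.
        if (evt.EventType == EventTypes.Failure || evt.EventType == EventTypes.Error)
        {
            _logger.LogWarning("{Category}/{Name} ({Id}) {Event}", evt.Category, evt.Name, evt.Id, json);
        }
        else
        {
            _logger.LogInformation("{Category}/{Name} ({Id}) {Event}", evt.Category, evt.Name, evt.Id, json);
        }

        return Task.CompletedTask;
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer(options =>
        {
            // Each event type has to be switched on explicitly; which ones you ship is a
            // choice (assumption here: all four).
            options.Events.RaiseSuccessEvents = true;
            options.Events.RaiseFailureEvents = true;
            options.Events.RaiseErrorEvents = true;
            options.Events.RaiseInformationEvents = true;
        });
        // Clients, resources, users and the signing credential are configured on the
        // builder returned above, as in the quickstarts (omitted here).

        // Registered after AddIdentityServer so that this sink, not the default
        // ILogger-based one, is the IEventSink that gets resolved.
        services.AddTransient<IEventSink, JsonEventSink>();
    }
}
```

Because the sink is called for every event, keep it cheap: serialize and hand off to the logging pipeline, and let the log shipper do the parsing and querying rather than doing lookups or network calls inside PersistAsync.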
When we designed IdentityServer4, we wanted to make it easier to extend the core token service with custom protocol endpoints.
One thing that comes up every now and then is using IdentityServer4 as an identity provider for SharePoint, and for older ASP.NET applications using System.IdentityModel (or even WIF) and Katana.
This requires support for WS-Federation, which is perfectly possible and actually even easier than it used to be in IdentityServer3. I made the code for it available on github and wrote a little walkthrough of how it works here.
Our documentation now also has a brief description of the underlying mechanism and useful tips for implementing other (custom) protocols. SAML2p anyone???
And last but not least, our friend Scott Brady wrote a detailed walkthrough on using the WS-Federation endpoint with SharePoint. Enjoy!
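To show the extension mechanism the paragraphs above refer to, here is an added example of a custom protocol endpoint (this is my illustration, not the WS-Federation code from the post or the documentation). It uses the IEndpointHandler/IEndpointResult types and the AddEndpoint registration as described in the IdentityServer4 docs (assumption: adjust the names if your version differs). The path "/custom" and the query parameters client_id and return_url are assumptions standing in for a protocol's own names (for WS-Federation that would be wtrealm and wreply); building and signing the protocol's token is left out, the point is the validation every such endpoint needs before it issues anything.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using IdentityServer4.Endpoints.Results;
using IdentityServer4.Hosting;
using IdentityServer4.Stores;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Added example, not IdentityServer4's or the post's WS-Federation code: the skeleton
// of a custom protocol endpoint. Path and parameter names are assumptions.
public class CustomProtocolEndpoint : IEndpointHandler
{
    private readonly IClientStore _clients;
    private readonly ILogger<CustomProtocolEndpoint> _logger;

    public CustomProtocolEndpoint(IClientStore clients, ILogger<CustomProtocolEndpoint> logger)
    {
        _clients = clients;
        _logger = logger;
    }

    public async Task<IEndpointResult> ProcessAsync(HttpContext context)
    {
        if (!HttpMethods.IsGet(context.Request.Method))
        {
            return new StatusCodeResult(HttpStatusCode.MethodNotAllowed);
        }

        string clientId = context.Request.Query["client_id"];
        string returnUrl = context.Request.Query["return_url"];
        if (string.IsNullOrEmpty(clientId) || string.IsNullOrEmpty(returnUrl))
        {
            return new StatusCodeResult(HttpStatusCode.BadRequest);
        }

        // Reuse the existing client store: the protocol-specific identifier must map to a
        // registered and enabled client, otherwise the request is rejected.
        var client = await _clients.FindEnabledClientByIdAsync(clientId);
        if (client == null)
        {
            _logger.LogWarning("Unknown or disabled client {ClientId}", clientId);
            return new StatusCodeResult(HttpStatusCode.BadRequest);
        }

        // Exact string match against the registered redirect URIs. A prefix or host-only
        // comparison would turn the endpoint into an open redirector that delivers the
        // token to an attacker-chosen URL.
        if (!client.RedirectUris.Contains(returnUrl, StringComparer.Ordinal))
        {
            _logger.LogWarning("Return URL {ReturnUrl} is not registered for client {ClientId}", returnUrl, clientId);
            return new StatusCodeResult(HttpStatusCode.BadRequest);
        }

        return new CustomProtocolResult(client.ClientId, returnUrl);
    }
}

// The result writes the HTTP response; creating and signing the protocol's token
// for the validated client would happen here.
public class CustomProtocolResult : IEndpointResult
{
    private readonly string _clientId;
    private readonly string _returnUrl;

    public CustomProtocolResult(string clientId, string returnUrl)
    {
        _clientId = clientId;
        _returnUrl = returnUrl;
    }

    public Task ExecuteAsync(HttpContext context)
    {
        context.Response.StatusCode = 200;
        context.Response.ContentType = "text/plain";
        return context.Response.WriteAsync($"request from {_clientId} validated; token would be posted to {_returnUrl}");
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer()
            // The name shows up in logs; the path is matched against the request path.
            .AddEndpoint<CustomProtocolEndpoint>("Custom", "/custom");
    }
}
```

Handlers are resolved from DI, so the same client store, resource store and profile service the OpenID Connect endpoints use are available to a custom protocol; the checks above (known client, registered return URL) are the minimum before any token leaves the server.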
As always – NDC was a very good conference. Brock and I did a workshop, two talks and an interview. Here are the relevant links:
Check our website for more training dates.
See here for a step-by-step tutorial on how to use it.
A couple of weeks ago I started re-writing (and re-designing) my OpenID Connect & OAuth 2 client library for native applications. The library follows the guidance from the OAuth 2.0 for Native Apps specification.
Main features are:
- Support for OpenID Connect authorization code and hybrid flow
- Support for PKCE
- .NET Standard 1.4 library, which makes it compatible with cross-platform .NET Core, desktop .NET, Xamarin iOS & Android (and UWP soon)
- Configurable policy to lock down security requirements (e.g. requiring at_hash or c_hash, policies around discovery etc.)
- Either stand-alone mode (request generation and response processing) or support for pluggable (system) browser implementations
- Support for pluggable logging via .NET ILogger
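As an added example (my code, not a sample from the library), here is stand-alone mode with the policy locked down: the application drives the browser itself and hands the callback URL back to OidcClient. Authority, client id, scopes and the loopback port are assumptions, the openBrowser delegate stands in for whatever browser integration the app has, and the option and policy property names are those of OidcClient v2 as I know them (assumption: check against the version you use).

```csharp
using System;
using System.Threading.Tasks;
using IdentityModel.OidcClient;

// Added example, not part of OidcClient: stand-alone mode with an explicit policy.
// Authority, ClientId, RedirectUri and Scope are assumptions.
public static class NativeLogin
{
    public static OidcClient CreateClient()
    {
        var options = new OidcClientOptions
        {
            Authority = "https://demo.identityserver.io",
            ClientId = "native.code",
            // Loopback redirect as recommended for native apps; the port is an assumption.
            RedirectUri = "http://127.0.0.1:7890/",
            Scope = "openid profile",
            // Authorization code flow; OidcClient adds PKCE to the request itself.
            Flow = OidcClientOptions.AuthenticationFlow.AuthorizationCode
        };

        // Set the policy explicitly instead of relying on defaults: require the hashes
        // that bind an id_token to the access token / code it was issued with, and
        // refuse discovery documents that are not served over HTTPS or whose issuer
        // and endpoints do not belong to the configured authority.
        options.Policy.RequireAccessTokenHash = true;
        options.Policy.RequireAuthorizationCodeHash = true;
        options.Policy.Discovery.RequireHttps = true;
        options.Policy.Discovery.ValidateIssuerName = true;
        options.Policy.Discovery.ValidateEndpoints = true;

        return new OidcClient(options);
    }

    // openBrowser (assumption, supplied by the app): navigates the system browser to the
    // given URL and returns the full callback URL the browser ended up on.
    public static async Task<LoginResult> LoginAsync(OidcClient client, Func<string, Task<string>> openBrowser)
    {
        // 1. Generate state, nonce and the PKCE verifier/challenge and build the authorize URL.
        var state = await client.PrepareLoginAsync();

        // 2. The app owns the browser interaction in stand-alone mode.
        var callbackUrl = await openBrowser(state.StartUrl);

        // 3. Validate the response against the saved state (state and nonce, signature,
        //    hashes per the policy) and redeem the code with the code_verifier.
        var result = await client.ProcessResponseAsync(callbackUrl, state);

        if (result.IsError)
        {
            throw new InvalidOperationException($"Login failed: {result.Error}");
        }

        return result;
    }
}
```

The AuthorizeState returned by PrepareLoginAsync must be kept by the app between the two calls, since it carries the state, nonce and code_verifier that ProcessResponseAsync checks; losing it (or accepting a callback without it) throws away exactly the protections the policy asks for.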
In addition, starting with v2, OidcClient is also now certified by the OpenID Foundation for the Basic and Config profiles.
It also passes all conformance tests for the code id_token response type (hybrid flow), but since I don’t support the other hybrid flow combinations (e.g. code token or code id_token token), I couldn’t certify for the full hybrid profile.
For maximum transparency, I checked in my conformance test runner along with the source code. Feel free to try/verify yourself.
The latest version of OidcClient is the dalwhinnie release (courtesy of my whisky semver scheme). Source code is here.
I am waiting a couple more days for feedback, and then I will release the final 2.0.0 version. If you have some spare time, please give it a try (there’s a console client included and some more samples here <use the v2 branch for the time being>). Thanks!