Monthly Archives: March 2013

Common OAuth2 Vulnerabilities and Mitigation Techniques

In the last post I described some of the general problems with OAuth2 and its implementations. In this post I want to go into more detail and show some necessary hardening steps. We did our best (well as much as …

Posted in IdentityModel, IdentityServer, OAuth, WebAPI | 4 Comments

OAuth2 Security

Right now there are many good “discussions” on OAuth2 security happening. Some are constructive, some rather destructive – and some simply hack one or the other website to prove the point. In my opinion there are a number of reason …

Posted in IdentityModel, IdentityServer, OAuth, WebAPI | 11 Comments

Introducing OAuth2 Code Flow and Refresh Token Support in Thinktecture IdentityServer

We recently merged OAuth2 code flow and refresh token support into the main branch on Github. Please give it a try and tell us if it is working for you or not. After that feedback phase I will release v2.2 …

Posted in ASP.NET, IdentityModel, IdentityServer, OAuth, WebAPI | 17 Comments

Originally posted on brockallen:
Dominick is the person who convinced me to build the CORS implementation in Thinktecture IdentityModel. I didn’t realize it would be used as much as it has. Given the popularity and the need for something built…

Posted in Uncategorized

Alternative to Thread.CurrentPrincipal in ASP.NET Web API

Those who know me also know that I was always an advocate of Thread.CurrentPrincipal (or ClaimsPrincipal.Current in .NET 4.5). But I also understand that some people (or frameworks) don’t like ambients and rather deal with instance variables. To cater for …

Posted in ASP.NET, IdentityModel, WebAPI