Monthly Archives: April 2013

Support for X.509 Client Certificates in Thinktecture.IdentityModel for Web API

Originally posted on
Another RTM feature I was waiting for is (reasonable) SSL client certificate support in Web API. Just like all the other authentication methods, you configure client certificate support on the AuthenticationConfiguration object. The following code…

Posted in ASP.NET, IdentityModel, Uncategorized, WebAPI | 8 Comments

Web API Security: JSON Web Token/OAuth2 with Thinktecture.IdentityModel AuthenticationHandler

(OK – I only included OAuth2 in the title to get your attention – this applies to whatever framework or technology you use to work with JSON web tokens aka JWTs) Following the pattern from my two previous posts, you … Continue reading

Posted in .NET Security, IdentityModel, IdentityServer, OAuth, WebAPI | 5 Comments

Web API Security: Basic Authentication with Thinktecture.IdentityModel AuthenticationHandler

In my last post, I showed how to configure the AuthenticationHandler using the AddMapping method. While you have full control here, I added a number of convenience extension methods that cover common use cases. Following is an overview of the … Continue reading

Posted in IdentityModel, WebAPI | 58 Comments

ASP.NET Web API Security: The Thinktecture.IdentityModel AuthenticationHandler

AuthenticationHandler is an ASP.NET Web API message handler that can map incoming credentials to a token handler. The token handler in turn can parse credentials and create a principal. In addition AuthenticationHandler provides some common services like claims transformation, session … Continue reading

Posted in IdentityModel, OAuth, WebAPI | 12 Comments

Annual Identity Update on DotNetRocks

It’s this time of the year again! “Dominick Baier returns to talk to Carl and Richard about the current state of security in .NET 4.5. Dom starts out talking about how WebAPI has impacted the development of web services … Continue reading

Posted in .NET Security, ASP.NET, Azure, IdentityModel, IdentityServer, OAuth, WCF, WebAPI | 1 Comment

Authentication vs Authorization

…in the context of token-based security systems. There are many practical and philosophical ways to discuss the difference between the two terms. But since there is quite some confusion, I want to look at it from the perspective of the … Continue reading

Posted in .NET Security, IdentityModel, IdentityServer, OAuth, WebAPI | 2 Comments

Getting JSON web tokens (JWTs) from ADFS via Thinktecture IdentityServer’s ADFS Integration

Originally posted on brockallen:
Dominick and I recently added three features to IdentityServer that collectively we call “ADFS Integration”. This “ADFS Integration” is a new protocol (which can be enabled, disabled and configured like any other protocol IdentityServer supports). In…

Posted in IdentityModel, IdentityServer, OAuth, Uncategorized, WebAPI | Leave a comment

Driving the WS-Federation Handshake from ASP.NET Web API

In general I think the API design of the WS-Federation support in WIF / .NET 4.5 is a bit unfortunate. It was a strange decision to combine the HTTP module (aka the FAM) and the more generic protocol helpers into … Continue reading

Posted in ASP.NET, IdentityModel, WebAPI | 7 Comments

Photo-only Blog  

Posted in Photography | Leave a comment

Open Source Democracy

Really enjoyed this talk: via Dinis

Posted in Uncategorized | Leave a comment