Monthly Archives: November 2013

My Web API Security Talk from Software Architect 2013

Posted in ASP.NET, AuthorizationServer, Conferences & Training, IdentityModel, IdentityServer, Katana, OAuth, OWIN | 5 Comments

NDC London

I am currently doing the last preparations for next week’s NDC in London. This will be a blast! Brock and I are doing our claims-based identity & access control workshop on Monday and Tuesday. On Wednesday part 1 of the … Continue reading

Posted in Conferences & Training, Uncategorized | Leave a comment

Dissecting the Web API Individual Accounts Template–Part 3: External Accounts

Part 1 covered the basic template security setup. Part 2 focused on the features around local accounts and username/password authentication. This part will deal with third party authentication using Google and friends as well as associating a third party account … Continue reading

Posted in ASP.NET, Katana, OAuth, OWIN, WebAPI | 36 Comments

Dissecting the Web API Individual Accounts Template–Part 2: Local Accounts

In the last post I gave an overview of the security setup of the Individual Accounts template. I recommend reading that first. Also Brock has some great background content – here and here. Disclaimer: I would have designed the API … Continue reading

Posted in ASP.NET, Katana, OAuth, OWIN, WebAPI | 11 Comments

Dissecting the Web API Individual Accounts Template–Part 1: Overview

The Web API v2 Individual Accounts template shows off some quite popular application scenarios, e.g. username/password authentication with local accounts (including create account, change/set password) as well as third party authentication using Facebook, Google etc – including linking those external … Continue reading

Posted in ASP.NET, Katana, OAuth, OWIN, WebAPI | 2 Comments

Thinktecture.IdentityModel.Client v1.0

As part of the restructuring work of IdentityModel, I separated the HTTP and OAuth2 client bits into a separate project. The nice side effect of this is that the client library is now portable and can be used in .NET … Continue reading

Posted in IdentityModel, OAuth, WebAPI | 7 Comments

Using tt.idm Hawk Authentication OWIN Middleware with IIS-Hosted ASP.NET Web API

Originally posted on Badri's Blog:
Hawk Authentication in Thinktecture.IdentityModel can be hooked into your ASP.NET Web API through the message handler (HawkAuthenticationHandler) or the OWIN middleware (HawkAuthenticationMiddleware). The sample here is based on a self-hosted web API (WCF channel…

Posted in Uncategorized | Leave a comment

Adding Refresh Tokens to a Web API v2 Authorization Server

In the last post I showed how to add a simple username/password (aka resource owner password credentials flow) authorization server to Web API v2. This has several advantages: The client does not need to hold on to the user credentials … Continue reading

Posted in AuthorizationServer, IdentityModel, Katana, OAuth, OWIN, WebAPI | 38 Comments

Embedding a simple Username/Password Authorization Server in Web API v2

In my last post I explained why I think it is important to use the authorization server pattern right from the start. In this post I want to show how to build the possibly simplest authorization server using the new … Continue reading

Posted in Uncategorized | 45 Comments

Authorization Servers are good for you (and your Web APIs)

An authorization server is a very important architectural component when it comes to Web API security – think of it as a traffic cop between clients, users and resources. The OAuth2 spec defines it as follows: “The server issuing access … Continue reading

Posted in AuthorizationServer, Katana, OAuth, OWIN, WebAPI | 10 Comments