Monthly Archives: November 2013

Adding Refresh Tokens to a Web API v2 Authorization Server

In the last post I showed how to add a simple username/password (aka resource owner password credentials flow) authorization server to Web API v2. This has several advantages: The client does not need to hold on to the user credentials … Continue reading

Posted in AuthorizationServer, IdentityModel, Katana, OAuth, OWIN, WebAPI | 38 Comments

Embedding a simple Username/Password Authorization Server in Web API v2

In my last post I explained why I think it is important to use the authorization server pattern right from the start. In this post I want to show how to build possibly the simplest authorization server using the new … Continue reading

Posted in Uncategorized | 45 Comments

Authorization Servers are good for you (and your Web APIs)

An authorization server is a very important architectural component when it comes to Web API security – think of it as a traffic cop between clients, users and resources. The OAuth2 spec defines it as follows: “The server issuing access … Continue reading

Posted in AuthorizationServer, Katana, OAuth, OWIN, WebAPI | 10 Comments

Client Certificate Authentication Middleware for Katana

Katana has no middleware to turn SSL client certificates into a ClaimsIdentity. And since I am currently collecting material for my upcoming Web API security course I used the opportunity to experiment with Katana authentication middleware. There’s a certain pattern … Continue reading

Posted in IdentityModel, Katana, OWIN, WebAPI | 5 Comments

Thinktecture AuthorizationServer v1.0

Six months ago we released the first preview version of AS to the public. Quite a bit has happened since then. We went feature complete for v1, did some bug fixing and used AS in a number of customer projects. We … Continue reading

Posted in AuthorizationServer, OAuth, WebAPI | 2 Comments

Thinktecture.IdentityModel.Hawk NuGet Package

Originally posted on Badri's Blog:
With Thinktecture.IdentityModel V.Next out, Hawk authentication implementation in Thinktecture IdentityModel gets its own NuGet package. It is currently in pre-release and here is the NuGet Gallery link. The OWIN middleware code that has been…

Posted in Uncategorized | Leave a comment

Thinktecture AuthenticationHandler for Web API v2

Here I mentioned that there are some incompatibilities between AuthenticationHandler and Web API v2/OWIN hosting. As part of making Thinktecture.IdentityModel more modular – I updated the AuthenticationHandler code and did some cleanup. You can find the source code here and … Continue reading

Posted in IdentityModel, Katana, OWIN, WebAPI | 2 Comments