What happened in 2018?

2018 has been really busy. We worked on a lot of different things, and I just realized that I only wrote eight blog posts in total.

I decided to block December to catch up on many work and non-work related things, work on a couple of “hobby” projects – and last but not least prepare for the holiday season (where I try to force myself to stay away from the computer – this time for real ;)

I thought I should write a final blog summarizing what we’ve been working and what kept us busy in the last 12 months.



PolicyServer is our commercial “authorization for modern applications” product that we announced at NDC in January this year. As you can imagine, this announcement required a lot of preparations and many things were very “last minute” – so much that the URL to the product was wrong on the slides when we made announcement (because we moved things around “last second”). Embarrassing.

But anyways – the feedback we got after the announcement was fantastic, and in the following weeks we got way more enquiries than we could handle. Ever since, this was our primary focus and we did a lot of customer work over the last 12 months to make sure that PolicyServer is really meeting the real world needs.

We have many plans for upcoming versions, and I must say it was a refreshing change to do some real product work as opposed to short to mid-term consulting and contracts. I also became “Mr. Devops” on our team (at least that’s how Brock likes to call me). Anyways – I figured out that automating “stuff” is actually fun.



This was also a big year for IdentityServer. We did tons of customer work around identity & access control, and it was very satisfying to see how good IdentityServer is at solving other people’s problems. While you can obviously always find things you would do differently today or would like to improve, the general design of IdentityServer has proven to be the right one. Some more facts:

  • we shipped three feature versions this year (2.1, 2.2 and 2.3) – and a couple of bug fix releases
  • 3 was a really big release and most notably – for the very first time a complete spec implementation was done as a contribution (meaning not from Brock or me). This spec is the so called “device flow” which allows devices without a browser or constrained input capabilities to connect to APIs using OAuth. Thanks Scott Brady!
  • As of today, IdentityServer has 153 contributors (thank you!), 3653 stars on Github and over 2,3 million downloads on Nuget.

We also started a Patreon page to allow companies to support IdentityServer, which in turn allows us to set more time aside from paid work.

As of today, we have 49 patrons – thank you all!! It is a bit surprising that most supportes are individual developers that use IdentityServer at work. I would have wished that more companies realize that it is important to back the OSS projects they rely on – let’s see what 2019 will bring.

Last but not least, the big news is, that the ASP.NET team decided to ship IdentityServer in their new templates that will be released shortly after v2.2. The integration comes with a simplified configuration system to target the specific template scenarios, but allows you to change over to the native configuration any time you want. I had to check my email archives, but this concludes a discussion we started with the ASP.NET team in 2012 (!)….

Btw – In case you wondered why we decided to strong name IdentityServer (and IdentityModel) – that’s ultimately the reason. It is required when you want to be part of an ASP.NET release. As part of that work, we also now Authenticode-sign our binaries as well as signed the Nuget packages.



The IdentityModel organization on Github is the home for our client libraries. The most popular one is IdentityModel itself with over 9,3 million downloads on Nuget.

IdentityModel has recently joined the .NET Foundation and has undergone the same treatment as IdentityServer (strong naming, Authenticode- and Nuget-signing). We also have proper docs now. I am currently working on a v4 which will have some breaking changes, but is a necessary clean-up for going forward.

Based on IdentityModel, there’s also OidcClient (a certified OpenID Connect client library for native clients) and AspNetCore.OAuth2Introspection (OAuth 2 introspection authentication handler for ASP.NET Core). Both get minor updates right now, and I am planning to release them all together beginning next year.

Brock is right now working on his JavaScript library called oidc-client.js to incorporate some of the latest security recommendations from the IETF. More on that in a separate post.

OK – that’s it. That’s pretty much how I split my work time. Of course there is also consulting and training and conferences – and it doesn’t really look like 2019 will be much quieter – and that’s a good thing!

See you next year!

This entry was posted in .NET Security, ASP.NET Core, IdentityModel, IdentityServer, PolicyServer, Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s