Monthly Archives: January 2020

Hardening Refresh Tokens

Posted on January 21, 2020 by Dominick Baier

Refresh tokens provide a UX friendly way to give a client long-lived access to resources without having to involve the user after the initial authentication & token request. This makes them also a high-value target for attackers, because they typically … Continue reading

Posted in IdentityServer, OAuth, Uncategorized | Leave a comment

2020: IdentityServer4 Roadmap

Posted on January 17, 2020 by Dominick Baier

It’s the time of the year – we are working on IdentityServer and lock down the features we want to implement for the next version(s). Initially we planned to make our 3.0 release the big one – but then .NET … Continue reading

Posted in IdentityServer, Uncategorized | 2 Comments

New in IdentityServer4 v4: Multiple signing Keys

Posted on January 16, 2020 by Dominick Baier

So far IdentityServer4 only supported a single signing key at a time. There are historic reasons for that. When we started with .NET Core, the only x-plat algorithm that really worked (without #ifdef hell) was RSA with SHA-256 (RS256) so … Continue reading

Posted in IdentityServer, Uncategorized | 3 Comments

OAuth 2.0: The long Road to Proof-of-Possession Access Tokens

Posted on January 15, 2020 by Dominick Baier

I did a lot of WS-Security in my (distant) past – and whenever we started looking into migrating to OAuth 2.0, there was this one thing on the security check-list that was missing in the OAuth world: proof of possession … Continue reading

Posted in IdentityServer, OAuth | 1 Comment

IdentityServer3 and upcoming SameSite Cookie changes in Browsers

Posted on January 5, 2020 by Dominick Baier

You have probably heard that starting with Chrome 80 in February, the behavior of cookies will change. This is a breaking change and effects every single web application on the internet. Microsoft has patched their supported platforms (ASP.NET, Katana 4 … Continue reading

Posted in IdentityServer, Uncategorized | 9 Comments