Monthly Archives: June 2020

Refresh Tokens in IdentityServer4 v4

I already wrote about the hardening of refresh tokens in this post. I would recommend reading this first. The upcoming OAuth 2.1 spec is pretty clear about refresh token handling: If the client is confidential, the refresh token must be …

Posted in IdentityServer, OAuth

Announcing IdentityServer4 v4.0

OK – it’s finally done. I published v4 to NuGet earlier today. You can find the complete set of changes/bug fixes/breaking changes here. We had to cut some features which were originally on our roadmap – we’ll revisit them for …

Posted in IdentityServer

Resource Access in IdentityServer4 v4 and going forward

In my last post I alluded to the tension between real-world token-based security architectures, the OAuth 2.0 scope model, JWT access tokens and the audience claim. We went through a couple of iterations in IdentityServer how we deal with those …

Posted in IdentityServer, OAuth

I don’t like Identity Tokens

…or rather the name ;) I bet that if you wake up most “identity professionals” in the middle of the night and ask them what an identity token is, the answer would be “a token about the identity of the …

Posted in OpenID Connect

The JWT Profile for OAuth 2.0 Access Tokens (and IdentityServer)

As part of creating our new Advanced OAuth training, I created a whole lecture on the evolution of access tokens and resource access. It’s fascinating – since the original OAuth 2.0 spec does not have any information about the token …

Posted in IdentityServer, OAuth, OpenID Connect