I am an independent consultant specializing in identity & access control. I help companies around the world design & implement authentication and authorization for their distributed web and native applications. I am the co-author of the popular OpenID Connect & OAuth 2.0 framework called IdentityServer (http://identityserver.io), have written a couple of books and tweet as @leastprivilege.

154 Responses to About

  1. Karamer says:

    Hi Dom

    I’m pretty new to all this security, identity and access control stuff, but have to tell you that the stuff you have made available is awesome and has been a great help whilst beginning to understand this area. Awesome job, thanks!

    I have been playing around with Identity Server and Authorization Server whilst trying to architect a solution. Ideally what I am looking at is using Windows Azure ACS as a federation provider which a web application will trust. This will allow me to configure ACS to trust multiple identity providers, which allows one code base to scale to numerous customers with different identity providers (SAS). Having read a lot of stuff, mostly produced by yourself, and prototyped the scenario, I am comfortable with this part of things.

    However, I also need to provide a web API to be consumed by mobile devices and so wanted to use OAuth 2 to secure this (resource owner flow in this case), and this is the reason I was looking at your Authorization Server to help issue access tokens. Having quickly looked at the code, it looks as if the resource owner endpoint authenticates with the configured identity provider. In this situation I won’t be able to authenticate with just one identity provider as this is federated. Is there any way the Authorization Server can support federated identity in the same way that Windows Azure ACS does for the web application?

    Any help on whether this is/can be supported and some pointers in the right direction to implement this would be much appreciated.


  2. Karamer says:

    Actually, as an addition to the above, it wouldn’t only just be limited to the resource owner flow, but also would need to be able to support the authorization code flow.

  3. skrv7 says:

    How do I contact you for a consulting engagement?

  4. Dmitry Gilyaev says:

    Hi Dom
    Do you have any boards where I can ask you about WIF?

  5. Per Erik Gransøe says:

    Hi Dominick
    I’m looking into the relatively new FIDO protocol standard called U2F for two-factor-authentication – https://fidoalliance.org/specifications/download/ – U2F.
    Have you ever looked into this or worked with it? And if so do you have an opinion on it as to the market impact of the standard compared to the few other two-factor-standards there are out there now?

  6. I have a question. What are the best practices for implementing SSO across multiple domains via OAuth? I was thinking about storing the URL of the first cross-domain site logged into along with the user credentials, so that when a navigation is made to another site not logged into we can check to see if that user already has a session on another domain by checking the credentials and the logged-in URL, and if so bypass the authentication mechanism on that non-logged-into site.

    • Since OAuth is not an authentication protocol – you wouldn’t use it to implement SSO. I would use OpenID Connect for that. https://github.com/IdentityServer

      • Hi Dominick. Certainly. Your point is well taken, but it’s the limitation, as you know, of not having cross-domain cookies, so I was thinking of this as a home-grown strategy decoupled from OAuth but a way to bypass the reauthentication of domains that have no foreknowledge of the already logged-into domain. I will definitely look into OpenID Connect.

      • Hi Dominick, one other question after reviewing OpenID Connect. Does Google, as a token provider to the relying party, offer this multi-domain crossing out of the box, so that if I go to another domain, not a subdomain but a different domain, it will bypass the Google login box for the next heterogeneous domain?

  7. Of course – that’s the whole point of it. It is called single sign-on.

    • Hi Dominick, let me rephrase my question. I know OpenID Connect is about SSO after reviewing, but I am asking if Google implemented it in their stack, and maybe that is implicitly clear and not worth asking. I had read an article that suggested that it is implemented as follows as a workflow. You log in the normal way through the broker interceptor box, you apply your credentials, and then the identity provider essentially sets a cookie on each URL in the realm or ring, so when you log in to another heterogeneous domain in the ring not previously logged into, you are then redirected to the IdP, which has already set the cookie on your behalf, so the cookie is read by your browser and subsequent posts, whether classic or Ajax-based or whatever, will be authenticated. Dominick, does this sound like a viable workflow to depict what is going on conceptually and practically, however not necessarily in all implementations?

  8. Jack Russell says:

    Hi Dominick

    Has an independent security review been performed for Thinktecture IdentityServer, for design and code and where do I find it?

    Alternatively, does IdentityServer address the threats discussed in RFC 6819, OAuth 2.0 Threat Model and Security Considerations? Where is this documented?


  9. david m chinn says:

    Hello Dominick,
    We have a legacy application which uses the Windows Identity Framework, written around 2010-2011. Users authenticate by logging into a client portal, which then sends a SAML 1.1 token to our application.

    We are updating the application to a services model, using Web API 2.0/OWIN/Identity 2.0 for security. Looks like bearer tokens are similar in concept to SAML, but not the same.

    The client is very sensitive about changing his portal. Is there any way to consume SAML in a Web API application?

  10. Hi Dominick,

    I’m building a system where I need to have a way of easily configuring or choosing the authentication and authorization mechanism or identity management (i.e. either using AD or a custom user account store), where I can choose between using Active Directory or storing users’ authentication details outside of Active Directory, based on the client I’m deploying to. Some of them might be enterprise and need the app to run on-premise using their existing Active Directory user accounts (and I get to query for user roles).

    I think a separate service/middleware can handle this for me, and I know of two ways I can implement this, which are: using IdentityServer or Auth0. I haven’t invested much time researching these different APIs but I think they’ll solve my problem.

    My question: which will be the preferable way of implementing this? Do I use Auth0 or IdentityServer?

  11. Hi Dominick!

    I work with .NET in Brazil and I wonder if you can authorize me to translate your IdentityServer material. I’m not thinking of making “word-by-word” translations; I write my articles using some coding samples… Of course citing your page as a reference in the articles produced.


  12. Hi Dominick,

    Thank you for your excellent resources on your blog and also on Pluralsight. They have been very useful to our organization, in our attempts to create a token based authorization service.

    I did have a quick question about Identity Server. We will be rewriting most of our enterprise applications over the next year. As far as our internal applications and APIs, Identity Server is perfect for handling authorization. However, is it possible that Identity Server can assist in the following scenario?

    Our current single sign-on process allows a user to sign in to a third party application that is outside of our network and supplied by a different vendor. When the user authenticates through our login page, they are then redirected to the vendor’s site once they are signed in. Thus, they leave our site completely during their session with this third party.

    Is there anything that Identity Server can assist with in this scenario, and are there any examples by chance as well? I apologize if this question is very rudimentary to the framework’s capability but my team and I are still trying to ramp up and learn how to use Identity Server at this time.

    Thank you very much for your help!

    • Sure – that’s supported. Obviously the details are all that counts here ;)

      I’d recommend you check our docs and samples first. If you need consulting support, let us know.

      • That’s fantastic news, and thank you for the quick response!

        I will continue on with the documentation and samples first as you recommended. We are in a discovery phase right now and are looking for the right options for an SSO implementation which will handle both internal and external services.

        We are definitely interested in your consulting availability, and that would be a huge help to us. I will talk to the rest of our technical staff about that and try to reach back out to you formally over the next week or two at: identity@leastprivilege.com.

        Thanks again Dominick!

  13. Rob says:

    Hello Dominick

    I am exploring IdentityServer for potential use in an upcoming product rewrite. We may be interested in consulting services. Is emailing identity@leastprivilege.com the best way to follow up?


  14. Thomas Van Herpe says:

    Hi Dominick,

    Do you have plans for an online course on IdentityServer4?
    Currently we are investing some time in this but we face some difficulties during our learning process.

    As an example, adding support for external authentication is working well for Google. For Facebook and Twitter we managed to get it up and running very fast too in our local dev environment.
    But for integration with the Microsoft account, we are facing issues. I read an article saying we need to set up HTTPS (locally) to be able to test this, but I cannot find the correct info on the web. Is this info correct? And where can we find more on that?

    Thx in advance for a reply.

  15. Dom! I just finished your *excellent* PluralSight courses (Web API v2 Security, Intro to OAuth2, OpenID and JWT) – and my head is exploding!! My company still lives in the safety of the old active dir. “triangle”.

    I’m a developer tasked with bringing our team into the 21st century. Since it looks like we’re getting Azure Active Directory as part of our move to Office 365… that’ll be one decision made for how we’ll do the OpenID part of our puzzle, and we’ll probably either go full bore Azure w/some mix of exposing “protected resources” via our DMZ that will need to support ‘tokenized access’

    Are all the tools referred to in your courses (after all, 2013 was a long time ago, heh-heh) still your recommended options?

    For one example, the devs currently have windows 7 workstations.. I’m guessing we HAVE to update those, otherwise local development is limited to IIS 8 Express.

    Should we use something like IdentityServer to spin up DEV and/or TEST environments if we think our production topography is going to be in Azure?

    • Glad you enjoyed it ;)

      Today I would recommend using ASP.NET Core and IdentityServer4 – even with Azure AD holding the account database, many people use IdentityServer4 in between to get the customizability and to not burden the applications with Microsoft’s proprietary design decisions.

      Lots more to learn – have fun ;)

  16. Jack Schaufele says:

    I am working on a US DOD contract where IS could be of great value – I have implemented in the private sector and was curious if you have worked w/ the US DOD in the past and/or would be interested

  17. Jitendra says:

    Hi Dominick,

    I have read and listened to your videos about OAuth 2.0 and have a question on using the right workflow for the scenario given below. Below are the participants.

    1. API Service Provider for end user (APIs for our platform, combinations of standard and client specific customized APIs)
    2. API management gateway (manages API authentication and supports OAuth 2.0). All the API calls happen through this gateway only.
    3. Client (customer) and client controlled mobile app, website for end users.
    4. Vendors (partners of our clients, has mobile apps for end users).
    5. End users of client’s products/services.

    In this particular scenario where we are the API service provider, we do want to restrict each client app or vendor app to only access one end user’s specific data, once the authentication is performed. Here we can trust the client and are planning to let the client authenticate their end user (as an API service provider, we don’t have end user authentication info, but our client has that), i.e. through their own auth mechanism, to support their various mobile and website apps and also to support their vendors’ mobile apps/websites. Thus we depend on the client to authenticate the end user and capture user_context and scope once the end user is authenticated, and pass on the same to us with client-specific credentials. So here we only authenticate the client (using OAuth 2.0 client credentials) and verify that user-context and scope are as expected for one given end user (we can define a rule to have user-context and scope encrypted by the client’s auth mechanism using JWE and have it in JSON format). Each API call does have an end user identifier which can be compared against the JWE token to verify the request is only for the authenticated end user and only return data related to that end user.

    This approach seems to be using OAuth 2.0 but adds a custom layer to it. None of the other OAuth 2.0 workflows seems useful in the scenario we are dealing with. Do you see this as the right approach, or can you point to any info which would help provide better options for this?


  18. zdeno says:

    Hi, I have tried IdentityServer 4 and ResourceOwner flow with a custom user store and it works like a charm. Anyway, I have one question. I have 2 clients: a legacy SPA application, for which this flow is OK. The second one is a Windows Forms application where the user ID is an RFID chip ID from an RFID reader, without the need for a password. Is there any chance to modify somehow the password validator to expect only an alphanumeric CardID? What is a suitable solution? I want to keep it as simple as possible.

    • The password validator is your impl. You can do whatever you want…

      • zdeno says:

        Yes, I understand. Anyway, ResourceOwnerPasswordValidationContext contains properties like UserName and Password. If I omit the password, I receive a message like Username_or_Password missing. Is there a need to modify ResourceOwnerPasswordValidationContext to put there just one property, CardChipOID?

        thanks a lot for your swift responses

  19. Password is required per spec. Either put a dummy value on it or use an extension grant (probably the better alternative). For everything else – please use:


  20. zdeno says:

    When I try to consume a JWT generated from IdentityServer4 with ASP.NET Web API 2, what needs to be done to be able to decorate a controller action with some attribute to use a specific claim value? Is there any straight way or docs? Am I missing something? I have claims like: claims.Add(new Claim("role", item.Role.RoleName));

  21. Dasha says:

    Hello Dominick!

    My name is Dasha. I am part of the team that makes fantastic professional conferences: QA Fest (www.qafest.com), .Net Fest (www.dotnetfest.com), JS Fest (www.jsfest.com.ua) and Mobile Fest (www.mobilefest.com.ua) – the biggest annual events in Ukraine.
    We would be very happy to have you as a speaker at .NET Fest 2018! It will be a two-day conference with several streams of talks. Besides that, we have a so-called “expert corner” (a dedicated place where people can continue discussion with the speaker after the talk) and many other activities. The event is planned for October 26-27th 2018 in Kiev, Ukraine.
    What are the requirements and conditions for you to come?

    Best Regards,
    Dasha Kozyr
    QA Fest| .NET Fest| JS Fest| Mobile Fest

  22. Dasha says:

    Hi Dominick,

    My name is Dasha. I am a part of a great team which makes fantastic professional IT conferences: QA Fest, .Net Fest, JS Fest, and DevOps Fest – the biggest annual technical IT-events in Ukraine.

    We want to invite you to come to .NET Fest 2019 (www.dotnetfest.com), that will be held on October, 25-26th in Kyiv. We would be very happy to have you as a speaker at our event :))

    Does it sound interesting to you? What are the requirements and conditions for you to come?

    I look forward to your answer regardless of your decision! Don’t hesitate to contact me and ask any questions!


  23. scientistz says:

    Hi Dominick, we are looking for Identity Server consultancy in design, development of a custom solution and support for production. Please let me know if you are available for a quick chat.
