About

I am an independent consultant specializing in identity & access control. I help companies around the world design & implement authentication and authorization for their distributed web and native applications. I am the co-author of the popular OpenID Connect & OAuth 2.0 framework called IdentityServer (http://identityserver.io), have written a couple of books and tweet as @leastprivilege.

132 Responses to About

  1. Karamer says:

    Hi Dom

    I’m pretty new to all this security, identity and access control stuff, but have to tell you that the stuff you have made available is awesome and has been a great help whilst beginning to understand this area. Awesome job, thanks!

    I have been playing around with Identity Server and Authorization Server whilst trying to architect a solution. Ideally what I am looking at is using Windows Azure ACS as a federation provider which a web application will trust. This will allow me to configure ACS to trust multiple identity providers, which allows one code base to scale to numerous customers with different identity providers (SAS). Having read a lot of stuff, mostly produced by yourself!, and prototyped the scenario, I am comfortable with this part of things.

    However, I also need to provide a web API to be consumed by mobile devices and so wanted to use OAuth 2 to secure this (resource owner flow in this case), and this is the reason I was looking at your Authorization Server to help issue access tokens. Having quickly looked at the code, it looks as if the resource owner endpoint authenticates with the configured identity provider. In this situation I won’t be able to authenticate with just one identity provider as this is federated. Is there any way the Authorization Server can support federated identity in the same way that Windows Azure ACS does for the web application?

    Any help on whether this is/can be supported and some pointers in the right direction to implement this would be much appreciated.

    Thanks
    K

  2. Karamer says:

    Actually, as an addition to the above, it wouldn’t only just be limited to the resource owner flow, but also would need to be able to support the authorization code flow.

  3. skrv7 says:

    How do I contact you for consulting engagement?

  4. Dmitry Gilyaev says:

    Hi Dom
    Do you have any boards where I can ask you about WIF?

  5. Per Erik Gransøe says:

    Hi Dominick
    I’m looking into the relatively new FIDO protocol standard called U2F for two-factor-authentication – https://fidoalliance.org/specifications/download/ – U2F.
    Have you ever looked into this or worked with it? And if so do you have an opinion on it as to the market impact of the standard compared to the few other two-factor-standards there are out there now?

  6. I have a question. What are the best practices for implementing SSO across multiple domains via OAuth? I was thinking about storing the URL of the first of the cross-domain sites logged into, along with the user credentials, so that when a navigation is made to another site not logged into, we can check whether that user already has a session on another domain by checking the credentials and the logged-in URL, and if so bypass the authentication mechanism on that non-logged-into site.

    • Since OAuth is not an authentication protocol – you wouldn’t use it to implement SSO. I would use OpenID Connect for that. https://github.com/IdentityServer

      • Hi Dominick. Certainly. Your point is well taken, but it’s the limitation, as you know, of not having cross-domain cookies, so I was thinking of this as a home-grown strategy decoupled from OAuth but a way to bypass the reauthentication of domains by auth that have foreknowledge of the already-logged-into domain. I will definitely look into OpenID Connect.

      • Hi Dominick, one other question after reviewing OpenID Connect. Does Google, as a token provider to the relying party, offer this multi-domain crossing out of the box, so that if I go to another domain (not a subdomain, a different domain) it will bypass the Google login box for the next heterogeneous domain?

  7. Of course – that’s the whole point of it. It is called single sign-on.

    • Hi Dominick, let me rephrase my question. I know OpenID Connect is about SSO after reviewing, but I am asking if Google implemented it in their stack, and maybe that is implicitly clear and not worth asking. I had read an article that suggested that it is implemented as follows as a workflow. You log in the normal way through the broker interceptor box, you apply your credentials, and then the identity provider essentially sets a cookie on each URL in the realm or ring, so when you log in to another heterogeneous domain in the ring not previously logged into you are then redirected to the IdP, which then sets the cookie on your behalf, so the cookie is read by your browser and subsequent posts, whether classic or Ajax-based or whatever, will be authenticated. Dominick, does this sound like a viable workflow to depict what is going on conceptually and practically, however not necessarily in all implementations?

  8. Jack Russell says:

    Hi Dominick

    Has an independent security review been performed for Thinktecture IdentityServer, for design and code and where do I find it?

    Alternatively, does IdentityServer address the threats discussed in RFC 6819, OAuth 2.0 Threat Model and Security Considerations? Where is this documented?

    Thanks

  9. david m chinn says:

    Hello Dominick,
    We have a legacy application which uses the Windows Identity Foundation, written around 2010-2011. Users authenticate by logging into a client portal, which then sends a SAML 1.1 token to our application.

    We are updating the application to a services model, using WebAPI 2.0/OWIN/Identity 2.0 for security. It looks like bearer tokens are similar in concept to SAML, but not the same.

    The client is very sensitive about changing his portal. Is there any way to consume SAML in a WebAPI application?

  10. Hi Dominick,

    I’m building a system where I need to have a way of easily configuring or choosing the authentication and authorization mechanism or identity management (i.e. either using AD or a custom user account store), where I can choose between using Active Directory or storing users’ authentication details outside of Active Directory, based on the client I’m deploying to. Some of them might be enterprises and need the app to run on-premise using their existing Active Directory user accounts (and I get to query for user roles).

    I think a separate service/middleware can handle this for me, and I know of two ways I can implement this, which are: using IdentityServer or Auth0. I haven’t invested much time researching these different APIs, but I think they’ll solve my problem.

    My question: which will be the preferable way of implementing this? Do I use Auth0 or IdentityServer?

  11. Hi Dominick!

    I work with .NET in Brazil and I wonder if you can authorize me to translate your IdentityServer material. I’m not thinking of making “word-by-word” translations; I write my articles using some coding samples… Of course citing your page as a reference in the articles produced.

    Tks.

  12. Hi Dominick,

    Thank you for your excellent resources on your blog and also on Pluralsight. They have been very useful to our organization, in our attempts to create a token based authorization service.

    I did have a quick question about Identity Server. We will be rewriting most of our enterprise applications over the next year. As far as our internal applications and APIs, Identity Server is perfect for handling authorization. However, is it possible that Identity Server can assist in the following scenario?

    Our current single sign-on process allows a user to sign in to a third-party application that is outside of our network and supplied by a different vendor. When the user authenticates through our login page, they are then redirected to the vendor’s site once they are signed in. Thus, they leave our site completely during their session with this third party.

    Is there anything that Identity Server can assist with in this scenario, and are there any examples by chance as well? I apologize if this question is very rudimentary to the framework’s capability but my team and I are still trying to ramp up and learn how to use Identity Server at this time.

    Thank you very much for your help!

    • Sure – that’s supported. Obviously the details are all that counts here ;)

      I’d recommend you check our docs and samples first. If you need consulting support, let us know.

      • That’s fantastic news, and thank you for the quick response!

        I will continue on with the documentation and samples first as you recommended. We are in a discovery phase right now and are looking for the right options for an SSO implementation which will handle both internal and external services.

        We are definitely interested in your consulting availability, and that would be a huge help to us. I will talk to the rest of our technical staff about that and try to reach back out to you formally over the next week or two at: identity@leastprivilege.com.

        Thanks again Dominick!
