I am an independent consultant specializing in identity & access control. I help companies around the world designing & implementing authentication and authorization for their distributed web and native applications. I am the co-author of the popular OpenID Connect & OAuth 2.0 framework called IdentityServer (http://identityserver.io) , have written a couple of books and tweet as @leastprivilege.

154 Responses to About

  1. José luis says:

    Hello dominick
    I have read your course on pluralsight about identity and access control in 4.5 and I would like to know why you haven’t talk anything about simplemembership or universalmembership

    Also please could you recommend me a reading or code project to learn indentityclsims with universal o simplemembership

  2. Matthew Belk says:


    Is the demo code from your PluralSight course available as part of the upgraded subscription? It doesn’t appear to be in the IdentityModel45 source code from GitHub, unless I’m not looking in the right place.

    The course was very instructive, but I would like to be able to refer back to the code.


    • thanks!

      You can get the code from PluralSight.

      • Matthew Belk says:

        Got the code; thanks. I’m having trouble reconciling that sample with the IdentityModel samples in that I would like to be able to have FormsAuth coexist with BasicAuth using the IdentityModel paradigm with ClaimsTransformation so that I can have a “normal” MVC app with jQuery, knockout, etc. client views targetting a WebAPI while at the same time allowing mobile apps (of all stripes, iOS, Android, etc) access to the same WebAPI via Basic Auth (or some other more appropriate scheme).


      • Matthew Belk says:

        I should add that I’d like to leverage the SessionAuthenticationModule functionality like in the PluralSight demo code as well as the “AuthenticationHandler” and “ClaimsTransformationHandler” from the IdentityModel samples.


      • Dominick Baier says:

        Yeah – will try to get a sample up and running.

  3. Macropus says:

    Hi Dom,

    Does your thinktecture library run on MonoTouch? I would like to implement ADFS Claims on iOS.


  4. @matthew: that should work ;)

    If i have time I will throw a sample together for that scenario. Right now I am too busy.

    • Matthew Belk says:

      That would be great, thanks. I’m sure I’m not the only person trying to reconcile these two concepts. Would you recommend using the ClaimsAuthenticationManager property of the AuthenticationConfiguration or just nesting the ClaimsTransformationHandler inside the AuthenticationHandler? I would think that nesting the handlers would seem to be “more correct,” since it would appear to make for a more composable solution.


  5. Brooks says:

    Hello Dominick. I apologize in advance for the long post. I was unsure of how else to send this to you. Anyway…

    ASP.NET MVC 4/Web API Single Page App for Mobile Devices … Needs Authentication

    We have developed an ASP.NET MVC 4/Web API single page, mobile website (also using jQuery Mobile) that is intended to be accessed only from mobile devices (e.g., iPads, iPhones, Android tables and phones, etc.), not desktop browsers. This mobile website will be hosted internally, like an intranet site. However, since we’re accessing it from mobile devices, we can’t use Windows authentication. We still need to know which user (and their role) is logging in to the mobile website app.

    We tried simply using ASP.NET’s forms authentication and membership provider, but couldn’t get it working exactly the way we wanted. What we need is for the user to be prompted for a user name and password only on the first time they access the site on their mobile device. After they enter a correct user name and password and have been authenticated once, each subsequent time they access the site they should just go right in. They shouldn’t have to re-enter their credentials (i.e., something needs to be saved locally to each device to identify the user after the first time).

    This is where we had troubles. Everything worked as expected the first time. That is, the user was prompted to enter a user name and password, and, after doing that, was authenticated and allowed into the site. The problem is every time after the browser was closed on the mobile device, the device and user were not know and the user had to re-enter user name and password.

    We tried lots of things too. We tried setting persistent cookies in JavaScript. No good. The cookies weren’t there to be read the second time. We tried manually setting persistent cookies from ASP.NET. No good. We, of course, used FormsAuthentication.SetAuthCookie(model.UserName, true); as part of the form authentication framework. No good. We tried using HTML5 local storage. No good. No matter what we tried, if the user was on a mobile device, they would have to log in every single time. (Note: we’ve tried on an iPad and iPhone running both iOS 5.1 and 6.0, with Safari configure to allow cookies, and we’ve tried on Android 2.3.4.)

    Is there some trick to getting a scenario like this working?
    Or, do we have to write some sort of custom authentication mechanism? If so, how? And, what?
    Or, should we use something like claims-based authentication and WIF?

    Any help is appreciated.

  6. gmetzker says:

    Hi Dominick. I’ve been reading all your post and just watched your PluralSight video. All very interesting & informative, so thank you.

    My organization is building a new site with MVC & Web API, so I’ve been researching solutions to authentication/authorization, account storage, WIF, token protocols etc… Your IdentityServer seems like it would provide some solutions out of the box, but I’m curious if you have played around with Windows Azure Active Directory preview? It appears it would provide all the standard account storage like: users, roles, etc… but also provide authentication and STS.

    I would enjoy a post on this from your perspective. I think you would offer some good insight.

    Thanks much!

    • I have played with WAAD. But it is CTP currently with no announced RTM date.

      I think WAAD is a compelling solution but we don’t know the final feature set yet. Also – but that may be a european thing – most of my customers don’t like the idea that their business accounts are in the cloud…

  7. Hello – been reading alot of your posts the past days – but i started running my head against the wall with an error i havent been able to solve.

    I have been running MVC4 on .Net 4.0 with no issues and decided that i wanted to upgrade to 4.5. By prior solution(wif.swt from nuget) do not work with this and therefore i have been trying to come up with a solution from reading your posts.

    I am trying to setup Azure ACS as issuer and have configured my config file like this:

    But i only get an exception that the issuer is invalid. From within your lib:
    // check issuer name registry for allowed issuers
    string issuerName = null;
    if (base.Configuration.IssuerNameRegistry != null)
    issuerName = base.Configuration.IssuerNameRegistry.GetIssuerName(token);
    if (string.IsNullOrEmpty(issuerName))
    throw new SecurityTokenValidationException(“Invalid issuer “);

    I downloaded the code and tryed to debug, and i found that that token is correct. and the issuer of the token is https://s-innovations.accesscontrol.windows.net/. I dont know how GetIssuerName() works or what im missing to get it to work.

    I have been looking over all your samples and didnt find a solution.

    • I wouldn’t use SWT at all. Simply use SAML and add the signing cert thumbprint to the issuer name registry.

      • Okay. The reason i used SWT is because im authenticating my Windows 8 Store App. It seemed like the easiest solution. To authenticate a windows 8 app with the webbroker i needed to make the ACS return to a post controller on my site which redirect it back to the windows 8 app.

        (and the reason why i want a swt token for my windows 8 app is that I need to authenticate it when calling my WebApi).

        Do you know anything about this? Would it be better to use SAML2 and then transform it to a swt for my windows 8 app when thats needed and then make my webapi be authenticated by SWT ? (I could not get SAML2 working for windows 8 app because the token was to long to send over querystring).

  8. It might be that im building ontop of a bad solution i have from when i used WIF in 4.0 – have you done any samples with a Windows 8 App as client? The experience i had when i used it last was using Azure ACS and the build in api AuthenticationBroker that sents a request to ACS and because it cant receive the the post coming back from ACS we need to tell it to post it to a controller on the web backend (WebApi).

    public HttpResponseMessage Post()

    var response = this.Request.CreateResponse(HttpStatusCode.Redirect);

    response.Headers.Add(“Location”, “/api/federation/end?acsToken=” +
    return response;

    (Also, BootstrapTokenhave been replaced with a BootstrapContext – i havent started looking into the differences of that).

  9. Louis Hansen says:

    Hello Dominick,

    Can you recommend any samples on how to have multiple clients communicate with the same STS through different endpoints, either using the IdentityServer or through a Custom STS?
    I’m trying to get multiple clients to connect to a WCF service that needs to be secured, but the clients are coming both through SOAP (Windows app, AD credentials) and through REST (web site, JSON requests, forms authentication), and I can’t seem to get things to communicate well together.

    • Could you explain a little more?

      IdentityServer supports multiple protocols/endpoints that would be suitable for SOAP and REST services….

      • Louis Hansen says:

        I have the following scenario.
        I want to create a business layer that will serve two presentation layers, a Windows application and a Web application.
        The business layer will be a WCF service that needs to offer it’s methods to both windows and web.
        The windows application will want to use SOAP to be able to create a proxy and simplify development as much as possible, where as the web site will want to use REST in order to support JSON.
        My problem is then that I want my WCF service to have these two endpoints, which I can do, but I also want to setup an STS that can authenticate both presentation layers.
        I know this means that the STS will need one endpoint for the SOAP and one for the JSON/REST, but I have simply been unable to find any good example of how to set this up.

  10. William Bosacker says:

    Hey Dominick,

    I liked your “Securing ASP.NET Web APIs” video (https://vimeo.com/43603474) and was trying to get the code files that you were working with, but it appears that the http://goo.gl/00OC2 link is not working. Is there a different link that we can use to get the code presented in the video?


  11. Oscar says:

    Hello Dominick,
    I’m using WCF Data Services. For authorization purposes I need to pass the token from the client application (an MVC 3 website with Claims) to the service.
    You posted exactly the solution I need here:
    But I can’t find that sample code in github or in the current source code. Maybe it’s deprecated?
    Any help you can provide is greatly appreciated.

  12. @Louis:

    In IdSrv terms – the SOAP endpoint is the WS-Trust endpoint. The JSON/REST endpoint is OAuth2.

  13. Matt says:

    Dominick, Hi I’ve been watching your Pluralsight videos and reading your book “A Guide to Claims-Based Identity and Access Control”. All great content. At my job right now they have rolled their own STS because they have to support both AD and AD LDS (light-weight directory services). It is an older STS and has been used only with active clients in the past. Now I am tasked with building a web app that requires a passive endpoint which currently does not exist. I don’t think this custom STS is fully WIF enabled, for instance it doesn’t even expose a federated metadata xml file. Anyways, I have the control to upgrade this STS or maybe even ditch it for a more standard STS, but the main requirement being that it must support LDS in addition to AD. Does the requirement to support LDS lead us towards building a custom STS? or are they both supported out of the box? Any advice would be much appreciated.

  14. Dominick, Hi I’ve been watching your Pluralsight videos and reading your book “A Guide to Claims-Based Identity and Access Control”. All great content. At my job right now they have rolled their own STS because they have to support both AD and AD LDS (light-weight directory services). It is an older STS and has been used only with active clients in the past. Now I am tasked with building a web app that requires a passive endpoint which currently does not exist. I don’t think this custom STS is fully WIF enabled, for instance it doesn’t even expose a federated metadata xml file. Anyways, I have the control to upgrade this STS or maybe even ditch it for a more standard STS, but the main requirement being that it must support LDS in addition to AD. Does the requirement to support LDS lead us towards building a custom STS? or are they both supported out of the box? Any advice would be much appreciated.

  15. David Peden says:

    Hey Dominick, I was excited to see https://github.com/thinktecture/Thinktecture.IdentityServer.v2/issues/53 as I’ve been thinking about trying to leverage v2 in a web role as well. However, I was obviously disappointed to see that you say v2 is not yet ready in that capacity. Can you shed some light on what is deficient about v2 in terms of Azure support?

    • Well – in theory you can deploy on Windows Azure (Cloud Services). You just need to move all config and the user database to SQL Azure. You also need to deploy the signing and SSL certs using the Azure portal.

      It is just that we didn’t have the time to properly test and document it.

      The more attractive model is Azure Web Sites – but they have the problems I mentioned earlier.

  16. gentlehag says:

    Hey Dominick. I’ve seen your pluralsight couse about Identity and Access Control. Now I’ve a question. Perhaps you can help me.

    In the example or “Authentication Session Demo” you modify the account controler to store the cookie. Before that, there was a FormsAuthentication.SetAuthCookie code. Now in newer ASP MVC 4 (.net 4.5) templates there ist a WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe) call. which has a parameter to tell wether a cookie should be set.

    Am I right that I have to pass false for cookie creation and set the cookie afterwards manually like shown in the couse?

    PS: A short comparison / explanation of WebSecurity vs. old asp pattern would be great

    • Well – i don’t use this new pattern because i don’t like it. They try to solve every problem “with one line of code” ;)

      This new login method seems to validate the credential and set the cookie in one go. So you can’t use that with the session facility. You have to decouple just like i did.

      • gentlehag says:

        Ok thx for your reply. I tried to adapt the template but then the antiforgery token validation tells me that something is wrong. That possibly the nameidentifier or identityprovider claim doesn’t meet expectations.

        Currently I’m using this template because it wraps very easily the OAuth Features for Facebook, twitter and so on ;-)

        So I would have to completly redesign the pattern and make all this on my own ?

  17. This “something” that is wrong is actually explained in the error message. You have to find out which claim(s) in your system make up a unique identifier. You somehow need to be able to uniquely identify users.

    • Boas Enkler says:

      In a ASP MVC 4 Webapplication.
      Would you use some kind of framework (if yes which framework for example dotnetopenauth?)? Make the calls yourself or something else?

  18. I like:

    or DNOA (which is used in the MVC4 template)

    It depends on your needs. Brock’s implementation is cleaner IMO.

  19. Michael says:


    Does the Identity server have a config setting that governs password attempts before lockout?


  20. please use the github issue tracker for IdSdrv questions…

    This is up to the account store implementation. If you use the built-in asp.net membership provider, that’s configurable, yes (but it is not an identity server feature per se).

  21. UD says:

    Hi Dominick
    I downloaded the latest Zip version of the source code from Github opened it in VS 2012 and tried to build the solution. While building the the project Thinktecture.IdentityServer.Core.Repositories I run into the following error. Can you please let me know what I might be doing wrong? Thank you

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Common.targets(2291,5): error MSB3553: Resource file “obj\Debug\Thinktecture.IdentityServer.Core.Repositories.Migrations.SqlServer.InitialMigration.resources” has an invalid name. The item metadata “%(FullPath)” cannot be applied to the path “obj\Debug\Thinktecture.IdentityServer.Core.Repositories.Migrations.SqlServer.InitialMigration.resources”. C:\SoftwareDownLoad\Thinktecture.IdentityServer.v2-master_01082012\Thinktecture.IdentityServer.v2-master\src\Libraries\Thinktecture.IdentityServer.Core.Repositories\obj\Debug\Thinktecture.IdentityServer.Core.Repositories.Migrations.SqlServer.InitialMigration.resources

  22. Michael De Marco says:

    Dominick I have been working with your IdentityServer2 solution. I have written you before. I saw a potential error in your code as I was debugging the code below. There is a dependency on the relying party to have a forward slash ‘/’ at the end of the relying party url. If not, your code does not handle this condition gracefully. It should probably handle cases with and without forward slashes. In other words if I register a relying party with your STS in the form without the trailing forward slash there is problems when I navigate to or If i register it with forward slash at the end it is okay in one or both of the cases as I don’t remember which one or if okay in both. FYI I found that in the relying party configuration for the config below and specifically if the trailing forward slash was not there we have issues.

    public bool TryGet(string realm, out RelyingParty relyingParty)
    relyingParty = null;

    using (var entities = IdentityServerConfigurationContext.Get())
    var match = (from rp in entities.RelyingParties
    where rp.Realm.Equals(realm, StringComparison.OrdinalIgnoreCase) &&
    rp.Enabled == true
    orderby rp.Realm descending
    select rp)

    if (match != null)
    relyingParty = match.ToDomainModel();
    return true;

    return false;


  23. Rafi G. says:

    I’m trying to get documentation on Thinktecture.IdentityServer.v1 and I hit this dead link – http://wiki.thinktecture.com/IdentityServer.MainPage.ashx

    Can I find the documentation elsewhere?


  24. Don W. says:

    Hi Dominick,

    I’ve found your information on Pluralsight very helpful. I ended up implementing a Custom UserName Password Validator with your nuget package. I’m just writing to say thank you, and that it seems Microsoft needs to update their documentation. If I hadn’t watched your training videos I would have had no idea that there were changes in .Net 4.5 to the security infrastructure.
    http://msdn.microsoft.com/en-us/library/aa702565.aspx Seems like they need to revisit this section in particular :)

  25. Andy Cohen says:


    Is the source code available from your video: http://vimeo.com/43603474?

  26. Bob Kaine says:

    Hi Dominic,

    I’ve watched a few of your videos on PluralSight and they have been very helpful. We are attempting to create our own STS (I know we’re crazy), and we’ve created our design document and have mostly created our Proof-of-Concept but now we’re running into something that makes us think we missed the boat.

    We’ve created an STS that accepts RequestSecurityToken objects and returns RequestSecurityTokenResponse objects but when we attempt to place the STS within a WCF service we are informed that these are not serializable. We assumed (I know we’re crazy) that they would be serializable. Of course, now that they aren’t we’re second and third guessing our design.

    Are we just missing something? Don’t you host your STS within a WCF Service?

    Quick Explanation of what we’re attempting to accomplish

    We have multiple web-based applications, all internal.
    They have been developed over the last 10 years so some used ActiveDirectory for authentication using WIN32API or LDAP. Some use SQLMembershipProvider. All applications then have an application specific USER_PROFILE table that holds the permissions/roles/claims.

    The idea was to create a custom WCF Hosted Security Token Service.

    The user would bring up the application. Enter their username and password.
    A RequestSecurityToken would be sent to the WCF Hosted STS and a RequestSecurityTokenResponse would be returned. (empty if authentication failed, roles/claim populated if authentication succeeded)

    Are we totally off base?

    • You are thinking too complicated ;) WIF takes care of all the WS-Trust low level details.

      You only need to implement a SecurityTokenService derived class (and the corresponding SecurityTokenServiceConfiguration) and host it with WSTrustServiceHost.

      • Bob Kaine says:

        Thank you for your quick response. Your response at least makes me a little more comfortable that we aren’t totally off base. I don’t want to keep pestering you so is there somewhere that you could point me that would show an example of implementing a STS derived class (….) and hosting it with WSTrustServiceHost. Thank you again for your help.

      • Bob Kaine says:

        Also noticed that WSTrustServiceHost seems to be deprecated when using .NET 4.5. Which we seem to see every time we find something but then the 4.5 “guidelines” seem incomplete.

  27. Bob Kaine says:

    Ignore second comment about it being deprecated, I found the WSTrustServiceHost under 4.5 documentation.

  28. Hi Dominick,

    After watching your Identity and Access Control in ASP.NET 4.5 Pluralsight course, I have a question.

    I’m very interested in getting started with ADFS2 and being able to implement SSO, but I’m stuck on wrapping my head around where the STS would live. For instance, I work from home so I’m rarely logged into the domain for the company I work for. Would I have to be logged into my company’s to be able to reach the STS or is it “acceptable/normal” to have an STS outside of the domain and accessing Active Directory through a firewall?

    Thanks so much! And also, you’re photos are great :)


  29. Kert Kaelep says:

    Hi Dominick,

    I have been using thinktecture identitymodel with my Web Api.
    I am implementing Basic Authentication, Claims-based authorization and Session token.
    All works fine, but I also want to use SignalR side by side with the Web Api. I would like to do the same Auth stuff as I did for the Web Api.

    I have been googling and getting some pointers, but I was wondering if you could give me some advice or point me to the right direction?

  30. Hi Kert,

    this is thinktecture’s Christian Weyer.
    The way I usually see Web API and SignalR is the following:
    -define inbound APIs (from consumers to services) with Web API
    -define outbound APIs (from services to consumers) with SignalR

    With this is mind I have a very simple specialized ApiController which holds a hub:

    By leveraging this approach we can totally rely on the Web API pipeline and thus on thinktecture IdentityModel.



  31. Kert Kaelep says:

    Hi Christian,

    I have tried that, but
    I would like to use SignalR groups and track my real users(map connectionids to my users).

    Is there more solutions you have seen ?

  32. Sam says:

    Good morning Dominick,

    Thank you very much for the lots of information and projects you have provided to the community. Very very informative. I have been recently going through your videos on vimeo and pdf files and this website and have a quickie question.

    I am looking at the projects on the thinktecture github account and have a question on how to integrate the “Thinktecture.IdentityModel.45” into the overall picture of “Authentication and Authorization” security flow?

    I know that the “IdentityServer” is to just produce and generate identity token to identify the user. The “AuthorizationServer” is to just produce and generate access token to resources on the resource server.

    So the flow I have in my head right now is the user hits the “IdentityServer” and gets an identity token in the response once authenticated. Then the user passes that identity token to the “AuthorizationServer” to get back a authorization/access token to what resoures the user has access to.

    Then the access token is submitted to the resource server where the resource server checks what resource the user can access using the access token. In this entire flow, where does the “Thinktecture.IdentityModel.45” project fit in??? very confused at the moment.

    Thank you very much for all you and thinktecture have done for the community and for helping clarifying this confusion I have.

    By the by, is there a pdf diagram and explanation of the overall flow of using the three projects “Thinktecture.IdentityModel.45”, “Thinktecture.IdentityServer.v2″, and Thinktecture.AuthorizationServer” together as an integrated security solution?

    have a great day

    • In general IdentityModel is a helper library – that is e.g. used by IdentityServer and AuthorizationServer.

      In your scenario IdentityModel could be used to consume the identity/access token in your Web API.

      See the IdentityModel wiki for samples.

  33. Graham says:

    Hi Dominick

    I attended your great presentation on securing asp.net web api based architectures at the software architect conference in London. Is it possible you could provide me with the URL to the example source code? My camera couldn’t capture the URL from the back of the room!


  34. Peter Derwa says:

    Hi dominick, I’ve been going over your blog and brocks blog for a while now, but I can’t seem to find a sample in ASP.Net MVC 4 on .Net 4.0, do you have a config file example? I’ve tried allot of things already, now I’m stuck on response 405, method not allowed. I’m seeing a roundtrip to identityserver and back, but I’m not understanding what the problem is yet.

    • .NET 4.0 is a long time ago ;) Well – config should be more or less the same – 405 sound familiar – do you have a trainling / on your reply to URL (if no – add it).

      • Peter Derwa says:

        Yes, I would love to use 4.5 but our boss doesn’t want to upgrade to VS 2012 or 2013 yet. What is a trainling? :)

  35. sorry – trailing “/”

  36. Per says:

    Hi Dominick!

    I have recently viewed your NDC presentations which I found really helpful. However, one subject that I haven’t found much information on is authorization related to data. Narrowing the information returned based on user. This type of authorization is often crucial in enterprise applications where you have users on different levels in an organization. To me it is something that relates to authorization but at the same time is different from claim based authorization. As I see it you often need both. EX: A user located in a specific country can only view and perform certain actions related to that country.
    Whats your opinion on this subject? I know this is potentially a big topic but could you point me in some direction?

    Many Thanks

    • Hey

      yes this is a big topic – and i’d love to have the universal formula for that. but i don’t. This seems to be so application specific that it has to be implemented over and over again.

  37. Udayan Sarma says:

    Hi Dominick,
    I have been following the Identity server implementations and downloaded the code from Github for Identity server 2.0. I was able to use Windows Azure as the identity provider. We don’t have a federated Active Directory system within our organization. Is there any other way to wire in the active directory DB without federation to the Identity server so our application can provide SSO experience to our users.

    Thank you

    • We don’t support Windows integrated authentication directly (that’s an ASP.NET limitation).

      You could write a user repository that uses LDAP to auth against AD. Check the wiki for extensibility.

  38. Peter Derwa says:

    Hi Dominick,
    In our company we would like to start using the IdentityServer to secure our Web API services. I was wondering how you handle basic user/password authentication through a JavaScript web application (durandal) and use that authentication on the web api services.

    What I had in mind was this:
    – In a login screen, I authenticate as a user, I send the user and password to the identityServer and receive a token (which endpoint should I call for this? I can’t seem to find an endpoint which returns a token instead of a complete view?)
    – I add the token to the header of my request to the Web API Services.

    I don’t think that I would want to use the authorization server since I want to be able to administer quite allot of roles, so I would like to work with the ClaimsAuthorize Attribute. Only I’m not sure what is the best way to achieve this in my Web API Scenario.

    Thanks allot for your great work! I hope you are available for a good security review of our code once we want to publish this online?

  39. For JS/Web API you want to use one of the OAuth2 endpoints – like the resource owner flow or implicit flow. Check the wiki.

    Sure – I am available to review work. Have fun!

    • Peter Derwa says:

      Hi Dominick, so there is no way of getting this done without oauth? I thought that I would be able to realize this with only claims authorization. I wasn’t planning to use OAuth for the website because I only want to control access through claims.

  40. Sorry I don’t know enough about you scenario – and this here is note the place for general consulting ;)

    • Peter Derwa says:

      I understand :) Let me try one more question. If I understand correctly from your code, I should be able to get a session token from my Javascript application. But I’m not sure which endpoint I can use to do so, of is this something that is not ready to use? I supposed I could just call the Identity Server with my credentials and receive a token, but I don’t know which endpoint to use according to the JsBasicAuth example.
      PS, how can I contact you for a review on our security once implemented?

  41. If you have a specific question to one of the samples, please use the corresponding issue tracker on github. thanks!

    dominick dot baier at thinktecture dot com

  42. Peter Larsen says:

    Hi Dominick,
    I have just realized that you have been in Denmark several time and done some talks about Windows Identity Foundation – is it something you plan to do again in a near future ?

  43. WIF turned into .NET 4.5 – this is “legacy” already (at least for Microsoft) – Katana is the new thing.

    • Peter Larsen says:

      So the old WIF was Geneva and the new WIF is Katana ?
      Could you – very shortly – tell the difference ?

  44. Project Geneva became the original WIF. Then WIF was integrated into .NET 4.5.

    The new wave of identity frameworks going forward is under Project Katana – they all build on claims but are now using OWIN. (see https://leastprivilege.com/2014/02/21/test-driving-the-ws-federation-authentication-middleware-for-katana/)

  45. Miguel Madeira says:

    Hi Dominique,

    I’ve attended your awesome session at “New Developer Conference” in London last December. Congratulations!

    I’m now creating a project where I need to expose an API endpoint with some operations to be consumed by a mobile application.

    My goal is to any operation available in the WebAPI, should only by accessible by valid users, after they authenticate and get a valid token from the service.

    I’ve already have the code working on my machine, and here it comes again the famous sentence “It works on my machine”, but when I publish the webapi project to my production server available in a public endpoint, the server always return a 400 BAD REQUEST response with a “invalid_grant” message, when i try authenticate a user over the token endepoint.

    I’ve made some research and everything indicates that might be a CORS issue. I’ve added the app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll); to my ConfigureAuth method but still doesn’t work in production under a valid SSL FQDN endpoint.

    I’ve attached my demo project, that is fully working on localhost but doesn’t work if I authenticate the user to the Token endpoint in my production environment.

    Link to Demo Project: https://www.dropbox.com/s/u6obymmxun0hhr4/WebApiTokenTest.zip

    Any help is appreciated.

    Thanks in advance,
    Miguel Madeira

  46. Jan Johansson says:

    Hello Dominick,

    Thanks for your amazing pluralsight course about Identity! I’ve been doing some more reading and testing based on your code, and your code works great. However, I’ve got one issue that confuses me regarding SecurityTokenHandlers with WindowsWSTrustBinding. When I’m using UserNameWSTrustBinding and wire up with a UserNameSecurityTokenHandler type, then the framework fires “ValidateToken”. But when I use WindowsWSTrustBinding then nothing happens – with any of the SecurityTokenHandlers. What token handler handles the WindowsWSTrustBinding? How do I intercept the call chain with the WindowsWSTrustBinding, to do my own validation and handling?

    Best Regards,

    • Windows authentication is always special at Microsoft – it is “built-in”. Why would you want to intercept it?

      • Jan Johansson says:

        Hi again, and thanks for a fast response :-)

        It’s mostly academic, I really enjoy knowing how things works! And I put loads of time of digging and learning. However, I did some more work after I wrote to you, and it seems like the UserNameSecurityTokenHandler IS used with WindowsWSTrustBinding. But not the ValidateToken. Only CanReadToken and …Write… calls.

        Best Regards,

      • Jan Johansson says:

        Hi again,

        I did com up with a case, when WindowsWSTrustBinding could be of help (but as we saw, can not)…

        A user is accessing a web server in a DMZ. The web server in turn must access a service in the backend, and needs credentials. To have it, the user is presented with login screen. But the user have already logged on to his/her machine, and expects to not need login again to use the web application. This need to login to an application when you’re already signed in to your local account on your Windows machine is rather dull.

        Anyway, federated security is the way to go to avoid this scenario :-)


  47. It depends how you authenticate via Windows. If the user provides a name/password – by default the WindowsUserNameSecurityTokenHandler is used. If Windows integrated authentication is used, validation is internally hard wired.

    • Jan Johansson says:

      Thank you Dominick for a good answer! Reminds me of an event some years ago when I was digging the SSPI stack, and found out that it was handled somewhat differently when using ‘localhost’ or when actually pushing traffic on a wire. After some mail exchanges with Microsoft, they confirmed it, saying that there are lots of things ‘hard wired’ in Windows based on different cases, and of course not all is documented to the public :-)

  48. I am not sure I follow – WindowsWSTrustBinding is actually used quite a lot, e.g. to turn use a Windows credential to request a SAML token.

Leave a Reply to Peter Larsen Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s