Author Archives: Dominick Baier

Major Update to IdentityModel.OidcClient

Posted on April 24, 2020 by Dominick Baier

I just pushed Preview 3 of the 4.0 version of IdentityModel.OidcClient – this includes some major updates (that you might or might not have asked for): Removal of OpenID Connect Hybrid Flow. The codebase does Authorization Code Flow + PKCE … Continue reading →

Posted in IdentityModel, OAuth, OpenID Connect | 2 Comments

SPAs are dead!?

Posted on March 31, 2020 by Dominick Baier

clickbait isn’t it? But this was Brock’s immediate reaction when we saw (and I recommend you read this first): Full Third-Party Cookie Blocking and More What this basically means is, that browser are getting more and more strict with how … Continue reading →

Posted in OAuth, OpenID Connect | 27 Comments

Online Workshops in 2020

Posted on March 16, 2020 by Dominick Baier

For obvious reasons, all in-person workshops have been cancelled for the time being. This is frustrating on one hand, but converting them to an online format, will allow people to attend who otherwise wouldn’t make it. The other upside is, … Continue reading →

Posted in Uncategorized | Leave a comment

Mutual TLS and Proof-of-Possession Tokens: Summary

Posted on February 12, 2020 by Dominick Baier

This is the last part of my PoP and Mutual TLS post series. Part 1 covered some history and motivation, and part 2 looked at various server setups. Part 3 was supposed to be a walk-through guide on how to … Continue reading →

Posted in ASP.NET Core, IdentityServer, OAuth, OpenID Connect | 4 Comments

Mutual TLS and Proof-of-Possession Access Tokens – Part 1: Setup

Posted on February 7, 2020 by Dominick Baier

2020 is the year where I want proof-of-possession tokens to become reality. Mutual TLS seems to be the only feasible way to do that today. So here’s another post about it…. This is a two-part post. In this post we … Continue reading →

Posted in ASP.NET Core, IdentityServer, OAuth, OpenID Connect | 8 Comments

Hardening OpenID Connect/OAuth Authorize Requests (and Responses)

Posted on February 4, 2020 by Dominick Baier

One of the biggest strengths of OIDC and OAuth is the usage of the browser front-channel. The browser can show a UI and follow redirects, this makes it very powerful and flexible. Guess what – the biggest weakness of OIDC … Continue reading →

Posted in IdentityServer, OAuth, OpenID Connect | Leave a comment

Hardening Refresh Tokens

Posted on January 21, 2020 by Dominick Baier

Refresh tokens provide a UX friendly way to give a client long-lived access to resources without having to involve the user after the initial authentication & token request. This makes them also a high-value target for attackers, because they typically … Continue reading →

Posted in IdentityServer, OAuth, Uncategorized | Leave a comment

2020: IdentityServer4 Roadmap

Posted on January 17, 2020 by Dominick Baier

It’s the time of the year – we are working on IdentityServer and lock down the features we want to implement for the next version(s). Initially we planned to make our 3.0 release the big one – but then .NET … Continue reading →

Posted in IdentityServer, Uncategorized | 2 Comments

New in IdentityServer4 v4: Multiple signing Keys

Posted on January 16, 2020 by Dominick Baier

So far IdentityServer4 only supported a single signing key at a time. There are historic reasons for that. When we started with .NET Core, the only x-plat algorithm that really worked (without #ifdef hell) was RSA with SHA-256 (RS256) so … Continue reading →

Posted in IdentityServer, Uncategorized | 3 Comments

OAuth 2.0: The long Road to Proof-of-Possession Access Tokens

Posted on January 15, 2020 by Dominick Baier

I did a lot of WS-Security in my (distant) past – and whenever we started looking into migrating to OAuth 2.0, there was this one thing on the security check-list that was missing in the OAuth world: proof of possession … Continue reading →

Posted in IdentityServer, OAuth | 1 Comment